Finding 2022-005 Programs: All Material Weakness over Information Technology Security Repeat Finding: Yes Auditee?s Corrective Action Plan: We concur with the findings. The Baltimore City Office of Information & Technology (BCIT) has made significant progress in resolving this finding. Specific ...
Finding 2022-005 Programs: All Material Weakness over Information Technology Security Repeat Finding: Yes Auditee?s Corrective Action Plan: We concur with the findings. The Baltimore City Office of Information & Technology (BCIT) has made significant progress in resolving this finding. Specific improvements are below: Vulnerability Management Status: ? BCIT continues to make progress on addressing the backlog of vulnerabilities in our environment. ? We transitioned to a new vulnerability management tool, Tenable, to reduce the number of false positives and issues with reporting that we had with our original tool. ? We hired an experienced vulnerability lead to take over the planning tracking and monitoring of backlog initiatives. ? As we finish up current initiatives like Win 10 v1909, SMBv1 Workstation, Flash Uninstall and Internet Explorer - we tee up new initiatives. ? We are currently in the planning / scoping phase to remove old versions of Adobe Acrobat, Adobe Products and Mozilla Firefox. ? For operational patching, we are deploying 90% of patches on critical servers within 7 days, but we are only deploying 70% of workstation patches within 3 weeks. Upcoming Vulnerability Management Milestones: ? We have a funded position to hire a full-time workstation vulnerability engineer to ensure workstation patching is at 95% completion after 3 weeks. We have reviewed resumes, selected a slate and plan to have a person join the team in May 2023. ? We have diagnosed the reason we are deploying 90% of patches on critical servers. We patch the operating system consistently, but we are not always patching applications on the servers. The server patching team has begun patching applications. For April 2023 critical server patches, we achieved 100% in 7 days. We will continue to monitor our corrective action. Privileged Access Entitlement Review Status: ? Developed and implemented a process to review privileged credentials city-wide. o The user requesting admin privileges fills out a privilege access agreement (PAA) that documents the privileges required. o The admin?s manager signs the request. o The user signs an acknowledgement of their responsibilities and attaches to form a ticket. o The ticket results in computer-based training being assigned to the admin. o The ticket is forwarded to appropriate team in BCIT ? server or desktop for their review / approval. o When training is verified and BCIT approvals are completed, the user is authorized to continue using existing credentials or assigned the new credentials requested. ? BCIT leveraged this exercise to standardize admin account naming conventions aligned with best practices. We now require separate admin accounts for workstation or server administration. We are disabling / doing away with the legacy one size fits all generic admin accounts (P accounts). Upcoming Milestones: o Complete the review and cleanup of the final wave of agencies ? BCIT, BCHD, BCFD and some stragglers from DPW, DHR and DOF ? May 2023 o Disable all privileged accounts that have not been used within 180 days ? May 2023 o Review any remaining P accounts for disposition ? June 2023 o Seek feedback from agencies on the FY 2023 Privileged Account review process and develop process improvements ? 1st quarter FY 24 o Begin FY 24 Privilege entitlement review process ? 2nd quarter FY 24. Segregation of Duties: The Blue Hill vendor now has a designated full-time Team Lead to oversee the City of Baltimore?s contract. Now that we have a dedicated Blue Hill Team Lead, the VMLIB process and programmer rights will be modified to only allow the Blue Hill Team Lead or the BCIT Mainframe Manager to promote programs to production. Mainframe Restoration: To restore mainframe operations at the secondary data center, BCIT employs Blue Hill, who maintains an alternative backup site in New Jersey (BlueZone) should the main location in Pearl River, New York ever go down. o Every night the data and code are replicated and transmitted to the backup site. o Should a disaster occur, the backup (BlueZone) site will be operational in less than 48 hours. Contact Person: Todd Carter, CIO/CDO Baltimore City Completion Date: June 2024 and continuously reviewing.