Finding 502556 (2023-001)

Material Weakness Repeat Finding
Requirement: N
Questioned Costs: -
Year: 2023
Accepted: 2024-10-11

AI Summary

  • Core Issue: The ADP security plan is not implemented or tested, lacking essential contingency procedures.
  • Impacted Requirements: SMAs must conduct periodic risk analyses and biennial reviews of ADP system security to ensure compliance.
  • Recommended Follow-Up: Establish a program for regular risk analysis to implement effective safeguards for all systems.

Finding Text

Criteria: SMAs must establish and maintain a program for conducting periodic risk analyses to ensure appropriate and cost effective safeguards are incorporated into new and existing systems. State agencies must perform risk analyses whenever significant system changes occur. SMAs shall review ADP system security installations involved in the administration of HHS programs on a biennial basis. At a minimum, the reviews shall include an evaluation of physical and data security operating procedures, and personnel practices. The SMA shall maintain reports on its biennial ADP system security reviews, together with pertinent supporting documentation, for HHS on-site reviews (45 CFR section 95.621).

Condition: The security plan for ADP (Automatic Data Processing) system, including policies and procedures to address contingency plans in the event of unforeseen interruptions has not been implemented and tested.

Cause: This situation was primarily caused by the lack of effective internal control over ADP Risk Analysis and System Security Review.

Effect: Critical business functions may not be resumed on time in case an emergency or disaster causes the ADP system resources to become unable to meet critical processing needs in the event of a short or long-term interruption of service.

Questioned Costs: None

Perspective information: N/A

Prior Year Audit Finding: 2022-001

Recommendation: The Administration should establish and maintain a program for conducting periodic risk analysis to ensure appropriate, cost-effective safeguards are incorporated into new and existing systems.

Management’s Response: Refer to Grantee’s Corrective Action Plan

Corrective Action Plan

ASES contracted a Cybersecurity expert to review the Disaster Recovery Plan (DRP) and a Business Impact Analysis was completed to acquire space within the AZURE cloud with the approval of the Puerto Rico Innovation and Technology Service (PRITS). The strategy of protection and alternate space was designed to work on ASES applications and documents in case of a disaster. ASES already has a virtual RED environment where the resources are being replicated for users and area documentation and eventually the servers will be replicated in the AZURE space. Additionally, an internal Risk Assessment was performed that helped identify and remedy the vulnerabilities in the agency. It was prepared by the Information Systems Security Administrator, evaluated by the personnel hired at the executive level and signed in acceptance of the exercise carried out. As a result, the DRP was updated based on departmental needs and the current capabilities of the agency's information systems. ASES also implemented the use of OneDrive tools for users to save their documents in this application and SharePoint for departmental files and documents.

Categories

Internal Control / Segregation of Duties

Other Findings in this Audit

  • 502557 2023-001
    Material Weakness Repeat
  • 502558 2023-002
    Significant Deficiency Repeat
  • 502559 2023-002
    Significant Deficiency Repeat
  • 502560 2023-002
    Significant Deficiency Repeat
  • 502561 2023-002
    Significant Deficiency Repeat
  • 1078998 2023-001
    Material Weakness Repeat
  • 1078999 2023-001
    Material Weakness Repeat
  • 1079000 2023-002
    Significant Deficiency Repeat
  • 1079001 2023-002
    Significant Deficiency Repeat
  • 1079002 2023-002
    Significant Deficiency Repeat
  • 1079003 2023-002
    Significant Deficiency Repeat

Programs in Audit

ALN     Program Name                          Expenditures
93.778  Medical Assistance Program            $106.17M
93.767  Children's Health Insurance Program   $2.91M