HARTFORD, CT — It’s no secret the Department of Motor Vehicles struggled to implement a new computer and licensing system, but the department recently told the Auditors of Public Accounts that it has fixed those problems.
The problems were mostly related to security, stemming from the installation of a more than $26-million computer system that spanned all or part of the tenure of at least four DMV commissioners. The DMV’s current commissioner, Sibongile Magubane, wasn’t appointed until April 2019, months after the audit was completed.
The DMV contracted with Science Applications International Corporation (SAIC) in 2009 to develop the Connecticut Integrated Vehicle and Licensing System (CIVLS). SAIC later assigned the contract to 3M Corporation, which worked on the project until 2016 when the DMV terminated the contract.
The new system was part of a larger plan to modernize DMV operations to improve the department’s overall business and administrative processes, but the Auditors of Public Accounts found several problems with the way that plan was implemented.
From overly optimistic project milestones to project management turnover and the vendor’s lack of understanding of the complexity and scope of the work, the project appears to have gotten off to a bad start, according to the auditors.
One of the problems highlighted by the auditors in a report released last week involved password security for employees who worked on the system.
At the time the auditors were testing the password policy, only 125 of 800 DMV employees had user accounts with the stricter password policy.
“This policy has been addressed. An industry-standard password policy has been implemented,” the DMV stated.
The DMV also failed to maintain control over the level of user access to certain accounts.
“DMV lacks control over inappropriate access levels being issued to and removed from users,” the auditors found. “The department lacks the ability to determine when users are added to or removed from groups, or even enabled and disabled.”
The department said that issue has been addressed.
The auditors also found that new accounts can be created without detection.
“Additionally, intruders typically create backdoor accounts, and some malware is specifically programmed for that purpose,” the auditors warned.
The DMV said both problems have been addressed.
“This finding has been addressed. A procedure has been completed regarding the configuration of new, promoted/demoted, and terminated employees. The procedure also addresses the monitoring of audit log reports,” the DMV said in response to the audit.
But the auditors have been unable to test the new policy.
“DMV recently provided our office with a report displaying disabled accounts, but it did not include all of the required tracking functionality. We will test the policy during our next audit,” the auditors stated in the report.
Without giving much detail, citing security concerns, the auditors also pointed out problems with password protection.
The auditors recommended the DMV take steps to properly implement secure authentication controls.
“This finding is currently being addressed, with a project plan in place to ensure appropriate password encryption standards are implemented by 2021,” the DMV stated.
The auditors found that the department does not have documentation of a personnel security policy and procedure. That means there’s a risk that the related security controls and control enhancements may not be effectively implemented. The auditors said the DMV had not prioritized it.
“This finding is currently being addressed, with a plan in place to create written policy & procedures regarding personnel access with a target completion in December 2019,” the DMV stated.
The system also fails to disable inactive accounts, which may allow some users unnecessary access to the system. The DMV uses Microsoft to manage user accounts, and that system is not configured to automatically disable user accounts after a defined period of inactivity.
The DMV again said the finding “has been addressed. Dormant accounts are monitored and deactivated when necessary.”
The auditors also found that between January 1, 2015, and January 18, 2017, there were 58 instances in which an employee was terminated but the user account had not been deactivated at the time of testing on January 19, 2017.
“This finding has been addressed. A procedure has been implemented to disable terminated employee accounts within one business day,” the DMV stated.
The new policies the DMV said it implemented might be tested as part of the DMV’s regular audit, but that has yet to be determined.