Audit Division
Audit Summary
Security And Integrity Of The
LA02-24
Errors and missing data in the criminal history records database reduce the reliability of programs that rely on this information. Such programs include background checks for employment and gun purchases. In addition, thousands of criminal fingerprint cards have not been fully processed and others were not processed in a timely manner. These weaknesses have resulted from a lack of controls in entering and testing data, and from allocating resources to other activities.
Computer security weaknesses place the criminal history repository at risk of unauthorized access to the system and data. This could result in sensitive and confidential information being viewed, altered, or destroyed deliberately or accidentally. In addition, controls over physical access to source documents and computer equipment need strengthening. Furthermore, the lack of a complete disaster recovery plan leaves the system vulnerable in the event of a disaster or tampering with data. Sustained management commitment is needed to ensure these weaknesses are addressed.
· The criminal history database contained inaccurate information and some records were missing. In one test, 31 of 945 (3%) data elements in the database contained errors. In another test, 56 of 155 (36%) data elements contained errors. These errors were caused by data entry, lack of a re-key function, and system design problems. Furthermore, the entire criminal histories for 47 individuals were no longer present in the database. The cause of these missing records is unknown. Having errors in records of criminal history will impact the accuracy of background checks for gun purchases and work-related background checks. (page 12)
· Nearly 70,000 criminal fingerprint cards have not been fully processed by the Records and Identification Services Bureau. Specifically, information from the cards has been entered into the criminal history records database, but the fingerprints have not been matched to existing records. In addition, the re-key function has not been performed for 40% of these cards, which could reduce the accuracy of the information entered into the database. This has resulted from the Bureau’s decision to put more resources into other activities, such as civil applicant background checks. (page 14)
· Adequate password controls, designed to prevent unauthorized access to computer data, have not been implemented. We found 4,381 of 4,757 (92%) passwords tested for one computer system did not meet the criteria for strong passwords. In addition, we found passwords that had been in use for an extended period of time without a forced change. One employee had used the same password for 2½ years. Furthermore, passwords are stored in plain text rather than encrypted. (page 17)
· Computer system access controls are not designed to limit or detect access to computer programs and data. These controls protect information from being viewed, altered, or destroyed by unauthorized individuals. Users are allowed unlimited login attempts, and are not locked out after a period of inactivity. In addition, the system is not designed to detect and prevent suspicious activities leading to unauthorized access. (page 19)
· Access to the computer system is not always terminated for ex-employees. One employee had access 3 months after leaving and another employee 11 months after leaving. By allowing access to ex-employees, there is increased risk of these employees or others gaining unauthorized access to sensitive criminal information. (page 20)
· Access to fingerprint cards was not adequately controlled, thus increasing the risk of losing cards. The door to the fingerprint card room was open 39 of the 43 (91%) times we checked. In addition, nearly 4,000 criminal fingerprint cards were stored in open containers by the door to this storage room. (page 21)
· The Bureau’s disaster recovery plan for the criminal history records database does not address all key components that are designed to ensure protection of assets. Specifically, the plan has not been tested, there is no specific assignment of responsibilities, and critical data has not been identified. In addition, the location used to store a backup copy of the criminal history database is not off-site. (page 23)
· The Bureau is required to audit biennially each local agency within the State that uses the criminal history computer system. Agencies include sheriff’s offices, district attorney offices, and federal agencies. Ten of 112 (9%) agencies were not audited within the last biennium. These audits ensure that local agencies are complying with Nevada and FBI criminal justice policies and regulations. (page 24)
Department of Public Safety
Agency Response to Audit Recommendations
| Recommendation Number | Recommendation | Accepted | Rejected |
|---|---|---|---|
| 1 | Periodically test the accuracy of the criminal history records database. | X | |
| 2 | Perform the re-key function, by separate individuals, when entering information from criminal fingerprint cards and dispositions. | X | |
| 3 | Work with local jurisdictions to standardize the disposition form. | X | |
| 4 | File dispositions so that retrieval is more efficient. | X | |
| 5 | Re-enter missing records into the criminal history records database and determine how records were deleted. | X | |
| 6 | Retain the $24 fee when performing background searches for the FBI. | X | |
| 7 | Provide password controls that prevent unauthorized access to the criminal history records database. | X | |
| 8 | Program the LEMS software to lock users out after a specified period of inactivity. | X | |
| 9 | Periodically review the list of LEMS users to determine if users are still employed in a position that requires system access. | X | |
| 10 | Ensure software is set to capture information and produce reports on user activities. | X | |
| 11 | Ensure physical access is controlled so only authorized individuals are allowed access to sensitive areas. | X | |
| 12 | Update the disaster recovery plan to include all key components. | X | |
| 13 | Provide better backup of the criminal history records database by either storing backup cartridges at an off-site location, or placing the database on the backup mainframe in Las Vegas. | X | |
| 14 | Ensure each agency is audited biennially in accordance with FBI requirements. | X | |
| TOTALS | | 14 | 0 |