Report LA96-15

Results in Brief

Because of weaknesses in its computer security controls, NDOT cannot ensure
that access to its information resources is limited to authorized personnel
acting within the scope of their assigned duties. Although NDOT has developed
formal security policies and procedures, some areas have not been addressed,
and some procedures have not been carried out as required. As a result,
NDOT's information resources are vulnerable to unauthorized use, modification,
or destruction. Due to the critical nature of NDOT's data, programs, and
software, unauthorized access could have serious consequences for its operations.

Principal Findings

1. Our audit revealed a number of inconsistent and inappropriate system-wide
security settings that weaken the security controls and increase the risk
of unauthorized access to NDOT's information resources. (page 9)
2. NDOT did not change all of the factory-set user profile passwords, as
recommended by IBM, when it installed the AS/400 computers in 1992. As
a result, NDOT's systems are at considerable risk of unauthorized access,
since these passwords are printed in the IBM user manual. (page 11)
3. We identified a number of user profiles that were still active for employees
who had terminated or transferred more than a year earlier. (page 11)
4. NDOT had several special authority user profiles in effect that were
not needed, and several that granted levels of access greater than required
by the employee's job function. (page 12)
5. Several user profiles could not be identified as belonging to NDOT employees
because required user ID naming conventions were not always followed. (page 12)