LANSING – The Michigan Department of Management and Budget is not properly restricting access to information technology equipment and is not ensuring that equipment is being properly stored, Auditor General Doug Ringler said in a report released Friday.
The performance audit of physical security and environmental controls over information technology resources for the period October 1, 2012, through July 31, 2105, found the department was not always locating communications equipment in separate rooms and, even when it was, those rooms were not always properly secured.
The department was also not ensuring the equipment was protected from conditions that could damage it.
The auditors did find the department was generally adequate in protecting the servers, switches and cabling, but of 163 rooms designated for telecommunications equipment across 83 buildings (the state has 790 buildings), 12 were shared space. Auditors said federal standards require that each building have one dedicated main telecommunications room and that each floor of the building have a room for the equipment on that floor. Those rooms are supposed to be accessible only to authorized staff.
In a related lesser finding, auditors said the department was also not ensuring its access records were up to date. Of the 186 access authorizations across two hosting centers and eight switch rooms, 15 were for former employees and nine were for people who had not undergone a background check.
In addition to controlling access, DTMB was also not controlling the items brought into those rooms, auditors said. The federal standards call for dust and fire control in rooms containing IT equipment and recommend prohibiting food and beverages.
Auditors found evidence of food in five of the eight switch rooms and 20 of the 163 telecommunications rooms in the buildings reviewed. They also found those rooms being used for general storage in the case of one of the three hosting centers, seven of the switch rooms and 122 of the telecommunications rooms.
In an unusual step for an audit report, auditors included photographs of some of the offenses, including several telecommunications rooms with general storage, one with cables hanging into the middle of the room. In one instance, the equipment was installed in a garage above a hose reel.
Department officials agreed with the findings and, as to physical access, said they would review equipment location and move it to a secure room where possible. Officials indicated some challenges meeting the standards in leased buildings.
Officials said they had already begun cleaning the rooms and would establish a cleaning schedule for those rooms. The department is also implementing a policy prohibiting general storage in those rooms, as well as possession of food and drinks, and would be posting signs to that effect on the rooms.
Auditors also cited the department for not having replacement schedules for mechanical equipment serving its hosting centers and switch rooms. In two of the three hosting centers and four of the eight switch rooms, auditors found air conditioning units, uninterruptible power supplies and surge suppressors that were beyond their recommended lifespan.
DTMB officials said they replace equipment based on technician recommendation and budget capacity but would plan for the coming year to replace the items identified by auditors.
In two other findings, auditors said the department was not keeping accurate inventories of its equipment (they found new items that were not recorded) and was not maintaining preventative maintenance records.
This story was published by Gongwer News Service. To subscribe, click on www.gongwer.com
