area cooperative computerized educational service system

Transcription

area cooperative computerized educational service system
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM (ACCESS)
STATE REGION - ISA, MAHONING COUNTY
SERVICE ORGANIZATION CONTROLS REPORT (SOC 1)
APRIL 1, 2012 THROUGH MARCH 31, 2013
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
TABLE OF CONTENTS
TABLE OF CONTENTS
I
INDEPENDENT SERVICE AUDITOR'S REPORT.......................................................................... 1
2
SERVICE ORGANIZATION'S ASSERTION……………………… .................................................. 5
3
DESCRIPTION OF THE SERVICE ORGANIZATION'S SYSTEM ................................................. 7
CONTROL OBJECTIVES AND RELATED CONTROLS................................................................. 7
OVERVIEW OF OPERATIONS ....................................................................................................... 7
RELEVANT ASPECTS OF THE CONTROL ENVIRONMENT, RISK ASSESSMENT AND
MONITORING .................................................................................................................................. 7
Control Environment ........................................................................................................... 7
Risk Assessment................................................................................................................. 9
Monitoring ......................................................................................................................... 10
INFORMATION AND COMMUNICATION ..................................................................................... 10
GENERAL COMPUTER CONTROLS ........................................................................................... 11
Development and Implementation of New Applications and Systems ............................. 11
Changes to Existing Applications and Systems................................................................ 11
IT Security ......................................................................................................................... 12
IT Operations .................................................................................................................... 17
COMPLEMENTARY USER ENTITY CONTROLS ........................................................................ 19
4
INDEPENDENT SERVICE AUDITOR'S DESCRIPTION OF TESTS OF CONTROLS AND
RESULTS ...................................................................................................................................... 21
GENERAL COMPUTER CONTROLS PLACED IN OPERATION AND TESTS OF OPERATING
EFFECTIVENESS.......................................................................................................................... 22
Changes to Existing Applications and Systems................................................................ 22
IT Security ......................................................................................................................... 22
IT Operations .................................................................................................................... 30
5
OTHER INFORMATION PROVIDED BY THE SERVICE ORGANIZATION - UNAUDITED ....... 33
INFORMATION TECHNOLOGY CENTER PROFILE ................................................................... 33
This Page Intentionally Left Blank
Independent Service Auditor’s Report on a Description of a Service Organization’s
System and the Suitability of the Design and Operating Effectiveness of Controls
Board of Directors
Area Cooperative Computerized Educational Service System (ACCESS)
100 DeBartolo Place, Suite 222
Boardman, Ohio 44512
To Members of the Board:
Scope
We have examined ACCESS’s accompanying Description of its Alpha ES45 system used for processing
transactions for users of the Uniform School Accounting System (USAS), Uniform Staff Payroll System
(USPS), and School Asset Accounting System/Equipment Inventory Subsystem (SAAS/EIS) throughout
the period April 1, 2012 to March 31, 2013 and the suitability of the design and operating effectiveness of
controls to achieve the related control objectives stated in the Description. The Description indicates that
certain control objectives specified in the Description can be achieved only if complementary user entity
controls contemplated in the design of ACCESS’s controls are suitably designed and operating
effectively, along with related controls at the service organization. We have not evaluated the suitability
of the design or operating effectiveness of such complementary user entity controls.
The ACCESS uses the State Software Development Team (SSDT) located at the Northwest Ohio
Computer Association (NWOCA) service organization for systems development and maintenance of the
USAS, USPS, and SAAS/EIS application systems. The Description in section 3 includes only the controls
and related control objectives of the ACCESS and excludes the control objectives and related controls of
the NWOCA. Our examination did not extend to controls of the NWOCA.
Service organization’s responsibilities
In section 2, ACCESS has provided an Assertion about the fairness of the presentation of the Description
and suitability of the design and operating effectiveness of the controls to achieve the related control
objectives stated in the Description. ACCESS is responsible for preparing the Description and for the
Assertion, including the completeness, accuracy, and method of presentation of the Description and the
Assertion, providing the services covered by the Description, specifying the control objectives and stating
them in the Description, identifying the risks that threaten the achievement of the control objectives,
selecting the criteria, and designing, implementing, and documenting controls to achieve the related
control objectives stated in the Description.
Service auditor’s responsibilities
Our responsibility is to express an opinion on the fairness of the presentation of the Description and on
the suitability of the design and operating effectiveness of the controls to achieve the related control
objectives stated in the Description, based on our examination. We conducted our examination in
accordance with attestation standards established by the American Institute of Certified Public
Accountants. Those standards require that we plan and perform our examination to obtain reasonable
assurance about whether, in all material respects, the Description is fairly presented and the controls
were suitably designed and operating effectively to achieve the related control objectives stated in the
Description throughout the period April 1, 2012 to March 31, 2013.
88EastBroadStreet,TenthFloor,Columbus,Ohio43215‐3506
Phone:614‐466‐3402or800‐443‐9275Fax:614‐728‐7199
www.auditor.state.oh.us Area Cooperative Computerized Educational Service System (ACCESS)
Mahoning County
Independent Service Auditor’s Report
Page 2
An examination of a Description of a service organization’s system and the suitability of the design and
operating effectiveness of the service organization’s controls to achieve the related control objectives
stated in the Description involves performing procedures to obtain evidence about the fairness of the
presentation of the Description and the suitability of the design and operating effectiveness of those
controls to achieve the related control objectives stated in the Description. Our procedures included
assessing the risks that the Description is not fairly presented and that the controls were not suitably
designed or operating effectively to achieve the related control objectives stated in the Description.
Our procedures also included testing the operating effectiveness of those controls that we consider
necessary to provide reasonable assurance that the related control objectives stated in the Description
were achieved. An examination engagement of this type also includes evaluating the overall presentation
of the Description and the suitability of the control objectives stated therein, and the suitability of the
criteria specified by the service organization and described in section 3. We believe that the evidence we
obtained is sufficient and appropriate to provide a reasonable basis for our opinion.
The information in section 5 describing the information technology center is presented by the
management of ACCESS to provide additional information and is not part of the ACCESS’s Description of
controls that may be relevant to a user entity’s internal control. Such information has not been subjected
to the procedures applied in the examination of the Description of the controls applicable to the
processing of transactions for user entities and, accordingly, we express no opinion on it.
Inherent limitations
Because of their nature, controls at a service organization may not prevent, or detect and correct, all
errors or omissions in processing or reporting transactions. Also, the projection to the future of any
evaluation of the fairness of the presentation of the Description, or conclusions about the suitability of the
design or operating effectiveness of the controls to achieve the related control objectives is subject to the
risk that controls at a service organization may become inadequate or fail.
Opinion
In our opinion, in all material respects, based on the criteria described in ACCESS’s Assertion in section
2,
a. the Description fairly presents the system that was designed and implemented throughout the
period April 1, 2012 to March 31, 2013.
b. the controls related to the control objectives stated in the Description were suitably designed to
provide reasonable assurance that the control objectives would be achieved if the controls
operated effectively throughout the period April 1, 2012 to March 31, 2013 and user entities
applied the complementary user entity controls contemplated in the design of the ACCESS’s
controls throughout the period April 1, 2012 to March 31, 2013.
c.
the controls tested, which together with the complementary user entity controls referred to in the
scope paragraph of this report, if operating effectively, were those necessary to provide
reasonable assurance that the control objectives stated in the Description were achieved,
operated effectively throughout the period April 1, 2012 to March 31, 2013.
Description of tests of controls
The specific controls tested and the nature, timing, and results of those tests are listed in section 4.
Area Cooperative Computerized Educational Service System (ACCESS)
Mahoning County
Independent Service Auditor’s Report
Page 3
Restricted use
This report, including the Description of tests of controls and results thereof in section 4, is intended solely
for the information and use of ACCESS, user entities of ACCESS’s system during some or all of the
period April 1, 2012 to March 31, 2013, and the independent auditors of such user entities, who have a
sufficient understanding to consider it, along with other information including information about controls
implemented by user entities themselves, when assessing the risks of material misstatements of user
entities’ financial statements. This report is not intended to be and should not be used by anyone other
than these specified parties.
Dave Yost
Auditor of State
Columbus, Ohio
July 8, 2013
This Page Intentionally Left Blank
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
DESCRIPTION OF THE SERVICE ORGANIZATION’S SYSTEM
SECTION 3 - DESCRIPTION OF THE SERVICE ORGANIZATION’S SYSTEM
CONTROL OBJECTIVES AND RELATED CONTROLS
The ACCESS’ control objectives and related controls are included in section 4 of this report, “Independent Service Auditor’s Description of Tests of
Controls and Results,” to eliminate the redundancy that would result from listing them here in section 3 and repeating them in section 4. Although
the control objectives and related controls are included in section 4, they are, nevertheless, an integral part of the ACCESS’ description of
controls.
OVERVIEW OF OPERATIONS
The ACCESS is one of 22 governmental computer service organizations serving more than 900 educational entities and 1.4 million students in the
state of Ohio. These service organizations, known as Information Technology Centers (ITCs), and their users make up the Ohio Education
Computer Network (OECN) authorized pursuant to Section 3301.075 of the Revised Code. Such sites, in conjunction with the Ohio Department of
Education (ODE), comprise a statewide delivery system to provide comprehensive, cost-efficient accounting and other administrative and
instructional computer services for participating Ohio entities. Funding for this network and for the ACCESS is derived from the state of Ohio and
from user fees.
ITCs provide information technology services to school districts, community (charter) schools, JVS/career & technical, educational service centers
(ESCs) and parochial schools; however, not all entities subscribe to the same services. Throughout the remainder of the report, the term “user
entity” will be used to describe an entity that uses one or more of the following applications:



Uniform School Accounting System (USAS).
Uniform Staff Payroll System (USPS).
School Asset Accounting System/Equipment Inventory Subsystem (SAAS/EIS).
ITCs are organized either as consortia under ORC 3313.92 or as a Council of Governments (COG) under ORC 167. ORC 3313.92 allows school
districts to create a partnership (consortia) to resolve mutual needs. One of the members of the consortia is designated as fiscal agent. The fiscal
agent provides all accounting, purchasing, and personnel services for the consortia. A “COG” under ORC chapter 167 allows one or more
governmental entities to join to form a new legal entity. A COG can have its own treasurer, make its own purchases, hire staff, and have debt
obligations. The ACCESS is a subsidiary of the ACCESS Council, which is a council of governments organized under ORC 167. The governing
board of the Mahoning County Educational Service Center (MCESC) serves as fiscal agent for ACCESS.
RELEVANT ASPECTS OF THE CONTROL ENVIRONMENT, RISK ASSESSMENT AND MONITORING
Control Environment
Operations are under the control of the executive director and the ACCESS Council board of directors. The ACCESS exists to provide a costeffective, advanced technology platform that will enhance the educational experiences of the students and support the academic and business
efforts of the organizations, teachers, administrators and staff which they serve. One member from each member user entity is appointed to the
7
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
DESCRIPTION OF THE SERVICE ORGANIZATION’S SYSTEM
legislative body of the council known as the assembly. The assembly meets at least twice per year to estimate program costs, approve annual
appropriations, select members of the board of directors and approve other matters as determined to require the approval of the assembly.
The board of directors is the governing body of the ACCESS Council and is composed of the county superintendents for each of the counties of
Columbiana and Mahoning, two superintendents from each county, and one treasurer from each county. The board of directors is required to
meet each month except July. The board has also established subcommittees to assist in the operation of the ACCESS and its programs.
The ACCESS employs a staff of nine individuals and the executive director. It is supported by the following functional areas:
Fiscal Support:
Facilitates the implementation and operation of fiscal services of the ACCESS which include USAS, USPS,
SAAS/EIS, and GAAP application systems and provides user training and support.
Student Support:
Facilitates the implementation and operation of the student services of the ACCESS and provides user
training and support.
Network/Systems Support: Designs and supports the ACCESS computer systems and its networked communications systems and
provides user training and support as needed.
Library Support:
Facilitates the implementation and operation of the library services of the ACCESS and provides user training
and support.
Executive Director
WAN Manager
LAN Manager/
Mainframe
Associate Director
Student Services ‐ EMIS
Student Services
LINUX ‐ Database Administrator
Fiscal Services
Library Services
Fiscal Services
Each functional area reports to the executive director.
8
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
DESCRIPTION OF THE SERVICE ORGANIZATION’S SYSTEM
Users are responsible for the authorization and initiation of all transactions. Management reinforces this segregation of duties as a part of its new
employee orientation process, through on the job training, and by restricting employee access to user data. Changes to user data are infrequent.
Only experienced ACCESS staff members may alter user data and only at the request of the user entity.
The ACCESS staff, with the exception of the executive director and the associate director, is part of the MCESC bargaining unit and therefore
follows the master agreement executed between the MCESC and the MCESC Employees Association.
The ACCESS’ hiring practices place an emphasis on the hiring and development of skilled information technology professionals. Most positions
within the organization require some type of college degree in a computer-related field, and all of the ACCESS staff members are required to
attend professional development and training as a condition of continued employment. Each full-time staff member must attend at least 20 hours
of approved professional development training annually, and part-time staff member training hours are pro-rated.
The master agreement addresses personnel policies and procedures for the ACCESS staff. For policies not addressed in the master agreement,
ACCESS staff follows the policies in the MCESC Policies and Procedures Manual. Detailed job descriptions exist for all positions. The ACCESS
is constantly re-evaluating its need for personnel to provide for the increasing range of services provided. The reporting structure and job
descriptions are periodically updated to create a more effective organization.
ACCESS is also subject to ITC site reviews by the Technology Solutions Group of the Management Council – Ohio Education Computer Network
MCOECN (mc•tsg). These site reviews are conducted by a team consisting of an employee of the Ohio Department of Education (ODE), two
current and/or former school district administrators, two current and/or former ITC Directors, and one additional team member to provide training to
subsequent teams. Approximately three to five ITC site reviews are conducted annually. The sites chosen for review are designated by the
OECN Oversight Advisory Committee as approved by ODE. The guidelines and recommended procedures for these reviews are based on the
Ohio Administrative Code, which cover the following areas: governance, administration, finance, personnel and staff development, physical
facilities, hardware, software, user in-service, and operations. ACCESS’s site review was conducted February 27 – March 1, 2013.
Risk Assessment
The ACCESS does not have a formal risk management process; however, the ACCESS board is made up of representatives from the member
user entities who actively participate in the oversight of the ACCESS.
As a regular part of its activity, the ACCESS board addresses:





New technology.
Realignment of the ACCESS organization to provide better service.
Personnel issues, including hiring and terminations.
Additional services provided to member user entities and other entities.
Changes in the operating environment as a result of ODE requirements, Auditor of State (AOS) and other accounting pronouncements,
and legislative issues.
9
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
DESCRIPTION OF THE SERVICE ORGANIZATION’S SYSTEM
In addition, the ACCESS has identified operational risks resulting from the nature of the services provided to the user entities. These risks are
primarily associated with computerized information systems. These risks are monitored as described under ”Monitoring” below and in additional
detail throughout the ”General Computer Controls“ section of this report.
Monitoring
The ACCESS organization is structured so that staff report directly to the executive director. The ACCESS executive director and supervisory
personnel monitor the quality of internal control performance as a routine part of their activities. To assist them in this monitoring, ACCESS uses a
variety of key indicator reports to monitor the processes involved in processing transactions for user entities.
Hardware, software, network, data integrity, Internet usage, and computer security reports are monitored on an ongoing basis by management.
Some of these reports are automatically run through a scheduler program and are sent to management via e-mail. Exceptions to normal
processing related to hardware, software or procedural problems are logged and resolved daily.
INFORMATION AND COMMUNICATION
The aspects of the information and communication component of internal control as they affect the services provided to user entities are discussed
within the General Computer control section.
10
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
DESCRIPTION OF THE SERVICE ORGANIZATION’S SYSTEM
GENERAL COMPUTER CONTROLS
Development and Implementation of New Applications and Systems
The ACCESS staff does not perform system development activities. Instead, the ACCESS utilizes the software developed and supplied by the
State Software Development Team (SSDT), located at the Northwest Ohio Computer Association (NWOCA), another ITC of the OECN. The ODE
determines the scope of software development for state-supported systems. Tactical means of accomplishing software development priorities are
determined by the Software Advisory Committee (SAC), which consists of members from the Management Council of the OECN (MCOECN), the
Ohio Association of School Business Officials (OASBO), the ODE and the SSDT. The SAC meets four times per year to discuss the status of
proposed and ongoing projects.
Changes to Existing Applications and Systems
End-users participate in the program development/change process via the Software Performance Report/Request (SPR) tracking procedure,
which is maintained by the SSDT. The SPR system utilizes SiteScape Forum, which is used for electronic conferencing, to accept and discuss
proposed software enhancements in a public forum. Each major software package (USAS, USPS and SAAS/EIS) has its own public and ITC
forum which is monitored by the SSDT system analysts. All OECN ITCs and a majority of user entities have access to forum conferences,
providing end-user participation in the program development/change process.
The ACCESS personnel do not perform program maintenance activities. Instead, they utilize the applications supplied to them by the SSDT. The
OECN requires the ITC to keep the version of each application current based on the provider’s standard for continued support. Procedures are in
place to ensure the SSDT developed applications are used as distributed. Upon notification of their availability from SSDT, ITCs obtain quarterly
updates by downloading zipped files from the SSDT’s download site. The source code is not distributed with these files. Release notes, which
explain the changes, enhancements and problems corrected, are provided via the SSDT website. User and system manager manuals are also
made available via the SSDT website with these releases. The SSDT informs the ITCs that they will support only the latest release of the state
software beginning 30 days following the software release date.
The ACCESS uses a software utility called OECN_INSTALL to unpack these zipped files and install each individual package into its proper OECN
directory. The OECN_INSTALL utility has two options which will either install the new release on the system or install a patch for the current
release. This utility ensures that all required components are installed properly and consistently.
Only vendor-supplied changes are made to the operating system or system software documentation. As a participating member of the MCOECN,
an ITC can enter into a cooperative agreement, “Campuswide Software License Grant (CSLG) and Education Software Library (ESL) Program”,
through the MCOECN, for acquiring and/or providing software maintenance services for a limited series of Hewlett Packard (HP), and other
supplier’s, software packages as approved by the MCOECN board of trustees.
The services acquired and/or provided by the MCOECN under the agreement include the following:

Provide for the acquisition and distribution of software media to the participating ITCs for a limited series of HP software packages as
approved by the board of trustees of the MCOECN.
11
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
DESCRIPTION OF THE SERVICE ORGANIZATION’S SYSTEM

Provide telephone technical support to the participant’s technical staff for a limited series of HP software packages approved by the
board of trustees of the MCOECN.

Track and maintain an accurate listing of all HP hardware and software covered under the agreement.

Provide and maintain support on one (1) license of Process Software’s Multinet TCP/IP stack for each system registered under this
program.
As a participating member of the MCOECN program, the participating ITCs agree to the following:

Maintain its status as a member in good standing of the MCOECN as a qualification for participating in (or continuing to participate in)
this program.

Read, sign, and comply with the rules and regulations of the CSLG Program as operated by the MCOECN.

Provide unrestricted privileged access to all computer systems covered under the agreement for the purposes of identifying and/or
correcting problems, distributing software, or assuring licensing compliance.

Provide HP or MCOECN representatives, upon prior written notice, with physical access to computer facilities at reasonable times
during normal business hours to inspect sites and system records for compliance with the terms of the CSLG and ESL Programs.

Make payments to MCOECN for services under the agreement within 30 days of the receipt of an invoice for said services.
Before new releases are installed at the ACCESS, a backup of the application or operating system affected by the change is prepared to ensure
retention of the existing application or operating system in case of an error stemming from the upgrade process.
Documentation for the current version of the OpenVMS operating system and new releases are provided on the HP web site. New releases
include documented changes to the operating system and implementation procedures. Current release documentation is maintained by the LAN
manager at the ACCESS.
IT Security
The ACCESS has instituted an acceptable use policy which outlines the acceptable use guidelines for the ACCESS network. It also includes a
security policy which defines procedures for granting access to data and security guidelines for reducing the risk of unauthorized access.
The ACCESS provides user accounts for both staff and students. User entities are responsible for their own account management. Individuals at
the entities that have the OECN_STUACC identifier can create and delete staff and teacher accounts. In addition they can disable student
accounts. Student accounts are automatically built on a daily basis from information in the student services package. Teacher accounts are built
upon the generation of an e-mail request from a designated individual within the user entity. Confirmation of the account is automatically
generated via e-mail. Access to the financial applications may only be requested by the treasurer and/or superintendent for each user entity and
12
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
DESCRIPTION OF THE SERVICE ORGANIZATION’S SYSTEM
the capability to establish accounts with access to the financial applications is restricted to ACCESS staff. The ACCESS agreement states the
most current acceptable use policy, as duly adopted by the ACCESS board of directors, is considered to be part of the user agreement.
The ACCESS developed a computer release form for suggested use by their user entities. The form lists the user entity, user, and applications,
as well as the rules and regulations for non-student user accounts. The user entities are responsible for maintaining the signed forms. The policy
stipulates that each user on the system should have a personal sign-on and a unique UIC with a unique group number for each user entity. It is
the responsibility of the user to protect his password. The students are put in a separate group from the staff of the user entity. In addition to the
security policy, the ACCESS uses banner screens that are displayed when a user logs on to the system. The screen informs the user that
unauthorized access of the system is prohibited and individuals using this computer system are subject to having their activities monitored by the
ACCESS personnel.
Student and teacher accounts are initially established with a randomly generated password. Forgotten passwords can be reset by an e-mail
request from the designated user at the entity. Password minimum length and expiration intervals have been established for user accounts. Staff
accounts, which normally have higher privileges, have a shorter expiration interval than student and teacher accounts. Passwords may be
changed by the user/owner by sending an e-mail message from Internet Message Access Protocol (IMAP), Post Office Protocol (POP3) client, or
PMDF mail, if available to the user (not available to teachers and students).
IMAP is the protocol used by Mulberry which is a front-end application to the e-mail service on the Alpha. Users sign-on to Mulberry to retrieve
their e-mail, though most email has been moved to an exchange server. IMAP retrieves the e-mail messages and leaves the e-mail on the server.
Thus, users can access their e-mail from any computer in the entity. POP3 is a protocol used by Netscape, Internet Explorer, etc. POP3 retrieves
the e-mail and downloads the e-mail message to the computers. This protocol is used mainly by users who retrieve e-mail from home. Users may
also use a web-based application to retrieve e-mail from the server. ACCESS has completed its implementation of Microsoft Exchange for all staff
and teacher accounts. Student email accounts are implemented through Microsoft’s Live@EDU service offering.
ACCESS confirms user accounts at least once a year by sending a list of all users and their privileges to the superintendent, treasurer, and
technology coordinator of each user entity. They are requested to check it carefully to ensure the access is appropriate. In addition, monthly
reports are available for user entities to review information related to user access. These reports include the following:




Listing of all staff accounts.
Listing of all teacher accounts.
Listing of users who have not accessed their accounts in 90 days.
Listing of users who have never accessed their accounts.



Listing of users with the STUACC identifier.
Listing of users with access to USAS and USPS.
Listing of users with access to the student services package.
A termination policy has been adopted which outlines the steps necessary to secure the system upon the termination of an employee of ACCESS
or an employee of one of the user entities.
Security alarm messages are sent to an operator terminal that has been enabled to receive security event messages. Security audit messages
are sent to the audit log file; alarms are sent to the operator log file. Access to the operator log and audit log is limited to data processing
personnel. Critical events are reported as both alarms and audits; less critical events can be written to a log file for later examination. The
following security alarms and/or security audits have been enabled through OpenVMS to monitor any security violations on the ACCESS system:
13
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
DESCRIPTION OF THE SERVICE ORGANIZATION’S SYSTEM
ACL:
Gives file owners the option to selectively alarm certain files and events. Read, write, execute, delete, or control modes
can be audited.
AUDIT:
Enabled by default to produce a record of when other security alarms were enabled or disabled.
BREAK-IN:
Produces a record of break-in attempts. The DIALUP, LOCAL, REMOTE, NETWORK, and DETACHED break-in types
can be monitored.
LOGFAILURE:
Provides a record of logon failures. The BATCH, DIALUP, LOCAL, REMOTE, NETWORK, SUBPROCESS and
DETACHED logon failure types can be monitored.
A batch processed, command procedure executes each night to extract security violations from the audit log and creates summary and detail
reports. These reports, also called security monitor reports, are e-mailed to the executive director and the LAN manager and are reviewed daily.
If an event is deemed suspicious, it is investigated further to determine the exact nature of the event and the corrective action needed.
The ACCESS utilizes IronPort and Sophos Anti-Virus software on the MailMarshal server to scan all inbound and outbound e-mail. If a virus is
found, the e-mail is quarantined and discarded from the e-mail recipient’s mailbox. MailMarshal also scans and isolates SPAM. The Iron Port
anti-spam software, housed at NWOCA, removes SPAM originating from e-mail servers known to be used by global senders of SPAM and does
not pass the SPAM on to ACCESS.
Primary logical access control to the HP computers is provided by security provisions of the OpenVMS operating system. This includes access to
data, programs and system utilities. When a user logs in to use OpenVMS interactively, or when a batch or network job starts, OpenVMS creates
a process which includes the identity of the user. OpenVMS manages access to the process information using its authorization data and internal
security mechanisms.
A proxy login enables a user logged in at a remote node to be logged in automatically to a specific account at the local node, without having to
supply any access control information. A proxy login differs from an interactive login because an interactive login requires a user to supply a user
name and password before the user can perform any interactive operations. The ACCESS utilizes proxy logins.
The User Identification Codes (UIC) are individually assigned to all accounts. UIC based protection controls access to objects such as files,
directories, and volumes.
Certain limited access accounts require a less restrictive environment than captive accounts. Accounts, under which network objects run, for
example, require temporary access to DCL. Such accounts are set up as restricted accounts, not captive accounts. User accounts are set with
the RESTRICTED flag instead of the CAPTIVE flag if they need to use network applications like MAIL or network proxy accounts. The
RESTRICTED and CAPTIVE flags are typically not used for administrative accounts (treasurers and some staff) because access to the DCL
prompt is necessary for them to perform some operations. However all other users, such as teachers and students, are assigned the
RESTRICTED and CAPTIVE flags respectively. If both flags are assigned and the RESTRICTED flag is assigned first, the RESTRICTED flag will
allow access to MAIL, and since the CAPTIVE flag is also assigned, the use of the SPAWN command to gain access to the DCL prompt is
prohibited. Students and teachers are also not allowed interactive access, so they may only check e-mail via IMAP/POP3.
14
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
DESCRIPTION OF THE SERVICE ORGANIZATION’S SYSTEM
The system forces users, who use the various software packages, to change their passwords on a periodic basis. The DEFAULT account
password lifetime and password length fields have been set according to the standards established by ACCESS. Passwords are set to expire
when a new user identification code is issued or when a user has forgotten his password. This parameter requires the user to change his
password during the first logon procedure.
The operating system has system parameters, which when set appropriately control and monitor sign-on attempts. There are parameters in place
to control certain aspects of the sign-on procedure, which include the following:

The terminal name is part of the association string for the terminal mode of break-in detection.


The user is restricted on the length of time they have to correctly enter a password on a terminal on which the system password is in
effect.
The number of times a user can try to log in over a phone line or network connection. Once the specified number of attempts has been
made without success, the user loses the carrier.

The length of time allowed between login retry attempts after each login failure.

The length of time a user terminal, or node, is permitted to attempt a logon before the system assumes that a break-in attempt is occurring
and evasive action is taken.

The period for which evasive action is taken is variable and will grow as further logon failures are detected from the suspect source.

The number of retry attempts allowed for users attempting to logon before evasive action consists of refusing to allow any logons during a
designated period of time.
System parameter standards have been established through the use of HP established defaults. Any changes are logged and reviewed by the
LAN manager.
A timeout program, HITMAN, is used to monitor terminal inactivity and log-off inactive users after a predetermined period of time of non-use. The
use of this program helps to reduce the risk of an unattended terminal being used to enter unauthorized transactions. Also, timeout programs aid
in efficient use of system resources by maintaining connectivity with only active system users.
Associated with each object recognized by OpenVMS may be an Access Control List (ACL). When an access request is made to an object, ACLs
are always checked first. An ACL may either grant or deny access to the user requesting the object. When an ACL fails to specifically grant
access, the system then defaults to UIC-based protection.
The system directory contains security files that control the security parameters for the system. When a user attempts to gain access to an object,
such as a file or directory, the system compares the user’s UIC to the owner's UIC for that object. In UIC-based protection, the relationship
between the user’s UIC and the object’s UIC determines whether access is granted. Owner relationships are divided into four categories:
15
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
DESCRIPTION OF THE SERVICE ORGANIZATION’S SYSTEM
SYSTEM:
Any of the following: (1) Users with a UIC group number between 1 and the SYSGEN parameter for MAXSYSGROUP. (2)
Users with system privileges (SYSPRV). (3) Users with group privileges (GRPPRV) whose UIC group number matches the
UIC group number on the object. (4) Users whose UIC matches the owner UIC of the volume on which the file is located.
OWNER:
Users with the same UIC as the object’s owner.
GROUP:
Users with the same UIC group number as the object's owner.
WORLD:
All users, including those in SYSTEM, OWNER, and GROUP.
Through the protection code, each category of users can be allowed or denied read, write, execute, and delete access. The default file protection
is for (1) SYSTEM having read, write, execute, and delete capabilities; (2) OWNER having read, write, execute and delete capabilities; (3) GROUP
having read and execute capabilities; and (4) WORLD having no access capabilities.
Certain privileges can override all UIC-based and ACL protection. OpenVMS analyzes privileges included in the user authorization file (UAF)
record for each user and places the user in one of seven categories depending on which privileges have been granted to the user. Default
privileges are those authorized privileges that are automatically granted at login. If an authorized privilege is not a default privilege, it will not
automatically be effective at login, and must be enabled or disabled by the user. All user entity personnel have NORMAL privileges.
The write and delete access capabilities are not activated for WORLD access to the files in the system directory. The UIC associated with each of
these files is within the MAXSYSGROUP number.
To limit access to security files, the ACCESS has limited WORLD access for the user authorization file, which contains account information to
identify which users are allowed access to accounts on the system; the proxy file, which contains proxy account information to identify which
remote users are allowed access to proxy accounts on the system; and the rights file, which contains names of the reserved system identifiers and
identifiers for each user.
Access to the OECN software packages is controlled at the ITC level by a security mechanism called the OECN Security Authorization (OSA)
utility. Access to specific packages is provided by granting the appropriate OpenVMS identifiers to authorized users. Each application package
has a set of unique identifiers that permit access to programs. In addition to the standard identifiers for each package, a pass through identifier
can be used to further customize access. OSA is used in conjunction with the OECN menu processor utility thus allowing the users to see only
the items they are authorized to execute. UIC-based protection prevents WORLD write or delete access to the USAS, USPS and SAAS/EIS
application data files.
User entities have been set up with sub-networks, which have addresses not recognizable to the Internet. This private address space is only
recognizable within the ACCESS network and comprises ACCESS’s private internal network. A Cisco ASA (Adaptive Security Appliance) firewall
and additional routing devices deny all outbound traffic requests originating from the sub-network. Instead, the requests are routed to proxy
servers which serve to filter all Internet access. The Internet filter service retrieves requests from the Internet for the typical user. Permission to
bypass the proxy server requires management authorization. The Cisco ASA firewall and routing devices prevent all outside connections from
accessing inside hosts or servers, unless the IP address originated from inside the network.
16
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
DESCRIPTION OF THE SERVICE ORGANIZATION’S SYSTEM
Remote access to the network is restricted using a virtual private network (VPN). A VPN account is required in order to access the ACCESS
network remotely.
Once a VPN account has been established, users can connect through either a VPN client or through an SSL (secure sockets layer) VPN
connection, also called “clientless VPNs”. In both cases the account must pass through the Cisco ASA firewall which provides encryption of VPN
connections or allows for SSL VPN before reaching access to control servers.
Authentication of the VPN session occurs at the Cisco ASA firewall through ACCESS’ Microsoft Active Directory database when connecting
through an SSL VPN connection.
The entry doors to the building where ACCESS is located are locked and a building alarm is set during non-business hours. The main entrance to
ACCESS is staffed during business hours.
In November of 2009, ACCESS moved its data center to a hosting center located in Youngstown. This hosting center provides carrier-class
protection for ACCESS’ equipment and services, as follows:



Redundant power protection, including line power and UPS power, with UPS power being protected by a diesel generator.
State-of-the-art environmental controls and fire protection.
Individually coded key cards, biometric scanning, and tight physical security for access to equipment.
IT Operations
Traditional computer operations procedures are minimal since user entity personnel initiate all application jobs and are primarily responsible for
ensuring the timeliness and completeness of processing. All ACCESS employees have a procedure manual available, which provides directions
and guidelines for most of the operational functions performed. They also have access to operations procedure manuals for the Alpha system. In
addition, ACCESS employees have access to the OECN SiteScape Forum, which is a bulletin board that allows the ACCESS employees to
communicate with users across the state.
User problems that require the ACCESS staff to change data require the user to submit the request via the MCOECN Helpdesk system or e-mail.
In addition, the user entities have the option of printing an AUDIT report that shows activity changes to their data files.
Individual user entities are responsible for running their own regular reports which are batch processes. Batch processes are initiated and
completed by the individual user entities.
Certain routine jobs are initiated for system maintenance. ACCESS is responsible for operational maintenance tasks, such as system backups,
file rebuilds, log reports, and other maintenance directed at the whole system. They use an automated application called DECScheduler which
schedules and performs these tasks. DECScheduler is a program that continually submits jobs on the Alpha system.
Hard copies of the console log are not printed. The console log is maintained online and is backed up daily. There is a section in the system
operation manual listing all console messages, their meaning, and action required. The files can be analyzed for occurrences of specific incidents.
The files are not routinely printed or reviewed, but instead are used only to research problems.
17
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
DESCRIPTION OF THE SERVICE ORGANIZATION’S SYSTEM
The ACCESS data processing equipment is maintained at a secure, environmentally controlled location approximately five miles from the
ACCESS offices.
ACCESS staff maintains a listing of individuals to contact in the event of complications with the hardware environment. The operating system
monitors the hardware environment and reports all hardware malfunctions automatically through the console. The hardware error logs are
reviewed by the LAN manager and service calls are placed to the appropriate vendor when necessary.
ACCESS has a hardware maintenance agreement with Service Express that is paid quarterly. The coverage of the equipment includes a
response time of four hours.
In addition, network and Internet traffic is monitored on a regular basis. The tools used to monitor traffic on the router and firewalls are typically
used for trouble shooting purposes only. What’s Up Gold is utilized to monitor interfaces and offers a number of tools that will compile
performance data which is available to the WAN administrator. The Cisco ASA Firewall and the PRTG Network Monitor also allows for monitoring
of bandwidth to and from the Internet.
The ACCESS maintains documented backup procedures and schedules to guide staff in backing up programs and data. The written backup
procedures include the frequency of tape backups, the rotation schedule and the retention period. Data processing and the Data Protector Tape
Library backups are performed at the hosting site. Full system backups are performed on the first Friday of each month and are stored at the
ACCESS offices. Daily incremental backups of the ALPHA are created and stored at the State DR site in Columbus. The first full Friday tape
backups of the month are maintained for one year. Full backups from Friday for the current month (except the first full Friday of the month) are
maintained at the ACCESS office for one month. An annual fiscal backup is kept off site at Chase bank in Canfield and is maintained indefinitely.
All system and program documentation is stored electronically and is subject to the same back-up procedures as the other data files.
ACCESS’s data processing equipment is covered under an insurance policy.
18
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
DESCRIPTION OF THE SERVICE ORGANIZATION’S SYSTEM
COMPLEMENTARY USER ENTITY CONTROLS
The applications were designed with the assumption that certain controls would be implemented by user entities. This section describes additional
controls that should be in operation at the user entities to complement the controls at the ITC. User auditors should consider whether the following
controls have been placed in operation at the user entity:
General Computer Control Procedures
1. User entities should have controls over their own web applications, which access data stored at the ITC to ensure only thoroughly tested
and authorized web applications are implemented.
2. User entity management should have practices to ensure users are aware of the confidential nature of passwords and the precautions
necessary to maintain their confidentiality.
3. User entity management should immediately request the ITC to revoke the access privileges of user entity personnel when they leave or
are otherwise terminated.
4. User entity management should retain signed copies of the computer release form for their user accounts.
5. User entity personnel should respond to account confirmation requests from their ITC.
6. User entities should have documented acceptable use policies to define the activities deemed appropriate for use of the Internet. Internet
users should be required to accept the terms of the policy before access is provided.
7. User entity management should utilize the monthly reports generated by the ITC to manage their user accounts.
8. User entity technical staff should respond to requests for confirmation of firewall conduit statements from their ITC.
9. Access privileges should only be issued to authorized users who need access to computer resources to perform their job function.
10. PCs and terminals should be protected against damage or misuse by having separate areas, either independent rooms or sections of
rooms that restrict access to only authorized individuals.
11. Communication lines, junctions and modems should be secured in an area that restricts access to only authorized individuals.
12. User entities should retain source documents for an adequate period to ensure data can be re-entered in the event that data files are
destroyed prior to being backed up and rotated off-site.
13. User entities should establish and enforce a formal data retention schedule with their ITC for the various application data files.
19
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
DESCRIPTION OF THE SERVICE ORGANIZATION’S SYSTEM
The complementary user entity control considerations presented above do not represent a comprehensive set of all the controls that should be
employed by user entities. Other controls may be required at the user entity.
20
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
TESTS OF OPERATING EFFECTIVENESS
SECTION 4 - INDEPENDENT SERVICE AUDITOR'S DESCRIPTION OF TESTS OF CONTROLS AND
RESULTS
This section is intended to provide interested parties with information sufficient to obtain an understanding of those aspects of the Area
Cooperative Computerized Educational Service System (ACCESS)’s internal control that may be relevant to user entity's internal control, and
reduce the assessed level of control risk below the maximum for certain financial statement assertions.
The broad objectives of data processing controls should be achieved by a combination of the procedures that are employed in various segments
of the transaction processing system, for example procedures performed at the Area Cooperative Computerized Educational Service System
(ACCESS) and procedures performed at user entities that utilize the Area Cooperative Computerized Educational Service System (ACCESS).
For each of the control objectives listed below, only those controls which contribute to the attainment of the related control objective are described
and were tested.
21
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
TESTS OF OPERATING EFFECTIVENESS
GENERAL COMPUTER CONTROLS PLACED IN OPERATION AND TESTS OF OPERATING EFFECTIVENESS
Changes to Existing Applications and Systems
Changes to Existing Applications and Systems - Control Objective:
Change Requests - Management should be involved in monitoring changes/upgrades to existing applications or systems to
ensure they operate as needed.
Control Procedures:
Test Descriptions:
Test Results:
In order to maintain continued support of their
application software provided by SSDT, ITCs
are required to install new releases within 30
days of the software release date.
A cyclical redundancy check (CRC) of the
USAS, USPS and SAAS/EIS object files at
ACCESS was compared to the CRCs of the
object files at NWOCA.
No exceptions noted.
The SSDT distributes release notes
explaining the changes, enhancements and
problems corrected. Updated user and
system manuals for the applications are also
made available.
Inspected the release notes and updated
manuals for the most recent releases.
No exceptions noted.
Documentation for the current version of the
operating system and new releases are
provided on the HP web site.
Inspected the online manuals for the operating
system at the HP web site.
No exceptions noted.
Control
Objective Has
Been Met
IT Security
IT Security - Control Objective:
Security Management - Management should ensure the implementation of access control policies, which are based on the
level of risk arising from access to programs and data.
Control Procedures:
Test Descriptions:
Test Results:
The ACCESS has established an acceptable
use policy to outline management's policies
regarding computer security and access.
Inspected the acceptable use policy to confirm
user responsibilities are documented.
No exceptions noted.
Authorization from ACCESS management is
required before setting up an account for
ACCESS staff members.
Confirmed a signed Access Computer Release
form was on file for all current ACCESS
employees.
No exceptions noted.
Control
Objective Has
Been Met
22
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
TESTS OF OPERATING EFFECTIVENESS
IT Security - Control Objective:
Security Management - Management should ensure the implementation of access control policies, which are based on the
level of risk arising from access to programs and data.
Control
Objective Has
Been Met
Control Procedures:
Test Descriptions:
Test Results:
User access is confirmed annually with user
entity management through a positive
confirmation process. ACCESS tracks the
status of the confirmation and performs any
necessary follow-up communication to
facilitate a response from the user entity.
Inspected the following documentation related
to the confirmation process:
The following user entities did not respond to
the most recent positive confirmation
request:
In addition, a variety of reports are
automatically generated each month to assist
the user entities in management of their
accounts.







Columbiana Exempted Village SD
Mollie Kessler
Sebring Local SD
Struthers City SD
United Local SD
Inspected the following documentation related
to the monthly generation of user entity access
reports:


Detection control alarms are enabled through
OpenVMS to track security related events,
such as break-in attempts and excessive
login failures. The events are logged to audit
journals for monitoring of potential security
violations.
Communication between the ACCESS
and their user entities.
Directory listing that shows the date and
time each user entity completed the
verification.
Command procedure used to generate the
monthly user entity reports.
DECScheduler job parameters for the
monthly user entity reports.
Inspected the enabled security alarms and
audits.
No exceptions noted.
23
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
TESTS OF OPERATING EFFECTIVENESS
IT Security - Control Objective:
Security Management - Management should ensure the implementation of access control policies, which are based on the
level of risk arising from access to programs and data.
Control Procedures:
Test Descriptions:
Test Results:
A command procedure executes each night to
extract security violations from the audit log
and create summary and detail reports called
the security monitor report.
Inspected the following information related to
the security monitor report to confirm these
reports are produced and available for review
daily:
No exceptions noted.
The security monitor report is generated daily
and is e-mailed to the executive director and
LAN manager.



Control
Objective Has
Been Met
DECScheduler job parameters for the
security monitor report.
Example of a security monitor report.
Command procedure used to generate the
report.
Independently confirmed with the process for
review of the security monitor report with the
executive director and LAN manager.
Anti-virus software runs on the MailMarshal
server. Definitions are updated automatically
and infected items are quarantined to help
prevent and detect computer viruses.
Inspected the following information, relating to
the Sophos anti-virus software, to confirm antivirus software is actively scanning for viruses:



No exceptions noted.
NetIQ MailMarshall Configurator for virus
scanners policy elements.
NetIQ MailMarshal Configurator for
inbound anti-virus e-mail policy.
Listing of virus detections for 30 days in
May and June 2013.
Inspected the anti-virus update information
from the Sophos event log and anti-virus
settings from the Sophos scheduling screens.
24
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
TESTS OF OPERATING EFFECTIVENESS
IT Security - Control Objective:
System Level Access Controls - Access to the computer system, programs, and data should be appropriately restricted.
Control
Objective Has
Been Met
Control Procedures:
Test Descriptions:
Test Results:
Use of wild card characters in proxy accounts
is restricted to ensure proxy accounts are
specifically defined to prevent blanket access.
Inspected the proxy listing to confirm wild card
characters were not used.
No exceptions noted.
Password parameters are in place to aid in
the authentication of user access to the
production system. Passwords used by
individual profiles are in agreement with the
password policies established by ACCESS.
Extracted information from the user
authorization file to identify:
Ninety-one accounts (4%) out of a population
of 2,535 enabled user accounts had a
password lifetime greater than ACCESS'
standards.
The OECN_RPC logical has been set to
prevent users of the web applications from
logging in with expired passwords.
Log-in parameters have been set to control
and monitor sign-on attempts.
 User accounts with a password minimum
length less than ACCESS’ standards.
 User accounts with a password lifetime
greater than ACCESS’ standards.
Inspected the above exception reports to
identify relevant exceptions. Inquired with the
LAN manager regarding the appropriateness
of the listed accounts.
These accounts consisted of system and
application accounts, library accounts,
inquiry only accounts (for prior year fiscal
data), and training accounts.
There were no user accounts with a
password lifetime greater than ACCESS'
standards.
Inquired with the LAN manager regarding the
status of the OECN_RPC logical to determine
whether the VMS process has been set to
prevent logins with expired passwords.
Web-application only users are not subject to
password expiration parameters.
Inspected the log-in parameter settings.
No exceptions noted.
No other exceptions noted.
25
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
TESTS OF OPERATING EFFECTIVENESS
IT Security - Control Objective:
System Level Access Controls - Access to the computer system, programs, and data should be appropriately restricted.
Control
Objective Has
Been Met
Control Procedures:
Test Descriptions:
Test Results:
A program, HITMAN, constantly monitors
terminal activity and logs off inactive users.
The program is part of the startup command
ensuring the program is consistently executed
at startup.
Inspected the HITMAN parameters (prime and
non-prime) to confirm they were set to
automatically logoff inactive users.
Several images for check and purchase
order processing have been excluded from
termination. The only terminal protected is
the operator’s terminal.
Inspected the startup file to confirm the
HITMAN utility is part of the startup
procedures.
Fifteen accounts have been excluded from
termination. They consist of the following:






ACCESS postmaster account (1).
ACCESS employee accounts (8).
System/process automated accounts (2)
OECN Accounts (2).
Student application administrative
account (1).
Treasurer account (1). This account
belongs to a retired treasurer who
provides consulting services to other
school districts. The account was
subsequently removed from the HITMAN
protection list.
No other exceptions noted.
A timeout parameter provided through the
OECN web access menu system logs off
users after a period of inactivity.
Inspected the OECN web terminal log off
parameters for the audit significant
applications to confirm OME-RESA is
automatically logging off inactive web
application users.
No exceptions noted.
Access to production programs and data files
is properly restricted.
Identified and inspected production data files
with WORLD access and executables files
with WORLD write and/or delete access.
Identified and inspected user entity directory
files with ACLs.
No exceptions noted.
26
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
TESTS OF OPERATING EFFECTIVENESS
IT Security - Control Objective:
System Level Access Controls - Access to the computer system, programs, and data should be appropriately restricted.
Control Procedures:
Test Descriptions:
Test Results:
A private internal network and firewall are
used to control Internet traffic and maintain a
logical segregation between user entities.
Open ports to the production server are
limited.
Inspected the network diagram to confirm
components of the network that control
Internet access.
No exceptions noted.
Control
Objective Has
Been Met
Inspected the firewall configuration to confirm
Internet traffic is restricted through the firewall.
In addition, confirmed the existence of a
private internal network.
Identified the firewall statements for the
production server and inquired with the WAN
manager regarding each port open to the
production server.
Network documentation is sufficient to
support implementation of firewall security
access rules. On an annual basis, user
entities are asked to confirm static mapping
for all addresses to equipment not located onsite at the ACCESS.
In addition, the WAN administrator documents
the IP address of each user entity directly on
the firewall configuration.
The confirmation must be authorized by the
entity superintendent or the superintendent’s
designee.
Remote access to the network is restricted
using a virtual private network (VPN). A VPN
account is required in order to access the
ACCESS network remotely.
Reviewed the firewall configuration, including
the access (conduit) list. Confirmed user entity
names are included with all IP addresses on
the firewall configuration access list.
No exceptions noted.
Reviewed all of the access statements in the
firewall that refer to equipment not managed
by ACCESS.
Inspected the conduit confirmation checklist to
ensure all user entities responded to the
request for confirmation of conduits.
Observed the WAN administrator attempt to
VPN into the ACCESS network using an
unauthorized username and password.
Subsequently observed the WAN administrator
attempt to access the network using the
correct username and password.
No exceptions noted.
27
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
TESTS OF OPERATING EFFECTIVENESS
IT Security - Control Objective:
Application Level Access Controls - Access to particular functions within applications (e.g., approving payment of
vendors) should be appropriately restricted to ensure the segregation of duties and prevent unauthorized activity.
Control Procedures:
Test Descriptions:
Test Results:
Users are restricted to predefined logical
access identifiers that grant varying access
privileges based on requests from user entity
management.
Extracted a listing of all identifiers from the
user authorization file for evidence of the use
of identifiers to segregate access to the
applications.
No exceptions noted.
Control
Objective Has
Been Met
Inquired with the LAN manager regarding the
OSA utility and the process used to assign
application identifiers.
User accounts with the OECN_STUACC
identifier, that is used to create and delete
staff and teacher accounts as well as disable
student accounts, are confirmed with user
entity management on an annual basis.
Extracted accounts from the user authorization
file that were assigned the OECN_STUACC
identifier.
The following user entities did not respond to
the most recent positive confirmation
request:
Inspected the list of accounts and the
superintendent authorizations to confirm all
access was appropriately approved.





Columbiana Exempted Village SD
Mollie Kessler
Sebring Local SD
Struthers City SD
United Local SD
IT Security - Control Objective:
System Software and Utilities Access Controls - Use of master passwords, powerful utilities and system manager
facilities should be adequately controlled.
Control Procedures:
Test Descriptions:
Test Results:
The OECN_SYSMAN identifier that grants all
access privileges for all state developed
applications is restricted to authorized ITC
personnel.
Extracted accounts from the user authorization
file that were assigned the OECN_SYSMAN
identifier. Inspected the list of accounts.
No exceptions noted.
Control
Objective Has
Been Met
Confirmed the appropriateness of the listed
accounts with the LAN manager.
WORLD access to “key” system and security
files is restricted.
Inspected the system file directory listings for
WORLD write or delete access.
No exceptions noted.
Inspected the file protection masks on the
security files.
28
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
TESTS OF OPERATING EFFECTIVENESS
IT Security - Control Objective:
System Software and Utilities Access Controls - Use of master passwords, powerful utilities and system manager
facilities should be adequately controlled.
Control Procedures:
Test Descriptions:
Test Results:
System level UICs are restricted to authorized
personnel as determined by ACCESS
management.
Identified the MAXSYSGROUP value.
No exceptions noted.
UICs belonging to the system group are
determined by the parameter value for
MAXSYSGROUP. UICs less than the
MAXSYSGROUP value have system level
privileges.
Control
Objective Has
Been Met
Extracted accounts from the user authorization
file to identify accounts with a UIC less than
the MAXSYSGROUP value.
Confirmed the appropriateness of the listed
accounts with the LAN manager.
Accounts on the system with elevated
privileges, defined as those accounts having
more than the minimum privileges to use the
system or participate in groups, is limited to
authorized personnel as determined by
ACCESS management.
Extracted accounts from the user authorization
file to identify accounts with elevated
privileges.
Use of an alternate user authorization file is
not permitted.
Inspected the value of the alternate user
authorization file parameter to determine
whether an alternate file is permitted.
No exceptions noted.
Inspected the listed accounts and inquired with
the LAN manager regarding the
appropriateness of the listed accounts.
No exceptions noted.
Inspected the system directory listings to
determine if an alternate user authorization file
existed.
Remote access to the firewall configuration
used to control Internet access is restricted
through password protection.
Inspected the firewall configuration to confirm
passwords were enabled.
No exceptions noted.
Observed the WAN administrator log into the
firewall to confirm a password is required to
access the firewall.
29
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
TESTS OF OPERATING EFFECTIVENESS
IT Security - Control Objective:
Physical Security - Computer facilities and data should have appropriate physical access restrictions and be properly
protected from environmental dangers.
Control Procedures:
Test Descriptions:
Test Results:
The ACCESS uses an off-site hosting center
for their data center. Physical access to the
off-site computer facility and its contents is
restricted to authorized personnel and
includes the following access controls:
Visited the offsite computer facility to observe
the listed controls.
No exceptions noted.



Control
Objective Has
Been Met
Independently inquired with the LAN manager
and the facility technician regarding the
building security procedures.
Redundant power protection, including
line power and UPS power, with UPS
power being protected by diesel
generator.
Environmental controls and fire
protection.
Individually coded key cards, biometric
scanning, and tight physical security for
access to equipment.
IT Operations
IT Operations - Control Objective:
System Administration and Maintenance - Appropriate procedures should be established to ensure that the system is
properly maintained and monitored.
Control Procedures:
Test Descriptions:
Test Results:
The ACCESS performs certain routine jobs
for system maintenance through a scheduling
program called DECScheduler.
Inspected the DECScheduler listing of jobs.
No exceptions noted.
Control
Objective Has
Been Met
Inspected the OpenVMS system startup
printout to confirm DECScheduler is initialized
during the startup of the system.
30
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
TESTS OF OPERATING EFFECTIVENESS
IT Operations - Control Objective:
System Administration and Maintenance - Appropriate procedures should be established to ensure that the system is
properly maintained and monitored.
Control Procedures:
Test Descriptions:
Test Results:
Requests for changes to user entity data must
be in writing. All changes are documented
and an e-mail is sent to the user explaining
the changes made. The change
documentation is retained by the fiscal
services liaison and includes the following:
Inspected the change documentation files for
each user entity. Inquired with the ACCESS
fiscal services liaison regarding the procedures
for changing user data.
No exceptions noted.
Reports are available for monitoring of
network performance by the WAN
administrator.
Inspected an example of performance reports
used by the WAN administrator to monitor
Internet and network traffic use.
No exceptions noted.
A service agreement with Service Express
covers maintenance and failures of the
computer hardware.
Inspected the Service Express Hardware
Service Agreement for services covered and
period of coverage.
No exceptions noted.
Data center equipment is covered by
insurance.
Inspected the insurance policy and payment
documentation for evidence of coverage.
No exceptions noted.
A hosting agreement with Data Recovery
Services, LLC covers housing of ACCESS
data processing hardware.
Inspected the hosting agreement with DRS.
Additionally, inspected the DRS invoices and
payment confirmation for period covered.
No exceptions noted.






Control
Objective Has
Been Met
User entity requesting the change.
Date and time of request.
Problem to be corrected.
ACCESS employee making the change.
Solution used to resolve the problem.
Correspondence between ACCESS and
the user entity outlining how the solution
was achieved. If correspondence is
verbal, screen prints of the change are
maintained.
31
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
TESTS OF OPERATING EFFECTIVENESS
IT Operations - Control Objective:
Backup - Up-to-date backups of programs and data should be available in emergencies.
Control
Objective Has
Been Met
Control Procedures:
Test Descriptions:
Test Results:
Written procedures document instructions for
performing backups and for the proper
storage of backup tapes at both the on- and
off-site storage locations.
Inspected the documented backup procedures
to confirm procedures are available.
No exceptions noted.
Inspected the backup selections used to
perform the monthly backup to tape for the
Alpha.
Inspected the OECN Technology Solutions
Group daily incremental backup settings for
the Alpha to confirm the commands are
scheduled to run daily according to the
documented backup procedures.
Inspected an example of the daily backup
confirmations.
Backup tapes are stored in secure on- and
off-site locations and are rotated regularly.
Inspected the documented backup procedures
to confirm the frequency of the rotation of
backup tapes off-site.
No exceptions noted.
Inspected the off-site storage facility with the
LAN manager and confirmed the off-site
backup tapes agreed to the retention schedule
for off-site tape storage.
Inspected the on-site storage facility and
confirmed backup tapes were loaded in the
Alpha server.
32
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
OTHER INFORMATION - UNAUDITED
SECTION 5 - OTHER INFORMATION PROVIDED BY THE SERVICE ORGANIZATION
INFORMATION TECHNOLOGY CENTER PROFILE
OHIO EDUCATION COMPUTER NETWORK
SITE DATA
Name:
Number:
Node Name:
Area Cooperative Computerized Educational Service System
(ACCESS)
13
ACCES0
Chairperson:
Dennis Dunham Superintendent
South Range Local Schools
Fiscal Agent:
Mahoning County Educational Service Center
Administrator:
John LaPlante
Executive Director
ACCESS
Address:
100 DeBartolo Place
Suite 222
Boardman, OH 44512
Telephone:
FAX:
330-965-2829
330-965-7901
Web site:
www.access-k12.org
33
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
OTHER INFORMATION - UNAUDITED
OTHER SITE STAFF
Lisa Smith
Thomas Davies
Diane Fabian
Gretchen Martin
Eileen Pakula
Bonnie Manchester
Becky Sabino
Dale Santangelo
Kevin Homistek
Associate Director
Library services liaison
Student services liaison
Student services liaison
Fiscal services liaison
Fiscal services liaison
LAN manager – Linux
LAN manager – Windows
WAN administrator
34
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
OTHER INFORMATION - UNAUDITED
HARDWARE DATA
Central Processors and Peripheral Equipment
CPU Unit 1
Model Number
Installed
Capacity/Density/Speed
CPU:
Alpha Server ES45
Lines/Ports:
8
Memory Installed:
Disk:
Disk:
Disk:
Disk:
Disk:
Disk:
Disk:
Disk:
$1$DGA1
$1$DGA2
$1$DGA3
$1$DGA4
$1$DGA5
$1$DGA6
$1$DGA7
$1$DGA8
Units:
Units:
Units:
Units:
Units:
Units:
Units:
Units:
1
1
1
1
1
1
1
1
Disk Space Available:
Disk Space Available:
Disk Space Available:
Disk Space Available:
Disk Space Available:
Disk Space Available:
Disk Space Available:
Disk Space Available:
Tape Drive
MSL 6030 2 Ult 460 Dr FC Tape
Library
4 GB
31.93GB
192.95GB
44.66GB
27.72GB
29.77GB
36.55GB
31.61GB
58.41GB
35
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
OTHER INFORMATION PROVIDED BY THE SERVICE ORGANIZATION - UNAUDITED
USER ENTITY SITE DATA
IRN
USER ENTITY
COUNTY
046425
Beaver Local SD
050906
USAS
USPS
SAAS/EIS
OTHER*
Columbiana
X
X
X
X
Columbiana Career Center
Columbiana
X
X
X
X
046417
Columbiana County ESC
Columbiana
X
X
X
X
045328
Columbiana Exempted Village SD
Columbiana
X
X
X
X
046433
Crestview Local
Columbiana
X
X
X
X
043919
East Liverpool City SD
Columbiana
X
X
X
X
043927
East Palestine City SD
Columbiana
X
X
X
X
045443
Leetonia Exempted Village SD
Columbiana
X
X
X
X
044735
Salem City SD
Columbiana
X
X
X
X
046458
United Local SD
Columbiana
X
X
X
X
045039
Wellsville Local
Columbiana
X
X
048298
Austintown Local SD
Mahoning
X
X
X
X
048306
Boardman Local SD
Mahoning
X
X
X
X
043703
Campbell City SD
Mahoning
X
X
X
X
048314
Canfield Local SD
Mahoning
X
X
X
X
X
048322
Jackson Milton Local SD
Mahoning
X
X
048330
Lowellville Local SD
Mahoning
X
X
X
X
X
048280
Mahoning County ESC
Mahoning
X
X
X
X
009996
Mahoning County High School
Mahoning
X
X
X
X
051243
Mahoning County JVSD
Mahoning
X
X
X
X
148999
Mahoning County Unlimited Classroom
Mahoning
X
X
X
008251
Mahoning Opportunity Center
Mahoning
X
X
X
143453
Mollie Kessler
Mahoning
X
X
X
048348
Poland Local SD
Mahoning
X
X
X
X
048355
Sebring Local SD
Mahoning
X
X
X
X
048363
South Range Local SD
Mahoning
X
X
X
X
048371
Springfield Local SD
Mahoning
X
X
X
X
36
AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM
OTHER INFORMATION PROVIDED BY THE SERVICE ORGANIZATION - UNAUDITED
USER ENTITY SITE DATA
IRN
USER ENTITY
COUNTY
USAS
USPS
044859
Struthers City SD
Mahoning
X
X
048389
West Branch Local SD
Mahoning
X
X
X
X
048397
Western Reserve Local SD
Mahoning
X
X
X
X
045161
Youngstown City SD
Mahoning
X
X
X
X
134072
Youngstown Community School
Mahoning
X
X
X
X
013083
Biomed Science Academy
Portage
X
TOTALS:
33
SAAS/EIS
OTHER*
X
X
32
26
33
OTHER* - Applications other than USAS, USPS, and SAAS/EIS, used by the user entitiles.
37
This page intentionally left blank. AREA COOPERATIVE COMPUTERIZED EDUCATIONAL SERVICE SYSTEM (ACCESS)
MAHONING COUNTY
CLERK’S CERTIFICATION
This is a true and correct copy of the report which is required to be filed in the Office of the
Auditor of State pursuant to Section 117.26, Revised Code, and which is filed in Columbus, Ohio.
CLERK OF THE BUREAU
CERTIFIED
AUGUST 22, 2013
88 East Broad Street, Fourth Floor, Columbus, Ohio 43215-3506
Phone: 614-466-4514 or 800-282-0370
Fax: 614-466-4490
www.ohioauditor.gov