Summary
Summary
| Report Number: | 2009-011 |
| Report Title: | Department of Corrections - Offender Based Information System (OBIS) - Information Technology Audit |
| Report Period: | 11/2007 - 04/2008 |
| Release Date: | 09/19/2008 |
The Offender Based Information System (OBIS) is maintained by the Department of Corrections (Department) for the joint use of the Department and the Parole Commission. The Department uses OBIS to record data, generate reports, and support its decisions in the daily management of more than 96,000 inmates and 156,000 offenders supervised in the community as of February 2008. The Department relies upon OBIS to track every aspect of an offender’s life cycle, from inmate intake to management during the court-ordered sentence, through post-release supervision. In addition to being used by the Department for internal management, data in OBIS is used by Statewide law enforcement and criminal justice entities to serve public safety. Our audit of OBIS focused on evaluating information technology (IT) controls for the period November 2007 through April 2008.
The results of our audit are summarized below:
Finding No. 1: Certain Department security controls applicable to OBIS needed improvement.
Finding No. 2: Contrary to Section 119.071(5)(a), Florida Statutes, the Department used certain employee social security numbers (SSNs) without specific authorization in law or without having established the imperative need to use the SSN for the performance of its duties and responsibilities as prescribed by law.
Finding No. 3: The Department lacked effective procedures for addressing data exchange errors generated during the upload of inmate data during inmate reception processing.
Finding No. 4: Aspects of the Department’s application controls within OBIS needed improvement. We are not disclosing specific details of the issues in this report.
Finding No. 5: The Department’s information security program needed improvement to document, in a more comprehensive manner, management’s expectations for safeguarding IT resources.
Finding No. 6: Program change controls for OBIS needed improvement.
Finding No. 7: Quality control reviews for application changes and the subsequent moving of program changes to production were performed by staff who were not organizationally independent of the programming staff.
Finding No. 8: The Department had not designated positions of special trust and had not performed adequate background checks, including fingerprinting, of contractors and some employees occupying positions with sensitive IT responsibilities and access privileges.
Finding No. 9: The Department lacked a formal management review process to ensure that inmate gain time adjustments were uniform throughout the Department.
The Secretary's response is included at the end of this report as APPENDIX A.