Summary

Report Number: 2009-208
Report Title: Department of Education - Rehabilitation Information Management System (RIMS) and Accessible Web-Based Activity and Reporting Environment (AWARE)
Report Period: 08/2008 - 11/2008
Release Date: 05/29/2009

The Rehabilitation Information Management System (RIMS) and the Accessible Web-based Activity and Reporting Environment (AWARE) are case management systems used by the Division of Vocational Rehabilitation (DVR) and the Division of Blind Services (DBS), respectively, to manage services for individuals with disabilities through division programs that provide assistance in achieving self-sufficiency. 

Our audit focused on evaluating the effectiveness of selected information technology (IT) controls applicable to RIMS and AWARE for the period August 2008 through November 2008 and selected actions through February 2009. 

The results of our audit are summarized below:

Finding No. 1: The placement of the Chief Information Officer (CIO) within the Department’s organizational structure needed review and the scope of his authority for performing IT duties assigned in State law needed improvement to provide increased oversight of all Department IT functions.

Finding No. 2: The Department, DVR, and DBS had not clearly established the roles and responsibilities of the Department’s Information Security Manager (ISM) and the Division data security administrators.

Finding No. 3: The Department’s security program, including its security policies and procedures, needed improvement.

Finding No. 4: The Department had not prepared security plans and strategies for implementing appropriate cost-effective safeguards to reduce, eliminate, or recover from the identified risks to data, information, and IT resources.

Finding No. 5: Although new employees received security awareness orientation and the Department had security awareness training materials available for all employees, training was not provided on a recurring basis. In addition, the Department did not retain documentation of employee participation in security awareness training activities.

Finding No. 6: The Department did not have a Departmentwide disaster recovery plan that included procedures for annual testing and applied to all critical Department IT resources.

Finding No. 7: The Department did not perform Federal background checks on DVR RIMS application contractors. Department policies contained inconsistent guidance regarding whether contractors could be considered as working in positions of special trust.

Finding No. 8: Security administration procedures needed improvement.

Finding No. 9: Some access capabilities relating to RIMS, AWARE, and the surrounding IT infrastructure did not enforce an appropriate separation of incompatible duties or were excessive.

Finding No. 10: Access privileges, in some instances, were not timely removed or revoked for former employees and contractors.

Finding No. 11: Certain security controls related to DVR and DBS data and IT resources, including RIMS and AWARE, needed improvement, in addition to the matters discussed in Finding Nos. 8 through 10.

Finding No. 12: Contrary to Section 119.071(5)(a)2.a., Florida Statutes, DVR collected and used certain employee social security numbers (SSNs) without specific authorization in law or without having established the imperative need to use the SSN for the performance of its duties and responsibilities as prescribed by law.

Finding No. 13: The environmental controls in the DVR and DBS server rooms for RIMS and AWARE, respectively, were deficient.

Finding No. 14: The Department had inadequate controls over the program change control process for RIMS and AWARE.

Finding No. 15: DVR customer service information in RIMS was incomplete because group services were not being entered into RIMS. This omission diminished the completeness of RIMS case management data and the reliability and usefulness of reports generated from RIMS.


Management's response is included in the report as Exhibit - A.