Texas State Library and Archives Commission
Tuesday, April 1, 2003
The Texas State Library and Archives Commission (TSLAC) Audit Committee met on Tuesday, April 1, 2003, at 1:00 p.m. at the Houston Public Library, Concourse Room, in Houston, Texas. The meeting was accessible via videoconference in room 314 of the Texas State Library and Archives Commission building in Austin, Texas.
Audit Committee Present:
Elizabeth Sanders, Audit Chairman
Sandra J. Pickett
Peggy D. Rudd, director and librarian
Edward Seidenberg, assistant state librarian*
Manuel Alvarez, director, Information Resources Technologies*
Ava Smith, director, Talking Book Program
Michael Heskett, director, State and Local Records Management*
Deborah Littrell, director, Library Development
Donna Osborne, director, Administrative Services*
Chris LaPlante, director, Archives and Information Services*
Michael Ford, Information Resources Technologies Division
Lee Sutherland, Information Resources Technologies Division*
Regina Miles, executive assistant
Gwen Land, internal auditor, Jefferson Wells International*
Bill Wilson, Himmel & Wilson Library Consultants
Dale Fleeger, Northeast Texas Library System
Lynne Handy, North Texas Regional Library System
Meller Langford-Allen, Houston Area Library System
Dwayne Brown, Houston Area
Audit Chairman Sanders convened the meeting at 1:00 p.m.
1. DISCUSSION OF INTERNAL AUDIT OF INFORMATION RESOURCES TECHNOLOGIES FUNCTION.
Gwen Land addressed the Audit Committee and summarized the findings of the audit. Ms. Land listed the following achievements of the department:
- The department's Strategic Plan supports TSLAC's overall Agency Strategic Plan.
- The department uses a formal Systems Development Life Cycle.
- The IRT Director has been identified as the "designated representative" for IT security and those duties are documented in the job description.
- TSLAC has implemented up-to-date Information Resources Security Policies.
- TSLAC has both a Disaster Response Plan and Disaster Recovery Plan for Information Resources.
- The Department of Information Resources (DIR) recently tested TSLAC's perimeter security. Results have not yet been released by DIR.
- IRT is currently providing Computer Security Awareness training to all TSLAC employees.
Ms. Land listed the following areas for improvement:
- A security risk analysis of information resources has not been performed and documented for presentation to TSLAC's executive management for approval.
- Formal procedures to add, modify, or delete user access to computer systems have not been developed.
- TSLAC has not required user passwords to be periodically changed in three years.
- Some IRT programmers have "write" access to production computer environments that should otherwise be restricted.
- The most current TSLAC computer data/program backups are not rotated immediately to the off-site storage facility.
- An independent, annual evaluation of TSLAC's information security program and TSLAC's physical security has not been performed.
- The IRT Disaster Recovery plan has not been tested.
- An automated Intrusion Detection System has not been installed at TSLAC.
- Security-related policies and procedures regarding the use of TSLAC's Virtual Private Network have not yet been developed or approved.
- Emergency response procedures are not tested on an annual basis.
- A formal business impact analysis has not been performed.
- A "Disaster Recovery Strategy" has not been developed to appraise recovery alternatives and alternative cost-estimates.
- An implementation, testing, and maintenance management program is not available to address initial and ongoing testing and maintenance activities of the business continuity plan.
- An "unfriendly" log-on banner with the DIR's required elements does not appear upon initial TSLAC network login.
Audit Chairman Sanders asked for additional information on the finding that formal procedures to add, modify, or delete user access to computer systems were not being documented. Manuel Alvarez responded, stating that a procedure is in place but it was not yet in writing at the time of the audit. However, the procedure has since been put in writing.
Ms. Sanders asked for additional information on the finding that some programmers have "write" access to various production computer environments. Mr. Alvarez responded, stating that because of project requirements and staff shortages, the responsibilities were delegated to staff that might not otherwise have been granted access. As a result of the internal audit recommendation, the IRT department is currently developing written procedures that will outline guidelines for staff access. These procedures are expected to be completed by the end of April 2003.
Ms. Sanders asked for clarification on the finding that the most current TSLAC computer data/program backups are not rotated immediately to off-site storage. Mr. Alvarez responded that although a rotation system was put in place as of the end of February 2003, the most current (at the time of the internal audit) TSLAC computer data/program backups were rotated to off-site storage approximately one week after completion instead of immediately. The backups are now being rotated to off-site storage immediately after completion and verification.
Ms. Sanders asked for timeline details regarding the IRT Disaster Recovery Plan. Mr. Alvarez stated that modifications to the Plan were completed in February 2003. He expects to have scenarios for testing the Plan by August 31, 2003.
Commissioner Pickett asked for more information on the Virtual Private Network. Mr. Alvarez described the system in greater detail. The Network will replace the current dial-up system, and is a better way to increase the security of the agency's network. Mrs. Pickett asked if the system would be used only internally. Mr. Alvarez stated that it is for staff that need access to the internal network; it is not intended for publicly accessible servers.
Commissioner Holland moved to recommend the commission's acceptance of the Internal Audit of the Information Resources Technologies function. In the absence of Audit Committee member Chris Brisack, Audit Chairman Sanders seconded. Motion passed.
2. DISCUSSION OF OPTIONS FOR INTERNAL AUDIT SERVICES FOR FY04.
Donna Osborne addressed the Audit Committee and gave background on internal audit services and the proposal process. At its November 16, 2001 meeting, the Texas State Library and Archives Commission awarded a one-year contract for Fiscal Year 2002 internal audit services to Jefferson Wells International, with an option to extend the contract for one year. At the direction of the commission, the internal audit contract was extended for Fiscal Year 2003 services. The current contract also contains a clause allowing the agency the option to renew the contract for an additional one-year term should the commission desire to retain the current contractor. Jefferson Wells International submitted a proposal for Fiscal Year 2004 services for the commission's consideration.
Commissioner Sanders asked if any member of the Audit Committee had comments regarding the proposal. Commissioner Holland stated for the record that she felt her tenure on the commission was not long enough to afford her enough background information on which to comment on the services of the current internal auditor.
Commissioner Pickett asked what the total professional fee amount was for previous years. Ms. Osborne stated that for Fiscal Year 2003, the total fee amount was $40,368 and for Fiscal Year 2002, the total fee amount was $36,156.
Commissioner Carr asked whether specific audits for Fiscal Year 2004 have been determined. Ms. Osborne responded, stating that preparations for the Internal Audit Plan typically begin in June. Following completion of the Risk Assessment, the audits for the next fiscal year will be determined (based on the Risk Assessment). Commissioner Carr asked Ms. Osborne if she was comfortable with the commission's considering approval of the internal audit proposal without knowing which audits will be conducted. Ms. Osborne stated that, yes, she is.
Audit Chairman Sanders stated that she was very satisfied with the work that Jefferson Wells International has done so far. Commissioner Holland moved to recommend the commission's approval of a one-year renewal of the internal audit contract with Jefferson Wells International. In the absence of Audit Committee member Chris Brisack, Audit Chairman Sanders seconded. Motion passed.
Commissioner Holland moved to adjourn the meeting of the Audit Committee; no second needed. Motion passed. With no further business, Audit Chairman Sanders adjourned the meeting at 1:20 p.m.
Peggy D. Rudd
Director and Librarian