IT Best Practice

CHERRY, BEKAERT & HOLLAND
CERTIFIED PUBLIC ACCOUNTANTS & CONSULTANTS

Mr. Danny L. Kolhage
Clerk of the Court
500 Whitehead Street
Key West, FL 33040

Dear Danny:

In planning and performing our audit of the financial statements of the governmental activities, the business-type activities, each major fund, and the aggregate remaining fund information of Monroe County, Florida (the "County"), as of and for the year ended September 30, 2009, we considered the County's internal controls in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements and not to provide assurance on the internal controls. Our assessment of the internal controls was limited to obtaining an understanding of the internal controls sufficient to plan our audit and did not include tests of control policies and procedures.

As part of our normal audit process we have identified certain matters that came to our attention that we would like to communicate to you because we feel these items are opportunities for strengthening internal controls and operating efficiency.

INTERNAL CONTROL AND OPERATING EFFICIENCY ISSUES

IT BEST PRACTICE RECOMMENDATIONS

A formal Information Security Policy and Procedure has not been developed and implemented by the Finance Department. A procedure should be established to define requirements for requesting and granting access, terminating access, and periodically reviewing access. Additionally, procedures should be implemented to define minimum requirements for password security, confidentiality of information, and segregation of duties guidelines within the application.

Access privileges to the Financial and Court Applications should be periodically reviewed by the users' management to verify that the level of access still accurately reflects the minimum level required for the user to perform their job function and accurately reflects an appropriate level of segregation of duties within logical access.

Passwords for the Court and Financial Applications should be set to reflect best practices for password security. Best practices require that passwords consist of a minimum of 8 characters, expire every 90 days, maintain 5 password histories, and lock after 3 unsuccessful login attempts.

The local network is protected by a Cisco PIX 515 firewall; however, there is not an effective mechanism in place to monitor the firewall logs for potential threats.

A risk assessment has not been performed and documented. A risk assessment is an assessment of the risk faced by information technologies. This document should identify and classify potential risks to the central IT infrastructure and resources, document obstacles precluding elimination of these identified risks and then recognize the Clerk's acceptance of those risks. A risk assessment should be updated with the results of audits, inspections, and identified incidents. The scope should include risks related to the confidentiality, availability, and integrity of critical data and resources.

LAN data provides Disaster Recovery services for the Court and Financial Applications at their facility in San Antonio, Texas. While data is sent off-site to this location and recoverability infrastructure is in place, a formal test of the Disaster Recovery Plan has not been performed. The Clerk IT should visit the Disaster Recovery location and perform a recovery exercise.

A formal change control policy and procedure has not been established for the Court and Financial Applications.
This procedure should outline steps and documentation required to authorize, test, approve, and implement changes into production for the Court and Financial Applications. Formal test plans should be created and maintained for each major change including version upgrades to the Financial Application. The plan should include key functions of the application for each department and/or module of the system.

If you have any questions or would like to have further discussions on any of the matters discussed above, feel free to give Eddie Burke a call at 919-782-1040.

CHERRY, BEKAERT & HOLLAND, L.L.P.

Orlando, Florida
March 31, 2010