Fayette County Commissioner Angela Zimmerlink
said on Tuesday that further investigation is needed into an alleged
security breach caused when Commissioner Al Ambrosini directed IT
department head Kebin Holbert to increase access to the county computer
system for a financial consultant working for the county.
Referring to a letter from acting Controller
Jeanine Wrona, citing an “apparent breach of the security” in that
office's financial programs, Zimmerlink on Tuesday made a motion to
further an internal investigation.
In a letter dated May 14 to former
Controller Sean Lally, Wrona said the server for the New World System
was entered “through the back door by Information Technology without
permission of the controller or his deputies.”
Wrona and Zimmerlink said Ambrosini directed Holbert to give greater access to consultant Sam Lynch.
“As you know, the New World System is the
program through which we issue payments from county accounts and also
contains sensitive data on county employees, including Social Security
numbers,” Wrona wrote.
Lally resigned in May to accept a position in Monroeville.
“The security changes should not have been
authorized because it compromised the system and created exposure and
risk to the county's financial accounting system,” Zimmerlink said at
the commissioners' agenda meeting Tuesday.
Zimmerlink said Lynch does not require “full access” to the system.
“No county staff member should ever take the direction of one commissioner. One commissioner does not rule,” Zimmerlink said.
Zimmerlink made a motion, to be considered
when the board meets next week, to take “the necessary steps to further
investigate, which would include but not be limited to, discussion with
staff, review of back-door access, a memorandum of understanding to be
prepared between the county and contracted financial consultants and the
possibility of a computer risk analysis to be conducted.”
The commissioners unanimously agreed to place the item on the agenda.
“Bring on any investigation,” Ambrosini said.
“These are allegations at this point in
time. No one has done anything, at least pending further review. I do
think it's necessary that we conduct ... a computer risk analysis,”
Commissioner Vincent Zapotosky said.
Contacted after the agenda meeting, Holbert confirmed Wrona's account.
“Mr. Ambrosini told me to give (Lynch) what
he needs. He just said he did not have access and he needed access to do
something. I should have asked the other two commissioners,” Holbert
said.
“The system should be secure. (Employees)
changing a light bulb is one thing. If it's the financial store, that's
something different. ... Kebin was taken advantage of because he was
told to do something. He listened to a boss, instead of bosses,”
Zapotosky said.
“This is the hub of the financial accounting system for the county,” Wrona said.
Access is determined for each individual depending on the role they play in the county, she said.
“Somebody saying they want access to
everything — that doesn't mean you give it to them,” Wrona said. “If the
capability is there to change things without us seeing and not knowing,
we need to tighten that.
“I'm not saying any of them did anything illegal. But they opened us up to the possibility of that happening,” she said.
Ambrosini said Lynch, who often works out of the county, “had issues” with system access.
He said Lynch's permission level was
changed, along with that of several other county employees, affecting
their ability to “stay productive.”
“I told (Holbert) to restore permission. … We restored what Sam already had,” Ambrosini said.
He said he told Wrona that if she wanted the
controller's office to maintain responsibility for giving employees
access to the system, she should write a procedure. He said he has not
seen a policy draft.
He said he had Chief Clerk Amy Revak check
with other counties to see who manages permissions. Of the six counties
responding, he said, none listed the controller.
Ambrosini said he will look into having the commissioners' office and the IT department make those decisions.