
Emergency Services:  Password Administration Review






                                                                                       I5O Consulting Services
                                                                                                  August 2019

                                            EXECUTIVE SUMMARY


               Objective and Scope

               The objective of this engagement is to review and test the design and operational effectiveness
               of the controls intended for password administration for Guilford County’s Emergency Services
               (ES) department.  Departments at Guilford County are required to take appropriate measures to
               ensure that password controls are in place to provide reasonable assurance that low to no risk
               exists from unauthorized access to systems.

               To determine whether ES’s controls over password administration were effective, we examined
               whether:

                       a)  passwords are changed/reset in accordance with policy and procedures,
                       b)  password complexity exists per policy, and
                       c)  password access is delegated appropriately.



               Background

               Guilford County’s Emergency Services (ES) has established its own Technical Support group to
               facilitate and maintain the information technology for its subdivisions: Emergency
               Management, Emergency Medical Services, and the Fire Division.  The ES Technical Support
               group acts as an extension or component of Guilford County’s Information Services group.  ES
               Technical Support has implemented its own Active Directory forest to authenticate and
               authorize users and computers specific to the ES department.  The ES Active Directory forest has
               a two-way trust relationship with Guilford County’s Information Services group to maintain a
               relationship between the two domains and ensure resources can be accessed by appropriate users.

               On July 16, 2019, ES engaged I5O Consulting to review its password administration
               processes.  We identified several excellent policies, procedures and best practices within ES
               that align with Guilford County’s Information Services (IS) group regarding the security of
               passwords.  We examined hundreds of users’ access to determine the effectiveness of ES’s
               control over maintaining and governing password activity.







