Segregation of duties over TERMS and Munis access capabilities has not been designed to prevent an individual user from having conflicting access capabilities over an entire business transaction process (i.e., Accounts Payable, Human Resources). Additionally, District IT personnel have conflicting access capabilities to Human Resources business process functionality as denoted below:
- Ability to Enter New Vendors
- Approve Requisitions
- Roll requisitions to POs
- Prepare and Print AP Checks
- Prepare and post journal entry
- Create new employee
- Change compensation
- Prepare and print HR checks
General Security settings for AS400 operating system are not configured to provide reasonable assurance that access is limited to authorized individuals. Noted the following password configuration settings:
- Password Composition – one number required (Recommend a mix of alphanumeric and special characters)
- Password Length – 5 characters (Recommend minimum length of 8 characters)
- Password Expiration – 366 days (Recommend 180 days for normal users, 90 days for administrative users)
General Security settings for the TERMS application are not optimized to provide reasonable assurance that access is limited to authorized individuals. The following password configurations were noted:
- Password Minimum Length – 1 (Recommended Minimum 8)
- Password Expiration – Not Set (Recommended 180 days for user-level accounts and 90 days for system administration accounts)
- Password Complexity – Not Set (Recommended Alphanumeric and Special Characters)
- Password History – Not Set (Recommended 3)
- Account Lockout – Not Set (Recommended 5)
- Account Lockout Duration – Not Set (Recommended 5 minutes)