CCC: DAVID Attestation- Dated July 28, 2025

Summary

8 findings

1. Finding 1mediumdata access

   Printed and Electronic DAVID Personal Data Not Properly Safeguarded

   Criminal teammates were directed to place printed DAVID information in OSA (Obsolete, Superseded, or Administrative Value Lost) boxes when no longer needed, but those boxes were not physically secured from unauthorized persons. Additionally, teammates who telework were not required to black out their computer screens while accessing DAVID remotely, contrary to MOU Section V requirements for protecting personal information from unauthorized viewing.

   Recommendation: No formal recommendation was issued since compliance with the MOU is required; management was expected to correct the deficiencies.
   Management response: Criminal Management agreed with both issues. Corrective actions included issuing bulletin CDB 25-10 requiring screen blackout during remote DAVID access via Splashtop, ordering and deploying five cross-cut shredders in Criminal supervisor offices, and issuing bulletins CDB 25-04 and CDB 25-14 restricting printing and directing disposal of printed DAVID materials.
2. Finding 2mediumdata access

   DAVID User Access Not Deactivated Within Required Five Business Days

   MOU Section IV, Subsection B.8 requires user access and permissions to be updated within five business days of reassignment. One user was deactivated 55 working days after reassignment to a position that did not require DAVID access. The auditor verified the user did not access DAVID after reassignment.

   Recommendation: No formal recommendation was issued since compliance with the MOU is required; management was expected to correct the deficiency.
   Management response: IT Management agreed. The importance of timely security form completion was discussed with POCs and the IT Security team, and the DAVID Quarterly Audit Guideline was updated to clarify MOU requirements. Completed January 2025.
3. Finding 3lowpolicy

   DAVID Searches Missing Required Reason Codes

   The DAVID Quarterly Audit Guideline requires a reason code to be entered for every search performed. Of 67 DAVID searches reviewed during testing, four searches by one user included a case or citation number but lacked a required reason code. The auditor confirmed all four searches were for valid business purposes.

   Recommendation: No formal recommendation was issued since compliance with policies and procedures is required; management was expected to correct the deficiency.
   Management response: Criminal Management agreed. The specific user was reminded of the requirement to enter a purpose code, and a bulletin was sent to all Criminal teammates reminding them of the DAVID User Access Guideline. Completed March–May 2025.
4. Finding 4mediumdata access

   Existing Password Security Procedures Inadequate

   Some practices did not demonstrate effective password security. Teammates used the web browser's autofill feature to save DAVID login credentials and did not lock workstations when left unattended. Additionally, passwords were stored in an envelope kept in an unlocked desk drawer, creating risk of unauthorized access to DAVID.

   Recommendation: Update the Computer, Internet, and Email Usage Guideline to include detailed procedures for locking computers and storing passwords securely.
   Management response: IT Management agreed. The Computer, Internet, and Email Usage Guideline was updated to include requirements for locking unattended computers, prohibited password practices, and password storage requirements. The updated guideline was published on OfficeNet. Completed March 2025.
5. Finding 5lowpolicy

   DAVID Access Authorization Request Form Lists Incorrect Department

   One DAVID Access Authorization Request Form on file was not updated to reflect the teammate's correct department, representing an inaccuracy in the official access control documentation maintained by the Office.

   Recommendation: Update the DAVID Access Authorization Request Form to reflect the correct department for the affected teammate.
   Management response: IT Management agreed and updated the DAVID Access Authorization Request Form to reflect the correct department. Completed March 2025.
6. Finding 6mediumdata access

   DAVID User Permissions Inconsistent and Not Role-Appropriate

   DAVID user permissions were not consistently configured to match user roles. Five of 13 Criminal users had permission to search by vehicle make and model, which was unnecessary for their job duties. Additionally, both Criminal and Inspector General users had varying days and hours of access to DAVID rather than a standardized schedule.

   Recommendation: Update access for all teammates to reflect the correct user permission roles and access schedules.
   Management response: IT Management agreed. Access was standardized to Monday–Friday 7:00 a.m.–7:00 p.m. for Criminal and IG users, with defined permission roles (search/view motor vehicle record, search/view driver license record, view driver history) established as the new standard. User permissions and access were updated accordingly. Completed March 2025.
7. Finding 7mediumpolicy

   DAVID Procedures and Guidelines Incomplete, Outdated, or Undocumented

   Multiple DAVID process procedures were not documented, were incomplete, or did not reflect current operations. Undocumented areas included: updating agency contact information in DAVID within 10 calendar days, monitoring restricted DAVID network folder access, assigning and reviewing user permission roles, assigning a back-up DAC for quarterly reviews, and guidance for conducting standard searches and logging out. The DAVID Quarterly Audit Guideline also lacked proper segregation of duties, complete search procedures, and updated case/citation verification processes.

   Recommendation: Implement formal procedures for updating agency contact information (R7.1), convert the DAVID Quarterly Audit Guideline to a formal procedure (R7.2), update the guideline to reflect current processes (R7.3), implement a procedure for monitoring restricted folder access (R7.4), implement a procedure for assigning user roles and permissions (R7.5), and update the DAVID User Access Guideline to include search and logout guidance (R7.6).
   Management response: Criminal and IT Management agreed to all recommendations. The DAVID Quarterly Audit Guideline was converted to the DAVID Quarterly Audit Procedure (IT-OP0035) and a new DAVID POC Security Procedure (IT-OP0036) was created. The DAVID User Access Guideline was updated and republished on OfficeNet. Completed April 2025.
8. Observation Alowpolicy

   Fragmented DAVID Guidance and Lack of Policy Management Software

   Criminal and IT departments maintained independent versions of DAVID audit procedures; Criminal's older documents were confirmed obsolete but some Criminal users remained unaware of current documented procedures. Updates to DAVID procedures were communicated informally through Criminal Department Bulletins (CDBs) rather than being promptly reflected in formal procedure documents.

   Recommendation: Consider implementing policy management software (RA.1); consolidate DAVID guidance into a multi-departmental procedure (RA.2); ensure information in Criminal Department Bulletins related to DAVID is updated in associated procedures or guidelines on an ongoing basis (RA.3).
   Management response: Criminal and IT Management agreed to all three recommendations. For RA.1, management is evaluating the NeoGov 'Comply' module as an office-wide policy management solution (timeline to be determined). For RA.2, management elected to maintain three separate documents for security integrity reasons rather than full consolidation. For RA.3, the DAVID User Access Guideline is reviewed and updated following each bulletin issuance on an ongoing basis.