There Is No Recertification Process to Ensure LCS Reports Are Provided to Only Authorised

Final Report
/
Somerset County Council
 / Liquidlogic Children's Social Care System (LCS)
Issued to: / Kevin Nacey
Head of Property & Finance
Martin Gerrish
Group Manager, Advisory Finance
Darren Cole
Head of ICT
Rod Mitchell
CSC Practice Support and Systems Development Manager
Carey Sherman
Service Manager Business Support
Claire Winter
Acting Children and Families Operations Director
Gerry Cox
Chief Executive - SWAP Ltd. Partnership
Confidential / ICT Report
Application –Liquidlogic Children's Social Care System (LCS)
Management Summary
LCS, previously known as Protocol, is the Children’s Social Care Case management system and is one of the core line of business applications identified by the Council. Its primary function is to support the children’s social care key service provision to children in need, children in care, care leavers and children with protection plans. The LCS application is used by over fifty councils. New releases are made available twice a year to comply with the multitude of regulatory changes and to address the prioritised needs of the LCS Users Group. Somerset County Council’s (SCC’s) application is hosted in the County Hall server room and our last audit (2010-11) looked at system administration processes.
There are many challenges facing Children’s Services. Ofsted have rated the service as inadequate and the service has faced significant turnover in its senior leadership. Recruitment and retention of permanent social workers has alsobeen a major challenge since the Ofsted rating and the service is heavily dependent on the use of locums. Temporary staff in any context can contribute to data quality issues.
The demographic data entered into LCS, AIS for Adult Social Care and Capita One for schools is shared through a “snapshot browser”. The AIS number is automatically added to LCS if a match is found. The entering of common demographic data into three separate and distinct applications with different validations is inefficient and provides the potential for data integrity issues. Although recommendations to resolve these efficiencies are outside the scope of this review,it has the potential to impact on overall data integrity at SCC.
Summary of Significant Corporate Risks
The following table records the inherent risk (the risk of exposure with no controls in place) and the manager’s initial assessment of the risk (the risk exposure on the assumption that the current controls are operating effectively) captured at the outset of the audit. The final column of the table is the Auditors summary assessment of the risk exposure at Corporate level after the control environment has been tested. All assessments are made against the risk appetite agreed by the SWAP Management Board.
Areas identified as significant corporate risks, i.e. those being assessed as ‘high’ or ‘very high’ risk areas in line with the definitions attached should be addressed as a matter of urgency.
Risks / Inherent Risk Assessment / Managers Initial Assessment / Auditors Assessment
1. Application does not meet business and regulatory requirements. / High / Low / Medium
2. Unauthorised access and disclosure of sensitive information. / High / Low / High
3. Application availability cannot be assured. / High / Medium / High
Summary of Significant Findings
The following were identified as key findings for the service and therefore categorised, in accordance with the definitions attached, as a level '4' or '5' priority in the action plan.
Risk 1

• There is no recertification process to ensure LCS reports are provided to only authorised users.

(Repeat issue from SWAP’s 2010 Protocol Audit)

• As a result of timing differences, LCS does not in all cases accurately reflect the statutory status of Children. A daily discrepancy list is produced to identify cases where updates are required but it is not always actioned on a timely basis.
• LCS user access rights are not reviewed periodically to ensure the access provided is appropriate.

• The Corporate MetaCompliance Policy Management software, purchased to improve staff awareness to mitigate the risk of reputational damage and financial sanction, has not been fully deployed throughout Children’s Services.

Risk 2
● / Inactive LCS user ids are not being routinely reviewed and actioned on a timely basis. (Repeat issue from SWAP’s 2010 Protocol Audit).
● / Password rules do not comply with SCC standards (Repeat issue from SWAP’s 2010 Protocol Audit)
Risk 3
The Business Continuity plan assumes LCS can be recovered within a weekin the event of a disaster impacting SCC’s Data Centre.
Further details of audits’ findings can be viewed in the full audit report, which follows this Management Summary.
Conclusion and Audit Opinion
Partial
I am able to offer Partial assurance in relation to the areas reviewed and the controls found to be in place. Some key risks are not well managed and systems require the introduction or improvement of internal controls to ensure the achievement of objectives.
The LCS application is complex and uses a structured approach to break processes and statutory requirements into manageable steps that have to be completed in a prescribed order. There are a very large number of LCS users and the use of locums is prevalent. As a result there is a continuing struggle to ensure data quality, an example being the inability to provide an accurate count for Child Protection and Children in Care at any point in time without reference to a Discrepancy report.
Due to the nature of the data being entered, if a data entry or other error is found after a strategic decision has been made and workflow has been generatedin respect of a case, a complex process called a rollback has to take place to correct the data. This involves an automated facility followed by the manual re-entering of all data subsequent to that decision. Although great care is taken, the manual re-entering of data creates the potential for errors.
LCS reporting is provided by Microsoft’s SQL Server Reporting Services (SSRS). There are over 1,000 reports currently available from SSRS. There are no user profiles established in SSRS to manage access to reports to ensure only LCS users have access and users are only provided with reports that are relevant to their job responsibilities. In addition several hundred reports are automatically emailed to users who are still employed with SCC but may no longer work in Children's Services. Children’s Services have identified this risk and a working group has been established to review the number and usage of reports.
Recruitment and retention of permanent employees has been a major challenge since Ofsted rated Children’s Services as inadequate. The resulting extensive use of locums can result in reduced data quality and increases the workload for Business Support who administers access to LCS. Many of the recommendations from SWAP's 2010 Protocol Audit Report, which focussed on security administration and user authentication, have not been implemented. As a result the risk of unauthorised access remains and is made more significant by the use of additional locums.
The Business Continuity plan assumes LCS will be made available on a timely basis if there is a disaster impacting the ability of Southwest One to make the LCS application available to users. There is a corporate Disaster Recovery arrangement in place and the corporate back-ups arrangements provided by Southwest One are comprehensive and back-ups are off-site at the Taunton Deane Data Centre. However the close proximity of the two sites means it is not clear back-ups would be available in all disaster scenarios and it is not clear whether the current arrangements will ensure the timely recovery of the LCS application. Children’s Services and Adult Social Care are aware of this issue and have submitted an RFS to Southwest One to request improved resilience of the offsite backup.
Page 1 of 13
Detailed Audit Report
Objectives & Risks
The key objective of the service and risks that could impact on the achievement of this objective were discussed and are identified below.
Objective: / To ensure that the application operates securely with maximum system availability to provide accurate, timely and compliant data and management information, as a key enabler for effective service delivery.
Risks: / ● / 1. Application does not meet business and regulatory requirements.
● / 2. Unauthorised access and disclosure of sensitive information.
● / 3. Application availability cannot be assured.
Method & Scope
This audit has been undertaken using an agreed risk based audit. This means that:
● / the objectives and risks are discussed and agreed with management at the outset of the audit;
● / the controls established to manage risks are discussed with key staff and relevant documentation reviewed;
● / these controls are evaluated to assess whether they are proportionate to the risks and evidence sought to confirm controls are operating effectively;
● / at the end of the audit, findings are discussed at a close-out meeting with the main contact and suggestions for improvement are agreed.
This audit focused on data validity and integrity, controls over access to restricted information and application availability. Loss of availability of the LCS application would disrupt or prevent the Council from delivering front line services to children or a child at risk or in danger.
As part of this audit, SWAP met with users of the application at the management and staff levels and also visited a Care Home. SWAP also met with Business Support who are responsible for testing new releases, administering security and providing directives and support to business users. SWAP met with the team who are involved in a project to focus and enhance performance reporting.
SWAP provided questions to the vendor Liquidlogic for which answers were provided and met with Finance to understand how payments are made and reconciled to LCS. SWAP did not review payments to Foster Carers and the Homefinder application.
Reports are provided through SSRS and SWAP obtained an understanding of the security established over SSRS reports for LCS.
SWAP developed an analysis of security profiles which was provided to Security Administration and reviewed a sample of new LCS users to verify access was provided based on the receipt of supporting documentation, training was completed and data protection compliance was documented through MetaCompliance.
The physical and environmental controls at the County Hall data centre, where LCS is processed, were audited in 2012-13. SWAP reviewed the controls that mitigate an event or incident at the data centre which would result in the system not being available to Somerset Direct or Social Workers.
Findings
The following paragraphs detail all findings that warrant the attention of management.
The findings are all grouped under the objective and risk that they relate.
1. / Risk: 1. Application does not meet business and regulatory requirements.
1.1 / Generally the validation of data entered by LCS appears robust, however if it possible to enter a duplicate record in LCS bypassing the system alert to the social worker. In addition, an individual's age can be entered or changed to inappropriate values of over 200.
1.1a / It was agreed that the Service Manager, Business Support, request a report ofduplicate and potential duplicate records be developed, reviewed and actioned periodically. The lack of appropriate age validation should be addressed with Liquidlogic at the next user group meeting.
1.2 / There are well over 1,000 reports from LCS, many containing restricted information and many of which may no longer be required. It is an inefficient use of system resources to produce reports that may not be used. General access to LCS and Homefinder reports is through the SSRS URL available to all SCC users with appropriate Active Directory accounts. Certain reports are restricted and made available to only specific email addresses and over 200 reports are automatically emailed to specific email addresses. Although there is an LCS leavers process that notifies the SSRS administrator, there is no recertification process to ensure reports are being made available to only current authorised users. A working group has been established to review the reports, reduce the number and improve the quality of reports.
There are no reports of inappropriate LCS access attempts, unusual or excessive activity although the audit trail can, and has been, used to support investigations into inappropriate access. Note that Children’s Services access policy is to allow global access toall social workers to all children’s records.
These issues were reported in SWAP's 2010 Protocol Audit Report.
1.2a / It was agreed that the Manager, Business Support, request that the BSAT team institute a process that restricts access to reports to only LCSusers that require access.
1.2b / It was agreed that the Manager, Business Support, ensure LCS access and access attempts are reported, reviewed and where necessary acted upon.
1.2c / It was agreed that the Reports Working Group continue their review of reports to ensure reports are only produced if they meet a business need, are fit for purpose and are used on a routine basis.
1.3 / As a result of timing differences, LCS does not in all cases accurately reflect the statutory status of Children. Discrepancies sometimes exist between the CP and CLA status of a child as displayed by LCS versus the actual situation. A daily discrepancy list is produced to identify cases where updates are requiredhowever SWAP observed that discrepancies are not always being actioned on a timely basis, for which there may be operational reasons.
1.3a / It was agreed that the Operations Director ensure Operations Managers resolve discrepancies on a timely basis.
1.4 / There is no periodic review of LCS user access to ensure access rights are appropriate.
1.4a / It was agreed that the owner of LCS require periodic review the profiles and related access provided to individual users to ensure it is appropriate.
1.5 / The Corporate MetaCompliance Policy Management software is designed to mitigate the risk of reputational damage and financial sanction by improving policy awareness and by enforcing review and sign off on policies including Data Protection policies. However MetaCompliance has not been fully deployed throughout Children’s Services. The need to reinforce Corporate Guidelines was reported in SWAP's 2010 Protocol Audit.
1.5a / It was agreed that the IT Governance Manager ensures Children's Services employees and locums formally sign off on the Data Protection Policy through MetaCompliance.
2. / Risk: 2. Unauthorised access and disclosure of sensitive information.
2.1 / Routine reports of inactive LCS user ids are not being produced, reviewed and actioned on a regular basis, contrary to the agreed actions in the 2010 SWAP Protocol audit report. SWAP identified 225 user ids that were last used prior to October 1, 2014, some of which were last used over two years ago. In addition due to recent LCS enhancements, “not on system” users inactive user ids can be reactivated using the “forgotten password” feature which forwards a one-time password to the email address recorded for that user. The termination report provided by Human Resources is not reviewed and actioned.
2.1a / It was agreed that the Service Manager, Business Support, ensure user ids not used in a pre-determined period of time that are no longer required, are locked and access removed in order that access controls are not compromised by that or another user gaining unauthorised access via those credentials.
2.2 / In the implementation of new releases and performing troubleshooting, Liquidlogic can view production data in LCS, including restricted data. According to Liquidlogic there is no non-disclosure agreement in place. There may have been such an agreement when the contract was signed, however the contract has now been novated to Southwest One.
2.2a / It was agreed that the Service Manager, Business Support, require that Liquidlogic sign a Non-Disclosure Agreement.
2.3 / The password rules in effect do not comply with SCC standards. This was reported in SWAP's2010 Protocol Audit.In addition LCS provides no current facility to set an end date for Locums access.
According to IT Training and Security Administration, full user access is only provided after users have completed training. As a result in the past full user access is not always provided on a timely basis resulting in periods of less than full productivity. It is understood that changes were announced to this process but not fully implemented at the time of the review.
2.3a / It was not agreed that the LCS password rules comply with SCC standards.
2.3b / It was agreed that the Service Manager, Business Support, work with IT Training to redesign the current training process to make it more flexible and timely and to include some elements of on the job training. The overall goal should be to have new staff trained with full access to LCS in a very short period of time.