To begin with , remember that 2 of the commissioners told me that Cindy/Cyndi Gray would not have access to financial information or money in connection to the at-that-time temporary but vague position at the Expo (all while still doing her job as payroll). It does not appear that is the case, at least with payroll, but does she still have access in any form to Tyler? This should be still a major concern. What steps are being taken to limit her interactions in departments she is no longer in, or not in yet and has no need to oversee or access?
It may be because of my background training engineers in operating systems, of which security permissions are a large part. Hah, probably a lot of people don’t consider this too much, but here’s why I wonder in the case of Somervell County Government. A security audit done regularly (once a year?) would help ensure that Somervell County was on top of checking for security risks, vulnerabilities in the digital systems that safeguard taxpayer money. (See 6 best practices to perform a cybersecurity audit)
Presumably I thought the IT manager was the one in charge of security for ALL offices inside the annex, and the Expo. That would include making sure that, in the case of any financial software used (Tyler and the Golf Now POS system), that the permissions set for the people in any office are appropriate to their level of position. For example, I assumed before that someone like Cyndi Gray, who is now GM of the Expo, would not have any financial permissions and that she is removed from Tyler, since as of June 1, 2024, she is no longer in payroll. In fact, as a side note, although Nikki Weedon, the auditor is her boss, Gray is not budgeted in that department, but is in under Account 2024-010-440 . The auditor account is 2024-010-404 and includes not only Weedon’s salary but assistance salaries but NOT the Expo job. Since Weedon is only over Gray and not the Expo in general, Gray would have no need for access to Tyler at all.
I assume that once Gray left the position of payroll that someone or some department checked to see that she no longer has access to Tyler, not just no access to Payroll. The treasurer, Valerie Williams, does payroll now as well. Did an open records request to ask some information regarding this change. Note the access control lists in Tyler show that Williams, only, has admin access, which is as it should be. She is also one of the administrators for the system. Note that Nikki Weedon, who was voted in as manager of Gray, told me the information about who has access to Tyler from her department is *unavailable*. That leaves the question open about whether Gray is still in Tyler in any form, especially since she is not an auditor, nor in the auditing department, but rather has been made GM of the Expo.
I did an open records request of department heads and asked Michelle if she would help me route this request to the appropriate people (Note that these people can be approached directly but sometimes I am not sure where to send)
Treasurer’s office (includes payroll)
Here, also from the open records request that was made to the Treasurer, Clerks office, JP, Auditor, etc, is reply from Michelle Reynolds (did a screenshot from the XLS file she sent 6/24/2024)
Two other entities replied that they had no information on this. (Auditor, District).
Wade Busch, commissioner, checked that her laptop has been wiped of any payroll information, and definitely she no longer has access to payroll. In terms of a security audit, IT management would see that most likely since the data is in Payroll, she is not in Auditing.
Somervell County Commissioners Court has a voted upon resolution from December 19, 2023 in which it is clear that other departments that need to audit their own department inventory create a list and then turn it into the auditor. Note that the information is to be turned in TO the auditor and no place do I see whether the departments add the auditor directly to Tyler.
So, Somervell County has seen the need to do an audit from every department. I am suggesting, and have sent that suggestion to Busch, commissioner, that there should be a security audit as well for every department, with the head of each department showing what the roles and permissions are for each department to ensure no one has more permissions than needed, or better, have the IT Manager do the audit since ostensibly he is the one in charge of security and understands how the software works and should be configured.
Here, for example, is the Kentucky Department of Education explaining Role-based access controls.
Role Based Access Control is a system of controlling which users have access to resources based on the
role of the user. Roles are created and assigned a group of permissions. The Roles are then assigned to
users. Along with this role-based security model, Enterprise ERP (EERP/MUNIS) has adopted a deny-all-
except security policy, meaning users must be initially granted specific rights through his or her roles to gain access to secured resourcesA role is a function within an organization that has clearly defined responsibilities (typically a job title)
and a corresponding need to access specific data in EERP to carry out those responsibilities. Assigning
permissions to these roles allows administrators to more effectively manage user security settings. The
first step in creating roles is to identify common user functions.
As an example role in this document, we will use the role of APCLERK. The role, “APCLERK” represents
any user who would typically need to enter Accounts Payable invoices but does not need permissions to access any EERP Setup programs or any other EERP modules besides Accounts Payable.
That is why, in corporations at least, all security level situations are left to the IT Manager, who administrators the system and makes sure the security permissions are correct AND that no one is taking information anywhere that it does not belong or with someone that should not have access to it.
And that should go for the Go Golf Now POS system. Is there any way that Gray has administrative access to that system? Did the IT person install it in both places it is being used and set up the permissions for the people using it? Is it at all possible she installed it herself? Here’s what the Somervell county Personnel manual from 2022 says
What makes me think that the Information Manager is not in charge of installing software or at least has no knowledge of all of it is that he directed me to go to the auditor’s office about POS software. This was in response to a request showing who actually installed software, with the implication then that he did not. Why would the auditor be in charge of installing software at the Expo and Golf course, and especially when it appears the IT manager was left out of the loop?
There is nothing in this description that indicates the auditor needs to be an expert in security. To my mind, that is the role of the IT manager.
One other area I believe is related to security. Cyndi Gray currently has a key to the office in the secure section of the financial offices, caddy corner to the auditor. Why is that? She is General Manager in an entirely different department and budget designation with an office, and no longer works in payroll. Why would she have a key (and maybe a badge that would allow her to freely go in and out) of that section? The keys in general are kept in the judges area, and presumably there is a log done to endure people are not just randomly asking for keys and given out without a trail.
Summary, I believe Somervell County should do a security audit for each department to check permissions and who has access and whether they should be (ie, fixing it). If, for example, somehow Gray is still in Tyler, then she would be removed since she is not in payroll nor the auditing department. I also believe the language in the personnel manual should be tightened to show that the IT manager is the person in charge of installing software, after the permission of a manager, but done by IT.
I also believe that there should be a spelled out procedure in the manual for laptops to be checked when a person leaves a department or job to ensure any data not appropriate for that person to have is wiped, maybe as part of an exit interview. And then, perhaps, if it is a desktop, the desktop is also checked to be sure it is *cleaned* for the next person doing that job.
And, finally, having security procedures spelled out or available for reference is essential.
