Hilliard officials are implementing across-the-board policy changes to better protect the city's assets and digital information in accordance with a study Schneider Downs recently completed.

The $48,000 study was commissioned earlier this year at the request of city council and in reaction to the at-the-time alleged theft of cash from the city's two pool facilities by the former deputy director of the city's parks and recreation department, Heather H. Ernst. She entered a plea agreement Oct. 3 that included a guilty plea to theft in office.

The study looked at the city's operations beyond that of parks and recreation, providing recommendations for virtually every department in the city.

Hilliard Law Director Tracy Bradford said while the study showed where improvements could be made, it is not meant to show what actions and safeguards would work well for the city.

"The focus of the project was to identify areas where processes and procedures needed improvement," Bradford said. "The report doesn't tout all of the things we do well, which are considerable."

Doug Francis, director of communications and information technology, said prior to the study, the city's IT department did not manage access to computer networks within the city's other departments.

"(Access) was managed at (each) department level," Francis said.

The report from Schneider Downs indicated the city's information technology security policy was last revised in February 2008 and "does not define or enforce comprehensive requirements and standards for protecting the confidentiality, integrity and availability of the organization's information-technology assets."

The report also found, "System owners are not required to, nor do they perform, regular reviews of user accounts that can access critical information systems" and that "physical access to the primary data center ... is managed in an informal manner that does not require all visitors to document and present legitimate business purposes to the IT director for approval before access is authorized and granted."

"Our network access has increased tenfold (in the recent past)," said Francis, adding he has recently met with multiple department directors to establish a formal policy for employee access to the city's computer networks.

"The (existing) policies were not written down and I take responsibility for that," he said.

Moving forward, Francis said, IT representatives will have oversight of network access in all the city's departments, providing "a double set of eyes."

Within the finance department, the study showed, "There is not a formal accountability for city credit-card transactions or the ability to trace the individuals that use the credit card." The study recommended credit cards be issued to individuals rather than a department.

The study also indicated, "All finance department personnel have access to add and delete users and change privileges within the system (which) can lead to inappropriate approval of purchase requisitions and purchase orders." It recommended system administration would best be executed by the city's IT department.

Finance Director David Delande said he is continuing to work with Schneider Downs concerning the recommendations.

"I'd like to have them all addressed by the end of the year," Delande said.

Concerning the city's parks-and-recreation department, the study found, "There is no method in place to adequately record the number of participants who utilize high-traffic facilities such as the aquatic centers or community and senior centers, so revenues may be matched."

Bradford said the city is "investigating mechanisms to track attendance at the pools and the number of participants attending their numerous classes and programs, which may include the installation of turnstiles."

The study also found "Registration and collection of funds for most programs are conducted by third-party service providers (with) an agreement in place to provide a percentage of the proceeds to the city. No control exists to verify that payments received from third-party providers are accurate ... the city may not be collecting all the revenue owed."

In response, the administration will ask City Council for $65,000 in next year's budget to cover the cost of implementing a new pass-through account system to record all such transactions, Bradford said.

Councilman Les Carrier, who has been a past critic of the administration's financial practices, said the changes "are a good first step."

kcorvo@thisweeknews.com

@ThisWeekCorvo