Skip to Content
Case Study 3 min read
Understanding IT security risks helps Orange County, California, position for the future.

 Image of people meeting

The client

Orange County is a regional service provider and planning agency whose core businesses include public safety, public health, environmental protection, regional planning, public assistance, social services, and aviation. With a population of nearly 3 million, it is the sixth most populous county in the United States. The county is comprised of 31 departments and six special districts with a total operating budget of over $6 billion annually. It has a current workforce of over 17,000 authorized positions.
 

The challenge

Orange County had contracted with several IT managed service providers for significant portions of its IT operations. In addition, the county had recently upgraded its accounting and human resources system (CAPS+). While these changes were occurring, Orange County management in the Auditor Controller’s office and CEO’s office recognized the need for a comprehensive enterprise system risk assessment to ensure that adequate controls were in place to protect sensitive data as required. With more and more residents increasingly turning to the web for information and increasing use of employee self-service, the need for IT security and risk reviews of Orange County’s online systems were paramount. The county’s transition to managed services required a mechanism to control the impact of these transitions against the access and security of sensitive data.
 

The solution

Our team performed an enterprise system security audit of their major ERP system, CAPS+ (including financial, procurement, human resources, and payroll). The audit included an evaluation of the general controls supporting the CAPS+ system as well as other ancillary systems and databases maintaining sensitive data. The objectives of the security audit were to assess the potential risks to the CAPS+ environment and the adequacy of the county’s controls, policies, and processes, as well as to provide recommendations for mitigation tactics and strategies for possible vulnerabilities, threats, and risks discovered during the assessment process. The assessment was measured against the National Institute of Standards and Technology (NIST) framework.

The ERP security audit was a multiphased process, featuring numerous staff interviews, and it required a collaborative, coordinated effort for assessing controls across the county and its departments. With project constraints including legislative commitment, the availability of county IT staff, and time and budgetary concerns, there was a high demand to work effectively and efficiently while providing thorough communication to all IT vendor, contractor, and county stakeholders.

Through interviews, county-provided sample documentation, and hands-on testing and vulnerability scans, we were able to provide a formal configuration evaluation for Orange County, measured against the NIST framework. Plante Moran’s assessment team identified opportunities for process and control improvements as well as recommendations to reduce risk. The assessment focused on areas of technology risk within current IT processes and activities performed by the county’s Auditor-Controller Information Technology (A-C/IT) department, as well as the associated infrastructure controls maintained by the CEO Information Technology (OCIT) department, which has oversight over the managed service providers.
 
“Plante Moran provided a comprehensive third-party review and enterprise system security audit of our major ERP system, CAPS+. The team was extremely flexible to our schedule as the county went through a managed service transition that considerably impacted the project. Plante Moran brought outstanding project management to the engagement and each team member demonstrated their knowledge and capabilities related to the security audit assessments.”
 
 
 — Phillip Daigneau, Director Information Technology, Auditor-Controller, county of Orange

The benefit

Orange County valued our experience with other county and local government entities, as well as its cybersecurity experience as a whole. We provided a strong and flexible technology team that contributed a significant on-site presence, knowledge, and continuity amid the county’s changes in managed service vendors – all while completing the project on time and meeting project goals.

During the engagement, stakeholders were informed of the key project issues as they revolved around identifying areas of risk, remediation, response, and recovery. The areas of risk and recommendations identified provided a forum for open dialog across the entity spanning numerous departments within the county. The security audit provided a road map of improvements that has since been placed into an implementation plan. Based on the findings, the county is now working to develop more comprehensive documentation, policies, and procedures on obtaining access to the applications and environments. Once the audit recommendations have been implemented, the county will be better situated for any changes in the environment or staff reallocation.

Additionally, our team imparted tools and knowledge, beyond the assessment, which allowed the county to understand the risk assessment process and apply it to future areas and future projects.