Aug. 13--Fayette County Commissioner Angela Zimmerlink said on Tuesday that further investigation is needed into an alleged security breach caused when Commissioner Al Ambrosini directed IT department head Kebin Holbert to increase access to the county computer system for a financial consultant working for the county.
Referring to a letter from acting Controller Jeanine Wrona, citing an "apparent breach of the security" in that office's financial programs, Zimmerlink on Tuesday made a motion to further an internal investigation.
In a letter dated May 14 to former Controller Sean Lally, Wrona said the server for the New World System was entered "through the back door by Information Technology without permission of the controller or his deputies."
Wrona and Zimmerlink said Ambrosini directed Holbert to give greater access to consultant Sam Lynch.
"As you know, the New World System is the program through which we issue payments from county accounts and also contains sensitive data on county employees, including Social Security numbers," Wrona wrote.
Lally resigned in May to accept a position in Monroeville.
"The security changes should not have been authorized because it compromised the system and created exposure and risk to the county's financial accounting system," Zimmerlink said at the commissioners' agenda meeting Tuesday.
Zimmerlink said Lynch does not require "full access" to the system.
"No county staff member should ever take the direction of one commissioner. One commissioner does not rule," Zimmerlink said.
Zimmerlink made a motion, to be considered when the board meets next week, to take "the necessary steps to further investigate, which would include but not be limited to, discussion with staff, review of back-door access, a memorandum of understanding to be prepared between the county and contracted financial consultants and the possibility of a computer risk analysis to be conducted."
The commissioners unanimously agreed to place the item on the agenda.
"Bring on any investigation," Ambrosini said.
"These are allegations at this point in time. No one has done anything, at least pending further review. I do think it's necessary that we conduct ... a computer risk analysis," Commissioner Vincent Zapotosky said.
Contacted after the agenda meeting, Holbert confirmed Wrona's account.
"Mr. Ambrosini told me to give (Lynch) what he needs. He just said he did not have access and he needed access to do something. I should have asked the other two commissioners," Holbert said.
"The system should be secure. (Employees) changing a light bulb is one thing. If it's the financial store, that's something different. ... Kebin was taken advantage of because he was told to do something. He listened to a boss, instead of bosses," Zapotosky said.
"This is the hub of the financial accounting system for the county," Wrona said.
Access is determined for each individual depending on the role they play in the county, she said.
"Somebody saying they want access to everything -- that doesn't mean you give it to them," Wrona said. "If the capability is there to change things without us seeing and not knowing, we need to tighten that.
"I'm not saying any of them did anything illegal. But they opened us up to the possibility of that happening," she said.
Ambrosini said Lynch, who often works out of the county, "had issues" with system access.
He said Lynch's permission level was changed, along with that of several other county employees, affecting their ability to "stay productive."
"I told (Holbert) to restore permission. ... We restored what Sam already had," Ambrosini said.
He said he told Wrona that if she wanted the controller's office to maintain responsibility for giving employees access to the system, she should write a procedure. He said he has not seen a policy draft.
He said he had Chief Clerk Amy Revak check with other counties to see who manages permissions. Of the six counties responding, he said, none listed the controller, he said.