State Data Center: First steps to address longstanding security risks, much more to do

Executive Summary
Over the last nine years, security weaknesses at the state data center have put confidential information at risk. These weaknesses persisted because the state abandoned its initial security plans, did not assign security roles and responsibilities, and did not provide sufficient security staff. The Governor, Legislature, and Chief Information Officer have taken the first steps to fix these problems, but the solutions will take time, resources, and cooperation from state agencies.

Critical security issues were never resolved at the data center

Data center management and staff are meeting the day-to-day computing needs of the state agencies that rely on its services. However, critical security issues identified throughout the past nine years were never resolved.

Security problems affect multiple components of the data center’s layered-defense strategy, which is intended to make it more difficult for unauthorized users to compromise computer systems.

These weaknesses increase the risk that computer systems and data could be compromised, resulting in leaks of confidential data such as social security numbers and medical records.

Data center was never fully configured for security

Management got a good start on security planning, but during data center consolidation they abandoned the plan, expecting to complete some steps at a later time. Once the data center became operational, staff were overburdened and unable to make meaningful progress toward resolving critical security issues or implementing the security systems they had purchased.

These adverse conditions continued because management did not assign overall responsibility or authority to plan, design, and manage security. In addition, management did not provide the staffing necessary to implement and operate security systems.

First steps have been taken to resolve longstanding data center problems

The Governor, Legislature, and Director of the Department of Administrative Services took steps in the last six months to address data center staffing and organizational issues.

Two key steps were taken: the state Chief Information Officer (CIO) became responsible for data center operations, and the state Chief Information Security Officer was moved to the data center and tasked with overseeing its overall security function.

These actions increased management’s focus on security at the data center. However, it will take additional time, perseverance, significant resources, and cooperation to resolve all known weaknesses.

Some computer operations were stable but disaster recovery was only partially tested

Apart from security, data center staff provide important operational support to agencies, including routine backups and monitoring of computer processing. Data center staff made significant strides in resolving disaster recovery weaknesses identified by earlier audits. Their innovative approach was to partner with the Montana State Data Center to establish an alternate site to store and process data.

However, additional work is needed to ensure that data at that site is secure, to update recovery plans, and to test the system.

Recommendations

We recommend agency management take steps to reconfigure data center security to provide the layered-defense strategy needed to protect state data systems. To accomplish this, management should clearly define security roles, responsibilities, and authority to carry out the plans, and provide sufficient staff.

We also recommend management update and fully test disaster recovery plans and ensure data is secure at the remote site.

Agency Response

The agency agreed with all of the audit findings and recommendations. Its response includes specific plans to correct longstanding security weaknesses and to improve the overall security organization, plans, and staffing.

The agency’s full response is attached at the end of the audit report.

Auditing critical state information systems: Behind the Scenes

The Legislature just approved our request for two more IT auditors to increase our ability to examine the thousands of IT systems in the state. We now have three teams of IT auditors, a 50% increase over the previous two. We make the best of our limited resources by focusing our skilled professionals on the systems most critical to the finances and operations of state government.

We will soon start recruiting more IT auditors, so if you’re interested, watch the Secretary of State website in August when applications open.

Our IT Audit Manager, Neal Weatherspoon, was recently featured in the Summer 2015 newsletter of the Willamette Valley chapter of ISACA, an association of IT audit and security professionals.

IT Audits help trigger budget action

In addition to a cyber attack, two of our audits helped prompt a state agency to request more resources for computer security and for better oversight of computer projects, as reported by the Portland Tribune.

Our audits always include a security component, and we prepare a confidential report on the weaknesses we find. State law allows confidential reporting so that the information is not disclosed to hackers. Read our 2010 audit on security.

We recently issued an audit on IT project management and concluded that inadequate resources would hamper oversight by the Department of Administrative Services. Read our 2015 audit.

Major IT Projects: Continue Expanding Oversight and Strengthen Accountability
The new effort to monitor and control system development, known as “stage gate,” is a significant step in the right direction. However, the following weaknesses should be addressed:

  • DAS has not fully staffed or defined stage gate processes
  • Stage gate efforts may not sufficiently detect or prevent significant system development problems state agencies have experienced
  • Some state agencies lack expertise to manage large IT projects
  • Consequences of failure to meet stage gate requirements are unclear