Over the last nine years, security weaknesses at the state data center have put confidential information at risk. These weaknesses continued because the state abandoned initial security plans, did not assign security roles and responsibilities, or provide sufficient security staff. The Governor, Legislature, and Chief Information Officer have taken the first steps to fix these problems, but the solutions will take time, resources, and cooperation from state agencies..
Critical security issues were never resolved at the data center
Data center management and staff are meeting day-to-day computing needs of state agencies relying on its services. However, critical security issues identified throughout the past nine years were never resolved.
Security problems affect multiple components of the data center’s layered-defense strategy intended to make it more difficult for unauthorized users to compromise computer systems.
These weaknesses increase the risk that computer systems and data could be compromised, resulting in leaked confidential data such as social security numbers and medical records information.
Data center was never fully configured for security
Management got a good start on security planning, but during data center consolidation management abandoned the plan thinking they would complete some steps at a future time. Once the data center became operational, staff was overburdened and unable to make meaningful progress toward resolving critical security issues or implement security systems they purchased.
These adverse conditions continued because management did not assign overall responsibility or authority to plan, design, and manage security. In addition, they did not provide the necessary staffing to implement and operate security systems.
First steps have been taken to resolve longstanding data center problems
The Govenor, Legislature and Director of the Department of Administrative Services took steps in the last six months to address data center staffing and organizational issues.
Two key steps that occurred were the state Chief Information Officer (CIO) became responsible for data center operations and the state Chief Information Security Officer was moved to the data center and tasked to oversee its overall security function.
These actions increased management’s focus on security at the data center. However, it will take additional time, perseverance, significant resources, and cooperation to resolve all known weaknesses.
Some computer operations were stable but disaster recovery was only partially tested
Apart from security, data center staff provides important operational support to agencies, including routine backups and monitoring computer processing. Data center staff made significant strides to resolve prior disaster recovery weaknesses identified by earlier audits. Their innovative approach was to partner with the Montana State Data Center to establish an alternate site to store and process data.
However, additional work needs to be done to ensure data at that site is secure, update recovery plans, and test the system.
We recommend agency management take steps to reconfigure data center security to provide the layered-defense strategy needed to protect state data systems. To accomplish this, management should clearly define security roles, responsibility and authority to carry out the plans and provide sufficient staff.
We also recommend management update and fully test disaster recovery plans and ensure data is secure at the remote site.
The agency agreed with all of the audit findings and recommendations. The response includes specific plans to correct longstanding security weaknesses and improve overall security organization, plans and staffing.
Their full response is attached at the end of the audit report.