Audit Release: Progress has been Made to Address Security Weaknesses at the State Data Center, but Improvements are Still Needed


Report Highlights

Security at the Enterprise Technology Services State Data Center (data center) has improved due to organizational and staffing changes and the increased role of the Enterprise Security Office. Several longstanding security challenges have been addressed, yet more work remains to further refine and improve security capabilities and to address other areas where roles are not sufficiently defined. The operating environment for the data center remains stable and appropriately controlled. Disaster recovery capabilities have improved, although the order in which systems are recovered still needs to be prioritized to ensure that the most critical state systems can be restored in a timely manner in the event of a major disaster.

Background

The data center is comprised of an extensive inventory of computer operating system platforms and networks. It provides centralized computer services such as networking, email, backup, and server services for more than 100 state agencies, boards, and commissions. Since the creation of the data center in 2006, numerous prior audits have identified significant security weaknesses. Starting in 2015, organizational changes moved overall responsibility for the data center to the Office of the State Chief Information Officer (OSCIO) and expanded the staffing and role of the Enterprise Security Office.

Purpose

Because of the critical services the data center provides, we audit it every two to three years. This audit followed up on the status of prior audit findings and evaluated the current security framework and stability of the operating environment.

Key Findings

We found:

  1. The OSCIO has made significant progress in improving security at the data center through security planning and staffing, vulnerability assessments, security event monitoring, and anti-malware and patching processes. Further progress is needed to refine these processes and better track vulnerability remediation.
  2. Some security areas require improvement, including privileged access, asset and configuration management, and security incident response. Work is underway to improve Windows privileged access.
  3. Day-to-day computing remains stable and disaster recovery capabilities have improved. While additional disaster recovery capabilities are being built, data center customers need to prioritize which systems should be recovered first in the event of disaster.

Recommendations

We recommend improvements in defining roles and responsibilities, refining vulnerability scanning and security event monitoring, monitoring privileged access, and disaster recovery prioritization.

The Department of Administrative Services and the OSCIO agreed with all of our recommendations. The agency’s response can be found at the end of the report.

Read the full report here.


Methods (to our Madness): How IT audits help keep your $$$ safe

Recently, the Secretary of State Oregon Audits Division released an IT audit of GenTax, the software system that Oregon’s Department of Revenue uses to process tax payments and returns. This month, I sat down to talk to Erika Ungern, an 18-year veteran of the Audits Division and the lead for the audit.

Why was the GenTax system selected for an audit?

A lot of the work we do on the IT team supports financial auditors. They need to know that the information they use for their audits is reliable. GenTax is a fairly new system – the Department of Revenue completed the last of four rollouts in November 2017 – so it was a good time to take a look.

What was the goal of this audit?

We were auditing to answer the question: Does the system do what it needs to do? That meant primarily looking to see if there are application controls in place so data remains complete, accurate, and valid during input, processing and output. In this case, GenTax is the software DOR uses to process tax returns and payments – which is something all taxpayers may be interested in.

What sort of criteria do you use to assess how well the controls are in place?

We currently use the Federal Information System Controls Audit Manual, or FISCAM. It’s a standard methodology for auditing information system controls in federal and other governmental entities. It provides guidance for evaluating the confidentiality, integrity, and availability of information systems. The information included in FISCAM ties back to National Institute of Standards and Technology (NIST) publications.

How did you go about gathering information?

This audit, like all IT audits, started with interviews and a review of agency policies and procedures. We need to know how agencies have implemented the technology and how staff are using it. We test different pieces of the technology depending on the answers we get. For instance, if we hear that the agency has specific controls in place, we’ll test those controls. If they tell us they don’t have controls, then that’s our finding. For instance, a lot of agencies don’t have strong disaster recovery controls in place for IT systems. That was the case for this one. We check back on their progress in follow-up audits.

Was there anything unique about this audit?

It was somewhat unique in that we were looking at a system that DOR purchased, and both DOR and the vendor are actively involved in supporting the software. Agencies used to build their systems all in-house, and when we would do an audit, we would only talk to agency personnel. When we do an audit of purchased software, system changes are sometimes made exclusively by the vendor, and our audit questions focus on how the agency makes sure those changes are correct, since we are not auditing the vendor’s change management procedures. In this case, DOR and the vendor both make changes to the system, so we asked both agency and vendor personnel about their processes to ensure the changes were correct.

Another new thing was reporting some results that didn’t hit the materiality threshold. This audit reported on a few things that only affect a small percentage of returns the software processes, like the fact the software doesn’t currently provide notification when taxpayers make a mistake in reporting withholding on their returns that causes them to overpay taxes. These results may end up going hand in hand with the performance audit of DOR’s culture that’s going on right now.

Any other thoughts on auditing for IT auditors, or auditors in general?

You know, IT audits are like a lot of other audits. Getting good results is all about asking the right questions. You don’t always know what they are when you start, but do your best to figure them out!

Read the full audit HERE

Members of the audit team included:
Will Garber, CGFM, MPA, Deputy Director
Teresa Furnish, CISA, Audit Manager
Erika Ungern, CISSP, CISA, Principal Auditor
Sherry Kurk, CISA, Staff Auditor
Sheila Faulkner, Staff Auditor


Oregon Department of Education: Computer Systems Ensure Integrity of Data, But Other Processes Need Improvement

Executive Summary


The Oregon Department of Education (department) oversees the education of over 560,000 students in Oregon’s public K-12 education system. The annual distribution of the State School Fund of $3 billion and federal funding of about $750 million help fund Oregon’s public education.
The department’s computer systems reasonably ensure the integrity of data used to distribute the State School Fund and appropriately process school district claims for federal funding. However, improvements are needed to provide better security for computer systems and student data, manage changes to computer systems, and ensure systems can be restored in the event of a disaster.

Read full report here.

Computer systems ensure integrity of student and school data

Department staff use the Consolidated Collection System to analyze and aggregate school and student data. They use information from this system to allocate monies to Oregon’s schools and education service districts. Computer systems reasonably ensured the integrity of student and school information through automated processes that accurately identify students and detect potential data errors. In addition, department analysts use system information to validate student and school data.

Computer systems appropriately receive and process school district claims for federal funding

The department uses the Electronic Grant Management System and the Federal Cash Ordering System to receive and process requests for federal program expenditure reimbursements. We found that computer controls reasonably ensure that these systems could appropriately receive and process school district claims for federal funding. These systems ensure grant claims do not exceed available balances and reject claims that otherwise would be ineligible for reimbursement.

Security measures for computer systems were insufficient

Although the department provides important protection measures for security, improvements are needed to better secure their computer systems and data. Weaknesses we identified relate to the department’s processes for planning, configuring, managing, and monitoring information technology security components. As such, the department does not provide an appropriate layered defense to protect agency computer applications. Thus, confidential student level information is at increased risk of disclosure or compromise.

Management of changes to computer systems needs improvement

The department has formal processes and tools for managing changes to their systems, but staff do not always fully utilize them. Independent and technical reviews of computer code changes did not always occur and processes were not in place to ensure only approved code could be placed in production. These weaknesses increase the risk that developers could introduce unauthorized or untested changes to the systems.

System files and data are appropriately backed up but procedures for timely restoration after a disaster are absent

The department has processes in place to back up critical data and can restore individual files as needed. However, department management and staff have not fully developed and tested a comprehensive disaster recovery plan capable of restoring critical systems and data in the event of a disaster or major disruption. Without a disaster recovery plan, the department cannot ensure it can timely restore operations in the event of a disaster.

Recommendations

We recommend that Department of Education management ensure resolution of identified security weaknesses, improve processes for changing computer code, and fully develop and test processes for restoring computer systems after a disaster.

Agency Response

The full agency response can be found at the end of the report.


Methods (to our Madness): A 2 Minute Primer on IT Auditing, Through the Lens of an Employment Audit

Periodically, we will highlight some of the methods used in a recently released audit. Every performance audit is unique and can require creative thinking and methodologies to answer our audit objective. Some of these methods could be replicated or present valuable lessons for future projects.

Given some of Oregon’s high profile computer system failures, the global risk of IT security and the age of some Oregon agencies’ legacy computer systems, it is easy to see the importance of the Secretary of State’s team of Information Technology (IT) auditors. But what exactly do IT auditors do?

Here are some lessons learned and basic steps taken in IT auditing that I learned from Erika Ungern, Principal Auditor, and Matthew Owens, Senior Auditor in a conversation about their recently released IT audit, which found that computer programs for unemployment tax returns and claims at the Oregon Employment Department need attention.

When doing an IT audit, always test the data

In the Oregon Employment Department audit, the audit team followed a typical process for IT audits, including identifying the computer systems to evaluate, examining the process and expected controls of those systems, and testing the data to make sure that the systems were operating as intended.

When I asked the team if they always do the final step of testing the data, their faces lit up. (I’m not sure if it was due to the excitement of thinking about data or shock that I would even ask such a question). They replied in near unison that yes, you always have to test the data. Even if everything looks good on paper, the only way you can know if a system is working is to test it.

Compared to an ideal world, the Department’s computer systems fell short

COBIT and FISCAM are two criteria frameworks that describe an ideal world for government IT systems. IT auditors can measure a computer system against these frameworks to identify areas for improvement.

When IT auditors do this, they look at different points in the system and the controls that they would expect to find at each point. They look at the inputs. What is supposed to get into the system? They look at what the system does. How does it process or manipulate the data? And they look at the output. What happens at the end? Is there a report? Is the data transferred to another system? Or, as is the case here, is the output hundreds of millions of dollars in payments for unemployment claims?

At each point, they look for controls, or processes and checks built into the system or staff operations, that can prevent, detect or correct errors and ensure accuracy. For example, system “edits” are intended to ensure that unemployment insurance claims are not paid to recipients whose claim applications were denied.

The audit team looked at two of the Department’s systems and found that they were set up to handle routine claims and to process most employer tax payments automatically. However, the systems were old. Changes were not well documented and workarounds had been developed. Sometimes the team had to look at the computer code to understand what was going on. Uncorrected system problems could lead to some tax returns bypassing automated checks or requiring manual verification. The team proceeded to the next step to test the data and find examples of cases that were bypassing the system.

Data testing created an example for the Department to replicate

Employers submit unemployment insurance tax return data in two ways, one at the detailed employee wage level and one at the summary payroll level. The audit team took these two data sources and performed various analyses. In one instance, the audit team recalculated taxable wages to identify employers who may have under-reported (or over-reported) taxable wages, which in turn led to under or overpaying unemployment taxes. This analysis was so useful that the Department asked the audit team for a step-by-step explanation (see below) so that they could replicate it.

Finding million dollar issues now could save even more during a busy recession

Based on this analysis, the team found that nearly 2,000 employers had overpaid taxes by approximately $850,000 in 2014 and had not been notified. One non-profit overpaid by $17,000. They also found potentially $2.9 million in underpayments that had not been collected. While these amounts are a small portion of the overall tax collections, they could increase dramatically when unemployment increases, such as during a recession. Additionally, as evidenced by the non-profit example, missing these errors could have a large impact on small employers.

The Employment Department was not catching these discrepancies because staff were not reviewing the generated reports that may have helped them identify these issues.

Lessons learned: document as you go along

When I asked the team what lessons they had learned, they told me to document the steps you are taking as you do your data analysis. Hm, I think I have heard that advice before.

Breaking down the methodology

Here is a step-by-step look at how the team analyzed the data for incorrect unemployment insurance tax payment:

  1. The team took individual wage data and created a calculated field that recorded any amount of wages over $35,000 as $35,000 (since $35,000 was the taxable limit). Any value under $35,000 retained its original value.
  2. They summarized the data to get a total of calculated taxable wages for each employer.
  3. They filtered the table to show only taxable employers.
  4. The team then compared the taxable wages field with another field of payroll reported by employers. To do this, they created a new field that subtracted the taxable wages from the payroll field.
  5. They followed up on the results for any employer where the difference was greater than one dollar.
  6. They calculated a potential overpayment or underpayment of taxes using the employer’s assigned tax rate.
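The six steps above, carried out end to end on constructed data, as an added example that is not the audit team's code or the Employment Department's. The $35,000 taxable limit and the one-dollar follow-up threshold come from the steps; the file layouts (a detailed wage file with one line per employee, a summary payroll file with one line per employer), the "taxable" flag, the per-employer tax rate values and the sign convention (payroll minus calculated taxable wages, so a positive difference is a potential overpayment) are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Taxable wage limit stated in the audit methodology: wages above this amount
# per employee are not subject to unemployment insurance tax.
TAXABLE_WAGE_LIMIT = 35_000.00

# Step 5 tolerance: differences of one dollar or less are not followed up.
TOLERANCE = 1.00


@dataclass
class WageRecord:
    """One employee wage line from the detailed wage file (constructed layout)."""
    employer_id: str
    employee_id: str
    wages: float


@dataclass
class PayrollSummary:
    """One employer line from the summary payroll file (constructed layout).

    reported_taxable_payroll: taxable payroll the employer reported
    taxable: whether the employer is subject to the tax (step 3 filter)
    tax_rate: the employer's assigned tax rate as a fraction (assumed values)
    """
    employer_id: str
    reported_taxable_payroll: float
    taxable: bool
    tax_rate: float


def cap_wages(wages: float, limit: float = TAXABLE_WAGE_LIMIT) -> float:
    """Step 1: record any wages over the limit as the limit; smaller values pass through."""
    return min(wages, limit)


def calculated_taxable_wages(records, limit=TAXABLE_WAGE_LIMIT):
    """Step 2: total the capped wages for each employer."""
    totals = defaultdict(float)
    for rec in records:
        totals[rec.employer_id] += cap_wages(rec.wages, limit)
    return dict(totals)


def find_discrepancies(records, summaries, tolerance=TOLERANCE, limit=TAXABLE_WAGE_LIMIT):
    """Steps 3-6: compare reported payroll to calculated taxable wages and price the difference.

    Returns one dict per taxable employer whose difference exceeds the tolerance.
    A positive difference means the employer reported more taxable payroll than the
    wage detail supports (potential overpayment); negative means potential underpayment.
    """
    calculated = calculated_taxable_wages(records, limit)
    findings = []
    for s in summaries:
        if not s.taxable:                       # step 3: taxable employers only
            continue
        taxable_wages = calculated.get(s.employer_id, 0.0)
        difference = s.reported_taxable_payroll - taxable_wages  # step 4
        if abs(difference) <= tolerance:        # step 5: follow up only if > $1
            continue
        findings.append({
            "employer_id": s.employer_id,
            "calculated_taxable_wages": round(taxable_wages, 2),
            "reported_taxable_payroll": round(s.reported_taxable_payroll, 2),
            "difference": round(difference, 2),
            # step 6: potential tax over/underpayment at the employer's rate
            "potential_tax_difference": round(difference * s.tax_rate, 2),
            "status": "overpaid" if difference > 0 else "underpaid",
        })
    return findings


# Constructed sample data; none of it comes from the audit.
WAGE_RECORDS = [
    WageRecord("E1", "e1-a", 40_000.00),  # capped to 35,000
    WageRecord("E1", "e1-b", 20_000.00),
    WageRecord("E2", "e2-a", 30_000.00),
    WageRecord("E2", "e2-b", 30_000.00),
    WageRecord("E3", "e3-a", 35_000.50),  # capped to 35,000
    WageRecord("E4", "e4-a", 12_000.00),
]

PAYROLL_SUMMARIES = [
    PayrollSummary("E1", 60_000.00, True, 0.03),   # reported 5,000 too much
    PayrollSummary("E2", 50_000.00, True, 0.02),   # reported 10,000 too little
    PayrollSummary("E3", 35_000.75, True, 0.025),  # within the $1 tolerance
    PayrollSummary("E4", 5_000.00, False, 0.01),   # not a taxable employer
]


def run_analysis():
    """Run the full six-step comparison over the constructed files."""
    return find_discrepancies(WAGE_RECORDS, PAYROLL_SUMMARIES)


if __name__ == "__main__":
    for finding in run_analysis():
        print(finding)
```

Running the block lists E1 as a potential overpayment of $150 (5,000 over-reported at 3%) and E2 as a potential underpayment of $200; E3 falls inside the one-dollar tolerance and E4 is excluded by the taxable filter. Keeping each step in its own function is what lets the work be documented and re-run, which is the "document as you go" lesson the team describes.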


Caroline Zavitkovski, OAD Senior Performance Auditor, MPA


State Data Center: First steps to address longstanding security risks, much more to do

Executive Summary


Over the last nine years, security weaknesses at the state data center have put confidential information at risk. These weaknesses continued because the state abandoned initial security plans, did not assign security roles and responsibilities, and did not provide sufficient security staff. The Governor, Legislature, and Chief Information Officer have taken the first steps to fix these problems, but the solutions will take time, resources, and cooperation from state agencies.

Critical security issues were never resolved at the data center

Data center management and staff are meeting the day-to-day computing needs of the state agencies relying on its services. However, critical security issues identified throughout the past nine years were never resolved.

Security problems affect multiple components of the data center’s layered-defense strategy intended to make it more difficult for unauthorized users to compromise computer systems.

These weaknesses increase the risk that computer systems and data could be compromised, resulting in leaked confidential data such as social security numbers and medical records information.

Data center was never fully configured for security

Management got a good start on security planning, but during data center consolidation management abandoned the plan thinking they would complete some steps at a future time. Once the data center became operational, staff was overburdened and unable to make meaningful progress toward resolving critical security issues or implement security systems they purchased.

These adverse conditions continued because management did not assign overall responsibility or authority to plan, design, and manage security. In addition, they did not provide the necessary staffing to implement and operate security systems.

First steps have been taken to resolve longstanding data center problems

The Governor, Legislature and Director of the Department of Administrative Services took steps in the last six months to address data center staffing and organizational issues.

Two key steps that occurred were the state Chief Information Officer (CIO) became responsible for data center operations and the state Chief Information Security Officer was moved to the data center and tasked to oversee its overall security function.

These actions increased management’s focus on security at the data center. However, it will take additional time, perseverance, significant resources, and cooperation to resolve all known weaknesses.

Some computer operations were stable but disaster recovery was only partially tested

Apart from security, data center staff provides important operational support to agencies, including routine backups and monitoring computer processing. Data center staff made significant strides to resolve prior disaster recovery weaknesses identified by earlier audits. Their innovative approach was to partner with the Montana State Data Center to establish an alternate site to store and process data.

However, additional work needs to be done to ensure data at that site is secure, update recovery plans, and test the system.

Recommendations

We recommend agency management take steps to reconfigure data center security to provide the layered-defense strategy needed to protect state data systems. To accomplish this, management should clearly define security roles, responsibility and authority to carry out the plans and provide sufficient staff.

We also recommend management update and fully test disaster recovery plans and ensure data is secure at the remote site.

Agency Response

The agency agreed with all of the audit findings and recommendations. The response includes specific plans to correct longstanding security weaknesses and improve overall security organization, plans and staffing.

Their full response is attached at the end of the audit report.
