Audit Release: Severe Deficiencies in Disaster Recovery Program and Insufficient Information Technology Planning Pose Substantial Risks to Beneficiaries and the State


Report Highlights

The agency charged with administering the Public Employees Retirement System, or PERS, should improve Information Technology (IT) strategic planning efforts to ensure that IT investments return the most value and minimize risk. Additionally, PERS should immediately correct deficiencies with existing disaster recovery plans so the agency can effectively respond to catastrophic events that would prevent the use of existing IT hardware and software. PERS is working to update current plans and implement a recovery site, but a more urgent effort is needed.

This audit includes an assessment of critical security controls and the agency’s IT security management practices. PERS should improve security management roles and training, as well as correct weaknesses in inventory management, configuration change management, vulnerability management, and controlling administrative accounts.

Background

PERS has over 365,000 members and is responsible for administering employee pension programs for state agencies as well as approximately 900 local governments. PERS provides $310 million in retirement benefits each month. The agency’s Information Services Division provides PERS with information technology, such as pension benefit calculation software, to support agency operations.

Purpose

The purpose of this audit was to determine whether PERS could improve IT security and IT strategic planning efforts and to assess the agency’s preparedness to restore critical IT systems in response to a disaster.

Key Findings

PERS’s IT strategic planning lacks sufficient detail to help ensure IT investments return the most value, pose the least risk, and are completed on time. Insufficient planning has contributed to mismanagement of some agency initiatives.

While PERS has identified a method to issue most pension payments in the event of a disaster, it has not fully addressed changes in payment processing by the Oregon State Treasury. The agency’s disaster recovery plans pose serious risks because they are insufficient to restore critical IT systems. Furthermore, the agency has not tested those plans and has not yet complied with legislative mandates to acquire an alternative recovery site and improve disaster recovery planning. The agency’s strategy of re-issuing the prior month’s payments poses a risk of benefit payment errors and has never been tested.

Recommendations

Our report includes ten recommendations to PERS to implement improved IT strategic planning and to take immediate action to remedy weaknesses in its disaster recovery plans. In addition, we make six recommendations to PERS and the Office of the State Chief Information Officer related to Critical Security Controls.

PERS agreed with all of our recommendations. The agency’s response can be found at the end of the report.

Read full report here.


Oregon Employment Department: Computer Programs for Unemployment Tax Returns and Claims Need Attention

Executive Summary


Oregon Employment Department computer programs correctly process most individual unemployment insurance claims and associated employer tax returns, but these outdated computer programs should be replaced. Additional work is also needed to improve security, processes for changing computer code, and disaster recovery capability.

Computer programs correctly handle most unemployment benefit claims and tax statements, but should be replaced

Oregon Employment Department (Employment) computer systems handle routine unemployment claims accurately. Systems also process most employer quarterly unemployment tax returns appropriately. However, due to system limitations, Employment staff must identify and manually correct some unemployment claim errors. In addition, some unemployment tax returns bypass automated routines that provide needed scrutiny to detect and correct errors.

These computer programs are inflexible, poorly documented, and difficult to maintain. Considering these factors, Employment should take steps to replace them with more robust and maintainable computer code.

Computer security problems increase risk that data could be compromised

Coordinated use of multiple security components is necessary to protect the integrity of computer systems and their data. Although Employment management and the state’s data center have done much to protect Employment’s computer systems, improvements are needed.

Areas of most concern include ensuring users have the appropriate level of access to computer programs, monitoring actions of users having the most powerful access to systems, and addressing state data center security weaknesses we identified in previous audits.

Processes to better control changes to computer code are needed

Our 2003 and 2012 audits noted problems managing programming changes to these systems. These conditions remain largely unchanged, and increase the risk that programmers could introduce unauthorized or untested changes to the system.

Although these weaknesses are long-standing, Employment managers and staff recently began work to resolve them. They currently have a project to acquire a software solution that could significantly enhance their ability to address many of the identified problems.

Disaster recovery capability is greatly improved, but Employment should ensure plans and processes are complete

Responsibility for recovering the use of computer systems in the event of a disaster is shared with the state data center where these computer systems are hosted. In 2014, the data center entered into an agreement with the state of Montana to place copies of Oregon’s computer systems and data inside Montana’s data center.

This innovative approach to disaster recovery significantly improves Employment’s ability to resume operations in the event of a disaster, but additional work is needed to ensure these systems and data are secure and can be made fully operational when needed.

Recommendations

We recommend that management take steps to improve processes for detecting and correcting unemployment tax return errors, improve system documentation, resolve security weaknesses, and fully develop and test disaster recovery procedures.

Agency Response

The agency’s response to the report is included at the end of the audit report.


Audits in the News: August 3rd

We here in the audits division are proud that the work we do makes a difference. Our work attracts the attention of the legislature, statewide news sources, and even local media outlets. Local media coverage of our audits is just another way we communicate with the people of Oregon about the work that we’re doing on their behalf to make government better. This is part of an ongoing series of posts rounding up recent instances in which the Oregon Audits Division makes a cameo in the local news.

The Oregonian/OregonLive.com – Ethics reforms after Kitzhaber: Which bills passed? Which bills didn’t?

Read the story here.

“More than a dozen measures dealing with ethics reforms emerged in the Legislature this year after an Oregon first: the resignation of Gov. John Kitzhaber amid a federal influence-peddling investigation. But just three bills passed, part of a measured approach championed by Gov. Kate Brown and top legislative Democrats … Senate Bill 9 orders the secretary of state to conduct an audit of state agencies’ handling of public records, and to report recommended changes.”

This audit is currently underway, with a scheduled release date of Nov. 20, 2015.

Medford Mail Tribune – Our View: Legislature left unfinished business on ethics

Read the story here.

“As lawmakers look toward the short 2016 session, which also happens to be an election year, ethics reforms should figure prominently on their to-do list … Only three ethics bills passed … The third orders the secretary of state to conduct an audit of how state agencies handle public records and to recommend changes.”

This audit is currently underway, with a scheduled release date of Nov. 20, 2015.

Portland Tribune – A victory for the Department of Administrative Services

Read the story here.
“Twelve new employees will work to fix problems identified in audits of state cyber security and IT operations, which the state has been slow to address. For example, the state has yet to fix some of the vulnerabilities auditors identified at the state data center in 2012. The data center is housed at the Department of Administrative Services, which is the central technology provider for state government and some municipal governments in Oregon.”

The audits division’s 2012 audit of the data center can be found here.
Another data center audit, conducted in 2010, can be found here.


Major IT Projects: Continue Expanding Oversight and Strengthen Accountability

The new effort to monitor and control system development, “stage gate,” is a significant step in the right direction. However, the following weaknesses should be addressed:

  • DAS has not fully staffed or defined stage gate processes
  • Stage gate efforts may not sufficiently detect or prevent significant system development problems state agencies have experienced
  • Some state agencies lack expertise to manage large IT projects
  • Consequences of failure to meet stage gate requirements are unclear