This audit was conducted to assess critical security controls and the Department of Revenue’s (DOR) information technology (IT) security management program. We concluded the agency should update its security management program to reflect recent statewide changes to IT security governance structures, as well as correct weaknesses in inventory management, vulnerability management, control of administrative accounts, configuration change management, and audit logging processes.
DOR handles sensitive information, including taxpayer personal information and tax data. The agency, in collaboration with the Enterprise Security Office at the Office of the State Chief Information Officer (OSCIO), is responsible for implementing a security management program to ensure the confidentiality, availability, and integrity of the information with which it is entrusted.
The purpose of this audit was to determine whether DOR has implemented an appropriate IT security management program and the basic cyber security controls necessary to ensure cyber defense readiness.
- DOR has implemented a security management program, but the associated plans and procedures have not been updated to reflect current staffing levels or the reorganization of statewide security under the OSCIO.
- DOR lacks specific policies and fully automated controls for many elements of the basic controls in the Center for Internet Security (CIS) Controls: asset inventory, vulnerability management, control of administrative privileges, configuration change management, and audit logging. These basic controls are the minimum every organization should implement to reduce the risk that attackers compromise its systems and data.
We recommend DOR improve its security management program and remedy weaknesses we identified in the basic controls defined by the Center for Internet Security.
DOR agreed with all of our recommendations. The agency’s response can be found at the end of the report.