News: CJ Exclusives

Audit: State IT System Vulnerable To Security Breaches

Auditor cites potential security gaps, praises CIO for working to address vulnerabilities

A newly released state audit has revealed shortcomings in the state government information technology system that could compromise security.

“There have not been breaches,” State Auditor Beth Wood said. “There have been a lot of instances where people were trying to get in.” Wood added that the state took too much time reacting to the vulnerabilities.

“The state’s [chief information officer’s] office doesn’t have a plan for risk management,” Wood said. “You really don’t have them setting performance metrics to make sure our data can’t be breached.”

The auditor’s office recommends that the state CIO direct the department’s Enterprise Security and Risk Management Office to adopt a comprehensive and well-documented risk management framework. It also recommends the CIO direct ESRMO to establish and post performance measures on the department’s website as required by law.

Other recommendations request the state CIO to direct:

  • the risk management office to begin annual assessments of each agency and each vendor to determine compliance with state security standards;
  • the risk management office to complete a comprehensive strategy for agencies to conduct security assessments and communicated that strategy to all agencies;
  • personnel to address and resolve immediately vulnerabilities detected during scans of systems within established deadlines.

The auditor’s office also suggests that the General Assembly consider modernizing the state’s IT security law.

Wood said that the state CIO has no authority over a lot of local organizations with information systems that are tied into the state’s system. Those include local school systems connected to the state Department of Public Instruction’s system, local clerks of court offices linked with the state Administrative Office of the Courts, and county agencies tied into the Department of Health and Human Services.

The lack of sufficient safeguards puts state and personal information at risk, Wood said. That includes Social Security numbers, bank accounts, medical information, criminal records, and tax information, she said.

“There is a lot of our private personal stuff that could be used to either steal money or steal our identities,” Wood said.

Keith Werner, state chief information officer, generally agreed with the auditor’s findings and recommendations. In an eight-page letter to Wood, Werner laid out measures his office is taking or will take to address the shortcomings of the state IT system.

Werner noted that many of the issues began at a time the IT system was divided among a host of state agencies. Last year, the General Assembly established a Cabinet-level Department of Information Technology in an attempt to centralize IT efforts and modernization.

Wood said she was pleased with Werner’s response.

“The new CIO is very appreciative of the work,” Wood said. “He was on to some of this before our audit started. … This is good news for me as a taxpayer.”