
Audit Finds Weaknesses in State Data Center

SALEM — Only recently have the Governor, Legislature and state Chief Information Officer taken the first steps to address security weaknesses at the state’s data center that have persisted for nine years, according to a Secretary of State audit released today.

The audit reviewed security of the data center operated by the Department of Administrative Services’ Enterprise Technology Division.  State agencies use the data center’s complex and extensive inventory of computers and networks to run hundreds of their programs. A breach in state systems could result in significant loss of sensitive data about Oregonians, such as tax or medical records and social security numbers that could be used in fraud or identity theft.

The report identifies six critical security problems that have never been resolved, although auditors issued warnings dating back as far as 2006.  The problems include inadequate management of system configurations, insufficient monitoring of networks and users with special system access, inadequate incident tracking, and obsolete hardware and software.  Collectively, the problems heighten the risk to computer programs and information at the data center.

Auditors concluded that the state has been unable to improve security because management abandoned initial data center security plans, did not assign security roles and responsibilities, and did not provide sufficient security staff.  As a result, efforts to improve security often ended in partially implemented solutions.  Even if alerts sounded, in many cases no one had the authority or responsibility to resolve them.

“Oregon must do more to protect its data systems,” said Secretary of State Jeanne P. Atkins. “The risks identified in this audit make it clear the urgency we face.”

The report noted that organizational changes to improve security occurred in the last six months.  The state Chief Information Officer now answers directly to the Governor.  In addition, the 2015 Legislature formalized the state Chief Information Officer’s responsibility for information technology throughout all state agencies, including the data center. This also brought the data center under the direct responsibility of the Chief Information Officer.  These changes heightened attention on security, and managers are now starting to build the security function into the data center as originally planned.

Auditors stated that the organizational changes were appropriate and necessary but also indicated that resolving the many longstanding security weaknesses will require significant resources, time and perseverance, along with the cooperation of other state agencies. Auditors noted that they will be starting an audit of security issues in agency computer programs and will also return to the data center in two years to report on its progress.

Auditors also recognized management for the unique agreement with the state of Montana to quickly restore operations after a serious disaster or disruption by copying its systems and records to Montana’s State Data Center.  This approach could assist data center recovery but auditors noted additional work remained to replicate some systems and fully test the plans.

Read the audit here.

The audit team consisted of William Garber, Neal Weatherspoon, Teresa Furnish and Amy Mettler.

##


The post Audit Finds Weaknesses in State Data Center appeared first on The Oregon Secretary of State Newsroom.

