Problems unresolved since state data center opened

TRIBUNE FILE PHOTO - State data servers, similar to these, need better security to protect information, according to a new audit by the secretary of state's office.

SALEM — A decade after lawmakers consolidated state computer operations, a new audit says there is still much to do to resolve security weaknesses in the State Data Center.

The audit was released Tuesday by the secretary of state. It acknowledges progress in the past few months by lawmakers, Gov. Kate Brown and the Department of Administrative Services, the parent agency of the data center.

“These actions increased management’s focus on security at the data center,” the audit says. “However, it will take additional time, perseverance, significant resources, and cooperation to resolve all known weaknesses.”


The Audits Division report is the 12th that flagged security weaknesses since the center became operational in 2006, the year after lawmakers created it to consolidate operations of the largest state agency users.

In addition to a 2008 report from an outside consultant, four of the audits were confidential, including one in 2012 that accompanied the release of a public audit.

The public audit only hinted at security vulnerabilities. It focused on improper handling of media tapes and incomplete or not fully tested recovery programs used after events such as major computer crashes.

DAS and the secretary of state declined to release details of the 2012 confidential audit despite a request earlier this year from the Pamplin Media Group/EO Media Group Capital Bureau. They said such a disclosure would amount to an invitation for hackers to attack security weaknesses that have not yet been resolved.

“These weaknesses increase the risk that computer systems and data could be compromised, resulting in leaked confidential data such as Social Security numbers and medical records information,” the new audit says.

Hackers in 2014 accessed the databases of the secretary of state and the Employment Department. Hackers also accessed data from the center earlier this year, although a DAS spokesman says the breach was unrelated to the ongoing security problems identified by auditors.

This year, lawmakers designated the state’s chief information officer as responsible for security at the State Data Center — and required that 10 percent of the center staff and the operating budget for security be under the chief information security officer. Lawmakers also approved more money for staffing, although not the full amount requested by DAS, which can return to seek more in the 2016 session.

The audit concludes:

“We recommend agency management take steps to reconfigure data center security to provide the layered-defense strategy needed to protect state data systems. To accomplish this, management should clearly define security roles, responsibility and authority to carry out the plans and provide sufficient staff.

“We also recommend management update and fully test disaster recovery plans and ensure data is secure at the remote site.”

Agency response

The written response by Alex Pettit, the state’s chief information officer within DAS: “We agree with the findings and recommendations made by the secretary of state auditors.”

Among the steps Pettit outlined that will be taken by the end of the year:

• A security operations center within the data center focused on monitoring and responding to security incidents.

• Additional staff to speed up the transition of outdated equipment and programs.

• A program manager focused on completion of security projects, many of which in the past have been only partially completed.

• Revised policies focused on monitoring, response to incidents, and who has access to data and at what levels.

• A third-party assessment of security risks, something specifically sought by Gov. Brown.

Pettit also says that recovery plans after a disaster will be fully tested.

Incomplete or never-carried-out testing of such plans was faulted in the current audit and in several past audits. Pettit’s response says Oregon is working with the data center in Montana to test and update plans, but it will be in phases over several years.

Also like past audits, the current audit says security weaknesses dating back to the 2006 start-up of the data center were never resolved, largely because of lack of staff or lack of follow-through that was no one’s specific responsibility.

In keeping with its practice when the Audits Division finds a pattern of problems within a program or agency, the current audit says there will be a follow-up review of whether security weaknesses have been resolved.

The audit also says that state auditors will take a separate look at security practices by state agency computer users themselves.

“This activity will be ongoing with requirements still to be defined,” says the response by Pettit. “As requirements still need to be collected from each agency, it is difficult to estimate completion at this time.”

Additional reporting contributed by Hillary Borrud.
