Audit: Agencies still face IT security vulnerabilities
The audit also found weaknesses in security awareness training and network security
SALEM — Longstanding information technology security weaknesses continue at several state government agencies, according to a state audit released Wednesday.
The Secretary of State's Office, after spending a year auditing 13 state agencies for information technology security, warned in a report that the failure of the state to implement changes increased the risk of a "security incident."
"Overall, planning efforts were often perfunctory, security staffing was generally insufficient, and critical security functions were not always performed," the audit states. "These weaknesses collectively increase the risk of a security incident at one or more of the agencies."
Citing the "sensitive nature of security," the office sent confidential letters detailing specific security concerns to each agency, according to the audit.
The 13 agencies selected represent a cross-section of state government, according to the audit. They varied in size and type and include several agencies that maintain sensitive personal data, such as the Oregon Health Authority and the Oregon State Police.
All of the agencies the audit scrutinized fared poorly when it came to managing user accounts to ensure no unauthorized users had access to internal information; and all agencies had issues with "patching," or fixes to remedy the vulnerability of operating systems and software to viruses or hacking. Anti-virus software was missing or outdated at some agencies.
The audit also found weaknesses in security awareness training and network security.
Auditors also found that the state's Chief Information Officer hasn't given agencies adequate standards and oversight, and doesn't have processes in place to ensure compliance with state standards and federal security requirements.
Alex Pettit, the chief information officer, largely agreed with the audit's findings.
Pettit, in a letter released with the audit Wednesday, identified some ways the office is trying to address the issues. For example, it is continuing to develop by mid-2017 a program to regularly scan most agencies and to provide new training on security issue for state employees.
The office is also working on a risk assessment, followed by an "enterprise security plan," both of which the office expects to be complete by next summer.
Auditors noted it will take money and perseverance to address security concerns at state agencies.
The audit noted that more work is also needed to meet the requirements of Gov. Kate Brown's executive order in September to consolidate the state's IT security functions under the CIO's umbrella.
Brown's order did not allocate more staff to the CIO, according to the audit, although IT security staff from all state agencies not led by an independently elected official or part of the public university system were to be assigned to the CIO through a "job rotation" agreement.
Those employees in rotation will continue to be compensated by their respective agencies, according to the order.
"Ultimately, the Governor, the OSCIO agency directors, and the Legislature must cooperate to create, fund, endorse and implement a statewide security plan," the audit states.
The CIO has also worked to update its standards, and Pettit said in his letter that his office will identify "critical resource gaps" to bring to the attention of the governor and legislature.
The audit examined the following state agencies: The Oregon Health Authority; the Oregon Department of Justice; the Oregon Department of Transportation; the Oregon Parks and Recreation Department; the Oregon Department of Revenue; the Oregon State Police; the Oregon Youth Authority; the Department of Consumer and Business Services; the Oregon Education Department; the Oregon Department of Forestry; and the Oregon Department of Fish and Wildlife.