Secretary of State Bev Clarno’s office released its latest audit on July 3, this one on the state of cybersecurity in the Department of Administrative Services, the state’s central administrative agency. The picture the audit painted wasn’t a pretty one.
It found the agency’s cybersecurity efforts lacking, so much so that “as a result, DAS systems and data may be at risk for unauthorized use, disclosure, or modification.”
Auditors found that, among other things, DAS lacks a formal security management program. As a result, it has no framework for continuing evaluation of risk, putting effective procedures in place and then monitoring to see that they work as intended.
In fact, auditors noted, the agency doesn’t have an inventory of authorized and unauthorized software being run on its computers. DAS does have a tool that could create such a list, but for some reason does not use it.
Also bad news: There are more than 80 different software applications in use at DAS, but all but 16 of them are managed by not information technology staff, but by others in the various divisions. That helps explain why some divisions have the ability to install unapproved software.
Worse, the lack of cybersecurity is already causing problems. Files at the Department of Human Services were compromised in January 2019 when an employee opened a “phishing” email. The Secretary of State’s campaign finance and business registry websites were both hacked before Dennis Richardson held that office.
DAS officials agreed with the seven recommendations made in the report and noted that the 2019 Legislature already has allocated money for an agencywide assessment of its IT capability and security. The assessment will allow DAS to create a program for managing both software and hardware, officials said.
Unfortunately, DAS officials don’t expect to complete four of the seven recommendations until 2023, assuming the Legislature gives it the money in 2021 to do so.