Data Breach Risk Is High at Colorado Agencies, Audit Says

Auditors have found flaws in Colorado’s cyber-security program that put the state government at “high risk” of system compromise or data breach, according to a report released this week.

State auditors contracted a private security firm to test the security of agencies’ computer systems and were able to identify a “significant number of serious vulnerabilities in the state’s networks and applications.”

The breach team was able to gain unauthorized access to several state computer systems and thousands of people’s personally identifiable information, including Social Security numbers, phone numbers, birth dates, user names and passwords. Among the compromised data, information was obtained for government employees.

To fix such a security compromise, if it occurred, could cost the state as much as $15 million, the audit estimated.

The audit also said hundreds of security vulnerabilities were found in the state’s computer systems, 22 percent of which were deemed high risk.

“The Office of Cyber Security has failed to ensure that the state has the processes,
procedures and technology necessary to identify, respond to and analyze cyber-security incidents occurring within computer systems of the state and institutions
of higher education,” the audit concluded.

The Governor’s Office of Information Technology agreed to the audit’s many recommendations for improvement, a few of which included a strategic plan for the Office of Cyber Security, better leadership and a more effective process for breach incident reporting. The audit said that its security testing should have resulted in 40 to 60 incident reports, but in actuality only brought four incidents during the testing window from April through September.

Sixty percent of state agencies and departments also hadn’t submitted information security plans to the Office of Cyber Security as required by law.

Dara Hessee, the Office of Information Technology’s chief of staff, told The Denver Post that the agency “takes cyber-security very seriously, and we intend to remedy the issues identified in the audit report as quickly as possible.”

Many of the recommendations will be implemented by July 2011 or sooner, according to the audit. Hessee told the newspaper it would take $40 million to put in place a satisfactory cyber-security plan. The Office of Cyber Security spent just $429,000 in fiscal 2010.

Lawmakers who spoke to the newspaper called the breach findings scary and disturbing.