A recent audit of the Michigan Department of Technology, Management and Budget (DTMB) identified gaps and deficiencies in how state IT networks are managed and secured, prompting on-the-spot corrections and ongoing work to formalize internal written protocols, improve access controls and begin IT policy process improvement.
The Michigan Office of the Auditor General (OAG) undertook the performance audit, released in March, to assess the state network and cybersecurity, including the “availability, confidentiality and integrity” of network and data, and how the agency’s network, computers and data are defended from breaches.
“Protecting a computer network entails a series of defensive mechanisms at various layers of security (the concept of defense in depth). Network security is just one of those layers. Although we identified 14 findings, we concluded that DTMB was moderately effective or moderately efficient for each of the four audit objectives,” Kelly C. Miller, the OAG’s state relations officer, told Government Technology via email.
Miller indicated the audit was a result of the agency’s “annual risk assessment process” in which it identified network and cybersecurity as “high risk areas,” and was not prompted by an event or incident.
“The audit findings are significant because the design and administration of the state of Michigan’s network impacts the security of the state’s overall IT resources and data,” Miller added, noting OAG believes DTMB agrees improvements are necessary — a positive sign.
In a March 16 letter to DTMB Director and state CIO David DeVries, state Auditor General Doug Ringler informed the agency it would have 60 days to “develop a plan to comply” with the audit’s recommendations. DTMB Director of Communications Caleb Buhs told GT via email that the agency is already preparing the “audit remediation plan,” due by May 15.
Buhs emphasized that data in the state’s network remains secure due to multilayered protection, as well as investments made in these protections in recent years.
“This audit, over a very specified functional area, highlighted incongruence between our dated policy and our evolving enterprise IT environment. We remain diligent and continue to evolve our tactics, techniques and procedures as the threat evolves,” Buhs told GT.
The audit, which has been considered by legislators during the past two weeks, made nine findings that rose to the level of “reportable condition,” and five that were more serious, identifying “material” conditions. Among these five conditions, OAG found DTMB:
In other findings, OAG revealed it conducted a phishing exercise on 5,000 randomly sampled employees in 18 executive branch departments and the executive office. It found 32 percent opened the targeted email; 25 percent clicked a link within it; and 19 percent entered credentials.
Buhs said the state does its own phishing tests of employees and contractors, including one campaign last fall that included all 53,491 state employees. In the test, only 18 percent of employees clicked the link, and 10 percent “proactively” forwarded the email to the state cybersecurity team.
Current state standards for ongoing training for security personnel require annual role-based training, he added. These training requirements were satisfied by staff, Buhs said, and a more comprehensive process following industry standards for documenting the training has been instituted. Additionally, an improved statewide security awareness program was put in place with a new security training contract in March 2017.
In a review of network device life cycle management processes, OAG found 19 percent of 3,876 devices were no longer supported by the vendor; and 5 percent were running unsupported operating systems. DTMB said it evaluated and will replace “the majority of these devices as needed.”
The question of privilege, or who gets network access, is not an uncommon one in state and local governments. Upon scrutinizing administrative access, OAG found five accounts remained active after a user no longer worked for the state; four users with “access beyond what was required” to do their jobs; and one user with multiple accounts due to an employment change. Additionally, DTMB was unable to document management approval of access rights for 11 of 14 users reviewed.
OAG recommended DTMB “fully establish and implement effective administrative access controls over network devices.” DTMB agreed, said it has been “working on improvements to access controls,” and executed “many access corrections on the spot.”
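The four administrative-access conditions OAG reported (orphaned accounts, access beyond the role, multiple accounts per person, and undocumented approval) are the kind of thing a periodic reconciliation of device accounts against the HR roster surfaces. The following is an added example, not OAG's or DTMB's tooling; the roster and account data model, the role baselines and every record are constructed assumptions:

```python
# Added example (not DTMB's or OAG's tooling): reconcile network-device admin
# accounts with an HR roster to surface the four access findings in the article.
# Data model and role baselines are assumed; all records are constructed.
from collections import Counter

# Assumed privilege baseline per job role (least-privilege reference).
ROLE_BASELINE = {
    "network-admin": {"read", "config", "firmware"},
    "noc-operator": {"read"},
}


def review_admin_access(accounts, roster, approvals):
    """accounts:  list of (account_name, owner_id, set_of_privileges)
    roster:    {employee_id: {"active": bool, "role": str}}
    approvals: set of account names with documented management approval
    Returns {finding_type: sorted list of account names}."""
    findings = {"orphaned": [], "excess": [], "duplicate": [], "undocumented": []}
    owners = Counter(owner for _, owner, _ in accounts)
    for name, owner, privs in accounts:
        person = roster.get(owner)
        if person is None or not person["active"]:
            # Still-active account whose owner no longer works here.
            findings["orphaned"].append(name)
        elif privs - ROLE_BASELINE.get(person["role"], set()):
            # Privileges beyond what the role requires.
            findings["excess"].append(name)
        if owners[owner] > 1:
            # One person holding several accounts (e.g. after a job change).
            findings["duplicate"].append(name)
        if name not in approvals:
            # No documented management approval of the access rights.
            findings["undocumented"].append(name)
    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample data
ROSTER = {
    "e100": {"active": True, "role": "network-admin"},
    "e200": {"active": False, "role": "network-admin"},  # separated employee
    "e300": {"active": True, "role": "noc-operator"},
}
ACCOUNTS = [
    ("adm-alice", "e100", {"read", "config", "firmware"}),
    ("adm-bob", "e200", {"read", "config"}),
    ("ops-carol", "e300", {"read", "config"}),  # config exceeds noc-operator
    ("ops-carol2", "e300", {"read"}),           # second account, old role
]
APPROVALS = {"adm-alice", "adm-bob", "ops-carol"}
```

Running `review_admin_access(ACCOUNTS, ROSTER, APPROVALS)` flags `adm-bob` as orphaned, `ops-carol` as excess, both Carol accounts as duplicates and `ops-carol2` as lacking approval.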
DTMB is also conducting an IT policy improvement initiative expected to be complete in June, Buhs said.
This was DTMB’s second related audit in about 14 months. In January 2017, an OAG audit faulted DTMB strategies for helping state agencies identify critical “red card” systems and infrastructure, and plan for disaster recovery in an emergency.
In most instances relevant to designing and administering a secure IT network, Buhs said DTMB is taking the right measures, but may not have been properly documenting them. In other instances, he said, standards “have not been updated to reflect the enterprise aspect of the mission, or the current industry business practice.”
“We have been reviewing and updating our IT policies and technical standards to make them better align to industry best practices,” Buhs said.