An audit by the Oregon Secretary of State's office finds vulnerabilities in the systems of 13 state agencies, but an executive order from the Governor assigns more authority over security to the CIO's office.
A new audit of state computer systems by the Oregon Secretary of State’s office found that most of the 13 agencies it reviewed lacked adequate security plans, processes or staffing to complete fundamental security functions to protect information systems and data.
The document also noted longstanding vulnerabilities in the state’s computer systems. State officials who worked on the audit declined to be quoted directly but said it revealed definite deficiencies that need to be addressed.
CIO Alex Pettit, who has held the post since early 2014, said his office generally agrees with the findings but that a Sept. 12 executive order (EO) from Gov. Kate Brown gives his office new “authority over the security of the 80-some agencies."
Released Wednesday, the audit assessed seven security functions: security planning and staffing, vulnerability management, network security, user account management, security patching and anti-virus, outdated operating system replacement, and security awareness training at 13 state departments.
The agencies, including Revenue, Corrections, Parks and Recreation, and the state police, were chosen because they comprised a representative cross-section of state departments.
The audit, conducted between September 2015 and September 2016, found most agencies reviewed did not provide adequate security for computer programs and data. All showed weaknesses in at least two survey areas, and more than half had weakness in six of the seven areas.
All 13 agencies had security weaknesses in user account management and security patching and anti-virus, while 11 agencies were found to be using outdated operating systems.
Only seven agencies were found to have deficiencies or vulnerabilities in network security, the least problematic survey area.
Citing confidentiality requirements, audit team members declined to provide specific examples of vulnerabilities or deficiencies discovered, or to name agencies that experienced these issues.
The audit recommended the Office of the State CIO (OSCIO) collaborate with state agencies to make plans to fully implement the requirements of the governor's executive order: develop sufficient statewide standards and processes for oversight to ensure the security of computer systems; work with agencies to remediate specific weaknesses identified in the audit; and work with the governor, legislature and agency directors to ensure staffing and resources are available to implement security measures at the agency level.
In a statement, Oregon Secretary of State Jeanne P. Atkins said the audit found this is a critical time for more leadership and oversight from the OSCIO to ensure security of the state’s computer systems.
“We also need the Legislature and the governor’s office to continue engaging on this mission so that the CIO has adequate support as more and more government services are provided online,” Atkins said. Specifically referencing the state's posture relative to security, she added: “We’re behind. I think there’s no doubt about that.”
But the audit also highlighted a long-existing pattern of vulnerabilities in state computer systems.
“For more than 15 years, audits of state agency systems and controls have identified significant security weaknesses with computer systems and controls at state agencies,” the audit’s authors wrote.
State officials provided Government Technology with two earlier audits.
A 2015 audit of Oregon's data center, operated by the Department of Administrative Service, found security weaknesses had put confidential information at risk during the previous nine years.
Among its recommendations were developing and maintaining configurations and processes for monitoring systems to detect unauthorized changes and ensuring users remain authorized, and replacing unsupported network equipment and obsolete operating systems.
A 2010 data center audit found that most security issues identified in previous audits “could be successfully mitigated without new or overly complex technical solutions,” yet continued to exist.
Among the 2010 audit's recommendations was that the shared services governance structure be revised to facilitate timely resolution of security issues.
Pettit said in an official response letter Tuesday that his office generally agreed with the latest audit’s findings. As mandated in the executive order, the OSCIO will complete an "enterprise-wide security risk assessment" by mid-2017, followed immediately by the development of an Enterprise Security Plan, according to Pettit.
The OSCIO agreed on almost all of the audit's points, mentioning, for example, that implementation of an Enterprise Vulnerability Management Program, under development for more than a year, has been accelerated.
An exception was the charge it had "not yet provided sufficient and appropriate IT security standards and oversight."
The OSCIO "generally" agreed with this, and said in the response letter it collaborated with 11 state agencies to rewrite Information Security Standards that will be published this year. Next year, the letter said, policy and guidance standards are also being redone, and will be published next year in conjunction with the release of the new Enterprise Security Plan.
In an interview, Pettit said Oregon's track record was his biggest concern after reading the audit, “that fundamentally the state has not been making progress in this area.”
“I think that right there was the most alarming thing to me and is also the most encouraging thing, because now we’ve certainly changed how this is going to be done,” Pettit said, referring to the executive order.
The EO outlined a process to unify IT security functions and transferred executive department state agency security functions to the OSCIO through June 30. It directed agencies to work with the OSCIO's new security group to create and implement security plans, rules and policies, and to cooperate with OSCIO in its risk assessment and remediation.
Auditors noted OSCIO has "developed proposed milestones related to security and education awareness, risk assessments and vulnerability scanning."
But they said few details exist as to how the CIO and agencies will achieve the EO's requirements.
The EO, auditors wrote, transfers security functions from agencies to the CIO without adding staffing or resources to support the shift. This, they said, could "lead to confusion" for staffers transferred to OSCIO but still directed by their agencies for daily functions.
"It’s pretty hard not to agree with some things when they’ve been citing them over and over," Pettit said in an interview, referring to the new audit. "Having said that, the other piece of some note, the OSCIO has only had the authority to mitigate some of these things for 10 weeks now."
Pettit said his office will do "a complete inventory," assessing everything from the ages of systems, hardware and software to the ingress and egress of online traffic.
He praised the EO which he said he hopes the Legislature will make permanent, and said it "empowers us to mitigate the risk the state is subject to by having access to the data.”
"We’ve been able because of the protections we have in place, we've been able to prevent ... any significant loss or elimination. But that doesn’t stop that it’s an ongoing war for us. It’s a constant struggle to protect our systems and our information and our citizens' data," Pettit said.