Secretary of State Bev Clarno’s office released its latest audit on July 3, this one on the state of cybersecurity in the Department of Administrative Services, the state’s central administrative agency.

The picture the audit painted wasn’t a pretty one.

It found the agency’s cybersecurity efforts lacking, so much so that “as a result, DAS systems and data may be at risk for unauthorized use, disclosure, or modification.”

Auditors found that, among other things, DAS lacks a formal security management program. As a result, it has no framework for continuing evaluation of risk, putting effective procedures in place and then monitoring to see that they work as intended.

In fact, auditors noted, the agency doesn’t have an inventory of authorized and unauthorized software being run on its computers. DAS does have a tool that could create such a list, but for some reason does not use it.

Also bad news: There are more than 80 different software applications in use at DAS, but all but 16 of them are managed not by information technology staff, but by others in the various divisions. That helps explain why some divisions have the ability to install unapproved software.

Worse, the lack of cybersecurity is already causing problems.

Files at the Department of Human Services were compromised in January 2019 when an employee opened a “phishing” email.

The Secretary of State’s campaign finance and business registry websites were both hacked before Dennis Richardson held that office.

DAS officials agreed with the seven recommendations made in the report and noted that the 2019 Legislature already has allocated money for an agency-wide assessment of its IT capability and security.

The assessment will allow DAS to create a program for managing both software and hardware, officials said.

Unfortunately, DAS officials don’t expect to complete four of the seven recommendations until 2023, assuming the Legislature gives the agency the money in 2021 to do so.
