Audit: Oregon Data Security Still Needs Fixing

March 8, 2010

An audit by the Oregon Secretary of State’s office says there has been little progress in fixing serious gaps in the state’s data security systems.

Auditors wrote in the report that the weaknesses could jeopardize the security of residents’ personal information, such as tax returns, Social Security numbers, driver’s license information and confidential medical records.

“Many security weaknesses continued to exist simply because nobody was given the authority or responsibility to resolve them,” auditors wrote. “Others languished because State Data Center management had not developed an adequate security plan with associated standards and procedures to provide appropriate security expectations or requirements.”

Audits Division Director Gary Blackmer told the Statesman Journal newspaper in Salem that the center’s systems were compared with industry best practices.

“A determined hacker has a better chance in a weaker system,” Blackmer said. “The likelihood of it is hard to predict but the consequences would be great.”

The Legislature created the center in 2005 by consolidating 12 data centers operated by individual state agencies.

Since then, the Audits Division has released reports critical of the center’s security in September 2006, July 2008 and February 2009. The state also hired the U.S. Department of Energy’s Pacific Northwest National Laboratory to assess the vulnerability of the center. Its October 2008 report confirmed the security concerns.

Auditors wrote last April to Oregon’s Department of Administrative Services management about security weaknesses in the Statewide Financial Management Application and the Oregon State Payroll Application.

In their latest report, auditors focused on why long-standing weaknesses that could easily be fixed were not.

They said managers should eliminate a “shared governance structure” they called “a maze of boards, committees and subcommittees … that has delayed improvements.”

In a response published with the audit, DAS Director Scott Harra disagreed with that recommendation.

Department spokesman Lonn Hoklin said individual state agencies need to be involved in security decisions because they end up paying for them, and because they change the way they do business.

“Oregon’s information assets are safe,” Hoklin said. “They’re resting behind a very sophisticated security system that offers multiple levels of security.”

Senate President Peter Courtney, D-Salem, said he was surprised by the report.

“Usually when an audit comes out people work hard to improve,” Courtney told the Statesman Journal. “That’s not happening here, and when I hear it’s because of bureaucracy, that will send me right out the window.”

Harra said some audit recommendations already have been adopted, such as hiring an expert last October to lead the center’s security program.

Anna Richter Taylor, spokeswoman for Gov. Ted Kulongoski, said he believes the data is secure and is pleased with the progress the data center is making on strengthening protections.

“Obviously there are always recommendations in an audit for ways to strengthen what we do,” she said.

The Audits Division plans another report on the issue in a year.
