Audit: Oregon PERS isn’t prepared if disaster hits

An audit released Wednesday by Oregon Secretary of State Dennis Richardson found the Public Employees Retirement System, or PERS, struggles to proactively manage IT resources or projects and is failing to protect its critical Information Technology (IT) systems from a disaster.

Auditors found that PERS management has not developed long-term disaster recovery plans and that existing short-term plans have never been fully tested, according to a news release from Richardson’s office.

“As a result, should a disaster strike, PERS may be unable to issue almost $400 million in monthly payments and associated tax withholdings,” the announcement said.

Auditors also found that insufficient IT strategic planning has contributed to the mismanagement of other PERS initiatives, such as implementing a disaster recovery program as outlined in the PERS 2015-2020 Strategic Plan.

For years, PERS has identified needed improvements for the agency’s disaster recovery program, but PERS has made little progress and failed to even use most of the money approved by the legislature to address these very issues.

The findings are outlined in the audit report, entitled: “Severe Deficiencies in Disaster Recovery Program and Insufficient Information Technology Planning Pose Substantial Risks to Beneficiaries and the State.”

“Given that PERS issues billions of dollars of payments each year, the agency should be prepared to weather disasters,” Richardson said. “Unfortunately, we found that PERS has not taken the necessary steps to ensure they can restore critical IT systems in the event of a disaster.”

“It is good that PERS has a short-term strategy,” said Audits Director Kip Memmott. “But until plans are fully developed and tested, thousands of beneficiaries are at risk of not being paid their monthly benefits, should a disaster occur.”

In addition to the audit, the team conducted a cybersecurity assessment of the agency’s IT security management and five foundational security controls: hardware inventory, software inventory, secure configurations, vulnerability assessments, and access management.

The assessment found opportunities to improve the agency’s overall IT security management program as well as all five foundational controls.

Due to the state’s move to a unified cybersecurity approach with the 2017 passage of Senate Bill 90, PERS needs to work with the Office of the State Chief Information Officer, where appropriate, to ensure the security of its computer systems and information.

Auditors made 10 recommendations to PERS to implement improved IT strategic planning and to take immediate action to remedy weaknesses in its disaster recovery plans. In addition, auditors made six recommendations to PERS and the Office of the State Chief Information Officer to improve cybersecurity controls.

Read the full audit on the Secretary of State website.