Audit: Security improving at state’s data center

Oregon Secretary of State Dennis Richardson released an audit Thursday of the Office of the State Chief Information Officer. It found significant strides have been made in addressing longstanding security weaknesses at the Enterprise Technology Services state data center.

The state data center hosts mission-critical systems and provides services to more than 100 state agencies, boards, and commissions, including networking, email, mainframe, and server services.

These systems often contain confidential information, such as personal income tax returns, Social Security numbers and driver’s license information. Because of this, the Oregon Audits Division conducts regular audits of the center every two to three years.

Prior Secretary of State audits found significant problems related to the state data center’s cybersecurity program, with little progress being made to address these critical issues between audits.

This most recent audit, however, found many of these longstanding problem areas have improved. For example, the OSCIO instituted regular scans to identify security holes at the data center and installed a new system to monitor network traffic.

The findings are outlined in the Secretary of State’s report entitled: “Progress Has Been Made to Address Security Weaknesses at the State Data Center, but Improvements Are Still Needed.”

“We acknowledge and commend the progress made to help secure the state’s computing environment,” Richardson said. “But since the work to secure Oregon’s data systems is never done, more improvements are needed.”

The audit found that significant progress has been achieved through increasing emphasis on security planning and staffing, improved vulnerability assessments, security event monitoring, anti-malware, and patching processes.

The audit noted that all these areas still would benefit from additional attention. Other areas showed little progress and continue to need substantial improvement, including privileged access, asset and configuration management, and security incident response management.

Auditors made 11 recommendations, including improvements in defining roles and responsibilities, refining vulnerability scanning and security event monitoring, monitoring privileged access, and prioritizing disaster recovery efforts with customers.

Read the full audit on the Secretary of State website.