Archive for Monday, December 9, 2013

Audit finds ‘chronic weaknesses’ in state agencies protecting confidential information

December 9, 2013


State agencies need to do a better job protecting sensitive information stored on their computer systems, a new audit said.

The information technology audit found "chronic weaknesses" in several security controls, including weak passwords and software vulnerabilities. That has left several state agencies vulnerable to hackers gaining access to confidential data or breaches from within.

"After three years of auditing this area, we have seen little improvement across agencies," said Justin Stowe with the Legislative Post Audit Division.

The audit evaluated eight agencies: the Department of Administration, Department for Aging and Disability Services, Department for Children and Families, the Department of Health and Environment, Kansas Attorney General, Kansas Bureau of Investigation, Kansas Highway Patrol and Kansas Public Employees Retirement System.

The audit said confidential information that could be housed in these agencies includes Social Security numbers, tax return information and other personally identifiable information.

Of those agencies, only KPERS had an adequate outcome in all three tests of the security management process, which is where risks and controls are regularly tested and monitored, the audit said.

Specific weaknesses in each of the agencies weren't detailed in the public audit for fear of causing further security problems, Stowe said.

Auditors, officials from the various agencies and members of the Joint Committee on Information Technology met behind closed doors to discuss the report.

The audit said that five agencies had from 10 percent to 26 percent of staff using weak passwords. Some passwords identified were Password1234, Summer53, Marine62 and Potato#2.

Fifty percent of staff didn't know what made a strong password; 25 percent didn't know that they shouldn't share their password with anyone; and 23 percent didn't understand that viruses could be transferred to their workstation from a portable device such as their smartphone, the audit said.

One agency did not have anti-virus software installed on eight computers; three agencies didn't have an adequate process to manage all mobile devices; and only one agency had an adequate process to continue operations in the event of an emergency, the audit said.


William Weissbeck 4 years, 6 months ago

If you think the private sector is different, you are very mistaken. Banks are hacked all the time. The difference? The private sector hires armies of IT and MBAs to draft procedures. But those procedures often require new software, new hardware and frequent supervision which all require more money. I take it that you aren't ready to have your taxes raised to have government's IT on the same level as say JPMorganChase? Besides, there's some guy in an apartment in Moscow that already has your records.

Beator 4 years, 6 months ago

By careful selective choice, the private sector can be avoided. The government cannot be avoided. There is no choice. Unless you choose to be put in jail.

William Weissbeck 4 years, 6 months ago

Not really. Read those fine print disclosures. You've been sold. And I dare say, you probably don't check out the IT setup at your medical providers or your employer. Once you enter the stream of commerce, it's pretty hard to hide out in your cabin in the woods. I find these "libertarian" arguments quite odd. You think because you have certain freedoms to choose that that somehow gives you the right to force the government to opt out of you. Do you like getting your annual notice to renew your plates by mail or web? How about that reminder that your DL is about to expire? Direct deposit of your tax refund? This isn't a cafeteria where you can get the Jell-O, but demand they take out the little pieces of fruit.

Beator 4 years, 6 months ago

I prefer choice. Choice is a spice in life.



4 years, 6 months ago

I suspect that Anonymous would have found a lot more.
