Oregon’s Data Center Has Major Weaknesses, Says Report from Atkins

Wednesday, August 26, 2015

GoLocalPDX News Team

A new report from the Secretary of State Jeanne Atkins' Office claims that the data center operated by the Department of Administration continues to have major weaknesses. The problems going back nine years continue to potentially expose the most confidential records and data of Oregonians.

The report warns that the "State agencies use the data center’s complex and extensive inventory of computers and networks to run hundreds of their programs. A breach in state systems could result in significant loss of sensitive data about Oregonians, such as tax or medical records and social security numbers that could be used in fraud or identity theft," said the statement.

"Oregon must do more to protect its data systems,” said Secretary of State Jeanne P. Atkins. "The risks identified in this audit make it clear the urgency we face."

Multiple Problems

The report released identifies multiple ares of critical security problems that have never been resolved, although auditors issued warnings dating back as far as 2006. The problems include:

1) inadequate management of system configurations

2) insufficient monitoring of networks and users with special system access

3) inadequate incident tracking, and obsolete hardware and software.

Collectively, the problems heighten the risk to computer programs and information at the data center.

The report is highly critical of the existing situation and the lack of attention to the ongoing problems.

Auditors concluded that the state has been unable to improve security because management abandoned initial data center security plans, did not assign security roles and responsibilities, or provide sufficient security staff. As a result, efforts to improve security often ended in partially implemented solutions. Even if alerts sounded, in many cases no one had the authority or responsibility to resolve them.

Data Systems

"Oregon must do more to protect its data systems,” said Secretary of State Jeanne P. Atkins. "The risks identified in this audit make it clear the urgency we face."

The report noted that organizational changes to improve security occurred in the last six months. The state Chief Information Officer now answers directly to the Governor. In addition, the 2015 Legislature formalized the state Chief Information Officer’s responsibility for information technology throughout all state agencies, including the data center. This also brought the data center under the direct responsibility of the Chief Information Officer. These changes heightened attention on security and managers are now starting to build the security function into the data center as originally planned.

Auditors stated that the organizational changes were appropriate and necessary but also indicated that resolving the many longstanding security weaknesses will require significant resources, time and perseverance, along with the cooperation of other state agencies. Auditors noted that they will be starting an audit of security issues in agency computer programs, and also return to the data center in two years to report on its progress.

Auditors also recognized management for the unique agreement with the state of Montana to quickly restore operations after a serious disaster or disruption by copying its systems and records to Montana’s State Data Center. This approach could assist data center recovery but auditors noted additional work remained to replicate some systems and fully test the plans.

The audit team consisted of William Garber, Neal Weatherspoon, Teresa Furnish and Amy Mettler.