October 9, 2012

Personal information vulnerable on state computer systems, auditors find


Photo by mmole on Flickr

By Sam Smith
Sam@MarylandReporter.com

The Maryland Department of Information Technology (DoIT) lacks adequate oversight over the protection of personal information contained in IT systems of various state agencies and this could jeopardize the privacy of citizens, auditors found.

A legislative audit released Tuesday also found that the Maryland Personal Information Protection Act that governs how businesses protect personal information does not cover state agencies, including the protection of individual social security numbers.

Although state law says that it is the responsibility of the IT department to monitor and enforce agency compliance with the information security policy, that responsibility has been delegated to each individual agency. The audit recommended that DoIT implement a process to enforce agency compliance, but the department said it does not have resources to do so and will continue to leave compliance up to each individual agency.

However, DoIT will add Personal Information Protection Act compliance to its security policy for the agencies.

Department says it lacks resources to monitor agencies

At the suggestion of the auditor, DoIT will update its information security policy to provide additional guidance and assistance to the agencies. DoIT’s response also stated that it will update the policy when new technology becomes an emerging threat to IT systems.

Five state agencies that were evaluated in the audit report each handle personal information of one kind or another. The Comptroller’s Office, Department of Health and Mental Hygiene, Department of Public Safety and Correctional Services, Department of Human Resources and Maryland Department of Transportation were all included in the audit as being state agencies that are in need of improved system protection processes.

Security breaches have happened in other states

The audit states that system breaches are common in government agencies around the country, but it did not cite any that occurred in Maryland. Certain information about IT vulnerabilities was left out of the report to prevent it from being exploited.

In 2011, The Privacy Rights Clearinghouse tracked 535 breaches in the United States that compromised 30.4 million personal records. “One of the most significant data breaches identified for 2011 involved the compromise of data on 3.5 million individuals held by the State of Texas,” the report said. “The breach occurred when this data was left unencrypted on publicly accessible servers. Texas government officials attributed the breach to numerous failures to follow security procedures.”

Other IT breaches occurred in Utah and Alaska agencies.

A study by The Ponemon Institute and Symantec found that the average cost of a data breach to an organization in 2010 was $7.2 million. The average cost of a compromised record at that time was $214.

Risks not reduced to “acceptable level”

The audit said that none of the five agencies had implemented risk management processes that help reduce risks to an “acceptable level.” Only one of the five agencies, the comptroller, has documented security levels for all of its information systems, which is vital to evaluating risks to data confidentiality.

All five of the agencies said in their responses that they will work on implementing risk management processes for their systems, as well as developing security levels for their systems.

Another security risk is storing information on state-owned portable devices such as laptops and smart phones without proper encryption. The Department of Health and Mental Hygiene and the Department of Human Resources had not implemented encryption practices that would protect confidential information in the case of lost or stolen portable devices.

Both agencies are taking steps to rectify the situation, they said. The health department emphasized that no confidential information was found on the 10 laptops that were reviewed.

Security software being installed

DHMH is installing security software on all hard drives, laptops and removable media throughout the agency. The Department of Human Resources said it is creating portable media encryption hardware and will have an encryption management system implemented statewide by next February.

The audit also mentioned the need for DoIT to install data loss prevention programs to help prevent the accidental or malicious loss of data in the systems.

However, DoIT maintains that the department does not have the “skilled resources” necessary to implement such solutions. Until the department has the resources, the individual agencies are responsible for preventing data loss.

  • When it comes to an individual’s personal information stored on Government (or private sector) PCs… There is no “acceptable level of risk”!

  • hungrypirana

    State law makes DoIT responsible for five domains, the most expansive being a requirement for developing, maintaining, revising, and enforcing information technology policies, procedures, and standards. Yet State law (Finance and Procurement, Division I, Title 3A, Section 312) allows DoIT to delegate 100% its responsibilities back to State departments and agencies.

    It makes one wonder whether the governor has any control over DoIT’s priorities (and the degree DoIT may be held accountable for failure) because the law allows absolute delegation. Frankly, however, I don’t blame DoIT for delegating computer security enforcement back to the Departments, because the audit shows there’s little foundation to establish an enforcement structure, much less enforce anything. And DoIT management would be taking big risks if it were to appear to take on Departments’ enforcement responsibilities.

    And, insofar as the audit report….

    Findings in the legislative auditor’s report demonstrate the five Departments sampled haven’t developed even the most rudimentary IT controls embodying IT risk management, risk assessment, and implementation of security techniques. And the failure of those five departments has led to a major scope limit to the auditor’s work that should have been cited in the report but wasn’t. I wish the auditor would have told it like it is and said in his report that Departmental IT security is unauditable.