New performance audit finds state made improvements in removing data from surplused devices
This performance audit examined how effectively state agencies remove data from IT devices before surplusing them. Auditors tested a sample of surplused IT devices for confidential information. They also compared 20 agencies’ data disposal policies and procedures to state law, requirements mandated by the Office of the Chief Information Officer (OCIO), and National Institute of Standards and Technology (NIST) best practices. The audit identified very few instances of confidential data on surplused devices. It found that agencies have improved their practices and reduced the risk of disclosing confidential information. However, most agencies’ policies and procedures did not fully incorporate state requirements and best practices. This audit recommends all Washington agencies annually review their surplus and disposal policies and procedures, and revise them as necessary to ensure state requirements are met. Additionally, agencies should ensure those policies and procedures also include approved methods for the surplus and destruction of mobile devices.
Recent audit looked at contracts for vendor-hosted IT applications
The audit looked closely at IT security assurances included in a selection of state contracts for information technology (IT) applications the state procures from third-party vendors to support critical state functions. Most state agencies use contract management practices that fall short of what is needed to help ensure vendors are using strong cybersecurity. This is in part because they need better support in the form of clear guidance, standards and draft language to use in their contracts. Even with good IT security in place, incidents and security breaches can still happen. The audit also examined contractual provisions selected state agencies have included in vendor contracts to protect the state in case of a data breach. It made a series of recommendations to improve the guidance and support given to state agencies, and suggested leading practices that agencies can use as they develop and monitor contracts in the future.
Performance audits work to improve service to the public
We provide the public and state leaders with independent, objective evaluations of the effectiveness, economy and efficiency of public services, at both the state and the local level. We publish a report setting out the actions agencies take to implement our recommendations.
We have now published more than 100 performance audit reports. Click to view a list of all Performance Audit division reports including those published from 2007 onwards. Use the "search text" box on that page to find specific topics within that list.