The security of Washington’s information technology (IT) systems is very important to the state and its people. Government officials need the data stored in these systems in order to effectively and efficiently serve residents. People expect the state to keep their personal and confidential data safe. Our Office conducted three audits to see how well Washington state agencies are performing in this area.
The first audit featured here looked at how agencies securely remove data when they dispose of surplus IT equipment. In addition, two other performance audits, also published in December 2018, looked at how the state fares in very different cyber-security arenas. We describe all three reports briefly on these pages, with links to read all three. Each offered recommendations to audited agencies to help them improve.
Report Credits
Report Number 1022845
State Auditor’s Office contacts
Scott Frank – Director of Performance Audit
Shauna Good – Principal Performance Auditor
Patrick Anderson – Lead Performance Auditor
All three audits assessed state agencies against state requirements and leading practices. Each project found agencies could do more, particularly in improving the way they document policies and procedures that can help keep data and equipment safe from data breaches and other cyber-attacks.
Confidentiality is key to preventing attacks on state IT systems by those seeking to do harm. For this reason, the reports do not, for the most part, name audited agencies. Furthermore, state law protects detailed information about the cybersecurity of state agencies.
Each audit used different techniques and benchmarks to assess the selected agencies in various key areas:
Their compliance with state law and policies
Whether they had policies and procedures in place to help protect data in the state’s systems
How well they were prepared to withstand a cyber-attack
How well they monitored compliance with security controls
All three audits were conducted primarily by State Auditor’s Office employees, both auditors and IT security specialists, with help from specialized contractors.
The first performance audit is titled Safe Data Disposal: State reduces the risk of disclosing confidential information. It assessed whether the state had made improvements in keeping confidential data safe when getting rid of old computers and similar data-storing equipment, such as cell phones and printers. It focused on the destruction of data before the hardware was sent through the surplus program of the Department of Enterprise Services. We based the new work on results of an audit published in 2014. That audit, titled Safe Data Disposal, estimated that 9 percent of the state’s surplussed IT equipment still contained confidential or operational data. You can read the earlier report on our website.
The new audit examined equipment surplussed from 28 state agencies. It also looked at the policies and procedures a selection of the 28 agencies used to manage their IT surplus programs, to see how complete their documentation was.
The audit found significant improvement over the 2014 results. Less than 2 percent of surplussed computers contained non-confidential data, and less than 1 percent contained confidential data. One reason for the improvement: more agencies remove and destroy hard drives before computers even leave their buildings. The results were even better for other types of IT devices. However, the audit found gaps in policies and procedures. Issues included:
Failing to include a step verifying data had been completely wiped
Not training the employees tasked with equipment disposal
Lacking clear policies on disposing of other types of IT equipment
The second performance audit is titled Continuing Opportunities to Improve State Information Technology Security – 2018 (Cyber 4). It assessed security at three agencies. It evaluated whether they can make their IT systems more secure, and better align their IT security practices with state requirements and leading practices.
The audit found strengths in agencies’ security, but also two broad areas where they can improve: first, by fixing identified vulnerabilities, and second, by improving the way they implement and document the security controls they use. Agencies often did not tailor their documentation to meet their needs, even though state standards require them to do so. These agencies should increase their compliance with these and other state requirements. The report suggests agencies consider using certain Critical Security Controls, promoted by the Center for Internet Security (CIS), to further improve security.
The third performance audit is titled Contract Assurances for Vendor-hosted State Information Technology Applications. It looked at a selection of contracts state agencies had signed with vendors that provide IT services and operate systems critical to the state. The applications perform a variety of essential tasks, such as processing payments and linking residents to needed services.
The audit assessed three aspects of seven state IT contracts:
Whether they included appropriate provisions to address the state’s IT security requirements
Whether the agencies followed leading practices to ensure vendors complied with the IT security requirements in their contracts
What contractual provisions selected state agencies included in vendor contracts to protect the state in case of a data breach
The audit found mixed results in the small sample reviewed. Most contracts required vendors to comply with the state’s general IT security standards. However, only one included the agency’s specific standards, while two did not require vendor compliance with either state or agency IT security requirements. When it came to ensuring vendors complied with contract requirements, most agencies required vendors to adhere to the state’s IT standards, but none verified compliance in accordance with contractual provisions. The results were better concerning contractual protections for the state in case of a data breach. All seven contracts included contractual language to protect the state in case of a data breach. Three vendors carried cyber-liability insurance.