A recent audit of the Governor’s Office of Information Technology found inconsistencies in how security practices are defined and implemented across agencies, which could lead to cybersecurity risks.
“Individuals understand security very differently. And so what one organization might feel is good security might be different from another,” Anders Erickson, a principal at the third-party organization that conducted the audit, told the Legislative Audit Committee on Monday. “Without clear, decisive direction from OIT, security is reduced because there’s confusion over who is responsible for security related controls and oversight.”
OIT is the state’s centralized information technology department, which manages IT resources for most executive branch agencies. It is responsible for making sure those agencies have resilient cybersecurity practices.
The public audit report identified two primary concerns with OIT’s operation. The office hasn’t clearly defined statewide security roles that align with the responsibilities outlined in state statute. And the office hasn’t properly educated people on updated information security policies.
Agencies typically establish a “business owner” for each IT system to manage its security. OIT has not clearly defined what constitutes a “business owner,” however, and has used the term inconsistently. Business owner generally refers to the person who is in charge of the data a system holds.
“This role of business owner is used haphazardly, so it’s really difficult to understand whether they are referring to a business owner at an enterprise level, an agency level or a system level,” Erickson said.
Auditors found that business owners were not defined for 384 OIT-managed applications, including 73 essential systems. In some agencies, like the Colorado Department of Natural Resources and the Colorado Department of Labor and Employment, auditors found more than one described business owner in the OIT inventory or through discussions with personnel.
The auditors recommend that OIT set and communicate that definition.
Julia Richman, OIT’s deputy executive director, said the office generally agrees with most of the audit’s recommendations but said the work it does is often more nuanced than is suggested by a clear-cut recommendation.
“Different agencies are funded and staffed differently. So they asked for flexibility in defining what business owners and what product owners look like,” she said. “And so for some agencies, that means that they have a defined person that relates to a system or an ecosystem of systems, and in some agencies that means … it’s ancillary work for someone.”
The auditors also found that OIT had not effectively communicated some new security standards. Nearly 80% of employees tested across five agencies did not complete quarterly security training in a timely manner. OIT did not provide an explanation for that training discrepancy.
“Educating users on their cybersecurity responsibilities is critical to ensuring the reliability and protection of state information systems and data,” the auditors wrote. “Without this training, staff may not be aware of the current security requirements and therefore, may not implement the requirements.”
Out-of-date training could leave employees unprepared to respond to phishing, ransomware and other current attack methods.
OIT said that last training cycle, it reached a 93% completion rate. The office contends that each agency is responsible for ensuring completion.
The audit also had 10 confidential findings, which were shared with members of the Legislative Audit Committee during a closed meeting.