Susan Montee, Missouri State Auditor

Yellow Sheet

Report No. 2007-48
September 2007

Complete Audit Report

Missing Security Controls Leave Confidential Data and Technology Resources Susceptible to Risk

This audit reviewed the management and control of information technology resources at the Department of Elementary and Secondary Education (DESE). Auditors found that DESE and Information Technology Services Division (ITSD) management have not taken the steps necessary to maintain effective controls to protect the confidentiality, integrity and availability of data and of the information technology resources supporting the mission and operations of the department.

Management has not required reviews of user accounts

DESE and ITSD management do not have a process in place to perform periodic reviews of user access to data and other information resources to determine whether access rights remain commensurate with job responsibilities. As a result, terminated employees retained access to DESE information technology resources, user accounts remained active after going unused for the specified time periods, and some users had been assigned more than one user account. Reviewing user accounts and access rights is necessary to reduce the risk that unauthorized alterations of these rights will go undetected and to ensure access rights are aligned with current job duties. (See page 6)
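The three conditions described in this finding (terminated employees retaining access, accounts left active after a period of non-use, and one person holding several accounts) are exactly what a periodic user account review is meant to surface. The following script is an added illustration, not part of the audit report or any DESE/ITSD system: it cross-references a constructed account export with a constructed HR roster and reports each condition. The 90-day inactivity threshold and the field names are assumptions; the report itself only refers to "specified time periods".

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Review date and inactivity threshold are assumed values for this example.
REVIEW_DATE = date(2007, 9, 1)
INACTIVITY_LIMIT = timedelta(days=90)


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str            # HR employee id the account belongs to
    last_login: date | None  # None means the account has never been used
    enabled: bool


@dataclass(frozen=True)
class Employee:
    employee_id: str
    status: str              # "active" or "terminated"


# Constructed sample data; it is not taken from the audit.
ACCOUNTS = [
    Account("asmith", "E100", date(2007, 8, 28), True),
    Account("bjones", "E101", date(2007, 7, 30), True),   # owner is terminated, account still enabled
    Account("cdoe", "E102", date(2007, 3, 2), True),      # unused for more than 90 days
    Account("cdoe2", "E102", date(2007, 8, 15), True),    # second account for the same person
    Account("svc_backup", "E103", None, True),            # never logged in
    Account("dold", "E104", date(2006, 12, 1), False),    # already disabled, so not reported
]

ROSTER = {
    "E100": Employee("E100", "active"),
    "E101": Employee("E101", "terminated"),
    "E102": Employee("E102", "active"),
    "E103": Employee("E103", "active"),
    "E104": Employee("E104", "terminated"),
}


def terminated_with_access(accounts, roster):
    """Enabled accounts whose owner is terminated or missing from the HR roster."""
    flagged = []
    for acct in accounts:
        if not acct.enabled:
            continue
        emp = roster.get(acct.owner_id)
        if emp is None or emp.status == "terminated":
            flagged.append(acct.username)
    return sorted(flagged)


def dormant_accounts(accounts, as_of, limit):
    """Enabled accounts not used within `limit`; never-used accounts count as dormant."""
    flagged = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.last_login is None or as_of - acct.last_login > limit:
            flagged.append(acct.username)
    return sorted(flagged)


def duplicate_owners(accounts):
    """Owners holding more than one enabled account, mapped to their usernames."""
    by_owner = defaultdict(list)
    for acct in accounts:
        if acct.enabled:
            by_owner[acct.owner_id].append(acct.username)
    return {owner: sorted(names) for owner, names in by_owner.items() if len(names) > 1}


def review(accounts=ACCOUNTS, roster=ROSTER, as_of=REVIEW_DATE, limit=INACTIVITY_LIMIT):
    """Run all three checks and return the findings as one dictionary."""
    return {
        "terminated_with_access": terminated_with_access(accounts, roster),
        "dormant": dormant_accounts(accounts, as_of, limit),
        "multiple_accounts": duplicate_owners(accounts),
    }


if __name__ == "__main__":
    for finding, items in review().items():
        print(f"{finding}: {items}")
```

The roster lookup treats an owner id that is absent from HR the same as a terminated one, since an account with no identifiable owner cannot be matched to current job duties either; the disabled account is deliberately left out of every list so the review reports only access that is still exercisable.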


Security program is not fully implemented

Important security controls have not been in place because DESE and ITSD management have not fully established a security program on which department-wide security policies, standards, and procedures can be formulated, implemented, or monitored. DESE and ITSD management developed and documented certain policies for specific security controls. However, management has not completed the process of establishing and documenting policies and procedures for all key security controls nor approved all policies which have been developed. (See page 10)


Risk assessment program is not fully implemented

Identifying and assessing information security risks are essential steps in determining what controls are required and what level of resources should be expended on controls. DESE and ITSD management have not established a comprehensive risk management and assessment program. An ITSD official said DESE and/or ITSD staff perform risk assessments when developing new systems, but do not perform regular risk assessments over the entire system or network. (See page 18)


Business continuity and disaster recovery plans need to be tested

DESE and ITSD officials have documented a business continuity plan and a disaster recovery plan. However, these plans have not been tested, according to DESE and ITSD officials. Without testing the business continuity and disaster recovery plans, DESE and ITSD management cannot confirm the accuracy of individual recovery procedures and the overall effectiveness of the plans. (See page 19)



Missouri State Auditor's Office
moaudit@auditor.mo.gov