
Susan Montee

Report No. 2008-49
August 2008

Complete Audit Report


Missing Security Controls Leave Technology Resources Susceptible to Threats and Vulnerabilities

This audit reviewed the management and control of information technology resources at the Missouri Department of Transportation (MoDOT). Auditors found MoDOT management has not taken some necessary steps to fully maintain effective controls to protect the confidentiality, integrity and availability of data and the information technology resources supporting the mission and operations of the department.


Risk assessment program is not implemented
MoDOT management has not established or documented risk management and assessment policies and procedures. A risk assessment helps identify potential threats and vulnerabilities or weaknesses that could be exploited and helps ensure appropriate controls are implemented to mitigate these vulnerabilities. (See page 5)

Disaster recovery plan needed
MoDOT personnel have documented, approved and implemented a business continuity plan. However, Information Systems Division personnel have not established a disaster recovery plan to ensure the availability of technology resources. Without an operational disaster recovery plan, management does not have assurance that computer operations could be promptly restored in the event of a significant disruption to normal system operations. (See page 5)

Security management program is not fully implemented
A security management program provides a framework for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of an agency's security controls. MoDOT management has developed and documented policies and procedures for some security controls. However, management has not completed the process of establishing and documenting policies and procedures for other key security controls. Accepted standards state that policies are necessary to set organizational strategic directions for security and assign resources for the implementation of security. (See page 6)

Missouri State Auditor's Office
moaudit@auditor.mo.gov