JEFFERSON CITY, Mo. (April 5, 2018) Missouri State Auditor Nicole Galloway today released a report examining the Statewide eProcurement system, known as MissouriBUYS. The Office of Administration (OA) uses the web-based purchasing system to solicit bids and secure vendors for goods and services; as of January 1, more than 18,000 vendors were registered for the program. The audit examined the cyber security measures and data integrity of the MissouriBUYS program, which received a rating of "good."
Implementation of MissouriBUYS has been in progress since the state awarded the contract for the system in March 2015 to replace the previous On-Line Bidding and Vendor Registration system. The State Auditor's Data Analytics Technical Audit unit examined operating practices and cybersecurity safeguards for the new system.
The audit found the MissouriBUYS system was vulnerable to the risk of unauthorized or inappropriate activity because 39 user accounts of terminated agency employees were not disabled in a timely manner, including three users who still had access to the system for more than a year after termination. Four other unneeded accounts assigned to system provider support personnel also had not been removed.
The audit raised concerns there had been insufficient reviews of users' access to data and user access rights, and that existing security policies and procedures were not documented. The audit also found that controls could be strengthened to restrict the capability to export vendor registration data to only those individuals who need such access to perform their jobs. In addition, the audit found the OA had not formally documented or tested contingency plans to help facilitate recovery of the system, if needed.
A complete copy of the audit report is available online.