
Conn. DOC needs to overhaul IT security and disaster planning, audit finds



By Bill Cummings
The Register Citizen, Torrington, Conn.

HARTFORD, Conn. — The state Department of Correction should update its disaster plan and strengthen control over information technology data, state auditors said in a new report.

DOC was specifically faulted for allowing broad access to its data center, where the most sensitive and controlled data is stored and maintained.

“We identified individuals who do not have a job-based need to access the data center [executive staff, maintenance, and other non-IT staff members],” auditors said in the report. “Excess data center access could result in an unintended event that could impact operations.”

The report, which described conditions at DOC as of February 2023, said: “There appears to be insufficient staff training. DOC staff appear to be unaware of the importance of the controls necessary to protect the department’s information technology assets.”

The DOC partially disagreed with the finding.

“IT staff is aware of the importance of protecting the information and mitigates with the card access (recording) controls,” DOC said in a written response to the audit’s finding. “Access to Data Center for non-IT staff is required, i.e., maintenance, engineering, security, others will be reviewed and removed as necessary.”

One of the state’s largest departments, DOC is responsible for housing and caring for thousands of inmates at correctional institutions spread across the state. A DOC spokesperson did not respond to a request for additional comment on the audit.

Information technology controls

Auditors noted DOC staff did not “appear” to be adequately trained in the importance of installing controls to protect IT assets.

“Staff may incorrectly believe that agency level administrative controls, such as the development of policies, are the responsibility of the Department of Administrative Services/Bureau of Information Technology Solutions,” auditors said, referring to another state agency which oversees many of the state’s core functions.

But the report stressed DOC “should ensure it maintains sufficient policies to mitigate threats to agency information technology assets and ensure compliance with regulations and laws relevant to its environment.”

The agency agreed with the finding. “Staff needs to be educated on the policy content and processes established,” DOC said.

Threat assessment

Auditors also looked at potential sources of threats facing DOC’s IT system and concluded the agency’s security plan needed improvement.

“Our review noted the need for improvement to threat assessment procedures for DOC information technology systems, including potential sources of threats and expected responses,” auditors wrote. “Periodic threat assessments help an organization better understand the criticality of the data stored, processed, and transmitted within its data center, and the likelihood and impact of threat events to the agency’s ability to ensure confidentiality, integrity, and availability of system data.”

The audit added DOC “has not adequately trained its staff on the importance of controls necessary to protect the department’s information technology assets. The Department of Correction should improve its threat assessment procedures to address the criticality of assets, potential threats, and the likelihood of an adverse event compromising the confidentiality, integrity, and availability of those assets.”

The agency agreed with the finding. “Staff training is needed, and a threat assessment plan is necessary,” DOC said.

Update disaster plan

The audit also found DOC’s disaster plan needed to be updated.

“We noted the absence of important elements necessary for the plan’s optimum effectiveness, including prioritizing critical systems, identifying individuals responsible for conducting restoration, procedures to follow when necessary, and ensuring current copies of the plan are available at each recovery site,” the auditors said. “We also observed that personnel were not aware of the department’s disaster recovery plan.”

Auditors said the “lack of a comprehensive disaster recovery plan could contribute to delays in the recovery process should an incident occur. The DOC should develop a comprehensive disaster recovery plan which enables staff to appropriately respond to disasters and ensures ongoing operational stability. The department should make the updated plan available to all appropriate personnel.”

The agency partially disagreed with the finding.

“The disaster recovery plan is partially completed, and it is being revised and improved as new system/technology is implemented,” the agency said.

In response, auditors said “we acknowledge the existence of a disaster recovery plan. However, we recommend that the plan be updated and sufficiently robust to include all critical systems and the requirements necessary to ensure their availability.”

IT systems not current

Auditors also said some of DOC’s information technology systems were not current.

“A well developed and properly executed maintenance schedule helps ensure the confidentiality, integrity, and availability of information,” auditors said. “Upgrading IT systems to the latest stable version helps to ensure that systems fail less often, are protected from known exploits, and may enhance compliance with vendor or regulatory requirements.”

Auditors added “reliance on unsupported software increases risk over the confidentiality, integrity, and availability of information in the department’s custody. There appears to be a lack of management oversight.”

The agency partially disagreed with the finding.

“Many devices are being patched,” DOC staff said. “A regular maintenance schedule is difficult to establish as DOC is a life, safety, and security agency in operation 24/7/365.”

In response, auditors acknowledged “DOC is using patches on many devices. However, it is important to note that any unpatched device is vulnerable. The department should ensure that all its devices are up to date and secure. We recommend a formalized and regular review process to ensure that access to the data center is granted only to current employees, and to those who explicitly need it as part of their job duties. DOC should remove access to staff members who do not need it to execute their job duties.”
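The review the auditors recommend above, keeping data center access limited to current employees with a job-based need and re-checking it on a schedule, is essentially a reconciliation of the badge system against the HR roster. The following Python script is an added example written for this page, not code from the audit, the auditors or DOC; the badge export, HR roster, list of approved roles and the documented-exception list are all constructed for illustration, and the assumption that non-IT staff such as maintenance or engineering are admitted only through a documented, time-limited exception is mine, not something the audit prescribes.

```python
"""Periodic data-center access review (added example; not DOC's or the auditors' tooling).

Reconciles a badge-system export against an HR roster and a set of roles with a
job-based need for data-center access, and lists the credentials to revoke:
holders with no HR record, holders who are no longer active employees, and
holders whose role has no job-based need and no current documented exception.
All input data is constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import date

# Roles assumed to carry a job-based need for data-center access (assumption).
APPROVED_ROLES = {"it_operations", "network_engineer", "data_center_technician"}

# Constructed badge-system export: who currently holds a data-center credential.
BADGE_ACCESS = [
    {"badge_id": "B1001", "employee_id": "E100"},
    {"badge_id": "B1002", "employee_id": "E200"},
    {"badge_id": "B1003", "employee_id": "E300"},
    {"badge_id": "B1004", "employee_id": "E400"},
    {"badge_id": "B1005", "employee_id": "E999"},  # constructed: no HR record
]

# Constructed HR roster: employment status and role per employee id.
HR_ROSTER = {
    "E100": {"name": "A. Admin", "status": "active", "role": "it_operations"},
    "E200": {"name": "B. Exec", "status": "active", "role": "executive_staff"},
    "E300": {"name": "C. Maint", "status": "active", "role": "maintenance"},
    "E400": {"name": "D. Former", "status": "terminated", "role": "network_engineer"},
}

# Constructed documented exceptions for non-IT staff, each with an expiry date
# so that the exception itself is re-justified at the next review (assumption).
EXCEPTIONS = {
    "E300": {"justification": "HVAC maintenance in data center", "expires": date(2023, 6, 30)},
}


@dataclass
class Finding:
    badge_id: str
    employee_id: str
    reason: str


@dataclass
class ReviewResult:
    approved: list = field(default_factory=list)  # badge ids that keep access
    revoke: list = field(default_factory=list)    # Finding objects to act on


def review_access(badge_access, hr_roster, exceptions, review_date, approved_roles=APPROVED_ROLES):
    """Classify every data-center credential as approved or to-be-revoked."""
    result = ReviewResult()
    for entry in badge_access:
        badge, emp_id = entry["badge_id"], entry["employee_id"]
        record = hr_roster.get(emp_id)
        if record is None:
            result.revoke.append(Finding(badge, emp_id, "no HR record for badge holder"))
        elif record["status"] != "active":
            result.revoke.append(Finding(badge, emp_id, f"employment status is {record['status']}"))
        elif record["role"] in approved_roles:
            result.approved.append(badge)
        else:
            exc = exceptions.get(emp_id)
            if exc is None:
                result.revoke.append(Finding(badge, emp_id, f"role {record['role']} has no job-based need"))
            elif exc["expires"] < review_date:
                result.revoke.append(Finding(badge, emp_id, f"documented exception expired {exc['expires']}"))
            else:
                result.approved.append(badge)
    return result


def review_as_of(iso_date):
    """Run the review against the constructed data as of an ISO-8601 date."""
    return review_access(BADGE_ACCESS, HR_ROSTER, EXCEPTIONS, date.fromisoformat(iso_date))


def summarize(result):
    """Human-readable summary lines for the review ticket."""
    lines = [f"approved: {len(result.approved)}; to revoke: {len(result.revoke)}"]
    for f in result.revoke:
        lines.append(f"REVOKE {f.badge_id} ({f.employee_id}): {f.reason}")
    return lines


if __name__ == "__main__":
    for line in summarize(review_as_of("2023-02-01")):
        print(line)
```

Run as-is, the review dated February 2023 keeps the IT operator and the maintenance worker with a current exception, and flags the executive, the terminated engineer and the orphaned badge for revocation; re-run after the exception's expiry, the maintenance credential is flagged too, which is the point of putting an end date on every non-IT grant rather than treating it as permanent.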

___

(c)2024 The Register Citizen, Torrington, Conn.
Visit The Register Citizen, Torrington, Conn. at www.registercitizen.com
Distributed by Tribune Content Agency, LLC.
