Report Summary
Department of Administration
Information Technology Security Controls
Financial Audit Division Report 10-35
Released November 4, 2010
Conclusion
The Department of Administration generally had adequate security controls to protect the confidentiality, integrity, and availability of its data and computer systems from threats originating outside its internal network. However, we identified five weaknesses in internal controls.
Findings
- The Department of Administration had not adequately managed its information security risks and lacked some written agreements with the Office of Enterprise Technology.
- The Department of Administration had not adequately assessed, prioritized, reported, and remediated vulnerabilities.
- The Department of Administration had not assessed its monitoring needs nor did it proactively review security events.
- The Department of Administration lacked change control procedures for its firewall rules.
- The Department of Administration had not periodically recertified some access privileges, and some information technology staff shared passwords.
Audit Objective and Scope
The audit objective was to answer the following question:
- Did the Department of Administration have adequate security controls to protect the department’s computer systems and data from external threats?
We assessed controls as of September 2010.