Report Summary
Department of Labor and Industry
Information Technology Security Controls
Financial Audit Division Report 10-37 |
Released December 21, 2010 |
Conclusion
The Department of Labor and Industry generally had adequate security controls to protect the confidentiality, integrity, and availability of its data and computer systems from threats originating outside its internal network. However, we identified five weaknesses in internal controls.
Findings
- The Department of Labor and Industry did not conduct formal risk assessments.
- The Department of Labor and Industry’s security plan template did not address some important security controls, and the department did not complete a security plan for all its critical technologies.
- The Department of Labor and Industry did not update or patch the operating systems of some devices, leaving them susceptible to vulnerabilities.
- The Department of Labor and Industry did not restrict computer traffic flow within its internal network nor did it restrict the ability to log in to critical computers to security administrators.
- The Department of Labor and Industry did not implement formal change management processes to ensure that it adequately documented, assessed, tested, and approved proposed changes before implementing those changes in the technology environment.
Audit Objective and Scope
The audit objective was to answer the following question:
- Did the Department of Labor and Industry have adequate security controls to protect the department’s computer systems and data from threats originating outside the internal network?
We assessed controls as of November 2010.