Financial Audit Division Report 12-11 (released May 22, 2012)
The Office of Enterprise Technology established internal controls that were generally adequate to identify and resolve security vulnerabilities; however, the office had not adequately communicated some parts of its vulnerability management standard, and training materials did not address all requirements of the standard.
The state did not comply with the Enterprise Vulnerability Management Security Standard. Agencies had generally not classified the criticality of devices (computers, systems, and networks) based on the confidentiality, integrity, and availability requirements of their data, as the standard requires. Agencies also did not consistently report certain events to the Office of Enterprise Technology, and some agencies did not effectively conduct vulnerability scans or prioritize the remediation of the vulnerabilities they found. The Office of Enterprise Technology, for its part, did not provide state agencies with certain metrics related to agencies’ device criticality, as the standard requires.
The audit objective was to answer the following questions for the period from July 1, 2010, through July 31, 2011:
We assessed controls between July 2010 and July 2011.