Three Performance Audits Offer the State Guidance on Improving IT Security

Each audit used different techniques and benchmarks to assess the selected agencies in various key areas:

• Their compliance with state law and policies
• Whether they had policies and procedures in place to help protect data in the state’s systems
• How well they were prepared to withstand cyber-attack
• How well they monitored compliance with security controls

All three audits were conducted primarily by State Auditor’s Office employees, both auditors and IT security specialists, with help from specialized contractors.

The first performance audit is titled Safe Data Disposal: State reduces the risk of disclosing confidential information. It assessed whether the state had made improvements in keeping confidential data safe when getting rid of old computers and similar data-storing equipment, such as cell phones and printers. It focused on the destruction of data before the hardware was sent through the surplus program of the Department of Enterprise Services. We based the new work on results of an audit published in 2014. That audit, titled Safe Data Disposal, estimated that 9 percent of the state’s surplussed IT equipment still contained confidential or operational data. You can read the earlier report on our website.

The new audit examined equipment surplussed from 28 state agencies. It also looked at the policies and procedures a selection of the 28 agencies used to manage their IT surplus programs, to see how complete their documentation was.

The audit found significant improvement over the 2014 results. Less than 2 percent of surplussed computers contained non-confidential data, and less than 1 percent contained confidential data. One reason for the improvement: more agencies remove and destroy hard drives before computers even leave their buildings. The results were even better for other types of IT devices. However, the audit found gaps in policies and procedures. Issues included:

• Failing to include a step verifying data had been completely wiped
• Not training the employees tasked with equipment disposal
• Lacking clear policies on disposing of other types of IT equipment

Read a two-page summary of this report (PDF).

The second performance audit is titled Continuing Opportunities to Improve State Information Technology Security – 2018 (Cyber 4). It assessed security at three agencies. It evaluated whether they can make their IT systems more secure, and better align their IT security practices with state requirements and leading practices.

The audit found strengths in agencies’ security, but also areas where they can improve security by addressing two broad areas. First, by fixing identified vulnerabilities and second, by improving the way they implement and document the security controls they use. Agencies often did not tailor their documentation to meet their needs, even though state standards require them to do so. These agencies should increase their compliance with these and other state requirements. The report suggests agencies consider using certain Critical Security Controls, promoted by the Center for Internet Security (CIS), to further  to improve security.

Read the full report (PDF).

The third performance audit is titled Contract Assurances for Vendor-hosted State Information Technology Applications. It looked at a selection of contracts state agencies had signed with vendors that provide IT services and operate systems critical to the state. The applications perform a variety of essential tasks, such as processing payments and linking residents to needed services.

The audit assessed three aspects of seven state IT contracts:

• Whether they included appropriate provisions to address the state’s IT security requirements
• Whether the agencies followed leading practices to ensure vendors complied with the IT security requirements in their contracts
• What contractual provisions selected state agencies included in vendor contracts to protect the state in case of a data breach

The audit found mixed results in the small sample reviewed. Most contracts required vendors to comply with the state’s general IT security standards. However, only one included the agency’s specific standards, while two did not require vendor compliance with either state or agency IT security requirements. When it came to ensuring vendors complied with contract requirements, most agencies required vendors to adhere to the state’s IT standards, but none verified compliance in accordance with contractual provisions. The results were better concerning contractual protections for the state in case of a data breach. All seven contracts included contractual language to protect the state in case of a data breach. Three vendors carried a cyber-liability insurance.

Read the full report (PDF). Read a two-page summary of results (PDF).

All three audits reached broadly similar conclusions, and the recommendations published or made directly to the audited agencies reflect these concerns:

• The state must protect its data, from the time it is obtained until it is destroyed
• Technological change and emerging risks require continued vigilance
• Security practices must meet state requirements, and should be supplemented with leading practices where necessary

The Safe Data Disposal audit also issued guidance that is applicable to all Washington state agencies:

• Annually review policies and procedures
• Ensure state requirements are applied
• Include state-approved methods for erasing data on mobile devices