The state's lack of computer security may make citizens' personal information vulnerable, according to an audit released Tuesday. The state's internal auditors described information technology security as a longstanding problem in
"It's time that we really address this," said Rep.
The audit determined that 75 state agencies are running 353 computer systems that contain sensitive data.
By law, agencies are required to submit three-year information technology plans, but auditors determined that not all agencies were following that law because "agencies think they are time consuming and provide little value to them."
The audit also found little oversight of that requirement, noting that the state's "Chief Information Technology Architect did not follow up on missing plans, and in one year did not send necessary templates and instructions to all agencies."
The audit also determined that 17 of the 45 agencies that hold data considered "high risk" had not had an independent evaluation of their security in the past three years.
Compliance requirements prohibit his office from outsourcing security work to the private sector, so Byers said his agency would have to look to recruit experts from outside the area and bring them to
"That will not be an easy task at our current wages," Byers said.
Auditors found that computer security employee pay ranges from
"It's difficult to find really good IT people in the private sector that are going to come in and work for these salaries," Lynn said. "These are really low for the kinds of positions that are out there."
"I don't think there was a time when the state had a very solid, well-thought-out approach to security," Frank said.
The most secure agencies, Frank said, tend to be those like the state treasurer and the state pension system, that auditors nicknamed "ATM" agencies or "the ones you can pull money out of."
But other agencies operate computer systems that have personally identifiable information that could be used by identity thieves. The state's computer system is disjointed, and security levels vary widely from agency to agency, auditors said.
"I think it's time for the state to really take a look at a rational, organized approach to security," Frank told the committee.
The state's lack of computer security may make citizens' personal information vulnerable, according to an audit released Tuesday.
The state's internal auditors described information technology security as a longstanding problem in