Audit finds security improved at Oregon’s data center, but it still needs work
An audit published this week by the Oregon secretary of state found the state government’s data center has improved considerably on its cybersecurity practices, which had long been criticized by oversight officials. The center, managed by the Enterprise Technology Services division of the office of the chief information officer, is responsible for more than 100 of the state government’s critical systems, including state employee email, residents’ income tax returns, motor-vehicle records and files kept by dozens of state agencies.
“We acknowledge and commend the progress made to help secure the state’s computing environment,” Oregon Secretary of State Dennis Richardson said in a press release. “But since the work to secure Oregon’s data systems is never done, more improvements are needed.”
The last comprehensive audit of the data center, in 2015, faulted ETS for numerous security weaknesses that put confidential information of state workers and residents at high risk of breaches or cyberattacks. That report found that the data center, which opened in 2008, was running on obsolete network equipment with out-of-date operating systems and did not maintain complete inventories of its authorized device configurations, protocols designed to raise firewalls around computing systems or update security settings.
Auditors also revealed that while day-to-day functions at the data center were typically stable, it had never fully tested itself for how it would recover from a natural or manmade disaster. A subsequent audit of governmentwide cybersecurity functions in 2016 showed that the CIO’s office, then occupied by Alex Pettit, was ill-equipped to handle the state’s cybersecurity needs because it did not effectively collaborate with other bureaus. An executive order signed by Gov. Kate Brown mandated the consolidation of cybersecurity functions under the CIO’s office. (Pettit resigned in April and moved to a role in Richardson’s office; Terrence Woods now serves as interim CIO.)
The audit released Thursday reports that the CIO’s office has made a few strides in improving the data center’s security position, while still lagging in other areas. The facility is commended for hiring more specialized cybersecurity staff to conduct regular vulnerability scans and monitor for network intrusions, as well as manage the installation of patches and other updates to the state’s Windows servers. The 2015 audit found, but did not publicly disclose that the data center was not conducting vulnerability scans at all.
While scans are conducted now, the data center still falls short on other things like incident response and the delegation of security work, the new audit continues.
“In other areas, roles are less clear or have not been sufficiently assigned,” the report states. “For example, roles should be better clarified for security incident response and for review and monitoring of privileged access membership and activities. In addition, overall information security responsibilities at the data center are not clearly defined.”
Record-keeping continues to be a problem for Oregon, too. When auditors asked the Enterprise Security Office for details about how many network alerts were tallied, they were given rough guesses.
“Staff could not provide actual numbers for the number of offenses and alerts received from the system because they are not adequately tracking activities associated with monitoring and reporting potential problems,” the audit reports. “In addition, analysts change rules periodically to eliminate or reduce false positives and improve the system’s pattern recognition abilities. However, there are no formal processes followed to ensure only needed changes are made or that changes are effective.”
The audit also finds that the data center has not implemented regular reviews of users with privileged, high-level access to state computer systems.
But one spot where the data center has made great leaps is in the age of its equipment. About 80 percent of its server and network assets is now less than five years old; in 2015, only 43 percent of the center’s equipment was that young. The data center has also phased out devices that run on unsupported operating systems.
The audit concludes with 11 recommendations, starting with a clarification of security roles and developing accurate metrics for incident monitoring. Auditors also suggest the data center’s managers review the list of privileged users and monitor their actions, which is required by a statewide security plan. It also recommends the state legislature appropriate more funds for the replacement of antiquated equipment and outdated software.