There have been “significant deficiencies” in Kentucky’s information technology, according to a report published Wednesday by Kentucky Auditor Mike Harmon that found an incomplete disaster-recovery plan and insufficient restrictions on access to computers connected to the state’s networks.
The audit, reviewing the fiscal year that ended June 30, faulted the Commonwealth Office of Technology for not communicating with other state agencies as they developed internal disaster and continuity plans. An IT consolidation process the state began in 2014 gave COT ownership of agencies’ servers, networks, and security controls. But the audit found COT has not been more helpful to its fellow agencies as they draw up their disaster-recovery processes.
“Although the development of [business continuity] plans is still an agency-level responsibility, COT has not provided any policies, procedures, or other guidance for agencies related to their development,” the report reads. “After the initial services are established for an agency, COT provides no further communication with the agencies, written or verbal, about back-up and recovery services being provided.”
The report states that COT “has not provided comprehensive information concerning backup and recovery service levels established with consolidated agencies,” an issue that also popped up in Harmon’s fiscal 2017 audit of the agency.
Part of the problem may lie with the agencies that COT supports. In 2017, the IT agency started a process of identifying all state-government servers that did not have required backup processes, eventually finding about 2,500 machines. “Agencies have been slow to respond, but COT has decreased this to nearly 2,000 servers,” the audit reads.
It also states that COT is finishing a migration of the state’s enterprise network to a new infrastructure that will back up all connected servers. And in its response to Harmon’s findings, COT wrote that it is revising its continuity and recovery plan, and also scheduling a tabletop exercise to test it.
But Kentucky’s server consolidation process has gone through fits and starts. The state’s IT modernization journey began in 2012 with an executive order from then-Gov. Steve Beshear that directed agencies to move their servers to a centralized facility, but did not give COT much authority to upgrade the machines. A law passed last May gave COT greater powers, including more direct control over all state-government IT and making the chief information officer’s role a cabinet-level position.
The current CIO, Charles Grindle, told StateScoop last year that the consolidation effort will eventually move more than 1,000 physical servers and 3,000 virtual servers the state’s primary and alternate data centers, and that the new network infrastructure would be “operational capable” by November 2018. He also said COT is in the process of moving all of its end-users to Windows 10 environments.
But an additional finding in the audit reports that COT still has lots of work to do on its new Windows environment, including setting security permissions for users and getting a complete inventory of the machines in use.
“COT does not have a complete list of all servers they manage and maintain for the Commonwealth,” the report reads. Although the audit credits COT’s help desk for developing tools that could identify devices on the state network, those tools were not being used when auditors completed their review.
Meanwhile, the audit found that settings on some of the Windows servers allowed “unnecessary access” to shared folders housing sensitive or confidential information, and that COT had not acted to restrict those permissions, potentially raising Kentucky agencies’ vulnerabilities to a data breach or exposure.
“If a machine is not configured to properly restrict access, then an intruder could potentially use this available resource to attempt to gain access to the network,” the audit states. “This could negatively impact the financial statements if confidential data is stolen, which could result in substantial mitigation and legal fees for the agency and/or taxpayer, as well as loss of taxpayer trust and damage to the agency’s reputation.”
A spokeswoman for the Kentucky Finance and Administration Cabinet, COT’s parent agency, wrote in an email statement late Wednesday that the office “is currently in the process of reviewing today’s report and looks forward to the opportunity of issuing a formal response in the days ahead.”
And while not a subject of the audit, Grindle, who was hired in December 2017, has drawn scrutiny to the IT office for his friendship with Gov. Matt Bevin and a $215,000 raise he received last year that made him the highest-paid state CIO in the country.
In interviews with Kentucky media, Bevin has called Grindle’s $375,000 salary “a steal,” pointing to the CIO’s background as a decorated Army colonel. Grindle’s current pay was made possible thanks to rushed legislation last April that exempted his job from the statutory limit on state-government salaries of $163,992. Grindle defended the move to StateScoop last year.
“The legislature made a decision,” he said. “If we want to move the organization forward you have to put the right people in.”