State

Mississippi audit finds ‘disregard’ for cybersecurity across state

More than 40 percent of state entities did not bother responding to a required survey about IT and data security practices, the state auditor said.

By Benjamin Freed

October 9, 2019

(Getty Images)

The first-ever governmentwide survey of Mississippi’s cybersecurity policies returned unsettling results, with large volumes of residents’ personal data not being protected, several not having written procedures about how to respond to a cyberattack, and dozens of state agencies ignoring the legally required review altogether.

The findings were revealed in an Oct. 1 report by Mississippi Auditor Shad White, whose office sent out the survey to 125 state agencies, boards, commissions and universities that connect to the state government’s computer network to determine if they are in compliance with the state’s enterprise security program.

The program, which has been revised several times over the last few years, was codified under a 2017 law that put Mississippi’s Department of Information Technology Services in charge of governmentwide IT and data security. That law also put the Office of the State Auditor in charge of ensuring that state-government entities met the security program’s requirements.

But of the 125 entities that received a survey, 54 did not reply at all, and of those that did, more than half fail to meet at least 75 percent of the state’s cybersecurity requirements. Those results, White’s office wrote, suggest a culture in which “many state entities are operating like state and federal cyber security laws do not apply to them.”

While Mississippi’s enterprise security program puts ITS in charge of managing and coordinating statewide policies regarding IT and data security, it also places more than a dozen requirements on agency heads. While some of those edicts are broad, like overall responsibility for the safeguarding of IT assets under their purview, there are also mandates to develop internal IT security plans, conduct internal assessments to ensure workers are complying, and including cybersecurity requirements when soliciting new technology contracts.

Of the 71 agencies that did return a survey, White’s office found that just 11 had not implemented implemented a security policy or disaster recovery plan for dealing with cyberattacks. But twice that many also reported not having undergone a routine cybersecurity risk assessment conducted by a third party, which the security program requires agencies to do at least once every three years.

The enterprise security program — along with federal laws — also requires that certain types of personal data be encrypted. But the auditor’s office found data protection to be even more lax across the Mississippi government, with 38 percent of responding agencies acknowledging that they did not encrypt sensitive information pertaining to health records, taxes or student records.

“Many state agencies are operating as if they are not required to comply with cyber security laws, and many refused to respond to auditors’ questions about their compliance,” the report says. “Mississippians deserve to know their tax, income, health, or student information that resides on state government servers will not be hacked.”

In a phone interview, Mississippi Chief Information Officer Craig Orgeron, who leads the ITS agency, said White’s audit showed that the state’s cybersecurity has improved, but still reflects how far government needs to go, especially in a state where IT is so decentralized, leaving most technology decisions to individual agencies and bureaus.

“In this context, if there are 20 or 30 of the largest agencies [in the audit], you are going to have mixed results,” Orgeron said.

He also said there are “certain functions” in the state code that set governmentwide standards. But, Orgeron noted, the law putting ITS in charge of cybersecurity policy is only two years old, while the enterprise security program itself has been around for less than a decade, so establishing agency compliance is a work in progress.

Still, White’s review is a sign that Mississippi’s top officials are taking cybersecurity seriously.

“With the auditor taking interest, he has pushed the conversation in a positive direction,” Orgeron said. “As an agency head, it is refreshing to have a statewide elected official talking about these issues.”

Orgeron also said his office is developing a request for proposals that would issue multiple contracts to vendors for a “broad set” of IT assessment services, including cyber risk.

This post has been updated to include a statement from Mississippi CIO Craig Orgeron.