NYS’s audit of its Office of Information Technology Services Division of Criminal Justice Services’ Core Systems wasn’t the only embarrassing OITS audit released this week. The state also released its audit of the security and effectiveness of OITS’s Department of Motor Vehicles’ Licensing and Registration Systems:
Auditors found OITS and DMV are not in compliance with the payment card industry data security standards that govern the systems that process credit card transactions. Since January 2012, neither agency has completed and submitted a required self-assessment questionnaire or third-party compliance report, which are necessary to ensure that all risks have been properly identified and mitigated. Non-compliance also exposes the state to other risks ranging from extensive fines or penalties to business disruption due to cancelled accounts and the inability to accept credit card payments. OITS does not have an established monitoring and oversight process for user access management of DMV systems and is not operating in compliance with state cybersecurity policies.
Read the full audit report here.