Sandra Chereb reports:
Auditors delayed release of a report detailing security vulnerabilities in state databases to protect the information of tens of thousands of current and former state employees and their beneficiaries, a legislative committee was told Tuesday.
Douglas Peterson, information systems audit supervisor, told the Legislative Audit Subcommittee it was the first time he can recall in 20 years with the state that a decision was made to withhold an audit until problems are fixed.
Read more on the Las Vegas Review-Journal.
How bad was it, you wonder? From the key findings of the audit:
Confidential information about state employees was stored unencrypted in the Division’s databases, increasing the risk of unauthorized access of this information. One database contained Social Security numbers of over 145,000 current and former state employees and their beneficiaries. State security standards require that confidential personal data be encrypted whenever possible. However, this confidential personal information was not encrypted in the Division’s databases. Enterprise Information Technology Services (EITS) support staff, who manage the Division’s databases, indicated they were not aware that there was a requirement to encrypt this information.
Weaknesses exist in managing network users. We identified 42 computer accounts of former staff among the 179 Division computer user accounts whose network credentials (login identification and passwords) had not been disabled. Thirty-one of these former employees had been gone for over one year. One employee had been gone almost 10 years. Untimely disabling of former employees’ network credentials increases the risk that someone could gain unauthorized access to the state’s information and systems.
Five of the Division’s 77 staff had not completed their annual security awareness training. State security standards require that state employees each receive annual information technology security awareness refresher training to ensure they stay aware of current security threats as well as understanding their responsibility to keep state information confidential.
Desktop computers lacked adequate virus protection. Seven of the Division’s 85 computers did not have adequate virus protection installed. State security standards require that virus protection software be updated regularly to retain protection from evolving online threats. Without current virus protection installed, computers could become infected with malicious software.
Seventeen of the Division’s 85 computers were not receiving Windows operating system updates on a regular basis. Operating system updates are released monthly by Microsoft. State security standards require updates be installed timely to fix security vulnerabilities. Computers without current software security patches installed represent weaknesses in a computer network that can be exploited by a malicious entity to gain unauthorized access to state computer resources and sensitive data stored on them.
Some servers had vulnerabilities. For example, one of the Division’s four servers did not have virus protection software installed. Without current virus protection software installed, servers could become infected with malicious software. In addition, three of the four servers had critical or high-level vulnerabilities due to missing Windows operating system updates. Without installation of these software patches, computers remain vulnerable to online threats.
The Division’s office copiers were not configured to securely process confidential information. Four of the Division’s six photocopiers did not have the Immediate Image Overwrite function enabled as required by state security standards. This function configures the device to erase the processed job immediately after the copy, scan, or fax job is completed, thereby reducing the likelihood of any confidential information being stored on the copier’s hard drive.