Earlier this year, Michigan's auditor general cited the state's Department of Technology, Management and Budget (DTMB) for gaps in its network cybersecurity. It gave the department 60 days to develop a game plan and come into compliance with the audit recommendations.
An audit can mean many things for an IT department, including orders to make big changes.
Government Technology reached out and talked to five members of the National Association of State Auditors, Comptrollers and Treasurers — auditors from the state governments of Minnesota, Virginia, New Jersey, Colorado and Arizona — who outlined five common problems that trip up IT departments. And these folks offered advice on how to avoid them.
Poor Vendor Management
When the New Jersey Office of the State Auditor looked at vendor management for both services and system development, it found poor vendor management during the projects, said New Jersey Principal Auditor Dan Altobelli.
“Our integrated auditors are supposed to be looking at systems that support major business processes, and more and more of them are provided by vendors. Many are not getting the System and Organization Controls (SOC) report, and the few that are have no idea whether it is valuable,” Altobelli said.
Melinda Gardner, IT audit manager for the Arizona Office of the Auditor General, also pointed to poor vendor management as a troublesome area for a number of IT departments.
“Even if these entities require an SOC report, they are lucky to get them or review them,” Gardner said. “I have found that they all leave a lot to be desired, even if one is provided for assurance purposes.”
Poorly written requests for proposals and contracts are another area where IT departments are frequently dinged on their vendor management, Altobelli said.
“We all know what happens when you don’t ask for something in the initial agreement,” Altobelli said, noting it can drive up the cost of the contract.
Solutions:
- Train IT and purchasing departments on the various SOC types and their usefulness, Altobelli advised. This will help the RFP and contract language to contain the right elements with regard to asking for a specific type of report, and will give the IT department an idea of what to look for in the reports they receive.
- Document the whole “service chain,” which calls for making sure the RFP requires the primary vendor to ensure that any subcontractors hired also provide an appropriate SOC report that is forwarded to the state.
- Always include a “right to audit” clause in contracts. Many vendors are reluctant to do this, but try to get some limited language in the contract that says something to that effect, Altobelli said. For example, if any deficiencies are found during the SOC review, or if necessary controls are omitted during the review, the state reserves the right to come in and look at those controls, or require the vendor to mitigate the risk and provide evidence of this.
IT Security Controls Lacking
A lack of internal control processes, along with inconsistent coverage, are common audit issues for IT departments, said Chris Buse, deputy legislative auditor for the Minnesota Office of the Legislative Auditor and a former assistant commissioner and chief information security officer for the state of Minnesota.
“Many critical security and other internal control processes … still are done in agency office silos. Some agency offices execute processes very well, but most execute processes with marginal success and many simply do not have the technical or fiscal wherewithal to execute key control processes at all,” Buse said.
For example, continuous vulnerability scanning is generally an accepted best practice, as evidenced by its inclusion in the Center for Internet Security’s Top 20 Security Controls, he noted. However, performing this function effectively requires sophisticated and costly tools and highly specialized staff, which pose a significant barrier to entry for all but the very largest agencies that have vast cyber-resources.
“Governments that have not centralized these types of services and developed process maturity will undoubtedly have many audit issues,” Buse advised. “There are many other similar examples in the security space, such as monitoring. We now live in a hostile world where 24/7/365 monitoring must be the norm for government systems that citizens depend on, but unfortunately there still are many critical government systems that are still not under the watchful eye of a security operations center that works around the clock.”
When it comes to patch management, 90 percent of all vulnerabilities Altobelli’s office finds are the result of devices missing patches for their operating systems or other installed software. That said, he noted that the situation appears to be showing some improvement as governments across the nation increasingly use commercial applications or software as a service (SaaS) rather than “home-grown” applications.
“There is less of a fear of breaking something by applying a patch when the product is built to be more flexible and/or is off-the-shelf and the vendor is providing updates. But it is still a major problem for my state, especially with OS and [databases]. Another contributing factor to this is a lack of internal vulnerability scanning by agencies,” Altobelli said.
Solutions:
- Outsource security to a managed security services (MSS) firm when needed to supplement in-house technical depth and breadth. Research firm IDC reported in 2017 that the MSS field is rapidly growing, with such firms offering advanced services such as managed security operations centers, managed security information and event management (SIEM) and distributed denial of service (DDoS) protection.
- Take a free IT security assessment test offered by the Center for Internet Security. The CIS Risk Assessment Method [CIS RAM] test aids organizations in assessing their security posture in relation to the CIS Controls cybersecurity best practices. CIS RAM includes templates, exercises, instructions and examples for conducting a cyber-risk assessment.
- Seek ways to gain economies of scale when making costly purchases of security tools.
Inadequate Risk Assessment and Data Classification
A lack of risk assessment and data classification controls runs rampant across IT departments at various government agencies, said Arizona’s Gardner. IT departments and the various stakeholders need to come together and create comprehensive processes for risk assessment and data classification, but Gardner finds that these groups often struggle to understand the processes and controls, how to make them work together, and how to implement them.
Data classification is a key piece lacking within New Jersey’s Office of Information Technology, Altobelli said.
“We wrote a finding in 2007 that the centralized OIT has not required the agencies to do a data classification for their systems, and that without one, there was no way to evaluate if controls in place were appropriate because no one knew what they had,” Altobelli said. “OIT required a classification shortly after that … and it was completed by all agencies by June 30, 2008 and put on file at OIT. And there it has lain for 10 years, like the Ark of the Covenant, never opened. No updates when changes were made or new applications were developed, no periodic reviews for accuracy.”
As a result, Altobelli said the stumbling block of not knowing what one has before one can properly assess the risk and assign controls is an ever-present issue.
“Agencies can tell us what applications they have, what platforms they are on, etc., but when you ask them if they have assessed the data in the system and put in proper controls, they say things like, ‘We have a firewall,’” he lamented.
Solutions:
- Create a data classification policy, implement it, and follow it. Carnegie Mellon University’s Information Security Office has a set of guidelines for categories of data classifications that would also be applicable to government agencies.
- Draft documentation of core government systems so that controls and management capabilities can be assigned to these systems to aid in risk assessment.
Scarce ‘How to’ Standards, Guidelines and Compliance Information
Auditors stressed the need for IT departments to have detailed written information on policies and procedures to steer state agencies through standards, guidelines and compliance procedures.
“Our central OIT likes to put out policies, but their contribution wanes when it comes to providing agencies with ways to implement the policies,” Altobelli said. “Things like standard operating procedures, hardening [security] guidelines, etc., are not adopted and disseminated to the agencies to aid them in creating a more uniform, secure environment.”
Minnesota auditor Buse expressed a similar sentiment, pointing to the lack of emphasis placed on documentation.
“Without a documented technology foundation, your controls and management capabilities slowly erode as key information technology professionals leave government service, an unfortunate reality with our aging IT workforce,” Buse said.
Solutions:
- Guide agencies on establishing an inventory of, and controls over, hardware and software assets using active inventory management tools and processes.
- Check existing standards that agencies can adopt, so they will not have to be written from scratch.
IT Governance Missing
IT governance is a big issue that is lacking in a number of states, including New Jersey, Altobelli said, noting his office issued an auditor’s report on the topic last year. And later this year, he plans to attend a conference where he will present a report on it.
“One of the main thrusts of the presentation will be the time that we spent figuring out how the governing legislation and additional executive orders work together, or don’t work together, to define responsibilities. Although there are some ‘standards’ in this area, [such as] COBIT [and] ISO, it is hard to put these into action when the responsibilities are in question,” said Altobelli.
Although Buse does not believe the lack of governance is “tripping up” IT departments, he suspects it may be holding up the ability of state IT agencies to excel.
“Good governance results in IT strategies that stakeholders support and are willing to back financially. Good governance also is an essential part of risk management in complex organizations, helping set the risk bar at an appropriate level enterprise-wide,” Buse said. “It is easy for auditors to criticize low-hanging fruit, such as access control issues; however, down the road I want to see my team writing reports to help lawmakers better understand the big picture in IT planning and oversight issues that have much more significant risk and financial implications.”
With this understanding, Buse believes lawmakers can serve as key stakeholders who can help drive major technology directions that better serve citizens.
Karen Helderman, audit director of Virginia’s Office of the Auditor of Public Accounts, has written two reports on IT governance in the past 11 years. One report, issued in 2015, covered governance of enterprise applications and the other, published in 2007, examined governance in systems development.
The reports were written in an effort to educate the legislature and aid in the development of a formal IT governance structure, she said. However, Helderman noted, “These reports tend to fall on deaf ears until something catastrophic occurs, but at least it may start a conversation.”
Solutions:
- Learn about IT governance by reviewing materials from ISACA’s IT Governance Institute, a nonprofit that offers research on IT governance and other related topics.
- Consider creating an IT governance framework, as outlined in Helderman’s 2015 report. This governance framework would aim to better align resources from funding to personnel and assume responsibilities currently held by various state agencies’ IT operations, which have autonomous control over such decisions as to when, how and what enterprise applications to modernize and with what type of software.