Report: State computer systems a hacking risk

Small state agencies generally don't have adequate security controls over their computer systems, exposing them to unacceptable risks, the legislative auditor said in a report Thursday.

The shortcomings result in the risk of unauthorized access to nonpublic information and even the possibility of disrupting state functions, the report said. It is the latest of several critical reports on state agencies from the legislative auditor. Recent reports have raised questions about auditing and other financial controls of agencies such as the Department of Finance, the Department of Natural Resources and the Department of Human Services.

Seven of 12 small state agencies examined by the legislative auditor did not have dedicated information-technology or security staff, and the majority had not conducted risk assessments of their information technology systems, the report said. One agency had not changed four default passwords to powerful database accounts on a purchased software product.

The report identified 45 state agencies with 50 or fewer employees and examined 12 of them, among them the Board of Nursing, the Racing Commission and the Public Utilities Commission. The report did not say which agencies had shortcomings but said the office had discussed the deficiencies with agency managers.

"Because a security breach at a small agency could expose the state to significant liability or expose other government computer systems to unauthorized access, the state needs to find ways to help small agencies better secure their computer environments," the report said.

The state's Office of Enterprise Technology, which oversees the state's information technology systems, acknowledged many of the concerns in a response to the audit, saying it is attempting to consolidate its data centers into one highly secure facility with a secondary backup for disaster recovery.

"It is clear that the historical strategy of addressing cyber security threats on an agency by agency basis was not effective, and never will be," wrote Gopal Khanna, the state's chief information officer.

Mark Brunswick • 651-222-1636