The Rundown with Kansas Legislative Division of Post Audit

3 Year Summary of Security Controls in Selected State and Local Entities (2020-2022) [December 2022]

December 12, 2022

We completed 21 audits on 16 agencies and 4 school districts between CY 2020 and 2022 (1 entity was audited twice during this time period). This summary report shows 10 of the 21 entities did not substantially comply with applicable IT security standards and best practices. Entities struggled with properly scanning and patching their computers. Entities also had compliance problems because they did not create, maintain, or test incident response plans or continuity of operations plans. Other significant issues included poor security awareness training or failed social engineering tests. Almost half the entities had significant management, contract, or policy-related weaknesses. Additional security weaknesses included inadequate account security controls and poor encryption, backup, or destruction processes for sensitive data. We also noted several entities had inadequate network boundary protection or had poor access or environmental controls for their data centers. Lastly, we identified significant security issues within agencies' specific IT systems. The findings in this report are similar to those in previous summary IT reports. The main reasons for compliance problems across the 20 entities included insufficient top management attention and inadequate resources.

Speaker 1:

Welcome to the Rundown, your source for the latest news and updates from the Kansas Legislative Division of Post Audit, featuring LPA staff talking about recently released audit reports and discussing their main findings, key takeaways, and why it matters. I'm Mori Exline. In December 2022, Legislative Post Audit released a performance audit that summarized the security controls of selected state and local entities in the three-year period from 2020 to 2022. I'm with Alex Gard, principal IT auditor at Legislative Post Audit, who supervised the audit. Alex, welcome to the Rundown.

Speaker 2:

Fantastic. Thanks for having me, Maureen.

Speaker 1:

So to get started, can you give me some background about the purpose of this audit and what kinds of things you were looking for in your evaluation?

Speaker 2:

Yeah, so to start with, our office's IT security audits are conducted by a specialized team of auditors. Their primary focus is IT security audits. That's mainly what they do. For the past three-year period, we conducted individual IT security audits of 20 or so state agencies and school districts. Those reports are issued confidentially because they contain detailed information about IT security weaknesses. This audit presents summary-level information about things that we've seen across multiple entities in a public report. That way, decision makers and the public can have some insight into the work that we're doing.

Speaker 1:

Okay. So what considerations do entities generally make in terms of IT security?

Speaker 2:

So the federal and state governments have both laid out various frameworks in terms of rules that have to be complied with when dealing with certain types of information. One that folks may be familiar with is HIPAA, which has to do with protected health information. It has to be handled a certain way, certain people have to look at it, it has to be destroyed a certain way, that kind of thing. These state agencies and other entities deal with all different types of confidential information, and they have to figure out, okay, what controls do we want to put in place to protect that from being stolen or used by the bad guys? And these different legal frameworks that are out there, whether it's HIPAA or, in the state's case, ITEC, have put together a pretty big list of to-dos, or dos and don'ts if you will, to help guide agencies in making decisions on these are the important things that we think you should do. But still, management has to figure out what they want to do with how much security they want to put in, because that is a balancing act between operating the day-to-day business versus putting into place things that help make the agency and its information safer.

Speaker 1:

So in your report, you mentioned that half of the entities that you audited did not substantially comply with IT security standards and best practices. In what areas were entities most deficient?

Speaker 2:

So during the audit period, we saw issues on pretty much everything that we audited at some point, but there are three big areas that stick out as issues over and over again. So the first up, vulnerability remediation. It's a mouthful. It really just means scanning for security holes in software and hardware and patching those with fixes that are issued by the vendor. You know, bad guys are always finding new ways to get into computer networks every day. And so it's important for agencies to be vigilant in patrolling for those security gaps. Now, this can be a resource-intensive process, but it's critical to keeping the bad guys out. Second up, training staff in security awareness is very important. Agencies have to train their staff on what to look for and what to do and not do with respect to IT. So IT itself can put all the technical controls in place that they want, but those controls could be worthless if, you know, the regular user lets somebody in the front door. The last area that surprised me a little bit as being such an issue during this period involved incident response and business contingency planning.

Speaker 1:

So what does incident response planning involve? It sounds important.

Speaker 2:

So security incidents are going to be anything that might be a potential security issue. Anything from maybe an inadvertent email with somebody's Social Security number in it all the way up to a full-fledged ransomware attack. Incident response planning involves making sure that there is a plan of action written down so that when something bad happens, everybody knows how to react, how to respond, what steps to take, and how to minimize loss and disruption, things like that. Business contingency planning, on the other hand, is pretty similar, but it deals with larger, more catastrophic types of events. So think of things like major power failures, fires, tornadoes, things like that. Things that might put the entire agency out of action for a little while. Pandemics come to mind as well. The idea behind both areas is that you want to have your game plan written out ahead of time so you know exactly what to do when disaster strikes, and you want to test those plans to make sure they work like they're supposed to. It's kind of like how you wouldn't want to wing it if you found out your house was on fire or being broken into. The same kind of thing goes for IT.

Speaker 1:

Are there any other areas of concern that you guys identified that were maybe just affecting a few organizations but still maybe worth mentioning?

Speaker 2:

Even with some of the areas we talked about, the big problem areas that touched on or were problems for lots of different agencies, there were agencies that were kind of rounding the corner, or had some bright spots too in terms of areas that tended to be less problematic. So we pointed out, for example, that network and boundary protection, which would cover perimeter and other firewalls and antivirus-type measures. Those looked, you know, more or less in pretty good shape compared with some of the other areas that we looked at.

Speaker 1:

So finally, what was the biggest takeaway from this audit?

Speaker 2:

This audit reiterated that the issues that we found over the past three years are some of the same areas that have been historically difficult to manage. The primary causes also appear to be the same: insufficient management oversight and inadequate resources, be that staff, staff time, or money. I mean, this is not the IT world of 20 years ago. It is everywhere. It's fundamental to how businesses operate, and the threats are also more sophisticated and constant. Entities can face significant monetary and reputational damage in the event of a security breach. Although federal and state government groups have provided guidance in the form of legal requirements and frameworks, it's still ultimately up to the agency management to implement and comply with 'em. Entities are making some inroads, but more needs to be done.

Speaker 1:

Alex Gard is a principal IT auditor at Legislative Post Audit. He supervised an audit that summarized the security controls of selected state and local entities in a three-year period between 2020 and 2022. Alex, thanks for visiting the Rundown and discussing this audit's findings with me.

Speaker 2:

Thank you.

Speaker 1:

Thank you for listening to the Rundown. To receive newly released podcasts, subscribe to us on Spotify or Apple Podcasts. For more information about Legislative Post Audit and to read our audit reports, visit kslpa.org. Follow us on Twitter at @ksaudit or visit our Facebook page.