The Rundown with Kansas Legislative Division of Post Audit

Information Systems: Reviewing Specific IT Security Controls Across State Agencies and School Districts [July 2023]

July 06, 2023 Legislative Post Audit

This audit determined whether selected state agencies and school districts adequately complied with certain IT security standards and best practices. State agencies must follow state IT security standards to protect sensitive information against data loss and theft. Local entities are not required to follow the state's policies.

9 of 15 entities we audited did not substantively comply with IT standards and best practices in at least 2 of the 3 subject areas we evaluated. Specifically, 8 of 15 entities did not substantively comply with selected security awareness training controls, 10 of 15 did not substantively comply with selected account security controls, and 8 of 15 did not substantively comply with selected incident response controls. The findings demonstrate a poor "tone at the top" at many entities, meaning a lack of top management oversight and supervision.

Speaker 1:

Welcome to the Rundown, your source for the latest news and updates from the Kansas Legislative Division of Post Audit, featuring LPA staff talking about recently released audit reports and discussing their main findings, key takeaways, and why it matters. I'm Brad Hoff. In July 2023, Legislative Post Audit released a performance audit reviewing specific IT security controls across state agencies and school districts. I'm with Alex Gard, principal IT auditor at Legislative Post Audit, who supervised the audit. Welcome to the Rundown, Alex.

Speaker 2:

Thanks, Brad. I've been looking forward to this all week.

Speaker 1:

So, before we begin discussing the audit's findings, give our listeners a rundown of the Information Technology Executive Council, otherwise known as ITEC, the security standards that state agencies are required to follow, and why they're important.

Speaker 2:

So, as you mentioned, ITEC stands for the Information Technology Executive Council. A little bit of history: in the late 1990s, the state legislature thought it made sense to have general rules in place for IT. So they created this group, made up of stakeholders from various big agencies, small agencies, and different branches. So you've got your judicial representatives and your legislative representatives, and I think there were also some members of the general public that had some input as well. They created this body called the Executive Council and delegated authority to make rules for IT to this body. So essentially, all state agencies have to follow these rules. It's important to keep in mind that these rules weren't made up out of thin air or anything. They were based on industry standards and best practices, meaning that leaders in the industry thought they were good ideas, good things to put in place to prevent bad things from happening.

Speaker 1:

Now, I think another important caveat for this audit report, Alex, is that even though the 15 state entities are named and listed in the appendix, give our listeners the reason why we can't call out specific state agencies or school districts and how well each of them performed on your testing.

Speaker 2:

One thing we wanted to be very sensitive to was that we didn't want to expose, or have exposed, weaknesses at a specific entity, knowing that it may take some amount of time to put certain controls into place. So we didn't want to basically point out and say, here's the weak spot, here's the weak spot. Especially with these technical types of audits, because that could basically give attackers a roadmap: here is the weak link, here is an agency or an organization, and here is the hole in their processes. We don't want to create any kind of security incidents, directly or indirectly, for these organizations. So that's why we didn't name specific weaknesses or tie specific findings back to the individual entities. As far as scores for individual areas, it started to run a fine line, especially given that we only tested a limited number of controls at these entities. You start to walk a fine line between reporting area scores and outing specific weaknesses for entities that performed extremely poorly. If you've got an entity that scores a 0% in an area, for example, then that is almost the same as pointing out all the individual findings for that agency in that area. And so, because we weren't going to do that, and also as a result of some of these overall area scores, it just made sense to keep that information confidential.

Speaker 1:

In this audit, LPA audited 15 state entities on three IT controls: one being security awareness training, the second being account security, and the third being incident response. Take some time to discuss how you selected these 15 entities and what the audit team's process was for evaluating them in those selected control areas.

Speaker 2:

So again, a little bit of background before I can actually answer the question. Every three years our office conducts a statewide risk assessment based on information that we gather from all state agencies. We ask them to fill out a brief survey or questionnaire about their information systems that hold confidential data. And then we gather other information about those systems, like what kinds of data are in them, how much, how old the systems are, whether they connect to the internet, things like that. We take that information and combine it with some other knowledge that we have, like how recently they've received an LPA audit, and then select from there. So that's how we wound up with the 15 entities, or 12 of the 15 entities, in our list. Regarding the three school districts, we just straight up asked larger districts in the state a couple of years ago whether they would be interested in getting an IT security audit from us, basically for free, and relied heavily on that response in selecting districts. In terms of evaluating the control areas, we picked low-hanging fruit, so areas and criteria that we thought we could evaluate easily and that wouldn't take a large amount of time for us or the entities to go through and do. Most of the evaluations were really straightforward, just comparing what the entities did to the plain text of the ITEC standards. For example, one criterion we looked at was that agencies must train their users in security awareness every year. So we took a list of some of the entity staff and said, okay, for 2022, did you train these people in security awareness? Show us the proof that you did. If they had it, great, we marked it as trained, and if they didn't have it, we marked it as not trained. So it was really pretty straightforward. There weren't a whole lot of highly sophisticated technical tests performed for this audit.

Speaker 1:

So just to recap, to set the stage: of the 15 state entities, 12 were state agencies and three were school districts.

Speaker 2:

That's correct.

Speaker 1:

Now, let's move to some of the findings of the audit. One of the main findings was that nine of the 15 entities you reviewed did not comply with IT standards and best practices in at least two of the three subject control areas. What did the audit team find that can explain the reasons why 60% of the entities are not complying?

Speaker 2:

So to set the stage, we set the bar for substantive compliance with these standards at 50%. If it looked like an entity was doing more than half of the things right in an area, we would consider them as having substantively complied with required controls for that area. As you said, we had several entities that did not meet that bar. There were a handful of reasons why entities weren't meeting it. We heard things such as not having enough money or staff to put the right controls in place, but we thought that the biggest reason was an inadequate tone at the top, meaning top management of these organizations had not placed enough of a priority on IT security, or had provided inadequate oversight of the IT function. Ultimately, IT security is management's responsibility, and they're the ones that have the duty to protect the entity's data and limit exposure and loss.

Speaker 1:

Now, let's turn our attention to each of the three IT controls, the first being the security awareness training controls. The audit team found that eight of the 15 entities did not comply with security awareness training controls. Give our listeners a little bit of background on what these controls are and why they're important for state entities to have in providing IT security.

Speaker 2:

So, as I mentioned earlier, training users in security awareness is basically one of those core things that organizations need to do, because people, your users, your employees, are the weakest link in any kind of security posture. The controls we looked at in the security awareness training area were really just: are you training your users in basic security awareness principles, teaching them about passwords, teaching them about ways to avoid identity theft, teaching them about social engineering, things like that. Are you training your new users, your new staff, the folks that you're bringing on? Is there a security awareness training component to your onboarding process? These are all important things because really, people are the weakest link in any organization's security posture. An organization can spend lots of money and have all sorts of technical bells and whistles and controls in place, but it really just takes one small action by a single individual to bypass these controls. Things as easy as clicking on the wrong link in an email could open the door up to all sorts of trouble.

Speaker 1:

The audit team also found that 10 of the 15 entities did not comply with selected account security controls. Talk a little bit about what those controls are and why they're important for state entities to have.

Speaker 2:

So the account security controls that we looked at were really two groups. The first one being passwords and password-related controls. So things like, is your password long enough? Does it have enough variation: numbers, uppercase, lowercase, things like that. And then, when you enter your password wrong, how many times can you try before it locks you out? So that would be the password controls piece of things. The other piece under account security that we looked at had to do with an organization's offboarding process, and whether user accounts were being turned off, or access to those accounts was being turned off, when those folks left or stopped working for the organization. I think we found issues with just about every one of the controls that we looked at overall. But these are really important because they're basic, door-lock types of controls. You ask for an employee's keys to the building back when they leave; user accounts should be no different. It's just a virtual key into an IT network. So that was one of the things that we looked at as well. And, like I said, these are basic controls that we looked at for this area.

Speaker 1:

And the third control area you looked at was selected incident response controls. You found that eight of the 15 entities did not comply in that area as well. So just talk a little bit about what those controls are and why they're important for state entities to have in providing IT security.

Speaker 2:

So, incident response you can think of as similar to some other written plans, but an incident response plan and related controls are going to involve what an organization does when faced with an emergency. And with incident response we're largely not talking about tornadoes or fires or things like that; that's going to be a different plan. We are talking about things that might be a little bit more technological in nature, things like a virus infection or data loss. When those things happen, usually the stress level is very high, and you may not be thinking clearly. Whatever your plan of attack is, you'll want to have that in place. You want to have it clearly spelled out on paper. You want to make sure that it's tested, in a secure environment, so that if you have an incident you're not just winging it. The last thing you want to do is try to figure out how you're going to handle it on the fly. And then one of the final pieces in incident response has to do with a post-incident look back, which I think is often called a lessons learned type of process, where the response team, whoever that might consist of, sits down together and goes over what things went right in the process of handling this incident, what things could we improve, and what things totally did not work and needed to get chucked to the curb. So incident response, like I mentioned, is really just having that plan set in place ahead of time so that when the heat is on, you're not running around trying to figure out what to do.

Speaker 1:

And finally, what is the main takeaway of this audit report?

Speaker 2:

So these aren't new issues overall. You can think back to when we discussed a report last December about all the entities that we've audited in the past. We continue to see issues in terms of agencies not meeting standards, not complying with ITEC standards. It's important to remember that these standards have been around a long time. They're well more than 10 or 15 years old, and their most recent version, the version that we audited, has been around since 2019. So agencies or organizations have had quite a period of time to address the concerns or put in place controls that would satisfy these. Another thing to take away from this is that these are really baseline controls to fix. These are controls that leadership, executive management within all the branches, have really come together and agreed are very important, important enough to require all state agencies to do. So, I mentioned these aren't new issues. I mentioned that ITEC in its current form has been around for a number of years. We mentioned earlier that the underlying root cause behind the noncompliance seems to be issues with tone at the top, issues with inadequate top management oversight of the IT security function. And the last thing to keep in mind is that, at least as far as the controls that we looked at for this specific audit, implementing controls to satisfy these does not really require a lot of money. It may require a little bit of an investment of time. But in terms of satisfying these, they are broad enough and vague enough, and give agencies enough flexibility, to address these or comply in a number of different ways.

Security awareness training, for example. You might think, oh, I need a hundred thousand dollars to go out and buy this fancy online security training platform, licenses and all of that kind of stuff. But the standard doesn't require that. It just requires that you train your people. So it could be as simple as putting together a PowerPoint that discusses the different training topics that are required. I guess the last thing to mention is that, at least at present, school districts do not have to follow ITEC standards. But even if they aren't required to follow them, these are still really good baseline best practices, good things for folks to do to deter or reduce the likelihood of bad things happening. And so that's something that those districts need to look into as well.

Speaker 1:

Alex Gard is a principal IT auditor at Legislative Post Audit. He supervised an audit that reviewed specific IT security controls across state agencies and school districts. Thanks for joining me today, Alex.

Speaker 2:

Sure.

Speaker 1:

Thank you for listening to the Rundown. To receive newly released podcasts, subscribe to us on Spotify or Apple Podcasts. For more information about Legislative Post Audit and to read our audit reports, visit kslpa.org. Follow us on Twitter at @ksaudit or visit our Facebook page.