Auditor's report on cybersecurity highlights gaps in controls


Auditor Nicole Galloway

State Auditor Nicole Galloway last week released a summary of the most common cybersecurity risks found by her audits of local governments and courts, along with recommendations those agencies can follow to better safeguard data.

Inadequate security controls -- and, in some cases, even the lack of controls -- put government electronic data at risk of hacking and theft, Auditor Galloway said.

"Our audits uncovered numerous gaps in cybersecurity that compromise the safety of government data," Auditor Galloway said. "These were often as basic as changing, or even using, computer passwords. Government officials have a responsibility to the citizens they serve to ensure appropriate cybersecurity measures are in place and updated timely."

The summary was compiled using local government and court audit reports issued between July 2019 and June 2020. Auditor Galloway's office has released similar reports since 2015. The most common cybersecurity issues found by the audits were:

• Access - Former employees did not have their access removed promptly, and current employees had greater access to the computer system than they needed to do their jobs.

• Passwords - The audits found system administrators were not requiring users to change their passwords periodically, passwords were shared by users, passwords were not required to be complex enough, and in some instances, no passwords were even required for access.

• Security controls - Computers were not set to lock after a certain period of inactivity or after a certain number of unsuccessful log-on attempts.

• Backup and recovery - Data backups were not stored at an off-site location, and periodic testing of the backup data was not being performed.

• Data integrity and tracking - Controls were not in place to guard against improper changing or destruction of data, and the systems did not track who was responsible for changes or how the changes were made.

As part of each audit that found cybersecurity problems, Auditor Galloway made recommendations for the local governments to help protect electronic data. They include:

• Limiting user access rights to only what is necessary for job duties and responsibilities;

• Promptly deleting user access following termination of employees;

• Periodically reviewing user access to data;

• Ensuring passwords are periodically changed, are adequate for security, and that unique accounts and passwords are required for access;

• Putting controls in place to lock computers after inactivity or unsuccessful log-on attempts;

• Storing backup data in a secure off-site location and testing the backup data on a regular basis;

• Ensuring data integrity and audit trail controls are in place to allow for proper accountability of all transactions; and

• Restricting the time frame for making changes to data and ensuring that the audit trail of changes is prepared and viewed for accuracy.
