YELLOW SHEET Office of the State Auditor of Missouri
May 24, 2001
Report No. 2001-41
Better computer security controls are needed for employees who electronically process more than $320 million a year in unemployment and workers’ compensation benefits
This audit reviewed how effectively the Department of Labor and Industrial Relations computer security program protects its system from unauthorized access and/or information loss from disaster or other interruptions. In fiscal year 2000, the department used its computer systems, which contain more than 3 million confidential records, to pay $300 million in unemployment benefits and approximately $28 million in second injury fund compensation. The department immediately fixed several system weaknesses upon discovery through the audit. The following highlights some of the remaining concerns.
No statewide security standards exist
Missouri state regulations do not include published computer security standards, policies or guidelines for agencies. The absence of a policy has a greater impact on this department because of the volume and confidentiality of the data it handles. According to workers’ compensation staff, the loss of computer processing support and electronic data would seriously weaken their ability to issue on-time unemployment benefits and second injury fund payments. (See page 3)
Decade-old data-recovery plan is obsolete
The department last prepared a plan in 1990 for instances of disaster that can cause loss of data and computer processing capabilities. The obsolete plan cannot be used to reestablish computer processing at an alternate site. An updated data-recovery plan is imperative for this department because of the volume of data it processes, including the distribution of an average of 6,700 weekly unemployment benefit checks. (See page 4)
Unattended computers can foster access issues
Prior to the audit, the department’s computer terminals could remain signed on with no user activity for 5 hours before being automatically shut down. The Employment Security Division computer (which houses confidential information on all Missouri employers and their employees) could remain signed on indefinitely with no user activity. The absence of this control increases the risk of unauthorized access. Department officials immediately changed both computer systems to log off after 2 hours of inactivity. Department officials also reduced from 30 to 12 the number of staff whose user identifications had the power to change system security values. (See page 6)
Managing, training for security awareness necessary
The lack of a department-wide security management program led to the majority of the audit’s concerns with risk management processes, disaster recovery plans and effective access controls. Designating one employee as a computer security officer could enhance controls. Training staff in computer security awareness could also aid in successfully implementing a security program. (See page 11)