YELLOW SHEET Office of the State Auditor of Missouri
November 26, 2003
Report No. 2003-113
Comprehensive continuity plan for the State Data Center needs to address risks and responsibilities
This audit reviewed the State Data Center’s comprehensive continuity plan and security administration. The Office of Administration, Division of Information Services established the State Data Center, which processes mainframe data, stores data, and backs up state data systems. Without a complete continuity plan, there is limited assurance information technology processing could be promptly resumed after a disaster or other disruptive event. Security control weaknesses put mainframe data at risk for unauthorized use or modification. The following highlights the findings:
Data center recovery plans missing key items
The comprehensive continuity plan is used to restore the state’s operating system to recover critical state agency applications during a disaster. Auditors found some necessary information was not included in the recovery plan. Examples include: guidelines on how to use the plan; assumptions used for developing the plan; different procedures for various recovery scenarios from minor to total loss of processing capability; identification of the plan’s limitations; an order of succession to follow for decisions; and procedures or objectives for testing the plan. (See page 3)
Plan lacks enough detail for data center recovery teams
Division officials’ plans for two of the three recovery teams rely on the teams reacting to disasters without a detailed response plan, which could be detrimental to successful recovery. Standards state a detailed plan is necessary for recovery personnel who will respond, recover capabilities, and/or return the system to normal operation. These personnel need to clearly understand each step they are to execute and how their team relates to other teams. (See pages 4 and 5)
Access to the recovery plan has not been sufficiently restricted
Weaknesses in establishing access rights to the recovery plan allowed at least 1,000 OA employees to receive unnecessary plan access. Officials have not developed formal procedures to evaluate access rights to the confidential portion of the data center’s disaster recovery plan. OA officials took immediate action to remove the unnecessary plan access. (See page 6)
Contract procedures for alternate facility are not adequate
The initial data center contract for an alternate facility, necessary in the event the data center cannot be used, was to have ended with fiscal year 1999 and was not re-bid until over two years later. Bids were then solicited for configuration settings that would not be used. (See page 7)
Mainframe and customer security control weaknesses increase risk
Management practices and the data center customer procedures manual do not provide sufficient computer security procedures for agencies, or require agency mainframe security to be monitored. At April 30, 2003, 38 percent of over 45,000 active data center IDs had some security weakness including: no password change interval, not accessed for more than 90 days or never accessed, and no assigned or associated user name. (See pages 10 and 11)