YELLOW SHEET Office of the State Auditor of Missouri
Report No. 2004-70
September 15, 2004
Weak Controls Increase the Risk Sensitive or Confidential Material Is Not Properly Safeguarded
Each year the state disposes of hundreds of computers through surplus property sales to political subdivisions and certain not-for-profit organizations, and through auctions open to the public. We evaluated state agency and overall state policies and procedures for removing data from computers that are disposed of, to prevent sensitive or confidential data from being disclosed.
Data removal not always effective or consistently done across state agencies
Test results showed we could read data directly, or recover it with data recovery software, on 37 of the 56 (66 percent) computers tested, which indicated there had been no attempt to remove data or the attempts were ineffective. For 13 of the 37 (36 percent) computers, the agency had formatted the drive or removed the partition in an attempt to remove data. Reformatting a hard drive with the format command or removing its partition are sometimes misunderstood as ways to erase data, but neither technique actually removes data: both rewrite only the file system structures that index the data, leaving the data itself on the disk. (See page 3)
Sensitive data remained on computers not sanitized
Twenty-three of the 37 (64 percent) computers that had not been sanitized contained sensitive data. The sensitive data included social security numbers, bank account information, computer network access information, and medical data. All 37 computers still had licensed software. (See page 4)
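The two findings above (a format or partition removal leaves file data on the disk, and a residual-data scan then turns up sensitive records) can be shown on a simulated disk image. The following Python script is an added example, not code from the audit or from any state agency. It assumes a simplified layout (a boot record in sector 0, an allocation table in sector 1, file contents from sector 16 onward) and uses constructed records with an obviously fake social security number and account number. A quick format zeroes only the metadata sectors, partition removal zeroes only sector 0, and a full overwrite zeroes the whole image; the scan that an auditor would run is applied after each step.

```python
import re

SECTOR = 512
N_SECTORS = 128            # 64 KiB constructed "disk" image
METADATA_SECTORS = 8       # sectors a quick format rewrites (boot record + allocation table)
DATA_START = 16            # first sector the file system hands out to file contents

# Constructed sample records. The SSN and account number are fake values made up for this demo.
SAMPLE_RECORDS = (
    b"EMPLOYEE: J. Doe SSN 123-45-6789\n"
    b"BANK ACCT: 000123456789\n"
)

# Patterns an auditor might scan raw disk contents for (assumed, not from the report).
SENSITIVE_PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "account": re.compile(rb"ACCT:\s*\d{8,12}"),
}


def new_image() -> bytearray:
    """Return an all-zero disk image."""
    return bytearray(SECTOR * N_SECTORS)


def write_file(image: bytearray, first_sector: int, payload: bytes) -> None:
    """Store payload at first_sector and record it in the (simulated) file system metadata."""
    start = first_sector * SECTOR
    image[start:start + len(payload)] = payload
    image[0:8] = b"BOOTREC\x00"                      # sector 0: boot record
    n_sectors = -(-len(payload) // SECTOR)           # ceiling division
    entry = f"file0:{first_sector}:{n_sectors}\n".encode()
    image[SECTOR:SECTOR + len(entry)] = entry        # sector 1: allocation table entry


def quick_format(image: bytearray) -> None:
    """Mimic a format command: only the file system metadata sectors are rewritten."""
    image[0:METADATA_SECTORS * SECTOR] = bytes(METADATA_SECTORS * SECTOR)


def remove_partition(image: bytearray) -> None:
    """Mimic deleting the partition: only the partition/boot sector is rewritten."""
    image[0:SECTOR] = bytes(SECTOR)


def overwrite_sanitize(image: bytearray, fill: int = 0x00) -> None:
    """Overwrite every byte of the image; this is what actually removes the data."""
    image[:] = bytes([fill]) * len(image)


def residual_sensitive_data(image: bytearray) -> list[tuple[str, str]]:
    """Scan the raw image, ignoring file system structures, for sensitive patterns."""
    raw = bytes(image)
    hits = []
    for name, pattern in SENSITIVE_PATTERNS.items():
        for match in pattern.finditer(raw):
            hits.append((name, match.group().decode(errors="replace")))
    return hits


def is_sanitized(image: bytearray) -> bool:
    """Verification check: no sensitive patterns and no leftover bytes in the data area."""
    return not residual_sensitive_data(image) and not any(image[DATA_START * SECTOR:])


def demo() -> dict:
    """Run the scenario and return the number of sensitive hits after each step."""
    results = {}
    img = new_image()
    write_file(img, DATA_START, SAMPLE_RECORDS)
    results["before"] = len(residual_sensitive_data(img))
    quick_format(img)
    results["after_format"] = len(residual_sensitive_data(img))
    remove_partition(img)
    results["after_partition_removal"] = len(residual_sensitive_data(img))
    overwrite_sanitize(img)
    results["after_overwrite"] = len(residual_sensitive_data(img))
    results["sanitized"] = is_sanitized(img)
    return results


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step}: {value}")
```

The scan finds both records after the format and after the partition removal, because neither step touches the data sectors; only the full overwrite clears them. The `is_sanitized` check is the kind of verification an agency can apply before a machine leaves its custody: it fails if any sensitive pattern remains or if the data area holds anything but the fill value.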
No consistent statewide policy
In August 2004, the Office of Information Technology (OIT) provided guidance to state agencies on establishing computer sanitation standards. Until that time, state agencies had received little help regarding computer sanitation. As a result, they had inconsistent data removal policies. Only 2 of the 12 agencies tested (the Departments of Health and Senior Services, and Mental Health) had established written department-wide policies. Other agencies had informal guidelines that were not consistently used by each agency unit or division, or that were ineffective based on our test results. State agencies will need to develop their own computer sanitation standards based on the OIT guidance. (See page 5)