
YELLOW SHEET

Office of the State Auditor of Missouri
Claire McCaskill

 

Report No. 2005-32

May 16, 2005

 


Statewide court record database has valid data, but shared accounts and passwords leave confidential information vulnerable to exposure

This audit reviewed how well the statewide court records system - known as the Justice Information System - is keeping information accurate, valid and secure from unauthorized access. Because court records include confidential and sealed cases, data integrity and security are vital. As of December 2004, the state had spent $99 million on court automation and 82 of 120 courts in the state were connected to the system. The system tracks court case information and is administered by the Office of State Courts Administrator (OSCA).

System alerts ensure court data is accurate and valid

Auditors tested the system by trying to enter incorrect data, such as dates in the wrong format, letters in a dollar field or wrong codes in certain fields. Auditors found the edit checks functioned properly by not allowing the incorrect data to be accepted. (See page 5)

Shared accounts open system to unauthorized access

Auditors found OSCA employees responsible for administering and securing the system share system accounts and passwords. Accepted security standards call for segregation between security and database administrative duties. (See page 6)

Local courts do not see security violation reports

Local courts using the system have not had the opportunity to review security violations occurring in their courts. Instead, an OSCA employee reviews violation reports, but only shares consistent violations. Accepted security standards state access violations and security activity should be reviewed regularly. While an OSCA employee may review security violation reports, it is important for local court officials to review security violations because they may be more likely to recognize security concerns occurring in their courts. (See page 6)

Local courts need ability to verify users and access rights

Local courts do not have complete and accurate information to verify users and their access rights. Periodic comparison of users and rights will maintain effective control over access and reduce the risk of fraud. (See page 7)

Passwords are not kept private or limited to one user

Unauthorized access to the system could occur because OSCA security administrators have access to each user's password. The administrators could use information in the password file to masquerade as another user to access court data. Accepted security standards state passwords are most effective when they are kept confidential and limited to one user. (See page 8)



Missouri State Auditor's Office
moaudit@auditor.mo.gov