Missouri State Auditor's Office

State agencies have placed an increased emphasis on information security management since our prior audits

This audit included a follow-up of six information technology security and comprehensive continuity plan audits issued from 2001 through 2003. We determined the current status of information security management practices by evaluating the progress agency officials have made to establish security controls and comprehensive continuity plans. In addition, we evaluated the Office of Administration, Information Technology Services Division's (ITSD) strategy to address information technology governance, principles, and standards for the state through the establishment of an enterprise architecture.

Agencies implemented majority of prior recommendations

Agencies made progress in correcting security and comprehensive continuity planning weaknesses by implementing 43 of 67 recommendations from the 6 prior audit reports. As a result, the implemented recommendations increase the agencies' ability to protect information technology resources. However, the recommendations that have not been implemented continue to expose information technology resources to unnecessary risks. (See page 8)

Progress has been made developing the statewide enterprise architecture

Executive Order 03-26, issued in December 2003, authorized the state's Chief Information Officer (CIO) to establish an enterprise architecture for Missouri. Effective January 2005, the CIO was assigned responsibility to oversee the ITSD. According to the state's enterprise architecture manual, "the goal of statewide Enterprise Architecture is to enhance coordination, simplify integration, build a consistent infrastructure, and generally allow greater efficiencies in the development of technology solutions."The state has made important progress developing an enterprise architecture, but this architecture is not complete. Developing, implementing, and maintaining an enterprise architecture is necessary for an organization's management of information technology resources. Managed properly, an enterprise architecture can help optimize the interdependencies and relationships among the state's business operations and the information technology resources that support these operations. According to the CIO, completion of the architecture has been hampered because each state agency's information technology units operated autonomously prior to the state's information technology consolidation. Beginning in 2005, information technology personnel and resources from most executive branch agencies were consolidated under the CIO. As a result, the CIO believes progress on the architecture development should now proceed more smoothly and quickly than prior to the consolidation. (See page 15)