YELLOW SHEET
Office of the State Auditor of Missouri
Report No. 2006-77
December 2006

Missing Security Controls Increases Risks of Threats and Vulnerabilities to Information Technology Resources
This audit reviewed the management and control of information technology resources at the Missouri Department of Conservation (MDC). Auditors found MDC management needs to obtain and commit resources to fully document and develop internal control policies and procedures to completely protect the department's information and technology resources from threats and vulnerabilities. Auditors also performed an analysis of fiscal year 2005 department expenditures and found MDC paid $23,232 in potential duplicate payments for products or services.

Risk assessment program is not fully implemented
Identifying and assessing information security risks are essential steps in determining what controls are required and what level of resources should be expended on controls. MDC management had not fully implemented a formal risk assessment process and had no policies for conducting these assessments. An MDC Information Technology Section (ITS) official said informal, undocumented risk assessments have been performed. According to another ITS official, ITS does not have the resources available to dedicate to performing and documenting a formal risk assessment. (See page 5)

Business continuity and disaster recovery plans not approved and implemented
MDC personnel have documented a business continuity plan and a disaster recovery plan. However, neither of these plans has been approved by management. Since the plans have not been approved, an ITS official said neither plan has been implemented or tested. Without implementing and testing these two plans, management cannot ensure the adequacy of the plans. Management does not have assurance that critical business operations could be carried out or computer operations promptly restored in the event of a significant disruption to normal system operations. (See page 5)

Security management program is not fully implemented
MDC management has developed and documented policies for specific security controls, including password standards and establishing user access. However, MDC management had not completed the process of establishing and documenting policies and procedures for all key security controls. Accepted standards state that policies are necessary to set organizational strategic directions for security and to assign resources for the implementation of security. (See page 6)

Payment procedures not always followed
Our analysis of fiscal year 2005 department expenditures found MDC overpaid vendors up to $23,232 for the same products or services because of internal control weaknesses. Duplicate payments can occur for a variety of reasons, including data input errors, inconsistencies in the vendor file, and payments from non-original invoices such as statements and faxes. As a result of our findings and questions, MDC management began an internal audit of duplicate payments and related internal controls. (See page 14)