Auditor Galloway releases report on MissouriBUYS, the Office of Administration's electronic purchasing program

Review of cyber security measures and system data integrity results in "good" rating
April 5, 2018

JEFFERSON CITY, Mo. (April 5, 2018) Missouri State Auditor Nicole Galloway today released a report examining the Statewide eProcurement system, known as MissouriBUYS. The Office of Administration (OA) uses the web-based purchasing system to solicit bids and secure vendors for goods and services; as of January 1, more than 18,000 vendors were registered for the program. The audit examined the cyber security measures and data integrity of the  MissouriBUYS program, which received a rating of "good."

Implementation of MissouriBUYS has been in progress since the state awarded the contract for the system in March 2015 to replace the previous On-Line Bidding and Vendor Registration system. The State Auditor's Data Analytics Technical Audit unit examined operating practices and cybersecurity safeguards for the new system.

The audit found the MissouriBUYS system was vulnerable to the risk of unauthorized or inappropriate activity because 39 user accounts of terminated agency employees were not disabled in a timely manner, including three users who still had access to the system for more than a year after termination. Four other unneeded accounts assigned to system provider support personnel also had not been removed.

The audit raised concerns there had been insufficient reviews of users' access to data and user access rights, and that existing security policies and procedures were not documented. The audit also found that controls could be strengthened to restrict the capability to export vendor registration data to only those individuals who need such access to perform their jobs. In addition, the audit found the OA had not formally documented or tested contingency plans to help facilitate recovery of the system, if needed.

A complete copy of the audit report is available online

 

For more information, contact: