On Wednesday, a Florida House panel took the baton from a Senate committee in addressing an Auditor General IT audit that found numerous problems at the Agency for State Technology.
The House Government Operations & Technology Appropriations Subcommittee discussed a January Auditor General report about the Agency for State Technology and State Data Center operations.
Despite the findings of that report, which included excessive user access privileges, accounts left active despite being unused, and other seemingly exploitable security gaps, the Senate Governmental Oversight and Accountability Committee showed little interest in the kind of specific, drill-down inquiry into remedies that one might have expected.
But Wednesday in the House was a different matter.
—-
Arthur Hart, Audit Manager for Information Technology Audits in the Office of Auditor General, addressed the audit.
“I think there is reason for some concern about some findings in the audit,” Chairman Blaise Ingoglia said by way of introducing Hart.
Notable: a financial audit of AST is expected later this year.
—-
Hart laid out the audit, which contained twelve findings in total.
“AST,” Hart said, needed to “address its control weaknesses.”
When the chair asked who was using access without authorization, Hart said "several state agency employees" had held admin rights to their own servers and did not relinquish those rights when the servers' content was centralized in the State Data Center.
The same surplus of access was found among three AST employees, Hart added.
—-
Service accounts, such as operations and scheduling accounts, were also an issue.
Some were kept active beyond the point where they were needed. Some showed inappropriate logons.
These accounts, Hart said, are typically administrative, non-user accounts.
However, some of them allow an interactive login through a default setting.
Proper administrative procedure, said Hart, would disable that ability.
—-
Quarterly reviews of access, although mandated in AST's own procedural documents, were not being performed.
AST, said Hart, is now developing a quarterly review process, with implementation expected by the end of the year.
Ingoglia was incredulous.
“We’re talking about a year. Is that normal? I find that concerning that when we see an issue, it’s going to take a year to fix,” Ingoglia said, “especially with data.”
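The findings above describe three conditions an access review is meant to catch: agency staff still holding admin rights on centralized servers, enabled accounts with no recent use, and service accounts that can still log in interactively. As an added example (not code from the audit or from AST), the following Python script runs that review over a constructed account export. The 90-day dormancy threshold, the authorized-admin list and every account record are assumptions made for the example.

```python
"""Added example: a quarterly access review over a constructed account export.

Nothing here is AST's own data or tooling; the records, names and thresholds
are constructed for illustration.
"""
from datetime import date, timedelta

# Assumed review parameters (the audit does not state the agency's own values).
DORMANT_DAYS = 90                         # enabled + no logon in this window = "unused"
AUTHORIZED_ADMINS = {"admin01", "admin02"}  # constructed list of approved admins
REVIEW_DATE = date(2017, 2, 15)           # constructed "today" for the review

# Constructed export, shaped like a directory dump of a server tier.
ACCOUNTS = [
    {"name": "admin01",   "type": "user",    "admin": True,  "enabled": True,
     "last_logon": date(2017, 2, 1),  "interactive_logon": True},
    # agency employee whose server was centralized but who kept admin rights
    {"name": "agency.jd", "type": "user",    "admin": True,  "enabled": True,
     "last_logon": date(2017, 1, 20), "interactive_logon": True},
    # scheduling service account: stale, and still allowed to log in
    {"name": "svc_sched", "type": "service", "admin": True,  "enabled": True,
     "last_logon": date(2016, 6, 3),  "interactive_logon": True},
    # operations service account configured as the procedure expects
    {"name": "svc_ops",   "type": "service", "admin": False, "enabled": True,
     "last_logon": date(2017, 2, 10), "interactive_logon": False},
    # already-disabled account: nothing to do
    {"name": "old_user",  "type": "user",    "admin": False, "enabled": False,
     "last_logon": date(2015, 1, 1),  "interactive_logon": True},
]


def review_access(accounts, today=REVIEW_DATE,
                  authorized_admins=AUTHORIZED_ADMINS, dormant_days=DORMANT_DAYS):
    """Return (account name, finding) pairs for the reviewer to act on."""
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are already remediated
        # Finding 1: a person holding admin rights who is not on the approved list.
        if acct["type"] == "user" and acct["admin"] and acct["name"] not in authorized_admins:
            findings.append((acct["name"], "admin rights not on authorized list"))
        # Finding 2: enabled but unused beyond the dormancy window.
        if acct["last_logon"] < cutoff:
            findings.append((acct["name"], f"enabled but unused for more than {dormant_days} days"))
        # Finding 3: a service account that can still be used to log in interactively.
        if acct["type"] == "service" and acct["interactive_logon"]:
            findings.append((acct["name"], "service account permits interactive logon"))
    return findings


def remediation(finding):
    """Map a finding string to the action the review should produce."""
    if finding.startswith("admin rights"):
        return "remove admin rights or obtain documented approval"
    if finding.startswith("enabled but unused"):
        return "disable the account pending owner confirmation"
    if finding.startswith("service account permits"):
        return "deny interactive logon for the service account"
    return "manual review"


if __name__ == "__main__":
    for name, finding in review_access(ACCOUNTS):
        print(f"{name:10} {finding:50} -> {remediation(finding)}")
```

Each line of the output is an action item with an owner and a deadline, which is what turns a once-a-quarter procedure on paper into something a reviewer can sign off on.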
—-
The fourth finding had to do with inventory.
Inventory information was not being recorded because the inventory software had not been installed, said Hart.
AST's response? The agency is working to install the inventory agent to catalog all State Data Center resources.
—-
Configuration management was also an issue.
20 of the 23 servers reviewed had issues with patch management and similar configuration concerns.
Ingoglia tied that into inventory control, wondering if Florida was “left open to a breach of data.”
The audit revealed neither breach of data nor fraud, Ingoglia said.
—-
Another recommendation: to have signed service level agreements with all customer entities; four of 34 were missing.
Ingoglia noted there was no defined contract; Hart responded that three of those four had no current contract but were still operating under an earlier agreement.
—-
There were also issues with timely system backups and recoverability; AST is to develop backup procedures.
Backup tapes were also an issue.
Hundreds of them had been destroyed, 149 of them without any record of destruction. Other tapes could not be located over the course of the year-long audit.
Better controls are recommended, said Hart.
Ingoglia wondered where the tapes were.
Eventually, Eric Larson of AST told Ingoglia that the lost tapes had been "scratched" and "destroyed," and could not be read without an encryption key, which Larson said is the same kind used by the federal government and therefore secure.
Larson said that if those tapes were read by an outside party, that would mean "we'd have bigger problems" than an AST data breach.
—-
Disaster recovery plans do not exist in any viable form. The Auditor General recommends that AST develop them.
Ingoglia wondered what the risk was to the state.
Hart responded that the center has a “plan in draft.”
“The center can accommodate a disaster, but you’ll have to talk to the agency about that,” Ingoglia said.
Larson, during his part of the hearing, noted that AST had just completed a successful test of its disaster recovery architecture.
"That extends to every single customer in the data center," Larson said.
Ingoglia noted that money allocated for procuring DR did not go to its stated purpose.
—-
Issues with performance metrics and problems with user controls closed out the dozen findings from the audit.
“We recommend that AST Management improve security controls,” Hart said.
Despite the issues, Hart noted that none of these problems were related to, as Rep. Don Hahnfeldt put it, “mal-intent.”
“Clearly, there are things that need to be addressed,” Rep. Rene Plasencia said. But he believes AST needs the “tools to do it.”
—-
Eric Larson, the interim executive director for AST, offered what he called “additional context.”
Larson noted that access issues were a problem across many agencies audited in recent years, and suggested documentation and delegation as a solution.
Agencies, said Larson, are expected to surrender excess administrative access upon request.
Unlike the Senate committee, Ingoglia pressed Larson harder.
“You guys are the Agency for State Technology. It would seem like a basic function to make sure everybody has [appropriate user] privileges.”
Larson, when asked about the elongated time frame to fix these problems, discussed the challenges of review and remediation of “the issue of appropriateness of privileges.”
—-
An internal privileged access management tool will allow AST to manage access and privileges.
Acquired six months ago, during the audit, the tool is now being prepared for implementation, as the agency has recognized flaws in how it delegates access privileges.
“This issue is systemic, and we have a plan to address it. To completely implement it, it will probably take longer than a year,” Larson said.
It would also take more manpower, Larson said, as the agency has lost 20 FTEs in recent months, but is “filling positions as rapidly as possible.”
A problem: salaries lag behind the private sector, creating a “skills gap,” which AST looks to remedy by training.
Ingoglia wondered if, given the skills gap, the “perpetual problem” might need to be solved by outsourcing.