(The Center Square) – A report released by Democrat Auditor Nicole Galloway gave the Missouri Department of Conservation’s data security a rating of “good” and recommended changes to improve its system.
The rating is the second-highest and is given when audit results find the organization is well managed. “Excellent” is the highest rating and is given when the audit finds no areas needing improvement.
Last year, a media outlet detected and reported a security vulnerability on the Missouri Department of Elementary and Secondary Education's (DESE) website. The St. Louis Post-Dispatch sent DESE three teachers' Social Security numbers it had found in the site's HTML code, which was visible to anyone who viewed the page source with most web browsers. Missouri Republican Gov. Mike Parson called the action a "hack" and alerted the Missouri State Highway Patrol to investigate. Cole County Prosecutor Locke Thompson didn't file any charges and said in February the situation resolved itself.
In its response to the audit, Conservation Department Director Sara Parker Pauley wrote the department was either working on the problems noted in the report or would begin implementing the recommendations.
The report noted the department and the Office of Administration’s Information Technology Services Division don’t have an agreement in place for IT services provided by the division to the department.
“As a result, the responsibilities and expectations between both parties are not fully established or documented,” the report said.
The 17-page report states the Department of Conservation is at risk of others gaining inappropriate access to data due to its failure to remove accounts of terminated users, meaning people who have left the organization's employment and no longer need access to its data. Of 39 accounts found to be of concern, the auditor stated 31 belonged to former employees whose employment had ended at least 30 days prior to the review. The department couldn't identify the other eight users or determine why their access to department resources was necessary.
The auditor’s report stated the department had a documented policy for user termination procedures, but the department said staff turnover in the IT department contributed to the failure to detect and remove terminated users.
The department also acknowledged it doesn’t have a formal written policy requiring passwords to be changed periodically. The report stated allowing non-expiring passwords “greatly increases the risk of an account password becoming known by someone other than the account owner, which may result in inappropriate access to and misuse of sensitive department information.”
The report found the department doesn’t proactively monitor user accounts not accessed or used for specified periods of time. The National Institute of Standards and Technology recommends inactive accounts be disabled after specified amounts of time, according to the audit.
The department also doesn’t perform reviews or have a written policy for reviewing existing users’ access to resources to ensure the level of access is appropriate and aligned with job responsibilities.
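As an added illustration, not from the audit report or the department, the following stand-alone reconciliation check shows the kind of routine review that would surface the three account-management findings above: accounts of users terminated at least 30 days earlier, accounts that cannot be matched to any personnel record, and accounts idle beyond a set period. The account list, personnel records, dates and thresholds are constructed sample data.

```python
from datetime import date

# Constructed sample data: an account export from a directory and an HR roster.
AS_OF = date(2022, 6, 1)
ACCOUNTS = [
    {"user": "jdoe",   "last_login": date(2022, 5, 1)},
    {"user": "asmith", "last_login": date(2022, 1, 10)},
    {"user": "svc01",  "last_login": date(2021, 11, 2)},
    {"user": "bjones", "last_login": date(2022, 5, 20)},
    {"user": "xuser",  "last_login": None},   # never logged in
]
HR_RECORDS = {
    "jdoe":   {"status": "active",     "terminated_on": None},
    "asmith": {"status": "terminated", "terminated_on": date(2022, 3, 1)},
    "bjones": {"status": "terminated", "terminated_on": date(2022, 5, 15)},
    "svc01":  {"status": "active",     "terminated_on": None},
}


def review_accounts(accounts, hr_records, as_of,
                    termination_grace_days=30, inactivity_days=90):
    """Reconcile directory accounts against HR records and flag the
    categories the audit described. Thresholds are assumed values."""
    findings = {"terminated_overdue": [], "terminated_recent": [],
                "unidentified": [], "inactive": []}
    for acct in accounts:
        user = acct["user"]
        rec = hr_records.get(user)
        if rec is None:
            # No owner on record: nobody can justify why this access exists.
            findings["unidentified"].append(user)
            continue
        if rec["status"] == "terminated":
            days_gone = (as_of - rec["terminated_on"]).days
            bucket = ("terminated_overdue" if days_gone >= termination_grace_days
                      else "terminated_recent")
            findings[bucket].append(user)
            continue
        # Active staff: flag accounts that have not been used recently.
        last = acct["last_login"]
        if last is None or (as_of - last).days >= inactivity_days:
            findings["inactive"].append(user)
    return findings


def run_review():
    return review_accounts(ACCOUNTS, HR_RECORDS, AS_OF)


if __name__ == "__main__":
    for category, users in run_review().items():
        print(f"{category}: {users}")
```

The same check scheduled against a real directory export and HR feed is the proactive monitoring the report found missing; the 30-day window matches the audit's own measure, but terminated accounts inside that window are still listed so they can be disabled promptly.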