Summary
Report Number:
Report Title: Selected State Agencies' Surplus IT Property Controls - Information Technology Audit
Report Period: 01/2004-12/2004
Release Date: 04/22/2005

The final phase of the information systems development life cycle is system
disposition. To promote the economic, efficient, and effective operation of
State government, and to minimize the risk of inappropriate or illegal disclosure
of sensitive or confidential information, information technology (IT) equipment
must be disposed of in a well-controlled fashion.
State Technology Office (STO) rules[1] provide that electronic media in all its forms, on all media and devices, must be protected during all phases of its life cycle, from unauthorized or inappropriate access, use, modification, disclosure, or destruction. STO rules[2] further provide that agencies shall implement procedures for the removal of confidential or exempt information from electronic media prior to transfer or final disposition.
Our audit focused on IT controls applicable to the storage and disposal of IT equipment containing electronic storage media, for the period January 2004 through December 2004, at the following State agencies: the Agency for Health Care Administration (AHCA), Department of Business and Professional Regulation (DBPR), Department of Children and Family Services (DCFS), Department of Elder Affairs (DEA), Department of Highway Safety and Motor Vehicles (DHSMV), Department of Juvenile Justice (DJJ), Department of Corrections (DOC), and Parole Commission. This audit included a review of the procedures followed by the agencies in erasing the data from electronic media within surplus IT equipment. We also examined the STO’s rulemaking role regarding surplus IT equipment.
The results of our audit are summarized below:
Finding No. 1: Our audit disclosed instances where, at certain agencies, computer hard drives within equipment ready for disposal were not completely erased. In addition, some computer hard drives contained confidential or inappropriate data. This deficiency was found only at certain agencies included in our audit; however, the specific agencies and the details of the data are not disclosed in this report to avoid compromising agency information. The appropriate agency personnel have been notified of the deficiencies.
Finding No. 2: Agencies lacked adequate written procedures or performed inadequate procedures in regard to the disposal of IT equipment.
Finding No. 3: Instances were noted at DBPR where computer hard drives within surplus equipment were reloaded, prior to final disposition, with material protected by copyright.
[1] 60DD-2.005, Florida Administrative Code
[2] 60DD-2.005, Florida Administrative Code
The heads of the applicable agencies provided responses to our preliminary and tentative findings. These letters are included in the audit report.