Report Number 2007-005 Summary

Auditor General mini logo Summary

Report Number:	2007-005
Report Title:	Selected State Agencies' Progress in Assessing System and Network Vulnerabilities - Information Technology Audit
Report Period:	11/2005-03/2006
Release Date:	07/25/2006

Pursuant to Florida Law[1], the State Technology Office (STO[2]), in consultation with each agency head, is required to conduct a comprehensive risk analysis to determine the security threats to the data and information technology (IT) resources of each agency. STO information resource policies and standards[3] incorporate guidelines of the National Institute of Standards and Technology (NIST) on risk management for information technology systems. The NIST guidelines[4] provide that security vulnerability testing is an important element of the IT risk assessment process.

Vulnerability scanning is the process of attaining information about the integrity of an organization's networks and associated systems through testing and verification of network-related security controls. These activities result in the identification of vulnerabilities, which are flaws, misconfigurations, or special sets of circumstances in systems and networks that could be exploited in order to bypass the security and misuse data and IT resources.

Our audit of selected State agencies’ focused on evaluating the information technology vulnerability detection and remediation methodologies employed at five State agencies; as well as the monitoring and oversight efforts provided by the Department of Management Services (DMS) during the period November 2005 through March 2006. This audit also included assessments of safeguards for the security of modems and wireless access points attached to agency networks at the five selected State agencies. We also examined the adequacy of laws in place to protect the State’s networks and IT systems.

The results of our audit disclosed that Florida law needed clarification with respect to responsibilities for IT governance, including, in particular, IT security and risk management. (Finding No. 1) In addition, based on reviewing the policies and procedures at a limited number of agencies, we noted that improvements were needed regarding:

Agencies’ vulnerability testing during interim periods between formal risk assessments. (Finding No. 2)
Controls to ensure that agency-authorized wireless access points were appropriately secured and in procedures to detect the presence of unauthorized wireless access points. (Finding No. 3)
Controls to ensure that agency-authorized modems were appropriately secured and in procedures to detect the presence of unauthorized modems. (Finding No. 4)
Disseminating IT security policies and procedures in a more secure manner. (Finding No. 5)

Specific details of conditions described in Findings No. 2 through 5, are not disclosed in this report. In addition, the responsible agencies are not named, to avoid the possibility of compromising agency information. However, the appropriate agency personnel have been notified of the deficiencies and have been provided the recommendations included in each of the findings.

DMS, as a part of developing a strategic plan for IT security, should work with the agencies in addressing the issues discussed in this report.

[1] Section 282.318(2)(a)2., Florida Statutes (2005)

[2] Effective July 1, 2005, the responsibilities of the STO were assimilated by the Department of Management Services.

[3] Chapter 60DD-2.0010(7) Florida Administrative Code

[4] NIST Special Publication 800-30, Section 3.3

The Secretary's response is included at the end of this report as Appendix A.