Summary
Summary
| Report Number: | 2009-083 |
| Report Title: | Selected State Entities' Surplus - Information Technology Property Controls - Information Technology Audit |
| Report Period: | 08/2008 - 10/2008 |
| Release Date: | 01/07/2009 |
The final phase of the information systems development life cycle is system disposition. To promote the economic, efficient, and effective operation of State government and to minimize the risk of inappropriate or illegal disclosure of sensitive or confidential information, information technology (IT) property must be disposed of in a well-controlled fashion.
Department of Management Services Rule 60DD-2.005, Florida Administrative Code, provides that electronic data in all its forms and on all media or devices must be protected during all phases of its life cycle from unauthorized or inappropriate access, use, modification, disclosure, or destruction. Department of Management Services Rule 60DD-2.009(2), Florida Administrative Code, provides that agencies shall implement procedures for the removal of confidential or exempt information from electronic media prior to transfer or final disposition.
Our audit focused on IT controls applicable to the storage and disposal of surplus IT property containing electronic storage media during the period August 2008 through October 2008 at the following State entities: the Agency for Workforce Innovation (AWI), Department of Agriculture and Consumer Services (DACS), Department of Health (DOH), Fish and Wildlife Conservation Commission (FWCC), and the Office of State Courts Administrator (OSCA). This audit included a review of the procedures followed by the entities in erasing the data from electronic media within surplus IT property.
The results of our audit are summarized below:
Finding No. 1: At certain entities, some computer hard drives in surplus computers ready for disposal were not completely erased. In addition, some surplus computer hard drives contained confidential or inappropriate data.
Finding No. 2: The entities included in our audit either lacked adequate written procedures or performed inadequate procedures with regard to the disposal of surplus IT property.
The entities' responses are included at the end of this report as Exhibit A.