
Why we did this audit

Safe Data Disposal: Protecting Confidential Information. Joint Legislative Audit and Review Committee, April 23, 2014. Lou Adams, CPA, Deputy Director of Performance Audit; Todd Larson, CISA, Senior Performance Auditor.


Presentation Transcript


  1. Safe Data Disposal: Protecting Confidential Information. Joint Legislative Audit and Review Committee, April 23, 2014. Lou Adams, CPA, Deputy Director of Performance Audit; Todd Larson, CISA, Senior Performance Auditor.

  2. Why we did this audit
  • Washington state agencies face confidentiality risks if surplus computers contain confidential information.
  • State law requires agencies to remove data before redistributing, selling or destroying computers.
  • Risks include fraud, identity theft and IT security breaches.

  3. Audit Questions
  • Do state agencies’ computer disposal policies, procedures, and processes comply with state requirements and follow best practices?
  • Do state agencies remove confidential data stored in their computers before they are released for surplus or destruction?

  4. State computer surplus program
  • State agencies: safeguard confidential information (options: erase or destroy drives), then release the computer for surplus.
  • DES Surplus Program: donate to agencies, schools and non-profits, or sell to the public.
  The state surplused almost 20,000 computers in the last biennium.

  5. Washington’s data safeguarding requirements
  • State laws address the protection and destruction of information:
    – State law RCW 19.215.020 “Destruction of information – Liability – Exception – Civil action”
    – State law RCW 42.56.420 “Security”
  • The Washington State Office of the Chief Information Officer (OCIO) established and oversees IT security policies for the state:
    – OCIO Standard 141.10, Section 8.3 “Media Handling and Disposal”

  6. Protecting confidential information
  The OCIO standards note three types of confidential data:
  • Personal information
  • Employee information
  • IT and network security information
  We found all three types on state computers released for surplus.

  7. What we did
  • We selected a sample of computers from 13 state agencies sent to the surplus program over a six-week period.
  • We tested the computers to see if they contained confidential information.
  • We reviewed agency policies to see if they were sufficient compared to the OCIO Security Standards and nationally recognized best practices.

  8. Surplus computers contained confidential data
  We found confidential information on four agencies’ computers: ECY, DOH, L&I, DSHS.

  9. Surplus computers contained confidential data
  • We found that 11 of the 177 computers we tested contained confidential information.
  • Using statistical analysis, we projected that 109 of the 1,215 computers sent for surplus contained confidential information.
  9% of computers contained confidential data.

  10. Some agencies’ procedures were not sufficient
  • We found confidential data on four of the 13 agencies’ computers: ECY, DOH, L&I, DSHS.
  • Four of the 13 did not have documented policies and procedures: DSHS, DOT, PARKS, SENATE.
  • And 10 of the 13 did not have a step to verify the data was removed: DFW, L&I, DNR, ECY, DOH, DOT, PARKS, SENATE, DSHS, OIC.

  11. Why confidential information was not deleted
  • In most cases, human error appeared to be the cause for data not being deleted.
  • Computers were mistakenly released for surplus before data was removed.
  • Some broken computers were presumed to be clean.

  12. The OCIO reacted swiftly
  • Immediately quarantined and halted the distribution and sale of surplus computers
  • Provided additional guidance to state agencies
  • Began reviewing its computer disposal policies

  13. State agencies reacted swiftly
  • The Department of Ecology now destroys all surplus hard drives and added a two-person verification step.
  • The Department of Health uses a two-person process to verify and document that all hard drives have been removed.
  • The Department of Labor & Industries added a verification step and will give staff formal training.
  • The Department of Social and Health Services began to verify and document that all data has been removed.

  14. Recommendations
  We recommend that:
  • The OCIO improve its oversight and the security standards it provides to agencies
  • State agencies without documented procedures establish them
  • State agencies add a step in their procedures to verify and record that confidential data is appropriately removed
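The verification-and-record step recommended above, written out as an added example (not material from the audit, the OCIO standard, or any agency): it checks a drive image sector by sector, fails the release if any sector still holds data, and records the result together with the two-person check that several agencies adopted. The asset tags, staff names and byte images are constructed for the demonstration; a real drive would be read in chunks from the device rather than held in memory.

```python
"""Post-wipe verification and disposal record (added example, constructed data)."""
from datetime import datetime, timezone

SECTOR = 512  # sector size assumed for the constructed images


def residual_sectors(image, sample_every=1):
    """Return (sectors_checked, sectors_with_data) for a drive image.

    sample_every=1 inspects every sector (full verification). Larger values
    spot-check only every n-th sector, which is cheaper but can miss leftover
    data, so only a full pass should be recorded as 'verified'."""
    checked = residual = 0
    for idx in range(0, len(image), SECTOR):
        if (idx // SECTOR) % sample_every:
            continue  # skipped under spot-checking
        checked += 1
        if any(image[idx:idx + SECTOR]):  # any non-zero byte: data still present
            residual += 1
    return checked, residual


def verify_and_record(asset_tag, image, wiped_by, verified_by):
    """Build the disposal record; release is approved only when no residual
    sector remains AND the verifier is a different person than the wiper."""
    checked, residual = residual_sectors(image)
    two_person = wiped_by != verified_by
    return {
        "asset_tag": asset_tag,
        "sectors_checked": checked,
        "residual_sectors": residual,
        "wiped_by": wiped_by,
        "verified_by": verified_by,
        "two_person": two_person,
        "released": residual == 0 and two_person,
        "verified_at": datetime.now(timezone.utc).isoformat(),
    }


# Constructed sample drives: one fully zeroed, one with a fragment left in sector 17.
CLEAN_DRIVE = bytes(SECTOR * 64)
_buf = bytearray(CLEAN_DRIVE)
_buf[SECTOR * 17:SECTOR * 17 + 40] = b"SSN: 000-00-0000 (constructed test data)"
DIRTY_DRIVE = bytes(_buf)

if __name__ == "__main__":
    for tag, img in (("ASSET-0001", CLEAN_DRIVE), ("ASSET-0002", DIRTY_DRIVE)):
        print(verify_and_record(tag, img, "tech_a", "tech_b"))
```

A drive that fails the check goes back for another wipe or to physical destruction; the record itself is what the audit found most agencies were missing.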

  15. Our stratified sample analysis
  Detailed results for the six-week test period.

  16. Contacts
  • Troy Kelley, State Auditor, (360) 902-0360, Troy.Kelley@sao.wa.gov
  • Chuck Pfeil, CPA, Director of Performance Audit, (360) 902-0366, Chuck.Pfeil@sao.wa.gov
  • Lou Adams, CPA, Deputy Director of Performance Audit, (360) 725-9741, Louella.Adams@sao.wa.gov
  • Todd Larson, CISA, Senior Performance Auditor, (360) 725-9734, Todd.Larson@sao.wa.gov
  Website: www.sao.wa.gov
