Northwest - August 27, 2015

JONATHAN J. COOPER Of The Associated Press

SALEM, Ore. - Oregon technology managers never resolved known security vulnerabilities at a state data warehouse that stores a trove of sensitive information about Oregonians, state auditors concluded in a report.

The audit by the secretary of state's office said the state data center has only recently begun addressing concerns outlined in at least 11 security audits or letters since 2006, some public and others confidential. Most of the weaknesses remain unresolved, it said.

The data center provides centralized computer support to much of state government, combining functions that were formerly handled separately by each agency. Servers in Salem store a variety of routine government information - such as employee emails and files - along with more sensitive information about the public, including tax returns, Social Security numbers and confidential medical records.

"Over the last nine years, security weaknesses at the state data center have put confidential information at risk," auditors wrote in their 14-page report, which was released Tuesday. "These weaknesses continued because the state abandoned initial security plans, did not assign security roles and responsibilities, or provide sufficient security staff."

In a written response, Chief Information Officer Alex Pettit said the staff is taking steps to resolve the issues identified. He said legislation enacted earlier this year will help by giving him more authority and responsibility to police security matters. A written security plan is in the works and should be complete by the first quarter of next year, he wrote.

The audit said the data center got a good start in 2005 with a strong security plan before it was launched, but many of the initial plans were never fully executed.

Auditors said the state has not followed standard security practices that require closely monitoring people with special access privileges that allow them full access to computer systems. The auditors also said network-monitoring equipment is not up to date and isn't fully functional, and obsolete software isn't always updated.

The data center has also not had a security manager with enough authority or staff to resolve vulnerabilities, the auditors said.
