Department of Technology, the offices of
directly elected officials and other branches like
the judiciary do not necessarily have to abide
by those same standards. While many do, the
report argued most of those are not adequately
addressing information security.
“State entities that do not fall under the purview
of the technology department need to do
more to safeguard the information they collect,
maintain, and store,” the report said.
The state auditor’s office did not identify any
of the entities included in the survey, but they
could include constitutional offices or parts of
the judicial branch.
Some of the problems noted in the
report appeared to involve lapses in
relatively basic security measures.
The report said one government entity
did not change the default password on
certain information security systems, posing
a significant threat of an attacker gaining
unauthorized access to its network.
Another entity failed to apply security updates
on its devices, according to the report.
The state auditor’s office also raised concerns
that some parts of government are not acting
quickly enough to resolve these issues.
“Despite being aware of significant deficiencies
in their current information security programs,
some ... have been slow to address these
weaknesses,” the report said.
The review was the only security assessment
three of the entities had ever undergone,
according to the report, suggesting there could
be additional weaknesses of which the entities
are unaware.
The state auditor recommended that all entities
adopt standards comparable to the information