State Auditor Nicole Galloway released a report that examined security controls designed to protect data and information maintained by the Missouri Department of Conservation. The audit, which gave a rating of “good,” provided recommendations to department officials for improving data security.
The audit found the MDC does not always timely remove the accounts of terminated users, which leaves the department vulnerable to the risk of records being improperly viewed and altered. The MDC also does not have a formal written policy requiring users to periodically change their account passwords.
The audit also found the MDC does not proactively monitor for user accounts that have not been accessed or used for a specified period and does not have a policy requiring such review; the department also does not perform periodic reviews of users’ access to resources to ensure such access remains appropriate and does not have a policy requiring review. The audit also highlighted the need for a service level agreement between the MDC and the Office of Administration – Information Technology Services Division, as well as the need for MDC management to develop certain key policies and procedures for data security.
The audit provides recommendations to the MDC for implementing policies to address the report’s findings. A complete copy of the audit can be found here.
