Audit criticizes information security oversight in Maryland agencies -- Gazette.Net


In a highly critical, often-technical, 68-page report, a Maryland legislative audit found numerous flaws in the state’s information security efforts at state agencies, including failing to protect citizens’ Social Security numbers and other private information.

Security protocols were not in place at each state agency, and personal information was not always in fully encrypted files, according to the audit.

A Joint Audit Committee meeting is scheduled for Tuesday in Annapolis on the findings of the information security audit, which was released Sept. 27, and also to review other legislative audits of state agencies.

Legislators have complained that state audits often find many of the same problems recurring.

The auditors found that although the state Department of Information Technology was supposed to be in charge of IT security protocols, the department had not established an oversight process and had delegated much of the work to the state agencies to handle internally.

None of the five state agencies that were reviewed had fully implemented security processes, according to the audit report.

In the response to the legislative audit, Secretary of Information Security Elliott H. Schlanger agreed to implement many of the auditors’ proposed recommendations to tighten security.

But he said the department did not have enough personnel to monitor security activities at each agency.

“Until such time as DoIT has these resources, the current policy of delegating to the agencies is deemed the most appropriate way to ensure compliance with state security policy and will remain in effect,” Schlanger said.