Wednesday, August 10, 2016

Audit uncovers cybersecurity weaknesses in state court system

(From State Auditor Nicole Galloway)

Missouri State Auditor Nicole Galloway today released an audit of the case and record management system used by courts around Missouri. The Judicial Information System is managed by the Office of State Courts Administrator (OSCA), and stores case files, including financial records, and conviction and sentencing information. Auditor Galloway's report describes potential weaknesses that were not addressed after being raised in a prior audit.

"The Office of State Courts Administrator has an obligation to ensure court information and records are handled securely and accurately, and with the responsible management of public dollars," Auditor Galloway said. "The current system lacks necessary safeguards to identify inappropriate or unusual activity. This audit includes recommendations to improve accountability and better protect the integrity of case information."

Auditors identified concerns related to the risk of data in the system being compromised or adjusted. This includes critical case information, such as conviction statuses, sentences and release dates, which could be modified, with no way to track or identify who made the changes, when they were made, or under what authority. System users receive system-generated passwords, which they are unable to change, even though individuals with administrative privileges can log in and see others' passwords, increasing the risk of misuse without detection. The report also identified 12 former OSCA or court employees that had active accounts even though they were no longer employed by the office or court.

In addition, the office has no formal long-range plan or project budget in place for the system, despite spending $218 million over 11 years implementing and managing the court automation system. There was also no indication of any formal long-term planning that would take place as part of the development process for a new Judicial Information System that will replace the current one. Auditor Galloway recommended development of cost management strategies so legislators and policymakers are aware of the state's total potential financial commitment before approving new features or systems. The system's major funding source currently is a court fee that is set to expire after 2023.

Auditors also recommended the office establish a comprehensive risk assessment and management program to prepare for potential future risks. The audit of the Office of the State Courts Administrator Judicial Information System received an overall performance rating of fair, and can be found online here.

No comments: