An audit of the Oregon Public Employees Retirement System’s IT security management practices found a slew of problems that “pose substantial risks” to its members and the state.
The Oregon secretary of state’s department of audits said the state retirement system needs to improve its IT strategic planning efforts to “ensure that IT investments return the most value and pose the least amount of risk to the agency.”
It also said the system’s existing IT planning efforts are inadequate to enable timely completion of the agency’s strategic objectives.
The purpose of the audit was to determine whether the system could improve IT security and IT strategic planning efforts, and to assess the agency’s preparedness to restore critical IT systems in response to a disaster.
The report said PERS should immediately correct deficiencies in existing disaster recovery plans so the agency can respond to catastrophic events that would prevent the use of existing IT systems. The report added that the agency has not tested any disaster recovery plans and has no alternative recovery site.
Although the report acknowledged the system is making progress to update current plans and implement a recovery site, it insisted that “a more urgent effort is needed.”
The audit, which included an assessment of critical security controls and the agency’s IT security management practices, said Oregon PERS should “improve security management roles and training, as well as correct weaknesses in inventory management, configuration change management, vulnerability management, and controlling administrative accounts.”
The audit found that while the system has identified a method to issue most pension payments in the event of a disaster, it has not fully addressed changes in payment processing by the Oregon State Treasury.
“The agency’s disaster recovery plans pose serious risks because they are insufficient to restore critical IT systems,” said the report. “Furthermore, the agency has not tested those plans and has not yet complied with legislative mandates to acquire an alternative recovery site and improve disaster recovery planning.”
It also said Oregon PERS’ strategy to re-issue the prior month’s payments poses risk of benefit payment errors and has never been tested.
The report included 16 recommendations for the system to implement to improve its IT strategic planning and critical security controls.
Among the recommendations, the report suggested the system develop a process to schedule, track, and allocate sufficient resources to completing the disaster recovery plan; ensure the disaster recovery plan reflects short-term and long-term recovery of all critical business systems; and establish an alternative backup site that is geographically distant from the primary storage location.
In response to the audit report, Kevin Olineck, Oregon PERS’s new director, said the system generally agreed with the report’s findings.
“We are committed to improving our capabilities in these areas, and have identified opportunities for improvements in recent years which this audit report validates,” said Olineck in a letter to the state’s audit division. “We are incorporating these practices as we hone our focus on strategic planning and communication with stakeholders about our continuing progress toward change.”
Olineck said he expects the implementation of at least 13 of the 16 recommendations by the end of next June.