An audit of the Maryland Department of Information Technology's information data security policies and practices found some shortcomings in the four-year-old state agency that's charged with unifying the state's computer systems.
DoIT developed an "information security policy" two years ago and updated it in April, according to the report this month by the Office of Legislative Audits. The policy outlines how DoIT and all state agencies must handle information security, and the state also follows some federal guidelines developed in 2002, the audit said.
The auditors found that current state law and DoIT's own policy apply to personal identifiable information held by state agencies, such as social security numbers. The auditors also found that certain notifications for data breaches that are part of state law were not addressed in the DoIT policy.
DoIT is responsible for enforcing information security across state agencies, but the auditors found that the agency delegated this responsibility to the individual agencies. DoIT had not established a formal oversight process for ensuring that state agencies were adequately protecting information systems and data.
The auditors also found that, in their review of the information security practices of five state agencies, none had implemented all the policy requirements set forth in the DoIT policy.
"[N]one of the five agencies assessed and addressed risk for all of its individual information systems," the report said.
State agencies have to protect their employees' laptops better, the audit also found.
The audit was done from May 2011 to December 2011.According to the report:
Two of the agencies that authorized the use of portable devices for the storage and access of personal identifiable information (such as personal health data) did not adequately protect the data (such as through the use of full disk encryption).
In its response to the audit, DoIT officials agreed that the agency will take steps to make it clear in its information security policy how personal identifiable information must be handled by state agencies. But it noted it didn't have the resources to do monitoring, compliance and enforcement of information security policies across all state agencies, and that's why it would continue to delegate that responsibility to the individual agencies.
There was no indication in the report that there had been any data security breaches that were discovered by the auditors.
For more details, here's the full report.