Audit Reveals Poor Data Security Practices By State Agencies

By Author: eccuni
Total Articles: 211
Comment this article

Increasing instances of cybercrime have brought data privacy and confidentiality to the center stage. Disclosure of confidential information may have multiple repercussions for affected parties including legal consequences. As such, IT security professionals must take adequate precautions to safeguard privileged information. Recently, an audit by office of the state comptroller for New Jersey found glaring violations guidelines concerning with disposition of surplus computer equipment’s by various state agencies. Computer equipment’s were dispatched to warehouse without removing data from the hard drive. The auditors found data in 46 of the 58 hard drives investigated. The confidential data contained on the devices included names, addresses, phone numbers, social security numbers, tax returns, user name and passwords of government computers and documents related to child abuse. Computers sent to the warehouse did not contain any information regarding the working status of the surplus computers and certification regarding degaussing of hard drives. Negligence on the part of employees may lead to inadvertent data disclosure. Online IT courses ...
... may help in creating security conscious culture among employees.

A Treasury circular letter - 00-17-DPP of the State requires removal of all data contained in the hard drives before their disposal. Agencies are required to notify the Surplus property unit (SPU) of the state regarding excess equipment’s. The SPU then notifies all government departments regarding availability of equipment. An equipment is declared ‘surplus’ if no other agency claims the equipment within 30 days and is sold or donated.

The audit also revealed that a Laptop tested at the warehouse included personal information pertaining to a State judge including three years tax returns, life insurance trust agreement, documents containing social security number, confidential fax letters, non-public memoranda and mortgage documents containing account number and property address. Data security awareness training, online IT degree and e-learning programs may help users in ensuring information security by inculcating safe computing practices.

Revealed personal and confidential information may be misused for identity theft, misrepresentation, availing fake loans, mail redirection among many others. Disclosed confidential government data may be misused for creating fake documents, letter heads, fax letters or shared with rival intelligence agencies. Adequate monitoring of employee activity is crucial to avoid lapses in data security. Officials must ensure adherence to data protection guidelines.

Hiring security professionals qualified in IT degree programs may help in improving IT practices in state departments and agencies.