LANSING – Partly because budget restraints haven’t allowed the Michigan Department of Corrections to hire a staffer to oversee the department’s computerized records, far too many of the wrong people have access to the information stored on the database, said a report released from the Auditor General.

The audit said that the DOC and the Department of Information Technology were not effective in preventing and detecting unauthorized access to the database, called the Offender Management Network Information System.

Specifically, said the report, which covered activities from May 2002 through July 2007, DOC failed to follow its own policies by not hiring an information security officer to field access to and maintain the integrity of the database.

In its response the department agreed that the position needed to be filled but said that because of budget cuts, the requests to fill the position were denied. However, recently, the DOC got the go-ahead to fill the position and will work toward filling it, the department said.

In general, the audit said, the DIT and DOC didn’t have an organized system or written policy to account for who is given access to the database or who gives that access within the departments. For instance, there is correctional facility staff assigned to give access but no controls to ensure they have the authority to do so.

The audit found 22 people with administrative access to the database, meaning that they could change passwords and log into accounts other than their own. With so many administrators assigned to the database, the audit said, the department can’t ensure accountability for changes made to the database.

The DOC said that since the audit was done, it has reduced the number of people with administrative access to 10 and will continue to reduce the number further and to implement “trails” that allow for greater accountability.

Other problems with access included that the DIT and DOC failed to remove people who may have been granted access to the database at one point but were no longer entitled to the privilege.

For example, 32 percent of the users hadn’t logged on for more than 90 days, so were considered inactive users, yet they still had access to critical data. At least 2 percent of inactive users were considered “high risk” by auditors.

Another 1 percent of the more than 9,500 user accounts were assigned to people who are no longer state employees, the report found.

The departments said they would work with human resources to link employee records to access and that they have cut off access for those who should no longer have it.

The audit also found issues with the general security of the database, reporting that many logins weren’t password protected and that social security numbers and other vital information wasn’t encrypted.

Also, although the department ran a State Police background check on all of its contractors, it didn’t do a federal fingerprint background check on 75 percent of those employees, meaning the department wouldn’t know if an employee committed a crime outside of Michigan.

The department said that since the audit was finished it has made sure that all of the logins are password protected and has worked toward developing polices for other security issues, which should be in place by September 30, 2008.

Also by that date the DIT and DOC said they will have fully implemented policies for updating programming, which they have made strides toward since the audit, they said.

The audit found that in 100 percent of cases, test results for changes didn’t have management approval before being made. In 92 percent of cases, the request forms for changes to the database didn’t document the user who requested the change and/or have management approval.

Some other issues with the system’s management included that the DIT and the DOC didn’t have effective backup and recovery procedures, which the departments said they’ll have in place by the end of 2008.

This story was provided by Gongwer News Service. To subscribe, click on Gongwer.Com

a>>