An Audit Report on Selected Information Technology Controls at the Winters Data Centers
July 2011
Report Number 11-033
Overall Conclusion
Weaknesses in the Health and Human Services Commission's (Commission) logical and physical access controls over information technology at the Winters Data Centers could result in damage to equipment or unauthorized access to and the loss of confidential data and systems.
Health and human services agencies rely on mission-critical systems housed at the Winters Data Centers to carry out their responsibilities. The weaknesses auditors identified increase the risk of unauthorized access to or loss of confidential data.
While the Commission has comprehensive information security policies and procedures, it does not enforce those policies and procedures consistently. It also does not comply with Texas Administrative Code requirements for passwords, user access, and disaster recovery plan testing. On at least 70 percent of the databases and servers that auditors tested, the Commission's password implementation did not meet information security standards established for state data centers.
The Commission does not adequately monitor vendors that provide certain operation and maintenance services at the Winters Data Centers. The outsourcing of certain operation and maintenance services to vendors, combined with the Commission's organizational structure, has resulted in significant challenges. For example:
- A system of shared responsibilities for information technology now exists among vendors, the Commission, and health and human services agencies. Staff at the Commission and health and human services agencies have not fully embraced those shared responsibilities. The complex system of responsibilities requires greater oversight by the Commission and health and human services agencies.
- The outsourcing of certain services, coupled with a lack of oversight by the Commission and health and human services agencies, has resulted in instances in which staff were unaware of services and user accounts on their mission-critical systems.
While vendors perform certain services at the Winters Data Centers, this does not relieve the Commission or the health and human services agencies of their responsibility for ensuring that data and systems are properly secured.