I hate to overstate the findings of any report, but my first thought while reading the latest audit of the Agency for State Technology was:
“Jeez, is this joint as potentially ‘leaky’ as I think it is?”
The report by Florida Auditor General Sherrill F. Norman’s office, which I got a copy of on Thursday, lays out a laundry list of security and other problems at the relatively new agency.
And the best defense that state Chief Information Officer Jason Allison, appointed by Gov. Rick Scott, can muster is to deflect blame and point fingers.
Among the many audit findings are that “access privileges for some AST users … did not restrict (them) to only those functions appropriate and necessary for assigned job duties or functions.”
Gee, no security problem there.
Also, some “accounts remained active when no longer needed and some … inappropriately allowed interactive logon, increasing the risk that the confidentiality, integrity, and availability of AST data and IT resources may be compromised.”
I’m no expert, but that sounds downright dangerous.
The AST also failed to “review user access privileges for the mainframe, open systems environments, and the network domains,” kept an inaccurate “inventory of IT resources at the State Data Center,” and “State Data Center backup tape records were not up-to-date and some backup tapes could not be located and identified.”
The agency, created by the Legislature in 2014, was aimed at avoiding all the problems of its predecessor, the Agency for Enterprise Information Technology, effectively abolished in 2012.
Mission not accomplished.
Allison, in a weak-beer response included in the audit report, says he just inherited problems from the Northwood and Southwood Shared Resource Centers, which his agency took over.
“It is important to note that AST has combined two separate data centers into a new state agency with a single, cohesive team,” he said.
Yes, a team that apparently doesn’t know when to tell people to change their freaking passwords.