Virginia Attorney General’s office has increased chance of data breach: audit
RICHMOND, Va. (WRIC) -- Sensitive data kept by the Virginia Office of the Attorney General may be at risk because the office has not clearly defined and documented oversight roles and responsibilities between itself and its IT service providers, and because weaknesses remain in its remote-access and server security controls, according to a recent audit.
The audit covered Fiscal Year (FY) 2024 and states that the Attorney General's office has made progress since prior reviews. However, weaknesses still exist in three areas.
The Auditor of Public Accounts (APA) said improvements should be made to increase the safety and protection of sensitive data.
Continue to improve Virtual Private Network Security Controls
According to the audit report, in the area of "Virtual Private Network Security Controls," the office has made progress since FY2019 by "implementing multi-factor authentication for remote sessions through the virtual private network (VPN)" -- however, the audit report reveals that two weaknesses still exist in this area.
These weaknesses were communicated to management in a separate, confidential document, because it contains descriptions of security mechanisms.
Recommendations
The audit recommends that the office "dedicate the necessary resources to mitigate the specific risks communicated in the [confidential] document to improve the security posture of remote connections and to comply with its Office Policies and the Security Standard."
Develop, implement a process to maintain oversight over service providers
The office was first reviewed for this area in FY2022. However, the audit report revealed that it needs to continue to strengthen procedures and processes to manage risks that come from the use of information technology providers, as well as monitor the effectiveness of the security controls of providers.
In the report, providers are defined as organizations that perform certain business tasks or functions on behalf of the Office and the Commonwealth. Six of the Attorney General's office's providers transmit, process or store sensitive and "mission-critical data."
Multiple weaknesses were found in this area. Firstly, auditors learned that the office does not maintain a complete and up-to-date list of providers that perform business tasks or functions on behalf of the office.
When auditors reviewed the list of 85 providers given to them by the office, they found that for 12 of those providers the columns meant to indicate whether the provider stored or processed sensitive information were blank. Auditors determined that two of those 12 providers both processed and stored sensitive information.
In January and May, the office engaged the Virginia Information Technologies Agency's (VITA) COV Ramp service for two of its providers. COV Ramp is a brand family that signifies the Commonwealth of Virginia's seal of approval for IT products, services and solutions; its purpose here is to help the Attorney General's office complete contracting with those two providers by defining and documenting agency and provider roles and responsibilities. According to the audit report, the office did not document enforceable agreements with the other four providers. As of June, the office also had not obtained COV Ramp reports for one provider, nor assurance reports for the remaining five providers.
The report states that, without an effective process to gain assurance over its providers' operating controls, the Attorney General's office cannot ensure that providers have effective security controls, which increases the chance of a breach or data disclosure, auditors said.
The report also notes that by not obtaining, reviewing and documenting an annual review of independent audit assurance, and not implementing compensating controls over each provider where needed, the Office may not be able to ensure an "adequate level of security controls," putting its sensitive data at risk.
In July 2023, the office completed its Office Policies and Office Procedures, which include system and services acquisition requirements and processes. However, according to the report, the office did not define steps "to ensure that policy and process requirements are met, either for providers under active oversight with VITA’s COV Ramp service or for providers under the purview of the Office."
In addition, the Attorney General's office has not reviewed and revised its Office Policies and Office Procedures since July 2023 to reflect the new Security Standard requirements, which were effective March 2024.
According to the audit report conducted in FY2024, the Office does not obtain annual independent audit assurance reports -- including System and Organization Controls reports -- which identify deficiencies, determine the potential need to implement compensating controls and identify any subservice organizations requiring oversight.
Recommendations
- The audit recommends that the office update its Office Procedures to clearly define the steps the Office is responsible for, so that it meets the service provider oversight policy and process requirements.
- It should also establish a process to track oversight activities for providers that are managed by COV Ramp.
- For providers under the office's direct responsibility, the audit report recommends that the office clearly communicate required security controls through written agreements.
- It is recommended that the Attorney General's office request and review monthly service reports and annual independent audit reports to ensure providers have effective controls to protect sensitive data.
- During the evaluation, the office should identify control deficiencies, develop mitigation plans, and escalate issues of noncompliance, as needed.
- Lastly, the office should document its evaluation of the monthly service reports and annual assurance reports from each provider under the office purview, which will help to ensure the confidentiality, integrity, and availability of sensitive data according to the report.
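The oversight process the auditors recommend (a complete provider inventory, data-handling classification for every entry, written agreements, monthly service reports and annual assurance reports, with deficiencies flagged for escalation) is the kind of thing that is easy to lose track of in a spreadsheet, as the 12 blank rows show. The following script is an added illustration, not code from the audit, the APA or the Attorney General's office; the inventory fields, the sample providers and the report-age thresholds are all assumptions chosen for the example. It fails closed: a provider whose data-classification fields are blank is treated as if it handles sensitive data until someone fills them in, because that is exactly the case the auditors found (two of the 12 blanks did).

```python
"""Provider-oversight gap check (added example; not the office's or the auditors' code).

Assumed inventory columns (hypothetical, not the office's real schema):
  name, stores_sensitive, processes_sensitive ("Yes"/"No"/blank),
  oversight ("cov_ramp" or "office"), agreement_on_file ("Yes"/"No"),
  last_assurance_report (ISO date of the last SOC or similar report, may be blank),
  last_service_report  (ISO date of the last monthly service report, may be blank)
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory for the example; none of these are real providers.
SAMPLE_CSV = """name,stores_sensitive,processes_sensitive,oversight,agreement_on_file,last_assurance_report,last_service_report
Provider A,Yes,Yes,cov_ramp,Yes,2024-03-15,2024-06-01
Provider B,,,office,No,,2024-05-20
Provider C,No,No,office,Yes,,
Provider D,Yes,No,office,Yes,2023-01-10,2024-02-01
"""

# Assumed thresholds: annual assurance within a year, monthly service report within a month.
ASSURANCE_MAX_AGE = timedelta(days=365)
SERVICE_MAX_AGE = timedelta(days=31)


def _parse_date(text):
    """Blank cells mean 'never received'; return None so callers can flag them."""
    text = (text or "").strip()
    return date.fromisoformat(text) if text else None


def _stale(last, as_of, max_age):
    return last is None or (as_of - last) > max_age


def check_inventory(csv_text, as_of="2024-06-30"):
    """Return {provider name: [issue, ...]} for every provider with an oversight gap."""
    as_of_date = date.fromisoformat(as_of)
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        stores = row["stores_sensitive"].strip()
        processes = row["processes_sensitive"].strip()

        # Gap 1: classification never recorded (the blank-column problem).
        if not stores or not processes:
            issues.append("data classification blank")

        # Fail closed: blank classification is treated as sensitive until resolved.
        handles_sensitive = "Yes" in (stores, processes) or not stores or not processes

        if handles_sensitive:
            # Gap 2: no enforceable written agreement stating required controls.
            if row["agreement_on_file"].strip() != "Yes":
                issues.append("no enforceable agreement")
            # Gap 3: no independent assurance report within the past year.
            if _stale(_parse_date(row["last_assurance_report"]), as_of_date, ASSURANCE_MAX_AGE):
                issues.append("annual assurance report missing or stale")
            # Gap 4: providers under the office's direct purview also owe a monthly
            # service report; COV Ramp-managed providers are tracked by VITA instead.
            if row["oversight"].strip() == "office" and _stale(
                _parse_date(row["last_service_report"]), as_of_date, SERVICE_MAX_AGE
            ):
                issues.append("monthly service report missing or stale")

        if issues:
            findings[row["name"]] = issues
    return findings


def needs_escalation(findings):
    """Providers whose gaps are contractual or assurance-level, not just paperwork lag."""
    serious = {"no enforceable agreement", "annual assurance report missing or stale"}
    return sorted(name for name, issues in findings.items() if serious & set(issues))


if __name__ == "__main__":
    gaps = check_inventory(SAMPLE_CSV)
    for name, issues in gaps.items():
        print(f"{name}: {'; '.join(issues)}")
    print("escalate:", needs_escalation(gaps))
```

Run against the sample, the script clears Provider A (assured, COV Ramp-managed) and Provider C (no sensitive data), and flags Provider B on all four counts and Provider D for stale reports only. A real deployment would read the office's own inventory export and keep a dated record of each run, since the auditors also asked that the evaluation itself be documented.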
Improving Server Operating System Security
The FY2024 report states that the office does not implement certain controls and processes on a sensitive server operating system to properly secure the system in accordance with its Office Policies, Office Procedures, the Security Standard and industry best practices, such as the Center for Internet Security’s Benchmark (CIS Benchmark).
The audit communicated five weaknesses to management in a separate, confidential document, because of the sensitivity of the security mechanisms it describes.
The report stated that a lack of resources, personnel changes and lack of "a necessary tool" contributed to these issues and that, without these controls, the office may not effectively and consistently protect and mitigate risks to data.
Recommendations
The audit report recommends that the office ensure that "server operating system configurations, controls, and processes align with the requirements in its Office Policies, Office Procedures, the Security Standard and the CIS Benchmark."
Auditors stated that implementing those controls will help maintain the confidentiality, integrity and availability of the sensitive and mission-critical data stored or processed on the server.