Montana Department of Justice fails IT security according to state auditors

Darrell Ehrlick

(Daily Montanan) A new state information technology audit shows that the Montana Department of Justice is not meeting goals and requirements for security, structure and governance, exacerbated by high turnover within the department, and is at risk for not converting the state’s out-of-date motor vehicle record management properly.

In testimony before the Legislative Audit Committee, lawmakers heard about ongoing problems within the department that is looking to transition away from the MERLIN system, which keeps record of vehicle license, registration and drivers licensing and identification cards.

Will Selph, the DOJ chief of staff, told legislators that MERLIN has reached the end of its programming life and the state will switch to a new system, estimated at more than $54 million. In the meantime, however, the Montana Legislative Audit Division reviewed five areas of the existing system – IT governance, IT management, IT human resources management, IT risk management, and IT security management – and each category received either a “needs improvement” or “unsatisfactory.”

Auditors said the worry is that if they don’t fix the problems now, the new system will have the same limitations and liabilities lawmakers are concerned about with the current one.

“Without improvements, the MERLIN replacement project is at risk of not meeting goals and the new system is more likely to see issues with meeting federal requirements and users’ needs,” the audit said.

Montana Attorney General Austin Knudsen responded to the audit, saying the Department of Justice has concurred with all the recommendations and Selph reported to the committee that meetings, policies and procedures had already taken place between the time the audit findings were published and the meeting last week.

Previously, the information technology portion of the DOJ had been managed, in part, by the Department of Administration – which oversees a wide array of technical and information systems. However, lawmakers have given increasing power to IT within the state’s Department of Justice, so that it could address privacy and law enforcement concerns.

For example, auditors gave the department an unsatisfactory rating because it lacks IT governance that puts both MERLIN and any new system at risk.

“DOJ is still building management processes, defining policies, and determining the roles that will support MERLIN. In addition, the department has committed to a replacement system that is being customized and implemented over the next few years. This creates competing priorities and increases the risk to the agency,” the report said, noting that the department specify how investments and risks are monitored or reported in “a transparent and regular way.”

The audit also found that high staff turnover left the department unaware of management practices.

“As staff left, key responsibilities were not officially reassigned (disaster recovery programs, risk assessment and mitigation planning). We found evidence of the previous administration’s management practices that current staff were not aware of,” the audit said.

In a section that rated the DOJ’s information technology risk management practices as “unsatisfactory,” auditors warned that “MERLIN is at risk of major interruptions.”

“Within the DOJ, data on these risks are not being gathered to understand and communicate them throughout the entire enterprise in a consistent, formal manner,” the audit said. “Project risks are being managed by multiple vendors and DOJ.”

The auditors also found the security management of the Department of Justice were unsatisfactory because few seemed to know how to manage federal and state compliance.

“System security plans were incomplete and out-of-date,” the audit said. “Security controls may lack oversight and enforcement. Without an overarching enterprise security program, related controls, such as application controls, can be changed, disregarded or ineffective as time goes on.”

“I am disappointed in the audit and hopeful you will all turn it around because it affects all of us in this room and our constituents,” said audit committee Chairwoman Rep. Denise Hayman, D-Bozeman.