Not long ago, we discussed the formal report of the Oregon Secretary of State’s audit (the “Report”) of the Oregon Liquor Control Commission’s (“OLCC”) information technology systems related to Oregon’s recreational cannabis industry. In our earlier article on the matter, we discussed findings and recommendations relating specifically to the OLCC’s Marijuana Licensing System (MLS) and the separate Cannabis Tracking System (CTS), and whether the OLCC has sufficient technical controls in place to ensure that the MLS and CTS are supporting effective regulation of the recreational cannabis industry. Today we are going to look at the OLCC’s general information technology (IT) security concerns and disaster recovery strategies, and whether the OLCC has implemented sufficient security strategies to protect against known technical and physical threats.
The Report first lays out two “key findings” in this area:
- The “OLCC has not implemented an effective IT security management program for the agency as a whole.”
- The “OLCC has not formally developed a disaster recovery plan and has not tested backup files to ensure they can be used to restore mission-critical applications and data.”
Digging further, the Report paints a somewhat grim picture of the OLCC’s IT capabilities:
[W]e found that OLCC management has not implemented an appropriate security management program for all agency IT systems. OLCC does not have sufficient procedures, strategies, and plans in place to ensure that computer resources are protected against known vulnerabilities and physical threats. While this does not affect the externally hosted cannabis applications, other programs and administrative systems at OLCC may be at risk. – The Report
According to the Report, the OLCC currently does not have an up-to-date security plan, does not adequately track IT assets, does not have a process to monitor for unauthorized changes or devices, is unable to identify security vulnerabilities, lacks sufficient controls for physical access to OLCC sites and assets, and generally has servers and devices running on outdated platforms. None of that looks very good.
Furthermore, the Report observes that the OLCC hasn’t developed an appropriate recovery plan in the event of a system-wide event. To be fair, the OLCC backs up its data, but hasn’t tested whether those backups can be used to restore systems, so there is no knowing whether the established backup protocol will even work.
All of these issues come back to the core concern we identified in the prior article: The OLCC is dramatically underfunded for its mission. Fixing these issues will take expertise and resources that historically haven’t been devoted to the agency. The agency’s response to the Report (the “Response”) highlights this concern. As with the challenges with CTS and MLS, the Response acknowledges these general IT security issues, and notes that it is seeking additional funding from the legislature to address the Report’s concerns.
The shortcomings of OLCC’s overall IT security are not particularly surprising as OLCC continues to rely on legacy systems and generally has not modernized its agency-wide systems at the same pace as the rest of state government . . . The IT security auditor’s findings reflect a symptom of a general lack of management proficiency and capability to maintain a focus on state requirements and practices. – The Response
In relation to these concerns, the OLCC has requested “$400,000 to replace unsupported servers and switches and, position authority for a [Chief Information Officer] ($197,000).” Our contacts at the OLCC suggest that the legislature fulfilled this request, but we haven’t yet received formal notice. In our view, the OLCC has done a commendable job in its regulation of Oregon’s recreational cannabis market over the past few years, but with so much happening on so many fronts, the agency could use additional resources. Fingers crossed.