Conclusions:
The Public Employees Retirement Association (PERA) does not have a comprehensive security program that is capable of responding promptly to volatile technology risks. Of greatest concern, the retirement association had not devoted sufficient staff to perform important security duties. At the time of our audit, one information technology professional managed most aspects of the security infrastructure. No backup employees had been cross-trained to perform these critical security duties. Compounding this risk, PERA had not completed a formal information technology risk assessment or developed written security policies, procedures, and standards. Finally, the retirement association had very few monitoring controls to detect and promptly respond to potential security breaches.
These security program shortcomings allowed serious internal control weaknesses to go unchallenged:
Financial-Related Audit Reports address internal control weaknesses and noncompliance issues found during our audits of state departments and agencies. The scope of our work at the Public Employees Retirement Association was limited to a review of controls that protect the integrity of its mission-critical business data.