After conducting a covert penetration test, the Colorado State Auditor "identified a significant number of serious vulnerabilities in the state’s networks and applications that would likely provide a malicious attacker with unauthorized access to the public’s data or with the ability to directly target Colorado’s citizens."
According to the report, the Colorado auditor was able, through the covert test, to "compromise several state government networks and systems and gain unauthorized access to thousands of individuals' records, including state employees' records, containing confidential data such as social security numbers, income levels, birth dates, and contact information."
The auditor estimated that a data breach of this magnitude would cost the state of Colorado between $7 million and $15 million to fix. "This estimate does not include the cost to individual citizens whose data would have been stolen."
The auditor also found that 60% of state agencies failed to submit required information security plans to the Office of Cyber Security by the July 15, 2010, statutory deadline. Even among the agencies that submitted plans, only one was complete. In addition, the Commission on Higher Education is not collecting, reviewing, and submitting information security plans for colleges and universities to the office, as required by statute.
The report determined that the Office of Cyber Security "lacks a strategic plan for directing its operations, lacks any meaningful measures for assessing its performance, and does not have procedures to collect and analyze meaningful cyber security information." The auditor blamed a "lack of leadership" at the office and a "lack of oversight" at the Governor's Office of Information Technology for the problems identified in the audit.
The Governor's Office of Information agreed with the findings of the auditor, but blamed the problems on tight budgets and antiquated network and computer security systems that the office inherited. The office said it would address the information security problems identified by the auditor "where budget and resources permit."