An audit of the North Dakota Information Technology Department shows the agency cannot account for 217 of its 6,500 assets, including 24 assets that may have contained sensitive information such as Social Security numbers.
The department complied with law and appropriation requirements with the exception of its inadequate inventory procedures, according to the state auditor’s report. Kelly Ivahnenko, the department's public information officer, said that the department has taken steps to rectify inventory procedures and that the assets identified by the auditor's report were sent to surplus and were never lost.
Of the assets tracked from July 2016 through June 2018, 24 lost assets possibly contain sensitive information. Three tablets, four laptops, seven desktop PCs and 10 servers could not be located, totaling $92,151 in missing sensitive assets.
The sensitive information may have included Social Security numbers, drivers license information, usernames and passwords, addresses and phone numbers of employees, students and the general public, according to Brianna Ludwig, the communications director of the state auditor’s office.
“It’s concerning that we have assets out there which could have sensitive information on them and ITD could not find them,” said Joshua Gallion, the state auditor, in a statement.
The department does encrypt sensitive information, but the audit found that three laptops were not encrypted. Past audits had similar findings.
The Information Technology Department did not have the sufficient guidelines for identifying and protecting sensitive assets, according to the audit report. Sensitive information in a missing asset could pose a security risk.
The audit report recommends that the department implement better physical inventory procedures. Other recommendations include urging the department to properly encrypt all data, to identify sensitive assets at risk of loss and to complete a follow-up on sensitive assets that are not located during inventory.
The department has a “high level of confidence” that the missing assets were decommissioned and sent to surplus without sensitive information on them," said Ivahnenko.
Decommissioned items are scrubbed of information.
The Information Technology Department will not be searching for the assets that were unaccounted for because of their certainty that the items are in surplus, Ivahnenko said.
The assets were unaccounted because of manual errors in inputting information into the inventory system, according to Ivahnenko. The department has since switched to an automated system to prevent clerical and data entry errors.
“The bottom line is we do due diligence after an audit,” Ivahnenko said. “The audit confirmed things (about the asset-tracking system) that we had identified.”
Ivahnenko said the department has taken steps and has corrected problems with the inventory system.
The Legislature or executive management of the IT Department could take punitive action against the department, but it will receive no consequences from the auditor’s office, Ludwig said. The office will audit the department again in two years and check if the recommendations have been followed. If the recommendations have not been followed, the department will receive a repeat finding notice on the audit but will not face other consequences from the office.
“There’s always room for improvement,” Ivahnenko said. “Protecting our systems and citizens’ data is our highest priority.”
In the 2019 legislative session, the Legislature funded IT unification for five state departments. The unification brings more assets and responsibility to the IT Department and requires the department to develop and follow reliable internal processes to ensure that all assets are properly managed.
The department’s 6,500 assets include office equipment, network equipment and computer equipment, which total more than $25 million.