Audit of the Department of Criminal Justice Information Services (April 13, 2023)
April 13, 2023 · Department of Criminal Justice Information Services · Read the full official report on mass.gov ↗
source
“Below is a summary of our findings and recommendations, with links to each page listed.”
Read the plain-English breakdown
This is a Massachusetts State Auditor performance audit of the Department of Criminal Justice Information Services for July 1, 2020 through June 30, 2021.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Department of Criminal Justice Information Services (DCJIS) for the period July 1, 2020 through June 30, 2021.”
Auditors checked whether DCJIS properly maintained criminal record systems, protected CORI information, ensured required cybersecurity training, and reconciled CORI fee revenue.
“The purpose of our audit was to determine whether DCJIS does the following:”
CORI records include sensitive personal information, so weak storage checks can raise the risk of identity theft or fraud.
“If DCJIS does not audit these CORI requestors, there is a higher-than-acceptable risk that an individual’s personally identifiable information may be used for such things as identity theft or fraud.”
If you live in Massachusetts, this matters because employers, organizations, agencies, and individuals can request CORI information, and the audit is about whether that information is handled safely and accurately.
“During the audit period, there were 1,019,597 CORI requests from 9,814 organizations and 36,481 individuals.”
The auditor reported three main issues: DCJIS was not auditing non-law-enforcement CORI users, was not ensuring all CSSOA users completed cybersecurity training, and was not reconciling all iCORI revenue.
“DCJIS does not reconcile all revenue recorded in the iCORI database.”
The auditor recommended that DCJIS create procedures, check storage and safeguarding of CORI, monitor cybersecurity training, and resolve the $22,343 revenue difference.
“DCJIS should investigate and resolve the $22,343 variance.”
The audit says the issues could affect privacy, cybersecurity, and public money tracking, because DCJIS manages sensitive criminal justice information and related fee revenue.
“Because DCJIS does not perform reconciliations of all of the revenue recorded in its iCORI database, there is a higher-than-acceptable risk of variances occurring and going undetected.”
CORI means Criminal Offender Record Information, and the iCORI database contains Massachusetts criminal activity records plus personal details like names, birthdates, addresses, and Social Security numbers.
“This database contains Massachusetts-only criminal activity and personally identifiable information such as names, birthdates, addresses, and social security numbers.”
1 figure(s) pending source verification - not shown
What the Auditor checked
- Complied Does DCJIS maintain its Criminal Offender Record Information (CORI) database, iCORI, in accordance with Section 167A(f) of Chapter 6 of the General Laws and DCJIS’s request turnaround policy, as published on its website?
- Did not comply Does DCJIS perform audits of CORI requestors to confirm that non–law enforcement CORI requestors have security protection over the information obtained through the iCORI database in accordance with Section 2.21(4)(d) of Title 803 of the Code of Massachusetts Regulations, which was effective during the audit period?
- Did not comply Does DCJIS ensure that all Criminal Justice Information System Single Sign On Application (CSSOA) users who have access to criminal justice information complete cybersecurity awareness training in accordance with Section 5.2.1 through 5.2.3 of the United States Department of Justice Federal Bureau of Investigation’s “Criminal Justice Information Services (CJIS) Security Policy,” dated June 1, 2020?
- Did not comply Does DCJIS reconcile funds received for CORI requests to the Massachusetts Management Accounting and Reporting System (MMARS) in accordance with the Office of the Comptroller of the Commonwealth’s “Cash Recognition and Reconciliation Policy,” dated July 1, 2004?
What the Auditor found
Why it matters: There is increased risk that personally identifiable information could be misused for identity theft or fraud.
Standard: Section 2.21 of Title 803 of the Code of Massachusetts Regulations required DCJIS audit staff, during audits, to assess whether requestors properly store and safeguard CORI. ( Section 2.21 of Title 803 of the Code of Massachusetts Regulations )
2 recommendations
- DCJIS should require its audit team to perform audits to assess whether non–law enforcement requestors properly store and safeguard the CORI they obtain from DCJIS.agency: disagreed
- DCJIS should develop and implement policies and procedures that require its audit team to perform audits to assess whether non–law enforcement requestors have properly stored and safeguarded CORI.agency: disagreed
Agency response & Auditor reply
Agency: "Respectfully, DCJIS believes that its current approach to ensuring compliance is more effective and does not find the recommendations provided by the SAO to be feasible given the current DCJIS staff and resources."
Auditor: "The Office of the State Auditor acknowledges that the use of auditing as stated in 803 CMR 2.23 is discretionary; however, in our review, we found that this control measure had not been used one single time, and we were informed that it has been rarely used, if at all, because of the noted staffing constraints."
Why it matters: User error could compromise the integrity and security of CSSOA.
Standard: Section 5.2.1 of the FBI CJIS Security Policy required basic security awareness training within six months of initial assignment and biennially thereafter. ( Section 5.2.1 of the United States Department of Justice Federal Bureau of Investigation’s “Criminal Justice Information Services (CJIS) Security Policy,” issued on June 1, 2020 )
2 recommendations
- DCJIS should ensure that CSSOA users complete initial cybersecurity awareness training within six months of their initial access to CSSOA and biennially thereafter.agency: disagreed
- DCJIS should continually monitor that both new and existing CSSOA users have completed the required cybersecurity awareness training.agency: disagreed
Agency response & Auditor reply
Agency: "Therefore, while DCJIS appreciates the SAO’s efforts and is grateful for the SAO’s audit, it respectfully disagrees with the SAO’s finding on this point."
Auditor: "However, we disagree with DCJIS on who is ultimately responsible for ensuring that all CSSOA users complete the mandatory biennial cybersecurity awareness training."
Why it matters: Variances in revenue records could occur and go undetected.
Standard: The Office of the Comptroller of the Commonwealth’s Cash Recognition and Reconciliation Policy requires departments to reconcile received revenue in internal accounting records to revenue reported in MMARS. ( Office of the Comptroller of the Commonwealth’s “Cash Recognition and Reconciliation Policy,” issued July 1, 2004 )
2 recommendations
- DCJIS should investigate and resolve the $22,343 variance.agency: disagreed
- DCJIS should develop policies and procedures that require its employees to perform regular reconciliations of the revenue recorded in its iCORI database to revenue recorded in MMARS.agency: disagreed
Agency response & Auditor reply
Agency: "DCJIS strongly disagrees with this finding because it is factually inaccurate."
Auditor: "Although DCJIS may not have designed the iCORI database (which is used for recording CORI requests and generating fees) for reconciliation purposes, it is still the book of original entry2 for the fees associated with requesting CORI."
More audits of this entity
Other Office of the State Auditor reports on Department of Criminal Justice Information Services .
-
Audit of Settlement Agreements and Confidentiality Clauses Across Multiple State Agencies - Department of Criminal Justice Information Services (January 28, 2025)State Agency / Office · January 28, 2025