Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Department of Criminal Justice Information Services (April 13, 2023)

April 13, 2023 · Department of Criminal Justice Information Services · Read the full official report on mass.gov ↗

Published April 13, 2023 Audit covers July 1, 2020 – June 30, 2021 Under Diana DiZoglio · 2023–present

In plain English
The audit found that DCJIS handled CORI requests on time overall, but had problems with checking how criminal record information is safeguarded, making sure users completed cybersecurity training, and reconciling some revenue records.
source
“Below is a summary of our findings and recommendations, with links to each page listed.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of the Department of Criminal Justice Information Services for July 1, 2020 through June 30, 2021.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Department of Criminal Justice Information Services (DCJIS) for the period July 1, 2020 through June 30, 2021.”
Why was it audited?

Auditors checked whether DCJIS properly maintained criminal record systems, protected CORI information, ensured required cybersecurity training, and reconciled CORI fee revenue.

“The purpose of our audit was to determine whether DCJIS does the following:”
Why it matters

CORI records include sensitive personal information, so weak storage checks can raise the risk of identity theft or fraud.

“If DCJIS does not audit these CORI requestors, there is a higher-than-acceptable risk that an individual’s personally identifiable information may be used for such things as identity theft or fraud.”
What's in it for me?

If you live in Massachusetts, this matters because employers, organizations, agencies, and individuals can request CORI information, and the audit is about whether that information is handled safely and accurately.

“During the audit period, there were 1,019,597 CORI requests from 9,814 organizations and 36,481 individuals.”
The bottom line

The auditor reported three main issues: DCJIS was not auditing non-law-enforcement CORI users, was not ensuring all CSSOA users completed cybersecurity training, and was not reconciling all iCORI revenue.

“DCJIS does not reconcile all revenue recorded in the iCORI database.”
What happens next

The auditor recommended that DCJIS create procedures, check storage and safeguarding of CORI, monitor cybersecurity training, and resolve the $22,343 revenue difference.

“DCJIS should investigate and resolve the $22,343 variance.”
Why it's significant

The audit says the issues could affect privacy, cybersecurity, and public money tracking, because DCJIS manages sensitive criminal justice information and related fee revenue.

“Because DCJIS does not perform reconciliations of all of the revenue recorded in its iCORI database, there is a higher-than-acceptable risk of variances occurring and going undetected.”
Jargon, unpacked

CORI means Criminal Offender Record Information, and the iCORI database contains Massachusetts criminal activity records plus personal details like names, birthdates, addresses, and Social Security numbers.

“This database contains Massachusetts-only criminal activity and personally identifiable information such as names, birthdates, addresses, and social security numbers.”

1 figure(s) pending source verification - not shown

What the Auditor checked

What the Auditor found

DCJIS did not audit non-law-enforcement CORI requestors to ensure CORI was properly stored and safeguarded.
data privacyrecordkeeping/documentationinternal controls

Why it matters: There is increased risk that personally identifiable information could be misused for identity theft or fraud.

Standard: Section 2.21 of Title 803 of the Code of Massachusetts Regulations required DCJIS audit staff, during audits, to assess whether requestors properly store and safeguard CORI. ( Section 2.21 of Title 803 of the Code of Massachusetts Regulations )

2 recommendations
  • DCJIS should require its audit team to perform audits to assess whether non–law enforcement requestors properly store and safeguard the CORI they obtain from DCJIS.agency: disagreed
  • DCJIS should develop and implement policies and procedures that require its audit team to perform audits to assess whether non–law enforcement requestors have properly stored and safeguarded CORI.agency: disagreed
Agency response & Auditor reply
Agency: "Respectfully, DCJIS believes that its current approach to ensuring compliance is more effective and does not find the recommendations provided by the SAO to be feasible given the current DCJIS staff and resources."
Auditor: "The Office of the State Auditor acknowledges that the use of auditing as stated in 803 CMR 2.23 is discretionary; however, in our review, we found that this control measure had not been used one single time, and we were informed that it has been rarely used, if at all, because of the noted staffing constraints."
DCJIS did not ensure CSSOA users completed required cybersecurity awareness training on time.
cybersecurityinternal controls

Why it matters: User error could compromise the integrity and security of CSSOA.

Standard: Section 5.2.1 of the FBI CJIS Security Policy required basic security awareness training within six months of initial assignment and biennially thereafter. ( Section 5.2.1 of the United States Department of Justice Federal Bureau of Investigation’s “Criminal Justice Information Services (CJIS) Security Policy,” issued on June 1, 2020 )

2 recommendations
  • DCJIS should ensure that CSSOA users complete initial cybersecurity awareness training within six months of their initial access to CSSOA and biennially thereafter.agency: disagreed
  • DCJIS should continually monitor that both new and existing CSSOA users have completed the required cybersecurity awareness training.agency: disagreed
Agency response & Auditor reply
Agency: "Therefore, while DCJIS appreciates the SAO’s efforts and is grateful for the SAO’s audit, it respectfully disagrees with the SAO’s finding on this point."
Auditor: "However, we disagree with DCJIS on who is ultimately responsible for ensuring that all CSSOA users complete the mandatory biennial cybersecurity awareness training."
DCJIS did not reconcile all revenue recorded in iCORI to MMARS.
cash handlinginternal controls

Why it matters: Variances in revenue records could occur and go undetected.

Standard: The Office of the Comptroller of the Commonwealth’s Cash Recognition and Reconciliation Policy requires departments to reconcile received revenue in internal accounting records to revenue reported in MMARS. ( Office of the Comptroller of the Commonwealth’s “Cash Recognition and Reconciliation Policy,” issued July 1, 2004 )

2 recommendations
  • DCJIS should investigate and resolve the $22,343 variance.agency: disagreed
  • DCJIS should develop policies and procedures that require its employees to perform regular reconciliations of the revenue recorded in its iCORI database to revenue recorded in MMARS.agency: disagreed
Agency response & Auditor reply
Agency: "DCJIS strongly disagrees with this finding because it is factually inaccurate."
Auditor: "Although DCJIS may not have designed the iCORI database (which is used for recording CORI requests and generating fees) for reconciliation purposes, it is still the book of original entry2 for the fees associated with requesting CORI."

More audits of this entity

Other Office of the State Auditor reports on Department of Criminal Justice Information Services .

See this entity's page with all 2 audits →