Audit of the Merit Rating Board
February 1, 2018 · Merit Rating Board · Read the full official report on mass.gov ↗
Read the plain-English breakdown
This is a state performance audit of the Merit Rating Board, covering selected information technology operations from July 1, 2014 through June 30, 2016.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor (OSA) has conducted an audit to review and evaluate controls over selected information technology (IT) operations and activities of the Merit Rating Board (MRB) for the period July 1, 2014 through June 30, 2016.”
Auditors reviewed whether MRB had proper controls over important IT areas, including who can access systems, how changes are managed, how personal information is handled, and how operations would continue after a disruption.
“In this performance audit, we reviewed certain IT controls over MRB mission-critical applications related to logical access security; change management (monitoring, documenting, and approving modifications to an agency’s IT system); personally identifiable information (PII); and business continuity planning and disaster recovery (DR).”
MRB handles driving-record information used by insurers and public agencies, so weak controls could put personal data and key government services at risk.
“Its primary mission is to maintain and update driving records and report driving record information to Massachusetts auto insurers and other transportation and public-safety government agencies.”
For an ordinary Massachusetts driver, this matters because MRB systems include sensitive information like names, addresses, license numbers, birth dates, and driving records.
“This increases the risk of terminated employees improperly accessing and/or altering personal information in ALARS such as names, addresses, driver’s license numbers, dates of birth, and driving records.”
The main problem was not one single failure, but a pattern of missing or incomplete safeguards: access was not always removed promptly, personal data controls were incomplete, and continuity and recovery plans were not properly documented or tested.
“MRB lacked proper procedures for dealing with incidents that might compromise its ability to recover from disruptions to its operations or destruction of data that are vital to serving the citizens of the Commonwealth.”
The auditor recommended that MRB work with MassDOT to tighten access reviews, classify and inventory data, train new employees before system access, create a business continuity plan, test disaster recovery, and maintain offsite backups.
“MRB should work with MassDOT IT to develop, document, and implement a BCP that includes MRB operations.”
The audit is significant because the Auditor found weaknesses that could affect the confidentiality, accuracy, and availability of MRB information and systems.
“This increases the risk that the confidentiality, integrity, and availability of MRB information will be compromised.”
ALARS is the key computer system that stores and manages license, registration, driving-record, accident, citation, insurance-claim, and related information.
“According to the RMV’s Uninsured Motorist System User Manual, ALARS consists of multiple components, including licensing, registration, titles, suspensions, accident records, inspection maintenance, non-renewals, policies, and MRB information.”
1 figure(s) pending source verification - not shown
What the Auditor checked
- Did not comply Has MRB designed and effectively implemented logical access security controls, such as background checks for new users; approval processes for new, transferred, and terminated user accounts; and password security, to support its mission-critical application systems?
- Complied Has MRB designed and effectively implemented change-management controls to support its mission-critical and essential application systems?
- Did not comply Has MRB designed and effectively implemented a business continuity plan (BCP) and disaster recovery (DR) controls, such as established policies and procedures and annual testing, to support its mission-critical and essential application systems?
What the Auditor found
Why it matters: Former employees could improperly access or alter personal information in ALARS.
Standard: MassIT Enterprise Information Security Policy requires removal of access rights upon termination of employment. ( MassIT Enterprise Information Security Policy )
2 recommendations
- MRB should define a specific timeframe to revoke terminated employees’ access to ALARS.agency: agreed
- MRB should develop its own logical access security policies and procedures to supplement MassDOT’s ISP.agency: agreed
Agency response & Auditor reply
Agency: "The recommendation that the Merit Rating Board establish better review procedures for checking on ALARS for terminated employees is reasonable."
Auditor: "Although MassDOT IT may be responsible for actually initiating and removing these access rights, MRB is responsible for establishing the access rights for its employees, monitoring its accounts, and asking MassDOT IT to modify or terminate these rights in a timely manner as necessary."
Why it matters: Employees could have more access to personal information than their jobs required.
Standard: MassDOT's ISP requires quarterly review of all accounts to ensure access rights are limited to least privilege. ( MassDOT information security program )
1 recommendation
- MRB should develop and implement a process to review the access rights for all ALARS user accounts and work with MassDOT IT to obtain the information necessary to perform this activity.agency: agreed
Agency response & Auditor reply
Agency: "The Merit Rating Board does not have any control over who has access to ALARS."
Auditor: "Without such controls, there is a risk that data in the system may be corrupted or manipulated by former employees and that a terminated employee’s account could be compromised and used to manipulate data in ALARS."
Why it matters: MRB may not know what data is missing or lost after loss or corruption.
Standard: MassIT Enterprise IT Security Compliance Policy and Enterprise IT Asset and Risk Management Policy require data classification and IT asset inventory. ( MassIT Enterprise IT Security Compliance Policy; MassIT Enterprise IT Asset and Risk Management Policy )
1 recommendation
- MRB should consult with MassDOT to develop policies and procedures to classify and inventory its data in case of loss or corruption.
Agency response & Auditor reply
Agency: "The Merit Rating Board has no control over data classification or data inventory."
Auditor: "However, MRB also needs to work with MassDOT IT and provide it with the information necessary for MassDOT IT to effectively administer this process."
Why it matters: Critical operations could be disrupted if MRB loses data or systems.
Standard: MassIT Enterprise Business Continuity for IT Management Policy requires agencies to develop, implement, test, and maintain a BCP for IT resources supporting core systems and services. ( MassIT Enterprise Business Continuity for IT Management Policy )
1 recommendation
- MRB should work with MassDOT IT to develop, document, and implement a BCP that includes MRB operations.
Agency response & Auditor reply
Agency: "It would not be possible for the Merit Rating Board to create a BUSINESS Continuity Plan (BCP) or conduct any Disaster Recovery testing independent of MASSDOT IT and MASS IT."
Auditor: "This is why we recommend that MRB consult with MassDOT in developing a BCP and performing a DR test for all critical IT assets (such as data, equipment, IT services, and IT personnel) to ensure that suitable alternative procedures exist in case disruptions occur."
Why it matters: The confidentiality, integrity, and availability of MRB information could be compromised during a business interruption.
Standard: MassIT Enterprise Business Continuity for IT Management Policy requires annual testing of plans, including disaster recovery plans. ( MassIT Enterprise Business Continuity for IT Management Policy )
1 recommendation
- MRB should consult with MassDOT to perform a DR test for all critical IT assets to ensure suitable alternative procedures exist in case disruptions occur.
Agency response & Auditor reply
Agency: "The Merit Rating Board has provided documentation to MASSDOT IT & MASSIT whenever requested concerning the Merit Rating Board requirements for business continuity and disaster recovery."
Auditor: "MRB needs to work with MassDOT IT to develop, implement, test, and maintain a BCP for all IT resources that deliver and support core critical business functions of MRB."
Why it matters: MRB could permanently lose protected information after a business interruption or disaster.
Standard: MassIT Enterprise Communications and Operations Management Policy and NIST Special Publication 800-34 require backup procedures and offsite backup storage practices. ( MassIT Enterprise Communications and Operations Management Policy; National Institute of Standards and Technology Special Publication 800-34 )
1 recommendation
- MRB should consult with MassDOT to document, develop, and implement backup procedures for its servers.
Agency response & Auditor reply
Agency: "The Merit Rating Board no longer has control over the data servers and workstation infrastructure within our department."
Auditor: "However, the Office of the State Auditor believes MRB should still take measures to ensure that its data servers are backed up regularly by MassDOT IT and maintained off site."