Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Massachusetts Department of Transportation Aeronautics Division

August 18, 2017 · Massachusetts Department of Transportation · Read the full official report (PDF) ↗ · official site ↗

Published August 18, 2017 Audit covers July 1, 2014 – December 31, 2015 Under Suzanne M. Bump · 2011–2023

In plain English
The audit found that MassDOT’s Aeronautics Division had weak IT controls, poor oversight of aircraft registration data, and problems with its Air-PORT system, which may need to be replaced after costing more than $600,000 to develop.
source
“The Aeronautics Division had deficiencies in information technology (IT) general controls over its Airport Information Resource Portal (Air-PORT) application system2 and its business operations.”
Read the plain-English breakdown
What is this?

This is a State Auditor review of selected IT operations and aircraft registration controls at MassDOT’s Aeronautics Division for roughly July 2014 through December 2015, with some testing extended into 2016.

“In this audit, we reviewed certain IT general controls over the Aeronautics Division’s Airport Information Resource Portal (Air-PORT) application that were related to IT project management, IT governance, and logical access security.”
Why was it audited?

Auditors checked whether the division had proper controls over its main Air-PORT system, user access, business continuity, security training, and aircraft registration revenue.

“We also followed up on the issues identified in our previous audit of the Aeronautics Division (No. 2008-0044-4T) regarding the implementation of controls related to aircraft registrations and the revenue generated.”
Why it matters

These weaknesses could put government data and systems at risk, disrupt operations, and affect whether aircraft registration fees are properly billed and collected.

“The deficiencies could have compromised the integrity, availability, and confidentiality of the Aeronautics Division’s information.”
What's in it for me?

For an ordinary resident, this matters because weak records and IT controls can waste public money, reduce accountability, and leave aviation-related fees or safety-related information poorly tracked.

“This would result in a significant waste of staff resources and of the more than $600,000 that was spent in developing Air-PORT.”
The bottom line

The division’s main IT system did not fully meet business needs, access controls were weak, backup planning was incomplete, employees lacked required security training, and aircraft registration data was not reliable enough.

“Further, Aeronautics Division and Massachusetts Department of Transportation (MassDOT) IT management told us that Air-PORT, as developed, does not fully meet the Aeronautics Division’s business needs and may need to be replaced.”
What happens next

The Auditor recommended better IT project staffing, clearer requirements, stronger vendor and user-access reviews, a tested business-continuity plan, annual security training, and stronger aircraft-reporting and reconciliation procedures.

“The Aeronautics Division should ensure that all future IT projects are staffed with personnel with expertise in IT project management.”
Why it's significant

The report is significant because the problems were broad: they involved IT security, disaster planning, access permissions, contractor oversight, and the accuracy of aircraft registration records used for billing and management decisions.

“As a result, Air-PORT could not be updated and the number and type of commercial aircraft based at airports supported by the Aeronautics Division were not properly accounted for, which could affect the division’s ability to make informed business decisions.”
Jargon, unpacked

Air-PORT is the division’s web-based system for airport information, projects, grants, aircraft registrations, and related data.

“According to Air-PORT’s user manual, Air-PORT is a “web-based application . . . [that] facilitates the management of facility information, projects and grants, and other activity data across the MassDOT system, and . . . supports cloud data storage and retrieval.””

3 figure(s) pending source verification - not shown

What the Auditor checked

What the Auditor found

Ineffective IT project management caused deficiencies in Air-PORT.
cybersecurityinternal controls

Why it matters: Air-PORT did not meet business needs and may need to be replaced, wasting staff resources and more than $600,000 spent developing it.

Standard: COBIT 4.1, Section AI.2 ( Section AI.2 of Control Objectives for Information and Related Technology (COBIT) 4.1 )

2 recommendations
  • The Aeronautics Division should ensure that all future IT projects are staffed with personnel with expertise in IT project management and should have detailed business and technical application requirements.agency: agreed
  • MassDOT should amend its Software Development & Maintenance Policy to require MassDOT IT involvement for Aeronautics Division-managed IT projects that MassDOT IT can administer.agency: agreed
Agency response & Auditor reply
Agency: "The Aurigo Masterworks IT project was procured after the completion of a detailed analysis and documentation of business and technical application requirements."
The division did not periodically review its Web-hosting service provider's security measures.
cybersecurityvendor oversightinternal controls

Why it matters: The division could be unaware of weaknesses at the service provider's data center that could compromise the integrity and availability of MassDOT information.

Standard: COBIT 4.1, Section DS2 ( Section DS2 of COBIT 4.1 )

1 recommendation
  • The Aeronautics Division should establish business requirements and a process to periodically review the effectiveness of its third-party service providers' security measures.agency: agreed
Agency response & Auditor reply
Agency: "The Aeronautics Division will adhere to the MassDOT Data Security policies and procedures for compliance of third-party service provider (TPSP) security reviews."
The division did not grant Air-PORT user access based on business need.
cybersecurityinternal controlsdata privacy

Why it matters: Air-PORT was vulnerable to alteration of information that could affect business operations.

Standard: MassDOT information security program, Section 3.1.1.2.7.4 ( Section 3.1.1.2.7.4 of MassDOT's information security program )

1 recommendation
  • The Aeronautics Division should remove external consultants' accounts and test accounts from Air-PORT, and MassDOT should establish a process to review Air-PORT user accounts for business need.agency: agreed
Agency response & Auditor reply
Agency: "The Aeronautics Division has deleted all external users of AIR-Port."
The division still had not documented and tested a business-continuity plan.
cybersecurityinternal controls

Why it matters: The division had not assessed its ability to sustain operations during a business interruption, which could lead to loss or breach of data or interrupted business.

Standard: Enterprise Business Continuity for IT Management Policy ( Enterprise Business Continuity for IT Management Policy )

1 recommendation
  • The Aeronautics Division, with MassDOT IT, should develop, document, and test a business-continuity plan in accordance with the Enterprise Business Continuity for IT Management Policy.agency: agreed
Agency response & Auditor reply
Agency: "The MassDOT Business Continuity Plan (BCP) is currently under development, including many related policies and procedures."
Aeronautics Division employees did not receive security-awareness training.
cybersecuritydata privacyinternal controls

Why it matters: The lack of training created a higher-than-acceptable risk of inappropriate and unauthorized disclosure of division information.

Standard: Executive Order 504, Section 6; MassDOT information security program ( Section 6 of Executive Order 504; MassDOT's information security program )

1 recommendation
  • The Aeronautics Division should ensure that all employees receive security-awareness training upon hire and annually.agency: agreed
The division did not adequately oversee airport managers' required semiannual reports.
recordkeeping/documentationinternal controlsreporting timeliness

Why it matters: Air-PORT could not be updated, aircraft may not have been accounted for, and the division could have lost registration-fee revenue that could address security and public safety risks.

Standard: 702 CMR 5.08(3)(f) and 702 CMR 5.09 ( Section 5.08(3)(f) of Title 702 of the Code of Massachusetts Regulations; 702 CMR 5.09 )

1 recommendation
  • The Aeronautics Division should establish formal policies and procedures to ensure airport managers' reports are received twice a year, including report format, follow-up, and penalties.agency: agreed
Agency response & Auditor reply
Agency: "Management concurs with the auditors’ comments, and the following action will be taken to improve the situation."
The division did not adequately monitor the accuracy and completeness of its aircraft registration database.
recordkeeping/documentationinternal controlscash handling

Why it matters: Because many records lacked registration status or contained other errors, the division could not verify that all aircraft were registered and all fees were billed and collected in 2015.

Standard: COBIT 4.1, Section ME2

1 recommendation
  • The Aeronautics Division should periodically report to management on aircraft without registration status or with data-entry errors, reconcile MMARS and Air-PORT fee amounts, and ensure all aircraft in airport managers' reports are in Air-PORT.agency: agreed
Agency response & Auditor reply
Agency: "The Aeronautics Division identified system limitations with the AIR-Port Aircraft Registration module and decided to replace the module."

Prior findings revisited

Still a problem
"During our prior audit, we found that the Aeronautics Division had not documented and tested a business-continuity plan in conjunction with MassDOT IT to provide for the timely restoration of mission-critical and essential business functions."

More audits of this entity

Other Office of the State Auditor reports on Massachusetts Department of Transportation , including the prior audits referenced above.

See this entity's page with all 7 audits →