Massachusetts Department of Transportation Aeronautics Division
August 18, 2017 · Massachusetts Department of Transportation · Read the full official report (PDF) ↗ · official site ↗
source
“The Aeronautics Division had deficiencies in information technology (IT) general controls over its Airport Information Resource Portal (Air-PORT) application system2 and its business operations.”
Read the plain-English breakdown
This is a State Auditor review of selected IT operations and aircraft registration controls at MassDOT’s Aeronautics Division for roughly July 2014 through December 2015, with some testing extended into 2016.
“In this audit, we reviewed certain IT general controls over the Aeronautics Division’s Airport Information Resource Portal (Air-PORT) application that were related to IT project management, IT governance, and logical access security.”
Auditors checked whether the division had proper controls over its main Air-PORT system, user access, business continuity, security training, and aircraft registration revenue.
“We also followed up on the issues identified in our previous audit of the Aeronautics Division (No. 2008-0044-4T) regarding the implementation of controls related to aircraft registrations and the revenue generated.”
These weaknesses could put government data and systems at risk, disrupt operations, and affect whether aircraft registration fees are properly billed and collected.
“The deficiencies could have compromised the integrity, availability, and confidentiality of the Aeronautics Division’s information.”
For an ordinary resident, this matters because weak records and IT controls can waste public money, reduce accountability, and leave aviation-related fees or safety-related information poorly tracked.
“This would result in a significant waste of staff resources and of the more than $600,000 that was spent in developing Air-PORT.”
The division’s main IT system did not fully meet business needs, access controls were weak, backup planning was incomplete, employees lacked required security training, and aircraft registration data was not reliable enough.
“Further, Aeronautics Division and Massachusetts Department of Transportation (MassDOT) IT management told us that Air-PORT, as developed, does not fully meet the Aeronautics Division’s business needs and may need to be replaced.”
The Auditor recommended better IT project staffing, clearer requirements, stronger vendor and user-access reviews, a tested business-continuity plan, annual security training, and stronger aircraft-reporting and reconciliation procedures.
“The Aeronautics Division should ensure that all future IT projects are staffed with personnel with expertise in IT project management.”
The report is significant because the problems were broad: they involved IT security, disaster planning, access permissions, contractor oversight, and the accuracy of aircraft registration records used for billing and management decisions.
“As a result, Air-PORT could not be updated and the number and type of commercial aircraft based at airports supported by the Aeronautics Division were not properly accounted for, which could affect the division’s ability to make informed business decisions.”
Air-PORT is the division’s web-based system for airport information, projects, grants, aircraft registrations, and related data.
“According to Air-PORT’s user manual, Air-PORT is a “web-based application . . . [that] facilitates the management of facility information, projects and grants, and other activity data across the MassDOT system, and . . . supports cloud data storage and retrieval.””
3 figure(s) pending source verification - not shown
What the Auditor checked
- Did not comply Has the Aeronautics Division established adequate ITGCs to support its mission-critical and essential application system over IT project management, including contracts and service-level agreements?
- Did not comply Has the Aeronautics Division established adequate ITGCs to support its mission-critical and essential application system over logical access security, including user account management?
- Did not comply Has the Aeronautics Division established adequate ITGCs to support its mission-critical and essential application system over IT governance, including IT policies and procedures, new employee acknowledgment forms, and employee security-awareness training?
- Did not comply Has the Aeronautics Division established adequate ITGCs to support its mission-critical and essential application system over business continuity?
- Did not comply Has the Aeronautics Division implemented adequate controls regarding the registration process for aircraft under its jurisdiction and the revenue the division generated for calendar year 2015?
What the Auditor found
Why it matters: Air-PORT did not meet business needs and may need to be replaced, wasting staff resources and more than $600,000 spent developing it.
Standard: COBIT 4.1, Section AI.2 ( Section AI.2 of Control Objectives for Information and Related Technology (COBIT) 4.1 )
2 recommendations
- The Aeronautics Division should ensure that all future IT projects are staffed with personnel with expertise in IT project management and should have detailed business and technical application requirements.agency: agreed
- MassDOT should amend its Software Development & Maintenance Policy to require MassDOT IT involvement for Aeronautics Division-managed IT projects that MassDOT IT can administer.agency: agreed
Agency response & Auditor reply
Agency: "The Aurigo Masterworks IT project was procured after the completion of a detailed analysis and documentation of business and technical application requirements."
Why it matters: The division could be unaware of weaknesses at the service provider's data center that could compromise the integrity and availability of MassDOT information.
Standard: COBIT 4.1, Section DS2 ( Section DS2 of COBIT 4.1 )
1 recommendation
- The Aeronautics Division should establish business requirements and a process to periodically review the effectiveness of its third-party service providers' security measures.agency: agreed
Agency response & Auditor reply
Agency: "The Aeronautics Division will adhere to the MassDOT Data Security policies and procedures for compliance of third-party service provider (TPSP) security reviews."
Why it matters: Air-PORT was vulnerable to alteration of information that could affect business operations.
Standard: MassDOT information security program, Section 3.1.1.2.7.4 ( Section 3.1.1.2.7.4 of MassDOT's information security program )
1 recommendation
- The Aeronautics Division should remove external consultants' accounts and test accounts from Air-PORT, and MassDOT should establish a process to review Air-PORT user accounts for business need.agency: agreed
Agency response & Auditor reply
Agency: "The Aeronautics Division has deleted all external users of AIR-Port."
Why it matters: The division had not assessed its ability to sustain operations during a business interruption, which could lead to loss or breach of data or interrupted business.
Standard: Enterprise Business Continuity for IT Management Policy ( Enterprise Business Continuity for IT Management Policy )
1 recommendation
- The Aeronautics Division, with MassDOT IT, should develop, document, and test a business-continuity plan in accordance with the Enterprise Business Continuity for IT Management Policy.agency: agreed
Agency response & Auditor reply
Agency: "The MassDOT Business Continuity Plan (BCP) is currently under development, including many related policies and procedures."
Why it matters: The lack of training created a higher-than-acceptable risk of inappropriate and unauthorized disclosure of division information.
Standard: Executive Order 504, Section 6; MassDOT information security program ( Section 6 of Executive Order 504; MassDOT's information security program )
1 recommendation
- The Aeronautics Division should ensure that all employees receive security-awareness training upon hire and annually.agency: agreed
Why it matters: Air-PORT could not be updated, aircraft may not have been accounted for, and the division could have lost registration-fee revenue that could address security and public safety risks.
Standard: 702 CMR 5.08(3)(f) and 702 CMR 5.09 ( Section 5.08(3)(f) of Title 702 of the Code of Massachusetts Regulations; 702 CMR 5.09 )
1 recommendation
- The Aeronautics Division should establish formal policies and procedures to ensure airport managers' reports are received twice a year, including report format, follow-up, and penalties.agency: agreed
Agency response & Auditor reply
Agency: "Management concurs with the auditors’ comments, and the following action will be taken to improve the situation."
Why it matters: Because many records lacked registration status or contained other errors, the division could not verify that all aircraft were registered and all fees were billed and collected in 2015.
Standard: COBIT 4.1, Section ME2
1 recommendation
- The Aeronautics Division should periodically report to management on aircraft without registration status or with data-entry errors, reconcile MMARS and Air-PORT fee amounts, and ensure all aircraft in airport managers' reports are in Air-PORT.agency: agreed
Agency response & Auditor reply
Agency: "The Aeronautics Division identified system limitations with the AIR-Port Aircraft Registration module and decided to replace the module."
Prior findings revisited
"During our prior audit, we found that the Aeronautics Division had not documented and tested a business-continuity plan in conjunction with MassDOT IT to provide for the timely restoration of mission-critical and essential business functions."
More audits of this entity
Other Office of the State Auditor reports on Massachusetts Department of Transportation , including the prior audits referenced above.
-
Audit of the Massachusetts Department of Transportation - Millbury Roadway Reconstruction and Related Work (Contract 86774)State Agency / Office · October 19, 2021 -
Close-out of Agencies and Authorities combined into the Massachusetts Department of TransportationState Agency / Office · October 18, 2012 -
Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies - Massachusetts Department of TransportationState Agency / Office · November 8, 2024 -
Audit of the Massachusetts Department of Transportation Aeronautics DivisionState Agency / Office · June 30, 2022 -
The Department of Transportation's Office of Information Technology's Activities Relating to the Registry of Motor VehiclesState Agency / Office · July 20, 2011 -
Massachusetts Department of Transportation Use of Consultants and Contract EmployeesState Agency / Office · January 9, 2014