Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

The Department of Transportation's Office of Information Technology's Activities Relating to the Registry of Motor Vehicles

July 20, 2011 · Massachusetts Department of Transportation · Read the full official report (PDF) ↗ · official site ↗

Published July 20, 2011 Audit covers July 1, 2009 – October 31, 2010 Under Suzanne M. Bump · 2011–2023

In plain English
The audit found MassDOT’s IT office handled RMV system changes properly, but needed stronger controls over who could access RMV systems and data.
source
“However, as addressed in the Audit Results section of this report, we found that OIT’s controls over logical access security needed to be enhanced to provide reasonable assurance that only authorized users would have access to MassDOT/RMV applications.”
Read the plain-English breakdown
What is this?

This is a 2011 Massachusetts State Auditor report reviewing MassDOT IT work related to the Registry of Motor Vehicles.

“In accordance with Chapter 11, Section 12, of the Massachusetts General Laws, we performed an evaluation of MassDOT’s OIT’s general information technology controls at RMV.”
Why was it audited?

Auditors checked whether RMV computer system changes were controlled and whether access to sensitive RMV data was protected.

“Our primary audit objective was to determine whether adequate controls were in place to provide reasonable assurance that OIT controls over program changes to the RMV’s application systems were in place and in effect to process all requests (including maintenance and patches) for changes to application systems in a standardized and controlled manner.”
Why it matters

Weak access controls could let unauthorized people see, change, delete, or disclose sensitive RMV information.

“The absence of adequate controls over logical access security may place critical and personally identifiable information at risk by allowing unauthorized users to modify, delete, or disclose sensitive information.”
What's in it for me?

If you have a Massachusetts license or vehicle registration, the RMV system holds records about you, so access controls affect the protection of your personal information.

“ALARS is used to maintain all records for Massachusetts-licensed drivers, including licenses, registrations, criminal and civil citations, inspection stickers, and various miscellaneous fees.”
The bottom line

The main problem was that some old or generic accounts were still active or not clearly tied to authorized users.

“Our audit tests revealed that of the 1,409 active user accounts, 365 (26%) were no longer associated with MassDOT/RMV.”
What happens next

MassDOT said it would review the questionable accounts, deactivate accounts as needed, and put formal review procedures in place.

“Following this review, all subsequent account deactivations will be completed by April 29, 2011; this will address both user and generic accounts.”
Why it's significant

The report matters because RMV systems handle sensitive transactions, including money and license suspensions or revocations.

“For example, areas of significant impact would include the handling of ALARS transactions that involve the exchange of cash and the suspension/revocation of licenses.”
Jargon, unpacked

“Logical access controls” means the rules and technical safeguards that stop unauthorized people from getting into computer systems or data.

“Logical access controls are controls designed to protect computer resources from unauthorized modification, loss, or disclosure, specifically those controls that prevent or detect unauthorized access to sensitive data and programs that are stored or transmitted electronically.”

What the Auditor checked

What the Auditor found

Logical access security controls did not adequately ensure that only authorized users had access to MassDOT/RMV systems and data.
cybersecuritydata privacyinternal controls

Why it matters: Unauthorized users could modify, delete, or disclose sensitive information, including critical and personally identifiable information.

Standard: Control Objectives for Information and Related Technology (CobiT version 4.1) and formal enterprise-wide logical access security policies and procedures. ( Chapter 11, Section 12, of the Massachusetts General Laws; Control Objectives for Information and Related Technology (CobiT version 4.1) )

5 recommendations
  • Strengthen access security controls so unauthorized users’ access privileges are deactivated or modified when access is no longer required.agency: agreed
  • Implement formal notification procedures for human resources or department management to notify OIT of changes in employee status.agency: agreed
  • Periodically review generic user accounts and deactivate them when appropriate.agency: agreed
  • Complete review of the 152 user accounts and 12 generic accounts requiring further investigation.agency: agreed
  • Complete enterprise-wide policies and procedures for all IT security initiatives.agency: agreed
Agency response & Auditor reply
Agency: "This audit has uncovered a few areas where we can improve our security and it is our goal to meet the recommendations outlined by the State Auditor’s team in this report."

More audits of this entity

Other Office of the State Auditor reports on Massachusetts Department of Transportation .

See this entity's page with all 7 audits →