The Department of Transportation's Office of Information Technology's Activities Relating to the Registry of Motor Vehicles
July 20, 2011 · Massachusetts Department of Transportation · Read the full official report (PDF) ↗ · official site ↗
source
“However, as addressed in the Audit Results section of this report, we found that OIT’s controls over logical access security needed to be enhanced to provide reasonable assurance that only authorized users would have access to MassDOT/RMV applications.”
Read the plain-English breakdown
This is a 2011 Massachusetts State Auditor report reviewing MassDOT IT work related to the Registry of Motor Vehicles.
“In accordance with Chapter 11, Section 12, of the Massachusetts General Laws, we performed an evaluation of MassDOT’s OIT’s general information technology controls at RMV.”
Auditors checked whether RMV computer system changes were controlled and whether access to sensitive RMV data was protected.
“Our primary audit objective was to determine whether adequate controls were in place to provide reasonable assurance that OIT controls over program changes to the RMV’s application systems were in place and in effect to process all requests (including maintenance and patches) for changes to application systems in a standardized and controlled manner.”
Weak access controls could let unauthorized people see, change, delete, or disclose sensitive RMV information.
“The absence of adequate controls over logical access security may place critical and personally identifiable information at risk by allowing unauthorized users to modify, delete, or disclose sensitive information.”
If you have a Massachusetts license or vehicle registration, the RMV system holds records about you, so access controls affect the protection of your personal information.
“ALARS is used to maintain all records for Massachusetts-licensed drivers, including licenses, registrations, criminal and civil citations, inspection stickers, and various miscellaneous fees.”
The main problem was that some old or generic accounts were still active or not clearly tied to authorized users.
“Our audit tests revealed that of the 1,409 active user accounts, 365 (26%) were no longer associated with MassDOT/RMV.”
MassDOT said it would review the questionable accounts, deactivate accounts as needed, and put formal review procedures in place.
“Following this review, all subsequent account deactivations will be completed by April 29, 2011; this will address both user and generic accounts.”
The report matters because RMV systems handle sensitive transactions, including money and license suspensions or revocations.
“For example, areas of significant impact would include the handling of ALARS transactions that involve the exchange of cash and the suspension/revocation of licenses.”
“Logical access controls” means the rules and technical safeguards that stop unauthorized people from getting into computer systems or data.
“Logical access controls are controls designed to protect computer resources from unauthorized modification, loss, or disclosure, specifically those controls that prevent or detect unauthorized access to sensitive data and programs that are stored or transmitted electronically.”
What the Auditor checked
- Partially Assess the adequacy of controls in place to protect the integrity and confidentiality of data within ALARS.
What the Auditor found
Why it matters: Unauthorized users could modify, delete, or disclose sensitive information, including critical and personally identifiable information.
Standard: Control Objectives for Information and Related Technology (CobiT version 4.1) and formal enterprise-wide logical access security policies and procedures. ( Chapter 11, Section 12, of the Massachusetts General Laws; Control Objectives for Information and Related Technology (CobiT version 4.1) )
5 recommendations
- Strengthen access security controls so unauthorized users’ access privileges are deactivated or modified when access is no longer required.agency: agreed
- Implement formal notification procedures for human resources or department management to notify OIT of changes in employee status.agency: agreed
- Periodically review generic user accounts and deactivate them when appropriate.agency: agreed
- Complete review of the 152 user accounts and 12 generic accounts requiring further investigation.agency: agreed
- Complete enterprise-wide policies and procedures for all IT security initiatives.agency: agreed
Agency response & Auditor reply
Agency: "This audit has uncovered a few areas where we can improve our security and it is our goal to meet the recommendations outlined by the State Auditor’s team in this report."
More audits of this entity
Other Office of the State Auditor reports on Massachusetts Department of Transportation .
-
Audit of the Massachusetts Department of Transportation - Millbury Roadway Reconstruction and Related Work (Contract 86774)State Agency / Office · October 19, 2021 -
Close-out of Agencies and Authorities combined into the Massachusetts Department of TransportationState Agency / Office · October 18, 2012 -
Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies - Massachusetts Department of TransportationState Agency / Office · November 8, 2024 -
Audit of the Massachusetts Department of Transportation Aeronautics DivisionState Agency / Office · June 30, 2022 -
Massachusetts Department of Transportation Use of Consultants and Contract EmployeesState Agency / Office · January 9, 2014 -
Massachusetts Department of Transportation Aeronautics DivisionState Agency / Office · August 18, 2017