Recently, we discussed the official report of the Oregon Secretary of State’s audit (the “Report”) of the Oregon Liquor Control Commission’s (“OLCC”) information technology systems, related to Oregon’s recreational cannabis industry. In our previous post on the topic, we discussed findings and recommendations relating specifically to the OLCC’s Marijuana Licensing System (MLS) and the separate Cannabis Tracking System (CTS), and whether the OLCC has sufficient technical controls in place to ensure that the MLS and CTS support effective regulation of the recreational cannabis industry. Today we are going to look at the OLCC’s general information technology (IT) security concerns and disaster recovery procedures, and whether the OLCC has implemented sufficient security procedures to protect against known technical and physical threats.
The Report first lays out two “key findings” in this area:
- The “OLCC has not implemented an effective IT security management program for the agency as a whole.”
- The “OLCC has not formally developed a disaster recovery plan and has not tested backup files to ensure they can be used to restore mission-critical applications and data.”
Digging deeper, the Report paints a bit of a grim picture of the OLCC’s IT capabilities:
[W]e found that OLCC management has not implemented an appropriate security management program for all agency IT systems. OLCC does not have sufficient policies, procedures, and plans in place to ensure that computer resources are protected against known vulnerabilities and physical threats. Although this does not affect the externally hosted marijuana applications, other programs and administrative systems at OLCC may be at risk. – The Report
According to the Report, the OLCC currently does not have an up-to-date security plan, doesn’t adequately track its IT assets, doesn’t have a process to monitor for unauthorized changes or devices, cannot identify security vulnerabilities, lacks sufficient controls for physical access to OLCC sites and resources, and generally has servers and devices running on outdated platforms. None of that sounds very good.
Additionally, the Report observes that the OLCC hasn’t developed an adequate recovery plan in the event of a system-wide failure. To be fair, the OLCC backs up its data, but it hasn’t tested whether those backups can actually be used to restore systems, so there is no way of knowing whether the established backup protocol will even work.
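The point the auditors make about untested backups is easy to illustrate: a backup only counts once it has been restored somewhere and the restored files have been checked against what was backed up. The script below is an added example written for this post; it is not code from the Report, the OLCC, or the auditors. It builds a small set of constructed sample files, archives them, restores the archive into a scratch directory, and compares SHA-256 hashes against the manifest recorded at backup time. It also shows that a damaged (truncated) archive is reported as a failed restore rather than an unhandled crash, which is exactly the situation an untested backup protocol would hide until the day it is needed. File names, paths and contents are all hypothetical.

```python
"""Backup restore test: prove a backup can actually be restored.

Added example (not from the Report or the OLCC). All paths and sample
files are constructed here so the script runs offline.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups don't need RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map every file under root (by relative path) to its SHA-256."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(src: Path, archive: Path) -> dict:
    """Archive src into a .tar.gz and return the manifest recorded at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest(src)


def verify_backup(archive: Path, expected: dict) -> dict:
    """Restore the archive into a scratch directory and compare it to the manifest.

    'ok' is True only when every expected file is restored with an identical
    hash. An archive that cannot be opened or fully read (corrupt, truncated)
    is reported as a failure instead of raising.
    """
    # The 'data' extraction filter (Python 3.12+, and backports) refuses
    # absolute paths and path traversal inside the archive; fall back when
    # the running interpreter predates it.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **extract_kwargs)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return {"ok": False, "error": f"restore failed: {exc}",
                    "missing": [], "mismatched": []}
        restored = manifest(Path(scratch))
    missing = [f for f in expected if f not in restored]
    mismatched = [f for f in expected if f in restored and restored[f] != expected[f]]
    return {"ok": not missing and not mismatched, "error": None,
            "missing": missing, "mismatched": mismatched}


def demo() -> tuple:
    """Constructed scenario: an intact backup passes, a truncated copy fails.

    Returns (intact_ok, files_in_manifest, damaged_ok).
    """
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        data = work / "data"                      # hypothetical application data
        (data / "licensing").mkdir(parents=True)
        (data / "licensing" / "licenses.db").write_bytes(
            b"constructed sample database row\n" * 100)
        (data / "config.ini").write_text("[app]\nmode=prod\n")

        archive = work / "nightly.tar.gz"
        expected = make_backup(data, archive)
        intact = verify_backup(archive, expected)

        # Simulate a damaged backup: keep only the first half of the bytes.
        damaged = work / "damaged.tar.gz"
        damaged.write_bytes(archive.read_bytes()[: archive.stat().st_size // 2])
        broken = verify_backup(damaged, expected)

    return intact["ok"], len(expected), broken["ok"]


if __name__ == "__main__":
    intact_ok, n_files, damaged_ok = demo()
    print(f"intact backup restores cleanly: {intact_ok} ({n_files} files checked)")
    print(f"truncated backup restores cleanly: {damaged_ok}")
```

The manifest is recorded when the backup is taken, not when it is restored, so a silently corrupted archive cannot vouch for itself; a scheduled job that runs `verify_backup` against the latest archive and alerts on `ok == False` is the minimum that turns "we back up our data" into "we know our backups restore."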
All of these problems come back to the core issue we identified in the prior post: the OLCC is drastically underfunded for its mission. Fixing these problems will take expertise and resources that historically haven’t been dedicated to the agency. The agency’s response to the Report (the “Response”) highlights this issue. As with the CTS and MLS issues, the Response acknowledges these general IT security problems, and notes that the agency is seeking additional funding from the legislature to address the Report’s concerns.
The shortcomings of OLCC’s overall IT security are not particularly surprising as OLCC continues to rely on legacy systems and generally has not modernized its agency-wide systems at the same pace as the rest of state government . . . The IT security auditor’s findings reflect a symptom of a general lack of management proficiency and capacity to maintain a focus on state requirements and practices. – The Response
In relation to these concerns, the OLCC has requested “$400,000 to replace unsupported servers and switches; and, position authority for a [Chief Information Officer] ($197,000).” Our contacts at the OLCC suggest that the legislature fulfilled this request, but we haven’t yet received official notice. In our view, the OLCC has done a commendable job in its regulation of Oregon’s recreational cannabis market over the past few years, but with so much happening on so many fronts, the agency could use additional resources. Fingers crossed.