An audit was released by Secretary of State Dennis Richardson that found the Public Employees Retirement System, or PERS, struggles to proactively manage IT resources or projects and is failing to protect its critical Information Technology (IT) systems from a disaster.
Auditors found that PERS management has not developed long-term disaster recovery plans and that existing short-term plans have never been fully tested. As a result, should a disaster strike, PERS may be unable to issue almost $400 million in monthly payments and associated tax withholdings. Auditors also found that insufficient IT strategic planning has contributed to the mismanagement of other PERS initiatives, such as implementing a disaster recovery program as outlined in the PERS 2015-2020 Strategic Plan. For years, PERS has identified needed improvements for the agency’s disaster recovery program, but PERS has made little progress and failed to even use most of the money approved by the legislature to address these very issues.
The findings are outlined in the audit report entitled: “Severe Deficiencies in Disaster Recovery Program and Insufficient Information Technology Planning Pose Substantial Risks to Beneficiaries and the State.”
“Given that PERS issues billions of dollars of payments each year, the agency should be prepared to weather disasters,” said Secretary of State Dennis Richardson. “Unfortunately, we found that PERS has not taken the necessary steps to ensure they can restore critical IT systems in the event of a disaster.”
“It is good that PERS has a short-term strategy,” said Audits Director Kip Memmott. “But until plans are fully developed and tested, thousands of beneficiaries are at risk of not being paid their monthly benefits should a disaster occur.”
In addition to the audit, the team conducted a cybersecurity assessment of the agency’s IT security management and five foundational security controls: hardware inventory, software inventory, secure configurations, vulnerability assessments, and access management. The assessment found opportunities to improve the agency’s overall IT security management program as well as all five foundational controls. Due to the state’s move to a unified cybersecurity approach with the 2017 passage of Senate Bill 90, PERS needs to work with the Office of the State Chief Information Officer, where appropriate, to ensure the security of its computer systems and information.
Auditors made ten recommendations to PERS to implement improved IT strategic planning and to take immediate action to remedy weaknesses in its disaster recovery plans. In addition, auditors made six recommendations to PERS and the Office of the State Chief Information Officer to improve cybersecurity controls.
Kevin Olineck, Director of PERS, says following the audit they tested a short term back up where the Oregon Treasurer’s Office ran a set of payments in the even of a problem.
They hired a consultant to help develop a remote facility where work could be done if there was a problem with their main building and a way to store a data backup on a remote computer system that wouldn’t be affected by a disaster in our region.
Olineck says they also have protections in place to prevent hackers from accessing the data.