DiNapoli
Division of State Government Accountability
Disposal of Electronic Devices
State University of New York at Albany
Report 2012-S-40
September 2013
Executive Summary
Purpose
To determine if electronic devices being surplused by the State University of New York at Albany (University at Albany) through the Office of General Services (OGS) are permanently cleaned of all data, including personal, private and sensitive information. The audit covers the period of January 1, 2012 through May 26, 2012.
Background
The Office of Cyber Security policy requires all State entities to establish formal processes to address the risk that personal, private or sensitive information may be improperly disclosed. One way information can be compromised is through careless disposal of electronic devices. This policy also requires that all laptops containing, or with access to, State information must be encrypted. Agencies can dispose of electronic devices on their own; however, the OGS Surplus Unit provides this service for many State agencies. Agencies are required to remove all information prior to disposal and, if sending devices to OGS, to certify in writing that the devices no longer contain any retrievable information. The OGS Surplus Unit does not accept any responsibility for clearing the data from these devices. At the time of our audit, the University at Albany had 36 electronic devices ready for disposal through the OGS Surplus Unit.
Key Findings
Seven of the 36 computer hard drives readied for surplus still contained data, even though the University at Albany had provided OGS with certifications indicating all information had been removed. Two of these hard drives contained personal, private and/or sensitive information including social security numbers, dates of birth, home addresses and financial information. One of these two hard drives also contained potentially inappropriate photographs that could be considered offensive in the workplace. The other five hard drives also contained retrievable data that included resumes, personal vacation photos, research information and student term papers. One of the seven hard drives was taken from a laptop computer, which should have required more stringent security controls and been encrypted.
Key Recommendations
Reinforce policies and procedures to ensure that all information is removed from electronic devices prior to authorizing the equipment for surplus. Ensure that all data on laptop computers is encrypted.
Office of the State Comptroller
State of New York
Division of State Government Accountability

September 4, 2013

Dr. Robert J. Jones
President
State University of New York at Albany
1400 Washington Avenue
Albany, NY 12222

Dear Dr. Jones:

The Office of the State Comptroller is committed to helping State agencies, public authorities and local government agencies manage government resources efficiently and effectively and, by so doing, providing accountability for tax dollars spent to support government operations. The Comptroller oversees the fiscal affairs of State agencies, public authorities and local government agencies, as well as their compliance with relevant statutes and their observance of good business practices. This fiscal oversight is accomplished, in part, through our audits, which identify opportunities for improving operations. Audits can also identify strategies for reducing costs and strengthening controls that are intended to safeguard assets.

Following is a report of our audit entitled Disposal of Electronic Devices. This audit was performed according to the State Comptroller's authority under Article V, Section 1 of the State Constitution and Article II, Section 8 of the State Finance Law.

This audit's results and recommendations are resources for you to use in effectively managing your operations and in meeting the expectations of taxpayers. If you have any questions about this report, please feel free to contact us.

Respectfully submitted,
Table of Contents
Background
Audit Findings and Recommendations
Removal of Information
Recommendations
Audit Scope and Methodology
Authority
Reporting Requirements
Contributors to This Report
Agency Comments
State Government Accountability Contact Information:
Audit Director: John Buyce
Phone: (518) 474-3271
Email: StateGovernmentAccountability@osc.state.ny.us
Address: Office of the State Comptroller, Division of State Government Accountability, 110 State Street, 11th Floor, Albany, NY 12236
This report is also available on our website at: www.osc.state.ny.us
Background
In today's electronic age, unauthorized disclosure of personal, private and sensitive information has become an extremely high-risk area. Various laws and regulations, including the State Technology Law, impose strict requirements on organizations to properly safeguard the information they collect. In New York, the Office of Cyber Security policy requires all State entities to establish formal processes to address the risk that personal, private or sensitive information may be improperly disclosed through careless disposal or re-use of electronic devices. Personal computers, tablets and smart phones pose a particular concern because they can easily be returned to the manufacturer or sold to the public while still containing personally identifiable information. The policy therefore requires that all electronic media (i.e. hard drives and other memory components) in these devices be securely overwritten or physically destroyed to prevent the unauthorized disclosure of sensitive information. This policy also requires that all laptops containing, or with access to, State information must be encrypted.

Some organizations must also comply with additional provisions of laws applicable to their specific type of business. For example, the federal Gramm-Leach-Bliley Act imposes certain requirements on organizations that deal with individual financial services, including colleges and universities that participate in student loan programs. Organizations that deal with medical services, including student health clinics, must also comply with the privacy provisions of the Health Insurance Portability and Accountability Act.

Agencies can dispose of electronic devices on their own. However, the OGS Surplus Unit provides this service for many State agencies. The Surplus Unit does not always take physical custody of the equipment, but instead arranges for the sale or transfer directly by the owner agency.

The Surplus Unit does not assume responsibility for removing information from electronic devices or testing devices to ensure information has been removed. Instead, it requires each agency to remove all information and to certify, in writing, that they have done so prior to sending an item for disposal. Once an item is ready for surplus, the Surplus Unit will offer electronic devices for reuse to State agencies and public authorities, then to municipalities and then to school districts. If the items are not transferred to these entities, the Surplus Unit will make them available for sale to the public.
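The written certifications the Surplus Unit relies on were wrong for seven of the 36 drives in this audit, so a check that inspects the media itself, rather than a signed form, is the natural complement to the overwrite-or-destroy requirement above. The following is an added example written for this page; it is not the report's, OGS's or the University's procedure. It assumes the drive has already been imaged to a byte string (for instance with dd) and classifies every sector as blank (one repeated byte), random (high entropy, as a random-pattern overwrite or ciphertext would give) or surviving data, then runs a strings-style scan and a social security number pattern over whatever survived. The function names, thresholds, sample images and the SSN in them are constructed for the example.

```python
"""Check a drive image for retrievable data before certifying it for surplus.

Added example, not part of the audit report. Assumes the drive has already been
imaged to a file (for instance with dd) or read into memory; it inspects every
block rather than trusting a wipe tool's exit status."""
import hashlib
import math
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BLOCK_SIZE = 512
HIGH_ENTROPY = 7.0  # bits/byte; a random overwrite or ciphertext scores about 7.6 on 512-byte blocks
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")  # US SSN layout, the kind of leftover the audit found
TEXT_RUN_RE = re.compile(rb"[\x20-\x7e]{16,}")  # readable ASCII runs, what `strings` would show


def shannon_entropy(block: bytes) -> float:
    """Bits per byte over the block's byte histogram."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_block(block: bytes) -> str:
    """blank  : one repeated byte (0x00, 0xFF or a fixed overwrite pattern)
       random : high entropy, i.e. a random-pattern overwrite, or ciphertext/compressed data
       data   : anything else, i.e. file-system structure or content that survived"""
    if len(set(block)) == 1:
        return "blank"
    if shannon_entropy(block) >= HIGH_ENTROPY:
        return "random"
    return "data"


@dataclass
class WipeReport:
    blocks: Dict[str, int] = field(default_factory=lambda: {"blank": 0, "random": 0, "data": 0})
    first_data_block: Optional[int] = None
    ssn_hits: List[str] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)

    @property
    def retrievable(self) -> bool:
        """True if anything readable survived. A drive with only blank/random blocks passes,
        but random blocks can also be encrypted files, so the wipe method must be known too."""
        return self.blocks["data"] > 0 or bool(self.ssn_hits) or bool(self.strings)


def verify_image(image: bytes, block_size: int = BLOCK_SIZE) -> WipeReport:
    report = WipeReport()
    survivors = bytearray()  # data blocks kept in order, so a string across two sectors is still found
    for i in range(0, len(image), block_size):
        block = image[i:i + block_size]
        kind = classify_block(block)
        report.blocks[kind] += 1
        if kind == "data":
            survivors += block
            if report.first_data_block is None:
                report.first_data_block = i // block_size
    report.ssn_hits = [m.decode("ascii") for m in SSN_RE.findall(bytes(survivors))]
    report.strings = [m.decode("ascii") for m in TEXT_RUN_RE.findall(bytes(survivors))][:20]
    return report


def _pseudo_random(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for a random-pattern overwrite (constructed data, not a CSPRNG)."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed sample images; none of this is real drive content.
ZERO_WIPED = bytes(64 * BLOCK_SIZE)             # dd if=/dev/zero style overwrite
RANDOM_WIPED = _pseudo_random(64 * BLOCK_SIZE)  # random-pattern overwrite
# "Deleted" but never overwritten: zeros except for one sector still holding a
# spreadsheet export with a made-up SSN and date of birth.
_LEFTOVER = (b"Name,SSN,DOB,Address\r\n"
             b"Jane Doe,123-45-6789,1970-01-01,1 Main St Albany NY\r\n").ljust(BLOCK_SIZE, b"\x00")
PARTIALLY_WIPED = ZERO_WIPED[:10 * BLOCK_SIZE] + _LEFTOVER + ZERO_WIPED[11 * BLOCK_SIZE:]


if __name__ == "__main__":
    for name, image in [("zero-wiped", ZERO_WIPED), ("random-wiped", RANDOM_WIPED),
                        ("partially-wiped", PARTIALLY_WIPED)]:
        r = verify_image(image)
        verdict = "DO NOT CERTIFY" if r.retrievable else "no readable data found"
        print(f"{name:16} blocks={r.blocks} first_data_block={r.first_data_block} -> {verdict}")
        for s in r.strings:
            print("   ", s)
```

A drive that passes shows only blank and random blocks and no strings. A single data block, as in the partially wiped sample, is enough to withhold the certification, which is the decision the signed forms in this audit got wrong. Two caveats apply: random blocks look the same whether they are a random-pattern overwrite or encrypted or compressed user files, so a high-entropy result only confirms a wipe when the wipe method is known to write random data; and the check only covers sectors the host can read, so physical destruction, as the policy also allows, remains the right choice for media whose spare areas cannot be imaged.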
Recommendations
1. Reinforce policies and procedures to ensure that all information is removed from electronic devices prior to authorizing the equipment for surplus.
2. Ensure that all data on laptop computers is encrypted.
Authority
This audit was done according to the State Comptroller's authority as set forth in Article V, Section 1 of the State Constitution and Article II, Section 8 of the State Finance Law.
Reporting Requirements
A draft copy of this report was provided to State University of New York at Albany officials for their review and comment. Officials agreed with our recommendations and reported having already taken steps to implement them. A copy of their response is included at the end of this report. Within 90 days after final release of this report, as required by Section 170 of the Executive Law, the President of the State University of New York at Albany shall report to the Governor, the State Comptroller, and the leaders of the Legislature and fiscal committees, advising what steps were taken to implement the recommendations contained herein, and where the recommendations were not implemented, the reasons why.
Agency Comments