An Audit Report on the Department of Information Resources and Security of the State's Data Centers
April 2008
Report Number 08-030
Overall Conclusion
The two largest data centers involved in the Department of Information Resources' (Department) state data center consolidation project have control environments capable of protecting state agency systems and safeguarding confidential state data to meet all state and federal requirements. These two data centers--the Austin Data Center and the San Angelo Data Center--are considered the primary data centers and will eventually house the data and systems of the 27 agencies involved in the data center consolidation project. Team for Texas, a group of firms with a $145 million annual contract with the Department, selected the Austin Data Center and the San Angelo Data Center as the final locations for all consolidated data center services.
As of January 2008, only one agency's systems and data had been consolidated; the systems and data of the remaining 26 agencies involved in the data center consolidation project had not been fully consolidated at either of the two primary data centers.
Auditors identified weaknesses in controls at smaller data centers that are involved in the data center consolidation project. For example:
- Reviews of the logs of physical access to server rooms at the Winters Data Center in Austin are incomplete. This may prevent compliance with the U.S. Internal Revenue Service's guidelines for protecting federal tax information.
- The processes and procedures at the Winters Data Center for erasing confidential data from tape media are inadequate. Documented processes and procedures are required by the U.S. Health Insurance Portability and Accountability Act (HIPAA).
- A State Fire Marshal inspection of the fire suppression and alarm systems at the Winters Data Center could not confirm that these systems were functional.
- Key card readers at the Winters Data Center and the Network Security Operations Center are not installed or are not functioning properly for some doors to server rooms. This increases the risk of unauthorized physical access to agency servers and data in those server rooms.
Team for Texas also manages the data centers currently located at individual agencies. However, Team for Texas has addressed only certain aspects of security at agency data centers and continues to rely on pre-existing agency processes and physical security at agency data centers for other critical aspects until agency systems are consolidated at one of the primary data centers. As a result, security risks that existed at agency data centers prior to the data center consolidation project will continue to exist until those risks are addressed or until agencies' systems are consolidated into one of the primary data centers.
In addition, Team for Texas has not maintained current disaster recovery plans for each data center. Its contract with the Department does not require Team for Texas to prepare a final disaster recovery plan for the primary data centers until three months after the first agency goes through the consolidation process at one of the primary state data centers. Team for Texas has collected 17 existing agency disaster recovery plans and developed new disaster recovery plans for 6 agencies. Until all agency disaster recovery plans are developed and updated for the current environment, agencies could lose the ability to conduct business if their disaster recovery plans are not adequate.