Audit criticizes state high-tech office
By Bill Cotterell
Date: September 20, 2003
Although the state runs TV commercials warning Floridians about identity theft and computer crime, its $600 million high-tech center failed to run background checks on employees or take their fingerprints as required by law, an audit released Friday showed.
Auditor General Bill Monroe's study of the State Technology Office also said the agency failed to use proper business practices in arranging a $2.8 million consulting deal. Moreover, he said, the STO - the cornerstone of Gov. Jeb Bush's efforts to consolidate and streamline the state's computer operations - failed to work out formal service agreements with the state agencies it serves.
Although it was critical, Monroe's performance review was not as scathing as former state Comptroller Bob Milligan's May 2002 audit of the STO. Milligan made 28 allegations of mismanagement, conflicts of interest, purchasing irregularities and legal violations.
State Technology Officer Kim Bahrami concurred with Monroe's recommendations for improving operations in the massive computer center. She said most of the irregularities were already corrected and that other discrepancies are being resolved.
Monroe said the state enlisted Gartner Group Consultation Services in 1997 and its contract was amended in 2001 to add security reviews by TruSecure Corp. The audit said a $2.3 million purchase order was issued to Gartner in mid-2001 and added another $500,000 in December of that year to add services for some executive and legislative agencies.
"No documentation existed to demonstrate that a competitive procurement process was used or to support why a competitive procurement process was not used in the acquisition of certain contractual services," Monroe reported.
He said the STO purchase order with Gartner "did not contain details of the scope of work to be performed" but that an unsigned business proposal submitted by Gartner in May 2001 did have those details.
He also said the STO had no service agreement with the Department of Education or Agency for Workforce Innovation for IT services in 2001 and 2002. Monroe said DOE signed an agreement last January and one was being worked out with AWI but had not been filed by last May, when the audit period ended.
Bahrami said she now has written service agreements with the departments of Community Affairs, Elder Affairs, Financial Services, Revenue, Environment and the State Board of Administration. She said the STO is now negotiating with eight more state agencies.
Bahrami, who took over the technology office Aug. 31, 2001, said each of the cited problems was being addressed or had been fixed during or after the audit period.
Security issues raised
Monroe also faulted the office for not designating a chief privacy officer, in accordance with Florida law, to review "state agencies' policies, laws, rules and practices which may affect the privacy concerns of state residents," he wrote.
Similarly, he said, the technology office had not designated an information-security manager, did not have "a written enterprise IT security plan" and had not implemented security rules "for entities that use the STO's Enterprise Network...as required by Florida law."
Bahrami said the STO is developing security rules and "has formally assigned" both a CPO and an information-security manager.
"The agency has prioritized background checks for the special-trust employees at the STO," she told Monroe. "Currently, background checks have been performed on security office staff designated as employees of special trust."
She said the technology office has also developed a "disaster recovery plan" to get state agencies up and running after a hurricane, terrorist attack or other massive failure.
Technology office spokeswoman Carla Gaskin said it was important to note that Monroe's report covered most of 2001 and all of 2002, including some activities early this year.
"We appreciate the insight and recommendations," she said. "We're working to assure that we have a resilient and secure network."
^macro[showdigestcomments;^uri;Audit criticizes state high-tech office;]