In what will be one of the last audits he will present to the county before a new auditor is sworn in next year, Washington County Auditor John Hutzler said the county’s information security contains “concerning deficiencies.”
Presenting the findings of a 2021 audit his office conducted to the Board of Commissioners on Tuesday, Dec. 6, Hutzler said that significant problems with the county’s information security management were discovered during the audit.
“At the time of our fieldwork, we found concerning deficiencies in County information security management and serious deficiencies in the implementation of CIS Basic Controls,” the auditor’s report states.
However, Hutzler didn’t go into much detail about the issues his audit identified, purportedly out of caution to exposing the county to greater cyber risks.
Hutzler did say that the audit was based on the “six Basic Controls identified by the Center for Internet Security (CIS) Controls,” a best-practices framework created by a national community of IT experts.
Hutzler said that, while he couldn’t go into further detail, the audit laid out five recommendations for actions the county should take to improve its IT security:
- The county should formally establish and authorize the Information Technology Services (ITS) department’s role and responsibilities as the centralized technology service provider, serving all Washington County agencies.
- The county administrator should submit a new policy to the Board of Commissioners for approval, which establishes an information security governance framework for the county. This would include a steering committee of appropriate stakeholders to provide oversight of the program.
- The administrator should implement the framework by assigning a qualified information security officer (ISO) with sufficient staff, budget, authority and independence to effectively implement information security.
- The ISO and steering committee should propose policies and procedures for adoptions by the board of commissioners or administrator.
- The ISO should implement an IT security program that uses industry-accepted methods to continuously assess and address technology risks, including the deficiencies identified in this review.
Hutzler took the unusual step of highlighting the audit findings in an email shared with local media and Intel Corp., Washington County's largest private employer, on Thursday, Dec. 8.
There has been tension between Hutzler, who lost his reelection bid in May, and other top county officials for months.
A day before Hutzler’s audit was finalized, County Administrator Tanya Ange submitted a management report disputing some of the audit’s findings. She said the audit did “not accurately reflect the current state” of the county’s IT security risk, since it was based on data collected a year and a half ago.
“IT Services continues to keep the County safe and secure using best practices, reasonable industry standard measures, and realistic security goals based on our actual current state to counter the ever-increasing threats,” Ange said in her response.
Hutzler himself noted that, at the same time this audit began in 2020, the county’s ITS department began updating its systems and looking for a new IT security framework to operate under.
He noted also that the ITS department had already been working to address some of the issues found in this audit long before it was presented to the board.
However, Hutzler said the report was "significantly delayed" because of “interference from outside the county auditor’s office,” which contributed to some of the elements of the audit being outdated.
In particular, he said that the lead auditor assigned to this review transferred to another county department while the audit was underway, and she took with her “confidential documents” that were required for the audit to be finished.
“She took with her the confidential working papers of this project, with the understanding that she would be able to complete her draft report without interference from her new boss,” Hutzler said at the Dec. 6 presentation. “That proved not to be the case. It took me seven months and the intervention of an attorney to regain control of those files so that I could complete the project.”
Further details on what these documents were or why Hutzler had to get an attorney involved could not be obtained in time for this report on Friday, Dec. 9.
In his email to media Thursday, Hutzler indicated that the documents were restored to him "under threat of litigation" from the auditor.
"I can only hope that County Administration took advantage of its delay to address the serious deficiencies we found during our 2021 examination," Hutzler stated in Thursday's email.
Ange responded in her management report to the audit that the county would be implementing the recommended steps outlined in the audit.
She gave the rough timeline of next spring for implementing the first three steps, with the last two coming sometime in August and November, respectively.
Hutzler, who has been the county auditor since 2011 and sought his fourth consecutive term this May, lost his reelection bid to Kristine Adams-Wannberg, a senior auditor from his office.