It’s been more than a week since a computer security blogger first pointed out that the Oklahoma Department of Corrections’ Sex Offender Registry had a few security flaws, to put it charitably.
The Oklahoman’s Julie Bisbee followed up on the blog post last Wednesday, with assurances from the department’s spokesman that all the problems had been fixed.
But the finger-pointing continues in the comments section of the original blog. Judging by a few of the comments, several people who worked (or still work) in IT for the department are blaming their managers and the department in general:
In the spring of 2001 work on the Sex Offender Registry, a federally mandated and funded project, was begun. The rules in place at the time did not allow DOC to hire staff to build the system, so they outsourced the job to a less-than-entirely-legitimate consulting firm. The contract programmer who wrote the SOR had never worked in the development environment that was used. He had no real knowledge of database design or of Internet security. For that matter, the original statement of work for the project does not mention security.
Pre-Y2K, Internet security was (comparatively) in its infancy. We know for a fact that members of the DOC IT staff ASKED about security, but they were told that the issue was none of their business.
There’s no way to know if those are legitimate complaints or not, but a recent audit of the department (PDF link) pointed out several problems with its IT structure and management. The $1 million audit was requested by the Legislature in 2007 and done by a Texas-based corrections consulting firm, MGT of America Inc. Its main conclusion? The department is woefully underfunded by state government.
Starting on Section 7-29 (page 231 of the PDF), the audit faults the department for having a decentralized Information Technology Unit.
Management of IT functions resides in several different divisions, hampering coordination of services. The department’s core offender management information system is unreliable and requires significant upgrade or replacement. Ongoing planning and work on the internal development of a replacement for this system has been unsuccessful, leaving the department in an extremely vulnerable position.
The audit’s IT section doesn’t mention the publicly available Sex Offender Registry Web site, but it does go on to detail the problems with the DOC’s internal databases.
Because of these issues, the agency is at a very critical point in its ability to effectively manage the offender population. The existing inmate database could fail at any time, leaving nothing to replace it. Staff would have to return to paper and pencil to manage and account for inmates and parolees. Any efficiencies that currently exist would disappear, increasing the demands on the state’s limited resources.
The Legislature recently approved some additional funds for the DOC for this fiscal year. But a budget agreement last week freezes spending for the 2009 fiscal year, so the IT changes for the department might have to wait.
Written by Paul Monies