The Oregon Secretary of State’s Office has released its audit of the state Liquor Control Commission’s cannabis regulation systems, identifying eight information-technology security issues and making 17 recommendations for addressing the program’s weaknesses.
The audit comes on the heels of a summit that U.S. Attorney Billy Williams held in the state with members of the industry to address issues he identified in the program, such as diversion of products out of state and to the illicit market.
What did the report identify as weaknesses?
- “Data reliability issues with self-reported data in the Cannabis Tracking System (CTS) and an insufficient number of trained compliance inspectors inhibit OLCC’s ability to monitor the recreational marijuana program in Oregon.”
- “OLCC should improve processes for ensuring the security and reliability of data in the CTS and the Marijuana Licensing System. In addition, better processes are needed to monitor vendors that host and support these applications.”
- “OLCC has not implemented an effective IT security management program for the agency as a whole.”
- “OLCC has not formally developed a disaster recovery plan and has not tested backup files to ensure they can be used to restore mission-critical applications and data.”
What are the agency’s recommendations?
- “Develop and implement standards and protocols for on-site inspections and investigations.”
- “Evaluate the need and provide for an adequate number of trained OLCC inspectors commensurate with number of licensed marijuana businesses.”
- “Perform risk-based on-site monitoring and inspections to ensure that licensees are reporting accurate information in the CTS and complying with applicable laws.”
- “Develop and implement policies and procedures for effectively monitoring software of service vendors to ensure they are meeting security and hosting requirements defined in contracts and service level agreements.”
- “Develop and implement reconciliation processes to ensure that data is appropriately transmitted by the Marijuana Licensing System (MLS) and received by the [CTS].”
- “Establish processes for granting and reviewing access to the [MLS] and [CTS].”
- “Implement change management processes in line with industry best practices, including measures that ensure test data remains segregated from the production environment.”
- “Update and test OLCC’s information and security plan to ensure the plan reflects the agency’s current business and IT environment.”
- “Establish a process to maintain an up-to-date inventory of authorized hardware and software allowed on OLCC’s network.”
- “Develop and implement a configuration management process, including establishing configuration baselines, maintaining an up-to-date repository of configuration items, and monitoring configuration status changes to detect any unauthorized changes.”
- “Develop and implement a process to scan for vulnerabilities on devices on network.”
- “Develop and implement an effective antivirus solution on servers and workstations, and monitor to ensure all servers and workstations have an up-to-date antivirus solution.”
- “Transition software off obsolete platforms. If that is not possible, ensure unsupported servers are appropriately segregated on the network.”
- “Review physical access procedures to ensure access is appropriate, and require PINs to be periodically changed.”
- “Develop and implement a process to remediate weaknesses identified in risk assessments and audits, and routinely evaluate and assess the agency’s security posture.”
- “Develop and document an entity-wide disaster recovery plan.”
- “Perform periodic tests of backups to ensure usability.”