Arizona Department of Economic Security—Information Technology Security—Department should improve security processes and controls over its information technology systems and data, and establish an information security program

The Arizona Department of Economic Security (Department) has a significant responsibility to safeguard its information technology (IT) systems and the data contained in them from misuse or attack because of the volume and nature of the sensitive data it maintains. Although the Department has established various IT security processes to help protect its systems and data, we were able to identify weaknesses that allowed access to these systems and sensitive data, including social security numbers and confidential health information. Additionally, the Department lacks an information security program as required by state policy. Establishing such a program would help ensure the Department sufficiently protects its IT systems and data. Finally, our in-depth review of three key policy areas—data classification, incident response, and security awareness education and training—found that the Department had not developed or fully developed associated procedures and had not incorporated some best practices within its incident response policy.