Oregon's pot data needs better security
- By Matt Leonard
- Apr 30, 2018
The Oregon Liquor Control Commission, which oversees the production, sale and use of marijuana in the state, needs to improve the reliability and security of the data used for cannabis licensing and seed-to-sale tracking, according to an audit by the Oregon Secretary of State.
Because OLCC lacked skilled technology project management staff and the expertise to build its own cannabis management systems quickly enough, it opted for contractor-supplied solutions. The commission signed one agreement with NIC for a software-as-a-service Marijuana Licensing System that allows Oregon citizens to apply for licenses to become recreational marijuana producers, processors and retailers. A separate contract was signed with Franwell Inc. for a SaaS Cannabis Tracking System.
The auditors looked at OLCC's IT security management program and the application controls over the Cannabis Tracking System and Marijuana Licensing System. They found that the contractors' systems were operating properly but that the agency needs to implement better monitoring and enhance security.
The major issues, auditors said, include:
- Immature regulatory processes and poor data quality that increase the risk of compliance violations going undetected.
- Need for better management practices for marijuana computer programs and application vendors.
- Lack of an appropriate IT security management program.
- Lack of a disaster recovery plan and testing of backups.
OLCC's current IT security plan has been in place since 2008, which was prior to legalization, auditors noted.
“OLCC’s security plan does not provide sufficient guidance for agency personnel to adequately protect OLCC’s information assets,” they said. “This significantly increases the risk that an IT security event could occur that would adversely affect OLCC’s ability to fulfill its mission.”
Another hit to the agency's security posture is the fact that it does not adequately track the hardware and software it allows on its network. There is no complete list of assets maintained by the agency, which makes it difficult for OLCC to protect its systems.
Other security issues included a lack of baseline configurations for devices on the network and the inability to scan for vulnerabilities. OLCC also fails to manage endpoints in a way that would better ensure they’re protected from malware, the auditors said.
OLCC Executive Director Steve Marks agreed with the audit's 17 recommendations and said the agency will be seeking budget authority to move forward with addressing the issues raised by the audit.
"In this unique area of endeavor, without blueprints or a playbook, the current condition of OLCC's IT systems related to marijuana can be characterized as 'state-of-the-art imperfection.'" Marks wrote in his reply. “We are taking immediate action to obtain the necessary approvals to help us remedy issues as rapidly as possible.”
Matt Leonard is a former reporter for GCN.