Secretary of State Dennis Richardson Releases Audit of the Oregon Liquor Control Commission
Salem, OR – Today, Secretary of State Dennis Richardson
released an audit of the Oregon Liquor Control Commission (OLCC). The audit,
titled "Cannabis Information Systems Properly Functioning but Monitoring and
Security Enhancements are Needed," found that OLCC has taken positive steps to
establish information
systems for recreational marijuana regulation. However, auditors also found
several weaknesses associated with the agency’s new IT systems used for
marijuana licensing and tracking.
The audit also found that OLCC has not implemented an
appropriate agency-wide IT security management program.
In 2014, voters approved Measure 91, which legalized the
production, sale, and use of recreational marijuana in Oregon. State law
requires applicants for recreational marijuana business licenses and renewals
to submit their application to OLCC. The law also requires the agency to
implement a system to track recreational marijuana from seed to sale. In
response, OLCC contracted with external vendors to develop, host, and support
the Marijuana Licensing System and Cannabis Tracking System (CTS). We found that these systems are functioning properly
to facilitate licensing of marijuana businesses and to track marijuana products
within the state.
OLCC requires marijuana businesses to track a number of
items in the CTS, including daily sales activity, inventory transfers, lab test
results, inventory adjustments, and marijuana waste. OLCC has developed initial
processes to use this data to identify potential instances of noncompliance in
the marijuana industry.
However, auditors determined that immature regulatory
processes and poor data quality increase the risk that compliance violations in
the recreational marijuana program will go undetected. Specifically, auditors
found the following issues increased the risk that OLCC may not detect
potential violations or illegal activity:
- Reliance on self-reported data from marijuana
businesses;
- Inconsistent weight measurement systems;
- Allowing untracked marijuana inventory in the
first 90 days of licensure;
- Poor or insufficient data quality in the
Cannabis Tracking System; and
- An insufficient number of trained inspectors
needed for on-site investigations.
Additionally, auditors concluded that better practices are
needed to manage marijuana applications and application vendors. They
identified the following specific weaknesses:
- OLCC lacks processes to monitor some third-party
service providers;
- OLCC does not have a process for reconciling
data transmitted by the licensing system to the tracking system;
- Test data exists in the Marijuana Licensing
System production environment, increasing the risk that program decisions may
be based on unreliable data; and
- User account management processes are lacking,
which increases the risk of inappropriate access to marijuana systems.
Although the marijuana licensing and tracking systems are
hosted and supported by external vendors, OLCC’s information technology (IT)
division is responsible for the agency’s network security, web application
design and development, database administration, and software development.
Auditors determined OLCC lacks an appropriate IT security
management program based on the following identified weaknesses:
- OLCC lacks an up-to-date security plan;
- IT assets are not sufficiently tracked;
- OLCC has not set server or network device
baselines and does not have a process to monitor for unauthorized changes or
devices;
- Management has not developed processes to
identify IT security vulnerabilities;
- Antivirus solutions are not effectively managed;
- Servers and workstations are running on
unsupported operating systems;
- Physical access controls should be improved; and
- Long-standing information security issues remain
unresolved, including insufficient and outdated policies and procedures
necessary to safeguard information assets.
Auditors also found OLCC should develop a disaster recovery
plan and improve backup media testing processes.
The audit includes 17 recommendations to address the risk of
undetected compliance violations, weaknesses related to marijuana vendor and
application management, IT security management weaknesses, and weaknesses
related to disaster recovery and backup media testing.
Read the full audit on the Secretary of State
website.
###