A Florida Department of Military Affairs audit revealed lapses in cybersecurity protocols, including inadequate separation of cybersecurity duties and insufficient archiving of text messages, prompting recommendations for improved control policies.

An audit of the Florida Department of Military Affairs has uncovered several instances where proper cybersecurity protocols were not followed.

According to the report issued by the Florida Auditor General, state law requires that each state agency head designate an information security manager to administer the agency’s cybersecurity program.

These security managers must report directly to the agency head to ensure appropriate separation of beauties between information technology operations and the assessment and oversight of cybersecurity program controls.

It was previously found in an earlier audit, that the Department of Military Affairs did not designate a security manager to the Department of Management Services. Furthermore, the department’s security manager failed “to report directly to the Adjutant General for information security duty purposes.”

It was found that the department had designated the Chief Information Officer, who was responsible for the department’s daily IT operations, as the security manager. Because of this role, auditors found that it was not an appropriate separation of duties between operations and oversight of cybersecurity program controls.

According to the report, in response to the auditor general’s inquiry of this matter, department management indicated that they believed that the Chief Information Officer serving as the security manager, was appropriate.

State law further requires that the department maintain public records, which specifies that electronic communications, including text messages, are retained for a period of at least three fiscal years or until they become obsolete.

The audit found that the department had not established procedures for archiving text messages sent or received by department-owned mobile devices as of March 2023, after a previous audit had uncovered similar findings.

Additionally, issues around the department’s public deposits raised concerns when the department could not produce seven of the 67 Public Deposit Identification and Acknowledgement forms requested for audit.

Of the 60 forms submitted for audit, four included account numbers that did not match department records; 15 were signed by a qualified public depository — a state law requirement — after the audit request, while 16 were not signed by the department.

The auditor general recommended that the department implement better control policies and procedures, including on purchasing cards, which had some not turned in once employment had ceased. It was further recommended that department management enhance policies and procedures to remove, sanitize or destroy hard drives prior to disposal.