. https://informationsecurity.report/Resources/Whitepapers/55d5c3dd-e543-47d2-91ad-e0adfa0e6c9f_2019-28.pdf
DAS is the state’s central administrative agency. It supports state agencies by providing management frameworks and infrastructure for information systems and services, procurement, and other functions. Responsibility for cybersecurity is split between DAS, the Office of the State CIO, and the Enterprise Security Office. This audit assessed critical security controls and the information technology (IT) security management practices at the Department of Administrative Services (DAS). We concluded the agency does not have a security management program that identifies necessary actions to ensure systems are appropriately secure, and lacks basic foundational IT controls for all six cybersecurity controls we reviewed. As a result, DAS systems and data may be at risk for unauthorized use, disclosure, or modification. DOWNLOAD