Serious Control Deficiencies Found in Puerto Rico’s Department of Transportation and Public Works Information Systems

Date: 2023-09-12

The Office of the Inspector General of Puerto Rico (OIG) has uncovered serious deficiencies in the controls and security of the information systems of the Department of Transportation and Public Works (DTOP), including systems that contain sensitive data about users and residents of Puerto Rico. The findings were revealed during a compliance examination conducted by the OIG.

The examination specifically evaluated the access controls and security of the Drivers and Vehicles Information Databases Plus System (DAVID+), which was established by DTOP and the Roads and Transportation Authority (ACT). One of the major issues identified was the use of outdated technology and servers for the DAVID+ System. The two servers, IBM Model Power 570, are obsolete and no longer supported by the manufacturer. A Cisco 7606 router used to connect to the network of the Puerto Rico Electric Power Authority (PREPA) was also found to be obsolete and without technical support.

Furthermore, the examination revealed that DTOP did not have a risk analysis of computerized information systems or a current Security Plan. The ACT, through its executive director, certified to the OIG that it also does not have a current Incident Management Plan but is working on creating one.

Overall, the OIG identified 15 findings regarding the information systems in DTOP and ACT, including the lack of a Strategic Information Technology Plan, deficiencies in the Contingency Plan of the Information Technology Area, and failures related to the administration of access accounts of former employees in the DAVID+ System.

Due to the seriousness of the control deficiencies and the security risk posed to user information, the OIG has required that the recommended actions be urgently addressed within the next 90 days.

The DTOP was found to be extremely vulnerable to unauthorized extraction of sensitive data, given the increased cyber attack risks faced by government agencies in recent years. The draft results and findings of the examination were submitted to the DTOP Secretary for comments, and the department is currently evaluating each finding and working on corrective actions to comply with the report’s recommendations.

