Leak of Kitzhaber's emails, state audit intertwined
SALEM The leak of former Gov. John Kitzhabers emails occurred at a time when state auditors were reviewing security controls at the state data center where the emails are stored.
The routine audit, which is ongoing, was already underway when the leak occurred and it is unrelated to the criminal investigation into the release. Oregon Department of Administrative Services Director Michael Jordan asked the Oregon State Police to initiate that inquiry on Feb. 18. OSP has its own information technology forensics experts to investigate the leak, according to Department of Administrative Services spokesman Matt Shelby.
The state Audits Division is part of the Oregon secretary of states office, and agency spokesman Tony Green said Friday that the agency conducts routine audits of the data center, usually once every two years.
Our audit was in the field long before anyone raised this issue, Green said. Its possible that something in the audit might be relevant to what happened, but theres no connection in terms of what started the audit, what the auditors went in looking at.
Still, the audit report could address data control issues that have come to light in the last month as state employees dealt with the leak and a request by a Kitzhaber administration staffer to delete emails from the governors personal email account stored on state computer servers.
Data center managers did not comply with the Kitzhaber staffers request to delete the archived emails. A spokeswoman for Kitzhaber said the administration never intended to delete all of the emails, and planned to preserve any that dealt with state business. The emails were subsequently leaked to the Willamette Week newspaper.
The security audit began in December and should be completed in early summer.
Since the State Data Center was created in 2005, the state Audits Division has conducted four specific audits and an overall audit on security that covered all state computer programs. The most recent audit in 2012 did not appear to identify any problems related to the recent issues.
In the March 2010 audit, auditors concluded: We found that a majority of State Data Center security issues were long-standing weaknesses that could be successfully mitigated without new or overly complex technical solutions.
In the March 2012 follow-up to the earlier audit, the audit generally gave the center good marks, except for incomplete or not untested recovery programs used after major crashes or similar events, and improper handling of some media tapes.
Green said if auditors find any evidence of criminal activities at the data center, they would turn it over to law enforcement as they have done in such situations with previous audits.
At this point, its way too early to even guess as to what that may be, Green said. Just because someone leaked records doesnt mean there are security problems.
Peter Wong and Hillary Borrud are reporters with the Pamplin Media Group/EO Media Group Capital Bureau in Salem.Add a comment