Organization: | Office of the State Auditor |
---|---|
Date published: | April 13, 2023 |
Executive Summary
In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Department of Criminal Justice Information Services (DCJIS) for the period July 1, 2020 through June 30, 2021. The purpose of our audit was to determine whether DCJIS does the following:
- maintains its Criminal Offender Record Information (CORI) database, iCORI,[1] in accordance with Section 167A(f) of Chapter 6 of the General Laws
- performs audits of non–law enforcement CORI requestors to confirm that each requestor has security protection over the information obtained through the iCORI database in accordance with Section 2.21(4)(d) of Title 803 of the Code of Massachusetts Regulations, which was effective during the audit period
- ensures that all authorized law enforcement personnel who have access to criminal justice information complete cybersecurity awareness training in accordance with Sections 5.2.1 through 5.2.3 of the United States Department of Justice Federal Bureau of Investigation’s “Criminal Justice Information Services (CJIS) Security Policy,” dated June 1, 2020
- reconciles funds received for CORI requests to the Massachusetts Management Accounting and Reporting System (MMARS) in accordance with the Office of the Comptroller of the Commonwealth’s “Cash Recognition and Reconciliation Policy,” dated July 1, 2004.
Below is a summary of our findings and recommendations, with links to each page listed.
Finding 1 |
DCJIS does not perform audits of non–law enforcement CORI requestors to ensure that this information is properly stored and safeguarded. |
Recommendations |
Finding 2 |
DCJIS did not ensure that Criminal Justice Information System Single Sign On Application (CSSOA) users completed cybersecurity awareness training. |
Recommendations |
Finding 3 |
DCJIS does not reconcile all revenue recorded in the iCORI database. |
Recommendations |
1. This database contains Massachusetts-only criminal activity and personally identifiable information such as names, birthdates, addresses, and social security numbers.
Table of Contents
- Abbreviations
- Overview of the Audited Entity
- Audit Objectives, Scope, and Methodology
- The Department of Criminal Justice Information Services Does Not Perform Audits of Non–Law Enforcement Criminal Offender Record Information Requestors To Ensure That This Information Is Properly Stored and Safeguarded
- DCJIS Did Not Ensure That Criminal Justice Information System Single Sign On Application Users Completed Cybersecurity Awareness Training
- DCJIS Does Not Reconcile All Revenue Recorded in the iCORI Database