Salem, OR—Today, Secretary of State Dennis Richardson released an audit of the Oregon Liquor Control Commission (OLCC). The audit, titled "Cannabis Information Systems Properly Functioning but Monitoring and Security Enhancements are Needed," found that OLCC has taken positive steps to establish information systems for recreational marijuana regulation.
However, auditors also found several weaknesses associated with the agency's new IT systems used for marijuana licensing and tracking.

The audit also found that OLCC has not implemented an appropriate agency-wide IT security management program.

In 2014, voters approved Measure 91, which legalized the production, sale, and use of recreational marijuana in Oregon. State law requires applicants for recreational marijuana business licenses and renewals to submit their application to OLCC. The law also requires the agency to implement a system to track recreational marijuana from seed to sale. In response, OLCC contracted with external vendors to develop, host, and support the Marijuana Licensing System and Cannabis Tracking System (CTS). We found that these systems are functioning properly to facilitate licensing of marijuana businesses and to track marijuana products within the state.

OLCC requires marijuana businesses to track a number of items in the CTS, including daily sales activity, inventory transfers, lab test results, inventory adjustments, and marijuana waste. OLCC has developed initial processes to use this data to identify potential instances of noncompliance in the marijuana industry.

However, auditors determined that immature regulatory processes and poor data quality increase the risk that compliance violations in the recreational marijuana program will go undetected. Specifically, auditors found the following issues increased the risk that OLCC may not detect potential violations or illegal activity:

• Reliance on self-reported data from marijuana businesses;
• Inconsistent weight measurement systems;
• Allowing untracked marijuana inventory in the first 90 days of licensure;
• Poor or insufficient data quality in the Cannabis Tracking System; and
• An insufficient number of trained inspectors needed for on-site investigations.

Additionally, auditors concluded that better practices are needed to manage marijuana applications and application vendors. They identified the following specific weaknesses:

• OLCC lacks processes to monitor some third-party service providers;
• OLCC does not have a process for reconciling data transmitted by the licensing system to the tracking system;
• Test data exists in the Marijuana Licensing System production environment, increasing the risk that program decisions may be based on unreliable data; and
• User account management processes are lacking, which increases the risk of inappropriate access to marijuana systems.

Although the marijuana licensing and tracking systems are hosted and supported by external vendors, OLCC's information technology (IT) division is responsible for the agency's network security, web application design and development, database administration, and software development.

Auditors determined OLCC lacks an appropriate IT security management program based on the following identified weaknesses:

• OLCC lacks an up-to-date security plan;
• IT assets are not sufficiently tracked;
• OLCC has not set server or network device baselines and does not have a process to monitor for unauthorized changes or devices;
• Management has not developed processes to identify IT security vulnerabilities;
• Antivirus solutions are not effectively managed;
• Servers and workstations are running on unsupported operating systems;
• Physical access controls should be improved; and
• Long-standing information security issues remain unresolved, including insufficient and outdated policies and procedures necessary to safeguard information assets.

Auditors also found OLCC should develop a disaster recovery plan and improve backup media testing processes.

The audit includes 17 recommendations to address the risk of undetected compliance violations, weaknesses related to marijuana vendor and application management, IT security management weaknesses, and weaknesses related to disaster recovery and backup media testing.

