
State Pot Information Systems Could Use Improvement, Audit Shows

The OLCC assured state officials it would do what needs to be done to shore up any weaknesses exposed by the secretary of state's recent audit.

SALEM, OR — While cannabis information systems for regulating the sale and distribution of recreational marijuana are working as they should, a recent audit of how the Oregon Liquor Control Commission monitors those systems found room for improvement, Secretary of State Dennis Richardson announced Wednesday.

The audit, "Cannabis Information Systems Properly Functioning but Monitoring and Security Enhancements are Needed," revealed several weaknesses in the OLCC-designed system that could potentially create problems for the 4-year-old cannabis industry.

In the report released Feb. 7, auditors explained that OLCC "has taken positive steps to establish information systems for recreational marijuana regulation" — they just need some shoring up.


"We identified several weaknesses associated with OLCC’s new (information technology) systems used for marijuana licensing and tracking. They include data reliability issues and insufficient processes for managing marijuana applications and vendors," Richardson and Audits Division Director Kip Memmott wrote in their report. "In addition, OLCC has not implemented an appropriate agency-wide IT security management program. We identified eight IT security issues that significantly increase the risk that OLCC’s computer systems could be compromised, resulting in a disruption of OLCC business processes."

In response, OLCC officials on Wednesday acknowledged the truth of "many of the findings released … in the Oregon Secretary of State’s Information Technology audit," but asserted that the "overall health of the agency’s IT infrastructure remains sound."


Following voter approval of recreational cannabis production, sale, and use in 2014, state legislators designated the OLCC oversight authority for licensing and tracking cannabis businesses and products, respectively. Using the Cannabis Tracking System (CTS), OLCC authorities monitor "daily sales activity, inventory transfers, lab test results, inventory adjustments, and marijuana waste," which the commission requires cannabis businesses to track, the audit explained.

"OLCC has developed initial processes to use this data to identify potential instances of noncompliance in the marijuana industry," Richardson said. "However, auditors determined that immature regulatory processes and poor data quality increase the risk that compliance violations in the recreational marijuana program will go undetected."

Processes auditors determined could create issues related to effective monitoring included:

  • Reliance on self-reported data from marijuana businesses;
  • Inconsistent weight measurement systems;
  • Allowing untracked marijuana inventory in the first 90 days of licensure;
  • Poor or insufficient data quality in the Cannabis Tracking System; and
  • An insufficient number of trained inspectors needed for on-site investigations.

Additional issues were reportedly found when auditors examined the way in which OLCC officials contract out some licensing and tracking processes to third-party agencies. Among the weaknesses, auditors found:

  • OLCC lacks processes to monitor some third-party service providers;
  • OLCC does not have a process for reconciling data transmitted by the licensing system to the tracking system;
  • Test data exists in the Marijuana Licensing System production environment, increasing the risk that program decisions may be based on unreliable data; and
  • User account management processes are lacking, which increases the risk of inappropriate access to marijuana systems.

And beyond the monitoring and management of physical product and third-party agency activities, auditors learned many of the OLCC's IT protocols — managed by the OLCC itself — could also use improvements.

Among the IT weaknesses related to "the agency's network security, web application design and development, database administration, and software development," auditors found:

  • OLCC lacks an up-to-date security plan;
  • IT assets are not sufficiently tracked;
  • OLCC has not set server or network device baselines and does not have a process to monitor for unauthorized changes or devices;
  • Management has not developed processes to identify IT security vulnerabilities;
  • Antivirus solutions are not effectively managed;
  • Servers and workstations are running on unsupported operating systems;
  • Physical access controls should be improved; and
  • Long-standing information security issues remain unresolved, including insufficient and outdated policies and procedures necessary to safeguard information assets.

"Auditors also found OLCC should develop a disaster recovery plan and improve backup media testing processes," Richardson said, noting, "The audit includes 17 recommendations to address the risk of undetected compliance violations, weaknesses related to marijuana vendor and application management, IT security management weaknesses, and weaknesses related to disaster recovery and backup media testing."

(A full .pdf copy of the audit can be read at the Secretary of State website.)

“We are constantly evaluating ways to improve our systems, and are taking prompt action to prioritize the staff time and resources necessary to move us into better compliance with audit recommendations and state protocols,” OLCC Executive Director Steve Marks said in a statement. “We appreciate the breadth and detail of the audit and will use its key findings to improve and build out an IT system that will help the OLCC now and in the future.”

