Legislative Summary Document - Information System Vulnerability Assessment Page: 3 of 3
This report is part of the collection entitled: Texas State Auditor's Office: Reports and was provided to The Portal to Texas History by the UNT Libraries Government Documents Department.
Information System Vulnerability Assessment
SAO Contact: Pat Keith, Chief Information Officer
(512) 936-9500
• Twenty-five vulnerability assessments (40 percent) resulted
in ratings of poor, indicating that significant vulnerabilities
were found (see text box).
• Twenty-one vulnerability assessments (33 percent) found
enough security weaknesses to result in ratings of fair.
• Seventeen vulnerability assessments (27 percent) resulted in
ratings of adequate, indicating that major vulnerabilities
were not found.
Testing results alone, however, do not fully depict the risks the
State faces with respect to its information systems. A
vulnerability assessment does not usually encompass an entire
system's infrastructure, nor can it provide assurances over time.
Vulnerability assessments represent a snapshot of the security
profile of selected system components at the time the
assessment was conducted.
The scope of vulnerability assessment testing is driven by the size of the state entity; the importance of the system tested;
and, in the case of the SAO, the scope of the audit. Additionally, if information system issues are known or suspected,
testing may be changed to accommodate those issues. Some systems are known to be vulnerable yet are also critical to the
operation of a state entity. Because testing could interfere with critical operations, direct testing of these systems may be
avoided.
Confidentiality
Vulnerability assessment results constitute sensitive information because they could be used by others to gain unauthorized
access to an information system. The sensitivity of this information is recognized in Texas Government Code, Section
2054.077(c), which states that a vulnerability report and any information or communication prepared or maintained for use in
the preparation of a vulnerability report is confidential and is not subject to disclosure under Texas Government Code,
Chapter 552. Appropriately, information that could be used to harm information systems and/or the information itself should
not be made available for public use. The SAO has developed both public and detailed/confidential reports for vulnerability
assessments, thereby providing high-level information for the public and still maintaining the confidentiality of sensitive
information. State entities at which vulnerability assessments have been conducted receive both reports so that they can
manage public inquiry and remedy system weaknesses.
The SAO is prepared to brief the Legislature on vulnerability assessments and other technology-related issues. For further
information, contact Pat Keith, Chief Information Officer, at (512) 936-9500.
January 2003 SAO No. 03-396
Rating Scheme
Poor - Either (1) DIR gained proprietary information
from and control of target systems, or (2) the SAO
identified vulnerabilities or combinations of
vulnerabilities that place the system at severe risk.
Fair - Either (1) DIR gained proprietary information
from or control of target systems, or (2) the SAO
identified vulnerabilities that could allow system
penetration given more time.
Adequate - Either (1) DIR was unable to gain
proprietary information from or control of target
systems, or (2) the SAO did not identify major
vulnerabilities that put systems at risk.
Texas. Office of the State Auditor. Legislative Summary Document - Information System Vulnerability Assessment, report, February 2003; Austin, Texas. (https://texashistory.unt.edu/ark:/67531/metapth517424/m1/3/?rotate=0: accessed July 16, 2024), University of North Texas Libraries, The Portal to Texas History, https://texashistory.unt.edu.; crediting UNT Libraries Government Documents Department.