Audit questions court automation security

The State Courts Administrator (OSCA) and the Missouri Court Automation Committee need to do a better job of managing and securing the courts' automation system, according to a state audit report released Wednesday.

Auditor Nicole Galloway's 30-page report covers OSCA and the state courts' system of case and record management.

The audit said OSCA management hasn't "fully established and documented user account management policies and procedures" nor established any procedures to regularly review user accounts and related privileges to confirm access rights.

The audit said OSCA management also hasn't fully implemented elements of an information security program, noting weaknesses exist that "threaten the confidentiality, integrity and availability of OSCA information and systems."

Officials also don't have a risk assessment and management program in place and don't ensure all users are identified with confidential, regularly changed passwords.

OSCA's response contends responsibility to review local court user accounts is with the local authority, usually the circuit clerk or the presiding circuit judge.

"This topic will be presented to the Missouri Court Automation (MCA) Committee to consider a security guideline," the response said.

Although the audit doesn't focus on the committee, it does note a 1994 state law established the state court automation program, as well as an oversight body for the program, the MCA.

The auditor's report also noted the MCA has decision-making authority for all aspects of court automation.

By law, the committee's 21 members include 10 judges from the Supreme Court down to associate circuit judges, four circuit court employees, the commissioner of administration, four lawmakers and two members of the Missouri Bar.

Citing a U.S. General Accounting Office report on computer system security issues, the state audit report raised several concerns about unauthorized access.

The OSCA response acknowledged the JIS management system "is deficient in its password capacity," but noted the system is accessed only through the court's network and can't be seen by anyone without authorization.

OSCA also reported the security issue is being addressed in development of the new case and record management system by OSCA employees.

The audit report also said court officials need to define the end goal, or objective, of the state's court automation project.

The auditors said OSCA needs to set an end date for court automation because "a project is a temporary process, which has a clearly defined start and end time, a knowable set of tasks, a management structure, and a budget that is developed to accomplish a well-defined goal or objective."

But, OSCA responded, "The CRMS is defined by OSCA as an ongoing process," not a temporary project with an end date.

"Since the auditors' visit, the MCA has developed a detailed strategic plan which will provide a road map for future court automation including the CRMS," OSCA said.

Historically, the court system has asked the Legislature for more money for creating the statewide automation system and for improving its equipment and software - but generally received only the funding generated by a $7 per case court automation filing fee launched in 1994.

OSCA's response in the auditor's report noted the Court Automation Committee's new strategic plan "contemplates the availability of fiscal and staff resources."