Preparing for a Motor Vehicle Data Exchange
By Vincent Iovino
You get a call to your office: “Hey, we received an email from the State and they are requiring us to complete an audit of our data exchange controls.” They forward the email, you read the request, and realize there are about 50 days to complete the audit. Wait. What?
So, exactly what is a Motor Vehicle Data Exchange audit? The data that your organization receives from the Department of Motor Vehicles (DMV) may include, but is not limited to, a person’s name, address, the last five years of driving history, and whether the license is suspended or revoked. Since your organization receives driver’s license information in bulk, the State requires that your organization sign a Memorandum of Understanding (MOU). The MOU establishes the conditions and limitations under which the data is provided by the State. As you read the 32-page MOU, you may be wondering how best to incorporate all of the different regulations and State requirements into your audit report. Don’t panic; here are five tips to help you complete your comprehensive audit in a timely manner.
Tip #1: What is the focus of the data exchange audit?
The MOU requires that your audit show that data security policies and procedures are in place to protect personal data and that personnel follow them. Specifically, there are two requirements of the audit. The first is that the audit shall certify that the data security policies and procedures have been approved by a Risk Management IT Security Professional (see Tip #2).
Secondly, the audit shall also certify that any and all deficiencies or issues found during the audit have been corrected and that measures have been enacted to prevent recurrence. This is where an extension is very helpful, as your organization will need time to correct issues and implement those measures (see Tip #5).
Tip #2: What is a Risk Management IT Security Professional?
In many organizations, the Risk Management IT Security Professional is your Chief Information Security Officer (CISO). But, what if your organization is like ours, and doesn’t have a CISO?
We reached out to the State and they sent us their definition, which included job responsibilities and required certification(s). Basically, a Risk Management IT Security Professional evaluates security risks, identifies the likelihood and consequences of a security breach, and implements and monitors control mechanisms to protect data. Additionally, they should have three to five years of combined IT and security work experience in systems analysis, application development, and systems administration. Individuals with credentials such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), or Certified Information Systems Auditor (CISA) may qualify as a Risk Management IT Security Professional.
Tip #3: Structuring your audit program.
Your audit program should evaluate the internal controls’ ability to protect the data from unauthorized access, distribution, use, modification, or disclosure. The State of Florida’s MOU focuses on seven main objectives, which include:
- Is information exchanged only as authorized by the MOU?
- Is information securely stored (physically and logically)?
- Are your data security controls and standards in alignment with the MOU?
- Are unauthorized users able to view, retrieve, or print data exchange information?
- Are users instructed about the confidential nature of the data and the possible civil and criminal sanctions for the unauthorized use of the data?
- Is access to the data monitored on an ongoing basis?
- Is the information transmitted using TLS version 1.2 or higher?
Below is a summary explanation for each section of our audit program.
1. Is the information exchanged only used as authorized by the MOU?
Information exchanged will not be used for any purposes not specifically authorized by the MOU and its attachments. Unauthorized use includes, but is not limited to, queries not related to a legitimate business purpose, personal use, and the dissemination, sharing, copying, or passing of this or any other unauthorized information to unauthorized persons.
The Driver’s Privacy Protection Act, 18 USC Section 2721 makes personal information contained in motor vehicle or driver’s license records confidential and exempt from disclosure. Unauthorized use of DMV-related data increases the risk of inappropriate disclosure of exempt motor vehicle information.
The MOU’s Attachment I contains 14 purposes for which personal information in motor vehicle and driver license records can be released. As a local government, we claimed exemption No. 1 (local government) and exemption No. 6 (self-insured entity) in order to comply with our insurance by ensuring city drivers do not have suspended or revoked licenses. We used this as the baseline while examining the use of the data exchanged. Our Risk Management Department runs two queries a year to verify that city drivers hold a valid driver’s license. We receive a billing log that shows when records were transmitted and the total number transmitted; reconcile that log against the queries your organization actually ran, since any transmission with no matching business request is a use you cannot tie to a claimed exemption.
This is where you need to verify which exemptions your organization claimed and which were granted.
2. Is information securely stored (physically and logically)?
Information obtained from the Department of Motor Vehicles will be stored in a location that is physically and logically secure from access by unauthorized persons. If your organization stores hard copies, identify all areas where the information resides. If it is kept in a file cabinet or desk, see whether the office is locked and who has key and/or badge access.
Identify all servers, workstations, and network drives that electronically store DMV-related data. In your audit program, test the following control activities:
- Facility monitoring (surveillance systems, cameras, guards, exterior lighting)
- Alarm systems (fire, burglary, water/humidity, power)
- Secure storage of backup data drives
- Physical locks on the server room
- Servers enclosed in a key-locked cage
- Password management (criteria)
- Antivirus / malware protection
- Intrusion detection systems
- Badge access appropriately restricted
3. Are your data security controls and standards in alignment with the MOU?
The City shall develop security requirements and standards consistent with Section 282.318, Florida Statutes, Florida Administrative Code Rule 74-21, and the FLHSMV External Information Security Policy to ensure the protection of FLHSMV information, applications, data, resources and services.
This is the biggest part of the entire report, so let’s break it down into manageable sections.
- Data Security Policies and Procedures:
Based on the five NIST Cybersecurity Framework functions (Identify, Protect, Detect, Respond, and Recover), we tested our organization’s policies and procedures for the following:
• Access Control
• Network Security
• Personnel Security
• Asset Management
• Asset Disposal
• Acceptable Use of Assets
• Data Privacy
• Facilities Security
• Disaster Recovery and or Business Continuity Plan
• Security Incident Handling and Communication
We identified that our policy did not include a list of reportable incidents or state when to report such events. The MOU states that reportable events include:
• Physical loss, theft, or destruction of the DMV-related data.
• Unauthorized disclosure, access, sharing user credentials, unauthorized activity, or transmission of data using DMV information resources.
• Data altered or destroyed, or access denied, outside of normal business hours.
• Lost identification badges.
• Violation of any portion of the External Information Security Policy.
- Risk Management IT Professional approval of the Data Security Policies and Procedures:
Sit with the Risk Management IT Professional (see Tip #2) and review your findings of the organization’s policies as they relate to the data exchanged. Also, see if they have identified any additional risks. Once the policies adequately address data security, have the Risk Management IT Professional formally document that they have reviewed and approved the policies.
- IT resources prioritization based on classification, criticality, and or business value:
The Florida Highway Safety and Motor Vehicles External Information Security Policy #A-02 Data Security 7.0, Data Classification, requires that the City abide by the data classification in accordance with Federal Information Processing Standards (FIPS) Publication 199. Examine how IT assets (physical systems and devices) are inventoried and whether the documentation classifies the in-scope systems as Public, Sensitive, or Confidential.
- Server and workstation patches:
Patching is the process of applying updates to improve the security of the software that runs the information systems. Work with your IT Department to determine whether the in-scope systems are up to date with operating system and security patches, and obtain evidence (patch reports or configuration-management output) rather than relying on a verbal confirmation. Information systems operating with outdated patches are at an increased risk of compromise from known vulnerabilities.
- Identify and document vulnerabilities:
A risk assessment is a systematic process for evaluating the potential risks that may occur. During our audit, we learned that IT performed vulnerability scans but did not include the in-scope systems. Whether risk assessments or vulnerability scans are performed, first confirm that every in-scope system is actually covered, and then ensure that all of the critical and high-risk findings are adequately mitigated and that measures are enacted to prevent recurrence.
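The patching and vulnerability-scan checks above are the kind of reconciliation an auditor can script against three exports: the in-scope asset inventory, the scanner’s coverage report, and the scanner’s findings list. The following is an added example written for this article, not code from the author or from any City of Gainesville system; the hostnames, dates, the 30-day patch window and the 30-day remediation SLA are all constructed assumptions, and the CSV column names are placeholders for whatever your own tools export.

```python
"""Reconcile the in-scope DMV-data asset inventory against vulnerability-scan
coverage, patch currency, and open findings.

Added example: all inputs below are constructed sample exports with
hypothetical hostnames; the 30-day windows are assumed policy values."""
import csv
import io
from datetime import date, timedelta

# Constructed inventory of systems that store or process DMV-related data.
INSCOPE_CSV = """hostname,role,last_os_patch
dmv-app01,application server,2023-09-12
dmv-db01,database server,2023-05-02
risk-ws07,risk mgmt workstation,2023-09-20
fs01,file server (exports share),2023-09-05
"""

# Constructed scanner coverage export: hosts the scanner actually touched.
SCANNED_CSV = """hostname,last_scan
dmv-app01,2023-09-25
risk-ws07,2023-09-25
web01,2023-09-25
"""

# Constructed scanner findings export.
FINDINGS_CSV = """hostname,severity,first_seen,status
dmv-app01,Critical,2023-07-01,open
dmv-app01,Medium,2023-07-01,open
risk-ws07,High,2023-09-18,open
risk-ws07,High,2023-06-01,closed
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def _d(s):
    return date.fromisoformat(s)


def unscanned_inscope(inscope_csv, scanned_csv):
    """In-scope hosts that never appear in the scanner's coverage export.
    Hosts the scanner saw but that are out of scope (web01) are ignored."""
    scanned = {r["hostname"] for r in _rows(scanned_csv)}
    return sorted(r["hostname"] for r in _rows(inscope_csv)
                  if r["hostname"] not in scanned)


def stale_patches(inscope_csv, as_of, max_age_days=30):
    """In-scope hosts whose last OS patch is older than the allowed window."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(r["hostname"] for r in _rows(inscope_csv)
                  if _d(r["last_os_patch"]) < cutoff)


def overdue_findings(findings_csv, inscope_csv, as_of, sla_days=30,
                     severities=("Critical", "High")):
    """Open Critical/High findings on in-scope hosts that are past the
    remediation SLA. Closed findings and lower severities are excluded."""
    inscope = {r["hostname"] for r in _rows(inscope_csv)}
    deadline = as_of - timedelta(days=sla_days)
    return sorted(
        (r["hostname"], r["severity"], r["first_seen"])
        for r in _rows(findings_csv)
        if r["hostname"] in inscope
        and r["status"] == "open"
        and r["severity"] in severities
        and _d(r["first_seen"]) < deadline
    )


def audit_report(as_of):
    """Bundle the three checks into one workpaper-ready dictionary."""
    return {
        "unscanned": unscanned_inscope(INSCOPE_CSV, SCANNED_CSV),
        "stale_patches": stale_patches(INSCOPE_CSV, as_of),
        "overdue_findings": overdue_findings(FINDINGS_CSV, INSCOPE_CSV, as_of),
    }


if __name__ == "__main__":
    for check, result in audit_report(date(2023, 10, 1)).items():
        print(f"{check}: {result}")
```

Run against the constructed data as of 2023-10-01, the report shows two in-scope hosts the scanner never covered (the database and file server), one host outside the patch window, and one Critical finding that has been open past the SLA. Each of those is a deficiency the MOU expects you to document as corrected, so keep the exports you reconciled as evidence.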
- Disaster Recovery and or Business Continuity Planning on in-scope systems:
Review your City’s Business Continuity Plan (BCP) to ensure that it includes the in-scope data exchange systems. Additionally, make sure that the BCP includes a lessons-learned section as required in 60GG-2.003 Protect, Information Protection Processes and Procedures, Number 9 and 60GG-2.006 Recover, Recovery Planning, Number 1.
4. Are unauthorized users able to view, retrieve, or print data exchange information?
Access to the information received from the HSMV will be protected in such a way that unauthorized persons cannot view, retrieve, or print the information. To determine whether a user is authorized, start with the onboarding process. See whether each user account has an associated access request that was approved by the application owner. Equally important, examine the off-boarding process and see whether terminated users were promptly disabled in the information systems.
Identity and access management controls should enforce uniquely identifiable users, least privilege, and segregation of duties. Look for generic or shared user IDs that have access to DMV-related data, users whose access does not align with their job duties, and access that could circumvent the controls meant to prevent malevolent activity.
5. Are all users with access to the information exchanged instructed about the confidential nature of the data and told about the civil and criminal sanctions for unauthorized use of the data?
All personnel with access to the information exchanged must be instructed about, and acknowledge their understanding of, the confidential nature of the information. All personnel with access to the information must also be instructed about, and acknowledge their understanding of, the civil and criminal sanctions specified in state and federal law for unauthorized use of the data. Examine your organization’s security training materials to see whether they cover the civil and criminal penalties, and confirm that users have signed their acknowledgement. If necessary, the DAVID system has training materials that can be used to help meet these requirements.
6. Is access to the information exchanged monitored on an ongoing basis?
All access to the information must be monitored on an ongoing basis. If available, examine copies of your organization’s prior annual certification statements for control weaknesses. See whether monitoring checks for access after termination, access after a transfer, access at abnormal (outlier) dates and times (nights, weekends), and access that is not for a business-related purpose. If any issues were identified during monitoring, see whether mitigating controls were implemented to prevent recurrence.
7. Is the information exchanged received and transmitted using TLS version 1.2 or higher?
All data received from the FLHSMV shall be encrypted during transmission to Third Party End Users using Transport Layer Security (TLS) version 1.2 or higher. If no documentation of the transport configuration is available, create a data process flow diagram and see whether there are segments where the data travels in an unsecure manner. Note that “supports TLS 1.2” is not the same as “requires TLS 1.2”: confirm that each endpoint also refuses TLS 1.0 and 1.1, and that the verification covers every hop, not just the connection to the State. We identified that our application’s inbound and outbound data traveled unencrypted.
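Two things are worth checking at each hop on the flow diagram: what protocol version a well-configured client actually negotiates, and whether the server still accepts a downgraded handshake. The following is an added example for this article, not code from the author or from FLHSMV; the hostname is a placeholder, and the two network probes are shown for use against your own endpoints rather than run here. It uses only the Python standard library’s `ssl` module.

```python
"""Check the MOU's TLS 1.2-or-higher requirement for a data-exchange endpoint.

Added example: `exchange.example.gov` is a placeholder hostname, and the
two network functions are meant to be pointed at your own endpoints."""
import socket
import ssl

# Ordering of the protocol strings returned by SSLSocket.version().
VERSION_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
REQUIRED_MIN = ssl.TLSVersion.TLSv1_2


def version_meets_mou(version):
    """True if a negotiated protocol string is TLS 1.2 or higher."""
    return VERSION_RANK.get(version, -1) >= VERSION_RANK["TLSv1.2"]


def mou_client_context():
    """Client context that verifies the server certificate and will not
    negotiate below TLS 1.2. Use this in integration code so that a
    downgraded or misconfigured endpoint fails loudly instead of silently."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = REQUIRED_MIN
    return ctx


def context_is_compliant(ctx):
    """Review check for an existing SSLContext: floor at TLS 1.2 and
    certificate verification still on."""
    return ctx.minimum_version >= REQUIRED_MIN and ctx.verify_mode == ssl.CERT_REQUIRED


def negotiated_version(host, port=443, timeout=5.0):
    """Connect with the strict context and report what was negotiated.
    Raises ssl.SSLError if the server cannot meet TLS 1.2 or its certificate
    fails verification; either is an audit finding."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with mou_client_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def accepts_legacy_tls(host, port=443, timeout=5.0):
    """Finding check: does the endpoint still accept TLS 1.0/1.1?
    Certificate checks are off because only handshake acceptance matters here.
    SECLEVEL=0 is required because OpenSSL 3 refuses TLS < 1.2 at its default
    security level, which would make every server look compliant."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_1
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() in ("TLSv1", "TLSv1.1")
    except ssl.SSLError:
        return False  # handshake refused: the endpoint enforces TLS 1.2+


if __name__ == "__main__":
    host = "exchange.example.gov"  # placeholder: substitute the real endpoint
    v = negotiated_version(host)
    print(host, "negotiated", v, "OK" if version_meets_mou(v) else "FINDING")
    print("legacy TLS accepted:", accepts_legacy_tls(host))
```

Run the pair against every endpoint on your flow diagram, including internal hops such as the application-to-database or application-to-file-share legs, and keep the output as workpaper evidence. A server that answers `accepts_legacy_tls` with `True` meets the letter of “TLS 1.2 available” but not the requirement, since a client can still be downgraded to 1.0 or 1.1.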
Tip #4: What is Addendum III?
While reading the MOU, there is mention of complying with Addendum III. You ask the department for a copy but they don’t have it. What is Addendum III and how do you get a copy?
Addendum III is the Department of Highway Safety and Motor Vehicles External Information Security Policy. The policy applies to all agents, vendors, contractors, and consultants (external entities) who use and/or have access to the exchanged data. Request a copy from your State contact at the start of the engagement, since several of the audit objectives above test against its requirements.
Tip #5: Don’t rush your audit.
If you find that you need additional time to perform a comprehensive audit, reach out to your contact and request an extension. Hopefully these five tips help you plan and scope properly, since internal audit resources are allocated according to enterprise priorities. It’s been my experience that the State has always been cordial in granting additional time. I suggest requesting an extension of 90 days to give yourself time to complete the audit and to correct the deficiencies it identifies.
About the Author
Vincent Iovino is the Information Systems Auditor for the City of Gainesville, Florida. He has been an internal IT auditor for 17 years where his goal is to deliver value-add reports by highlighting achievements and providing recommendations in a collaborative manner. His audits utilize a governance, risk, and compliance methodology consisting of the COBIT Framework, NIST special publications, and compliance control objectives such as PCI and HIPAA regulations.