The Joint Technology Committee authorized drafting of a bill concept that would allow JTC to request an independent information‑security audit of the Office of Information Technology (OIT) and its vendor contractors through the Office of the State Auditor (OSA). The chair explained that OSA would retain professional discretion over audit methodology and contractor selection, and that OSA would contract with qualified IT security firms to perform technical testing if appropriate.
Committee materials listed four potential triggers for the audit: (1) a credible breach of, or data exfiltration from, a state IT system or a vendor-managed system that processes state data; (2) a failure by the CISO to report (the committee agreed to strike this trigger); (3) remediation verification, meaning a committee vote within 90 days to verify OIT's claim that recommendations have been remediated; and (4) a material discrepancy between an annual OIT report and prior audits or information requests. The auditor's report would be transmitted to JTC, the Legislative Audit Committee, the Joint Budget Committee and the governor within 180 days.
Members discussed scope (a process audit versus forensic or system-level technical testing) and cost. The chair said OSA routinely contracts industry experts; members noted that forensic audits are generally used in criminal investigations, but that contracted vendors can test systems where needed. The committee discussed tailoring scope to save money; staff cited an estimated audit contract cost in the range of $150,000 to $500,000 and noted that the Technology Risk Prevention and Response (TRPR) fund held about $7.5 million entering the year.
The committee voted to give drafting authority for the independent IT security audit concept; staff will prepare language that clarifies triggers, scope, procurement approach and reporting timelines for the committee's review.