<!-- Swiftype Variables -->

Pension Funds

Oregon to act on audit recommendations to improve IT planning, disaster recovery

Oregon Public Employees Retirement System, Salem, plans to implement recommendations made by the audits division of Oregon's secretary of state office in order to improve information technology strategic planning and disaster recovery.

Oregon PERS oversees the administration of the $76.7 billion Oregon Public Employees Retirement Fund.

The retirement system was the subject of an October audit that revealed severe deficiencies in IT efforts that posed "substantial risks to beneficiaries and the state," the audit report said. One area of blame has been numerous pieces of legislation and court rulings on pension reform efforts, the report said.

"Each legislative change required PERS to make changes to how their IT systems operate," the report said. "When legislative reforms were subsequently overturned, some work-in-progress had to be abandoned and already implemented changes needed to be reworked to undo the portions affected by the court cases. According to PERS, these changes also strained the IT capacity of the agency and did not allow foundational IT programs to progress as planned."

In June 2017, the Oregon Legislature instructed PERS to respond to "several security and disaster recovery issues," according to the report, which included the mandate to develop and implement a cybersecurity program. The audit was completed to determine whether the pension fund can improve IT strategic planning practices and whether it can recover their information systems in case of a disaster. The audit found that the PERS staff spent most of its time just maintaining existing IT systems and was not monitoring staff workloads or managing time spent on IT projects.

Among the recommendations, all of which PERS agreed to implement by June 30, 2019 or 2020, are to develop sufficient resources to complete the disaster recovery plan, clearly define security roles and properly vet all individuals before granting access to PERS' IT resources, and ensure that all individuals receive sufficient security awareness training.

In a memo to the audits division, Kevin Olineck, director of Oregon PERS, said: "We are committed to improving our capabilities in these areas and have identified opportunities for improvements in recent years which this audit report validates. We are incorporating these practices as we hone our focus on strategic planning and communication with stakeholders about our continuing progress toward change."