REPORT DIGEST
HUMAN RIGHTS COMMISSION
COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2019
Release Date: November 5, 2020

FINDINGS THIS AUDIT: 4

CATEGORY      NEW   REPEAT   TOTAL
Category 1      1      2       3
Category 2      0      0       0
Category 3      0      1       1
TOTAL           1      3       4

FINDINGS LAST AUDIT: 4

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887. This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (19-01) The Human Rights Commission (Commission) did not publish its decisions timely.
• (19-02) The Commission did not maintain adequate internal controls related to cybersecurity and the security and control of confidential information.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

DECISIONS NOT PUBLISHED TIMELY

The Human Rights Commission (Commission) did not publish its decisions timely. We noted the following:

• Fourteen of 18 (78%) decisions tested were published to the Commission's website 126 to 805 days after the decisions were made.
• Two of 22 (9%) decisions tested were published to the Commission's website 404 days after the decisions were made.

In addition, 9 of 40 (23%) decisions tested were not published to the Commission's website as of the date of testing. As of the date of testing, 640 to 1,158 days had elapsed since these decisions had been rendered. (Finding 1, pages 12-13)

This finding has been repeated since 2007.

We recommended the Commission publish decisions within the timeframes outlined in the Act.

The Commission agreed with the finding and indicated corrective action has been taken.

WEAKNESSES REGARDING CYBERSECURITY AND THE SECURITY AND CONTROL OF CONFIDENTIAL INFORMATION

The Commission did not maintain adequate internal controls related to cybersecurity and the security and control of confidential information.

The Commission had computer systems that contained confidential or personal information such as names, addresses, and Social Security numbers. During the examination of the Commission's cybersecurity program, practices, and control of confidential information, we noted the Commission:

• Failed to establish and communicate policies, procedures, and processes to manage and monitor the regulatory, legal, environmental, and operational requirements;
• Failed to establish and document cybersecurity roles and responsibilities;
• Failed to perform a comprehensive risk assessment to identify and ensure adequate protection of information (i.e., confidential or personal information) most susceptible to attack;
• Failed to classify data to establish the types of information most susceptible to attack to ensure adequate protection; and
• Lacked formalized procedures to identify and protect personal or confidential information, including notification procedures in the event of a breach of security. (Finding 2, pages 14-15)

This finding has been repeated since 2015.

We recommended the Commission:

• Establish and communicate the Commission's security program (formal and comprehensive policies and procedures) to manage and monitor the regulatory, legal, environmental, and operational requirements.
• Establish and document cybersecurity roles and responsibilities.
• Perform a comprehensive risk assessment to identify and classify data to ensure adequate protection of confidential or personal information most susceptible to attack.
• Classify data to establish the types of information most susceptible to attack to ensure adequate protection.
• Establish formalized procedures to identify and protect personal and confidential information, including notification procedures in the event of a breach of security.

The Commission partially agreed with the finding, and stated it has no in-house staff wholly dedicated to cybersecurity matters, as these functions have been primarily assigned to the Department of Innovation and Technology (DoIT). The Commission stated it will review and update its policies and inquire with DoIT as to possible training and process improvements.

OTHER FINDINGS

The remaining findings pertain to inadequate controls over performance reporting and vacancies on the Illinois Torture Inquiry and Relief Commission.

We will review the Commission's progress towards the implementation of our recommendations in our next compliance examination.

ACCOUNTANT'S OPINION

The accountants conducted a compliance examination of the Commission for the two years ended June 30, 2019, as required by the Illinois State Auditing Act. The accountants stated the Commission complied, in all material respects, with the requirements described in the report.

This compliance examination was conducted by the Office of the Auditor General's staff.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:meg