Objectives

To determine whether the Department of Corrections and Community Supervision (Department) provides sufficient oversight to ensure that the independent network, kiosks, and tablets used by Incarcerated individuals are secure, and whether secure messaging accessed by these Individuals complies with Department Directives. The audit covers the period from February 2019 through August 2022.

About the Program

The Department is responsible for the confinement and rehabilitation of approximately 31,000 individuals in its custody at 44 facilities throughout the State. The Department has contracted with Securus and its subsidiary JPay Inc. (Provider) to provide incarcerated individuals (Individuals) with access to tablets and kiosks (tablet program). Department-issued directives (Department Directives) contain policies and procedures governing the tablet programs available to incarcerated individuals. Through loaned tablets, general population Individuals have access to Department-approved educational material; the ability to purchase Department-approved music, videos, e-books, and other media; and the opportunity to communicate with family and friends using a fee-based secure messaging system through an account created on the Provider’s website. Individuals in specialty populations are allowed limited access to two types of tablets: a law library tablet that contains access to law library material and a static content tablet that provides telephone access and Department-approved, preloaded applications, such as educational material, videos, e-books, music, and games. While the static and law library tablets used by the specialty populations receive periodic software updates through Wi-Fi, all other tablets are not Wi-Fi enabled, and must be synced to a kiosk to receive updates and to send or receive secure messages. All secure messages are subject to content screening by authorized facility staff. Upon release or transfer out of the Department’s custody or when opting out of the tablet program, the Individual’s assigned tablet shall be returned to the Provider, as outlined in Department Directives. Facility employees are responsible for inspecting the physical security and condition of kiosks daily, and must complete and note any damage or evidence of tampering on a daily safety checklist. The tablet program was implemented in 2019. During the audit period, the Department had 1,093 active kiosks and 26,563 active general population tablets. According to the State’s Information Security Policy, all State government entities, including their third parties (e.g., local governments, consultants, vendors, and contractors) are required to maintain systems at a vendor-supported level to ensure the accuracy and integrity of information.

Key Findings

• According to the Department, it is not responsible for the tablet program, which it describes as a relationship between the Provider and Individuals. This position has resulted in limited assurance of compliance with Department Directives.
• The Department does not know how many Individuals have opted in/out of the tablet program and does not internally monitor the number of active tablets at its facilities. Instead, the Department relies on the Provider to maintain these records at both the statewide and facility levels.
• The Department does not verify the identity of community members who are in correspondence with Individuals through secure messaging, and its secure message content screening process does not adequately capture all risks to Individuals and others.
• The Department is not adequately overseeing the security and configuration of certain assets, and does not ensure systems are maintained at vendor-supported levels required to preserve the accuracy and integrity of Department information.

Key Recommendations

• Strengthen the Department’s responsibility and role in the relationship between the Provider and Individuals.
• Develop, implement, and adhere to an internal process to effectively monitor program participation and tablet inventory at both the facility and statewide levels.
• Implement a process to ensure that Individuals’ correspondence with community members via secure messaging complies with Department Directives.
• Ensure that systems are maintained at vendor-supported levels. Until then, the Department should work with the Office of Information Technology Services to submit the required exception request form.
• Implement the remaining technical recommendations detailed in the preliminary report.