Archive for Wednesday, February 25, 2009

KU earns poor score on computer security audit

February 25, 2009, 1:35 p.m. Updated February 25, 2009, 5:48 p.m.


— A follow-up audit to a 2005 report on computer security at Kansas University and two other schools has found numerous policy shortcomings.

The Legislative Division of Post Audit report, released Wednesday, said that few of the policy recommendations from its 2005 audit had been fully implemented by the institutions.

The report focused on KU, Kansas State University and Emporia State University.

KU had implemented the fewest policy recommendations from the 2005 audit: five of 33 recommendations.

The policies were aimed at maintaining the security and integrity of information on computer systems at the schools, the audit said. The policies dealt with security best practices in the areas of access controls, data controls, general controls, incident response, operations, physical security, system development, and security management, the report stated.

K-State had implemented seven of 33 recommendations, and Emporia State, 28 of 41.

“Despite their importance, the findings of this follow-up audit show that the three universities generally have done a poor job implementing the policy recommendations from the 2005 audit,” the new audit said.

“While it may be difficult to develop and approve policies in a university setting because of the need to develop consensus among numerous constituencies, the universities have had three years to address these policy recommendations,” the report stated.

Denise Stephens, vice provost for information services at KU, said the school was working to “take closer central control of the network.”

She said KU has reorganized its information technology department.

Even so, state Rep. Virgil Peck Jr., R-Tyro, and chairman of the House-Senate Legislative Post Audit Committee, said several of the committee members were disturbed by the universities’ lack of progress.

He said the committee plans to have the audit division do follow-up reports on a quicker timeframe.


Daniel Kennamore 9 years, 3 months ago

And where, pray tell, are the universities supposed to find the $$$ to implement these recommendations when the state keeps cutting their funding?

KSChick1 9 years, 3 months ago

OMG. Irishlad do you not know that KU and the Athletics dept are separate corporations? Money for one is not money for the other. Geesh.

kmat 9 years, 3 months ago

They are separate, but shouldn't profit be shared with the university? Not fair that the university struggles, but the athletics dept had more money than they know what to do with.

The problem is that KU doesn't care about the students. I graduated in the early 90's. Even back then, I was told by a dean that the university cared about getting research grant money, not money to improve the school. He said there was a reason we were assigned an ID # and that's all the university thought of us, the students are just #'s.

I love the Jayhawks, but am not proud of KU.

justthefacts 9 years, 3 months ago

Not a huge fan of sports myself. But anyone who pays attention to bottom line information will realize that for every dime you cut out of a sucessful sport's program, you lose a dollar of other income. That department's success funds a lot of other things. So taking money away from them only hurts the rest of the University, in toto.

davidsmom 9 years, 3 months ago

Good grief, kmat. You get a student ID because that's how the system identifies you. My kids had student IDs in elementary school that followed them to high school graduation. My husband and I have employee IDs. As customers we have customer IDs. As employers we have employer IDs. Where on earth did you get the idea that an ID# means you don't matter?

lawthing 9 years, 3 months ago

I never understood the politics of University athletics. We know that a professional basketball team makes enough to give the players million dollar bonus's.

The KU teams combined must bring in revenue comparible to that of the pro's.

Yet have to pay the players very little outside of some barter scholarships.

So where does all that money go?

Chris Ogle 9 years, 3 months ago

You can't fix stupid

not what MOM said.

cthulhu_4_president 9 years, 3 months ago

"The KU teams combined must bring in revenue comparible to that of the pro's." "So where does all that money go?

To fund the other 15 or so men's and women's sports that produce zero revenue from tix and merch but still have to be equipped, practice, travel, and play. Just FYI.

PhilPell 9 years, 3 months ago

Before everyone starts crying "OH, THE MONEY! Where will the money come from?!" at least look at the audit:

Most of these aren't technical controls which require large technology purchases. Nearly all are POLICY issues. It's not a question of heavy engineering but of institutional will.

It'd be easier if it were engineering and money.

KU is so large and its IT assets are so broadly dispersed that getting all of the stakeholders to agree to the policy statements required by the audit borders on the impossible. That being said, it has been done at other institutions and can be done at KU, just not the way it's always been done.

Don't force change from the top, develop it from the bottom. Let faculty and staff know that having a written policy will keep them out of jail in the event of a data breach. Keep regulated information on trusted systems and let the faculty do whatever they want on untrusted systems while making sure that information and access from one does not bleed into the other. Right now it's the wild west because executive management won't support IT best practice and the rank and file know they don't have to listen.

I know most of the IT leadership at KU and they are capable, competent IT professionals. Until they are given support from above to hold the rank and file to current policy they'll never be able to close the audit findings with new, collaborative policies. This is not a failure of Information Technology but of the institution as a whole. That being said, all it would take is for one faculty member to be fined or (heaven forbid) get jail time for mishandling FERPA data and they'd be all ears.

Commenting has been disabled for this item.