KU earns poor score on computer security audit

February 25, 2009, 1:35 p.m. Updated February 25, 2009, 5:48 p.m.


A follow-up audit to a 2005 report on computer security at Kansas University and two other schools has found numerous policy shortcomings.

The Legislative Division of Post Audit report, released Wednesday, said that few of the policy recommendations from its 2005 audit had been fully implemented by the institutions.

The report focused on KU, Kansas State University and Emporia State University.

KU had implemented the fewest policy recommendations from the 2005 audit: five of 33 recommendations.

The policies were aimed at maintaining the security and integrity of information on computer systems at the schools, the audit said. The policies dealt with security best practices in the areas of access controls, data controls, general controls, incident response, operations, physical security, system development, and security management, the report stated.

K-State had implemented seven of 33 recommendations, and Emporia State, 28 of 41.

“Despite their importance, the findings of this follow-up audit show that the three universities generally have done a poor job implementing the policy recommendations from the 2005 audit,” the new audit said.

“While it may be difficult to develop and approve policies in a university setting because of the need to develop consensus among numerous constituencies, the universities have had three years to address these policy recommendations,” the report stated.

Denise Stephens, vice provost for information services at KU, said the school was working to “take closer central control of the network.”

She said KU has reorganized its information technology department.

Even so, state Rep. Virgil Peck Jr., R-Tyro, and chairman of the House-Senate Legislative Post Audit Committee, said several of the committee members were disturbed by the universities’ lack of progress.

He said the committee plans to have the audit division do follow-up reports on a quicker timeframe.


PhilPell 5 years, 1 month ago

Before everyone starts crying "OH, THE MONEY! Where will the money come from?!" at least look at the audit:

Most of these aren't technical controls which require large technology purchases. Nearly all are POLICY issues. It's not a question of heavy engineering but of institutional will.

It'd be easier if it were engineering and money.

KU is so large and its IT assets are so broadly dispersed that getting all of the stakeholders to agree to the policy statements required by the audit borders on the impossible. That being said, it has been done at other institutions and can be done at KU, just not the way it's always been done.

Don't force change from the top, develop it from the bottom. Let faculty and staff know that having a written policy will keep them out of jail in the event of a data breach. Keep regulated information on trusted systems and let the faculty do whatever they want on untrusted systems while making sure that information and access from one does not bleed into the other. Right now it's the wild west because executive management won't support IT best practice and the rank and file know they don't have to listen.

I know most of the IT leadership at KU and they are capable, competent IT professionals. Until they are given support from above to hold the rank and file to current policy they'll never be able to close the audit findings with new, collaborative policies. This is not a failure of Information Technology but of the institution as a whole. That being said, all it would take is for one faculty member to be fined or (heaven forbid) get jail time for mishandling FERPA data and they'd be all ears.


cthulhu_4_president 5 years, 1 month ago

"The KU teams combined must bring in revenue comparable to that of the pros." "So where does all that money go?"

To fund the other 15 or so men's and women's sports that produce zero revenue from tix and merch but still have to be equipped, practice, travel, and play. Just FYI.


kungfumastah 5 years, 1 month ago

KU's network service is pay-to-play. KU Athletics is one of the biggest customers of the KU IT department, therefore they DO reinvest in the university, by purchasing some of the best services KU ITS has to offer. They want to be on the cutting edge of technology, so they pump a lot of money into the various IT services that are offered.

However, they have the money to do it. Does the College of Liberal Arts and Sciences? Probably not. What about the Social Welfare school? Doubt it either.

So not everybody benefits, but they do pump a lot of money back in for their various needs/wants/desires.


Chris Ogle 5 years, 1 month ago

You can't fix stupid

not what MOM said.


irishlad33 5 years, 1 month ago

very, very good question????? lawthing


lawthing 5 years, 1 month ago

I never understood the politics of University athletics. We know that a professional basketball team makes enough to give the players million-dollar bonuses.

The KU teams combined must bring in revenue comparable to that of the pros.

Yet have to pay the players very little outside of some barter scholarships.

So where does all that money go?


davidsmom 5 years, 1 month ago

Good grief, kmat. You get a student ID because that's how the system identifies you. My kids had student IDs in elementary school that followed them to high school graduation. My husband and I have employee IDs. As customers we have customer IDs. As employers we have employer IDs. Where on earth did you get the idea that an ID# means you don't matter?


Marion Lynn 5 years, 1 month ago

Yeah right.

Hackable by any junior high student.


You can't fix stupid.


justthefacts 5 years, 1 month ago

Not a huge fan of sports myself. But anyone who pays attention to bottom line information will realize that for every dime you cut out of a successful sports program, you lose a dollar of other income. That department's success funds a lot of other things. So taking money away from them only hurts the rest of the University, in toto.


irishlad33 5 years, 1 month ago

Amen to that!!!!!!!!!! kmat.....pretty soon the University of Kansas Athletics will be the University formerly known as Kansas University.....UUUUUUHHHHHH....I think I'll go to the University of Kansas Athletics and play either fuutball or basketball and maybe I'll go to the pros and make millions of dollars so I can sit on the bench and scratch me nuts like Gooden and Lefrenz do!!! If by some miracle I don't make the pros then I will go to the local McD's and be assistant manager that makes 10,000 a year. Yeah it is missing a few 000's and a comma but hey it is definitely better than sitting in some stupid classroom and actually applying meself to learning something important. But Burrito Billy Self told me I will make the pros and he is the basketball God so I know I will get mine in the end.......KU athletics and KU university may be different (corporations) but they both contain the name Kansas University so that makes them one in the same. But hey I don't make a six or seven figure salary like the administrators and coaches at KU I know absolutely nothing about nothing.....except that daddy KU at any given time can take as much money out of its son's corporation (KU athletics) and apply it to another daughter say the university computer lab if it wants


kmat 5 years, 1 month ago

They are separate, but shouldn't profit be shared with the university? Not fair that the university struggles, but the athletics dept had more money than they know what to do with.

The problem is that KU doesn't care about the students. I graduated in the early 90's. Even back then, I was told by a dean that the university cared about getting research grant money, not money to improve the school. He said there was a reason we were assigned an ID # and that's all the university thought of us, the students are just #'s.

I love the Jayhawks, but am not proud of KU.


KSChick1 5 years, 1 month ago

OMG. Irishlad do you not know that KU and the Athletics dept are separate corporations? Money for one is not money for the other. Geesh.


irishlad33 5 years, 1 month ago

I'll tell ya where to get it....take it from the national championship basketball program....since they seem to have more money than they know what to do with....Maybe crybaby Burrito Billy Self(ish) will give some of his bonus money or even salary to fix the issue....or maybe not!!!!!! It seems like the right time for KU to wake up and smell the coffee as to what an education really sure the hell ain't bouncing a damn ball around the court. Or maybe it is since KU seems to care more about getting athletes into the pros than getting an athlete a diploma. Phoggy Allen fieldhouse is sure getting a marvelous makeover and the football program has a brand new facility...... but KU can't take the time or effort to fix known problems from an audit report that seem to be a hell of a lot more important. But I can't make the decision because I don't make a six figure salary........


Daniel Kennamore 5 years, 1 month ago

And where, pray tell, are the universities supposed to find the $$$ to implement these recommendations when the state keeps cutting their funding?

