A recently released audit examining the security of state government computer systems demands immediate attention from Kansas officials.
The review, conducted by Legislative Post Audit, determined that the current level of computer security at state government agencies could leave Kansans’ personal information vulnerable and that many Kansas agencies aren’t complying with requirements to provide detailed information technology plans.
State Rep. Peggy Mast, R-Emporia, responded to the report by saying the Kansas Legislature should have “serious hearings” about the security of state computer systems. Even better would be for the state agencies already charged with ensuring proper computer security to act now rather than waiting for legislators to debate the issue.
The audit found that 75 state agencies are running 353 computer systems that contain sensitive data. That’s everything from birth certificates to tax returns and other documents that include what should be tightly guarded Social Security numbers. It also determined that 17 of the 45 agencies that hold information considered “high risk” had not had an independent evaluation of their computer security in the past three years.
That lax attitude has been tolerated, the audit said, by the state’s information technology officials, who “did not follow up on missing plans, and in one year did not send necessary templates and instructions to all agencies.” Officials in the Office of Information Technology Services responded by making excuses about the difficulty of hiring enough computer security experts in Topeka, especially at the current wages, which range from $53,000 to $123,000 a year.
Furthermore, the state computer situation isn’t new, according to Scott Frank, head of the Legislative Post-Audit. The state’s computer security has been reviewed periodically for years, he said, and problems always are found. “I don’t think there was a time when the state had a very solid, well-thought-out approach to security,” he said.
There is no excuse for state agencies not ensuring the security of sensitive information on Kansas residents who are required to provide that information for various purposes. Kansans can choose not to submit a credit card number or other information to purchase something online, but they can’t choose not to comply with state requirements to provide information to complete a voter registration, a tax return or other state business. Once that information is in a state computer system, it is the state’s responsibility to make sure it is secure.
It may be impossible to make the state system 100 percent safe, but the recent audit confirms that Kansas officials are falling far short of doing the best they can to make sure sensitive personal information isn’t compromised.