[ISN] Security breach report comes out, recommends suspensions

From: InfoSec News (isn@private)
Date: Fri Jun 23 2006 - 12:38:50 PDT


http://thepost.baker.ohiou.edu/articles/2006/06/22/news/14120.html

Sean Gaffney
skatripp at gmail.com
June 22, 2006

Ohio University suspended two administrators and created a new
position at the recommendation of a network security report Tuesday.

The university suspended Tom Reid, director of Communication Network
Services and Computer Services, and Todd Acheson, manager of Internet
and Systems, until a disciplinary investigation is completed, according
to a university news release. Both men will still be paid while on
suspension.

At a later date, Reid and Acheson will have a chance to respond to the
findings prior to the university's final determination, which could
include termination, according to the news release.

Two independent consultants have been brought in to temporarily manage
the Central Information Technology Management Team, according to the
release.

The report follows a three-week comprehensive analysis of the network
security breaches conducted by Moran Technology Consulting of
Naperville, Ill. The audit analyzed the department and employees,
searching for negligence or faults that contributed to the security
breaches, according to the release.

A new position, Chief of Staff to the Chief Information Officer, has
been created and a national search has been launched to fill the
position, according to the release. Bill Sams is presently the
chief information officer and associate provost for information
technology.

As a result of the report, the Information Technology departments will
be restructured to establish "clear roles, responsibilities, and
accountabilities," according to the release.

Two departments, CNS and Computer Services, were already combined to
ease unnecessary competition and friction that contributed to
department malfeasance. Unnecessary competition between the
departments resulted in negligence, Sams has said in previous
interviews.

OU President Roderick McDavis is working with university officials
and others to solve the problem.

"I am angry and embarrassed by the computer security system lapses
that were undetected before my time as leader of the university,"
McDavis said in the release.

McDavis decreased the IT budget by $1 million since taking office in
2004. There was a 3 percent reduction in the IT budget last year, and
as a 12 percent reduction was being implemented this year, the
security breaches were detected, said university spokesman Jack
Jeffery.

That was "part of the standard reductions made across the university,"
during the 2006 fiscal year, Jeffery said. "We wanted to make sure we
weren't cutting from the academic programs," he added.

Sams has previously said that the university has reached a critical
point in budget cuts and will need to replace funds in the IT budget.

Next week, McDavis will request that the OU Board of Trustees
"authorize up to $2 million to invest in securing information
technology systems," according to the release.

The total cost to recover from the security breaches will be millions
of dollars, Sams said.

Since April 21, 365,000 personal identities have been compromised in
security breaches at Ohio University.

The latest breach was detected on a university computer that housed
IRS 1099 tax forms for 2,480 vendors and independent contractors who
worked for the university between 2004 and 2005, according to the
university's Web site. The university also discovered that a computer
hosting a "variety of Web-based forms" that included class lists
containing the social security numbers of about 4,900 current and
former students had been accessed.

The data is fragmentary and it is not certain if the compromised
information can be traced to individuals, according to the
university's Web site.

Employees, students, alumni and contractors have been urged to monitor
credit reports and request that fraud watches be placed on their
reports. About 24 people have expressed to the university that they
have been victims of identity theft in the past year, according to an
Associated Press article.

Copyright © 2006 The Post


