http://www.athensmessenger.com/main.asp?SectionID=1&SubSectionID=273&ArticleID=9229

By CASEY S. ELLIOTT
Staff Writer
The Athens Messenger
3/23/2008

A recently released state audit says Ohio University's information technology department is understaffed, but OU says a plan is in place to add employees.

The audit, released Tuesday by the Ohio State Auditor's Office, covers the period from July 2006 to June 2007. The university has been revamping its information technology operations since several computer security breaches were discovered in 2006 that exposed the personal information of students, faculty, staff and alumni.

The auditors noted that staffing levels in the IT department seem inadequate.

"It was a constant concern to all individuals that were interviewed," the report states. "A large number of previous-year management letter comments were not able to be addressed due to resource constraints that are in place."

The October 2006 management letter for the fiscal year 2006 audit recommended security changes and moving the system towards a centralized one.

The university's response to auditors was that the university has a plan in place to increase staffing levels in the IT department, and that over the next three years, 24 new positions will be added.

Last year, the university's new chief information officer, Brice Bible, outlined a multi-million-dollar plan, which the OU Board of Trustees approved, for revamping information technology operations. It included plans to hire the 24 people over a period of time.

The recently released audit report also raised questions about programmer access in regard to the Student Information System.

"Within SIS, 11 programmers have update access to production program source libraries and data, which creates a segregation of duties conflict," the report states. "In addition, there are 19 users with Power User Functionality within SIS."

The audit recommendation was to review security settings and limit the number of programmers with access to update program source libraries and data. If not feasible, the university should consider systematically logging all program and data changes. They also recommended centralizing network management and security within the university.

The university's response was that only three people are responsible to move the changes to production, even though 11 programmers have access. Also, all requests to move programming changes to production are tracked electronically. The university stated they would consider reducing the number of power users, but the majority of the changes will take place with the new SIS replacement project.

In the audit were recommendations in other areas. The audit recommended that the university revise its journal entry policies to implement an "effective process of checks and balances, and segregation of duties."

University Controller Gina Fetty said the journal entry signing issue was resolved before the auditors left. However, the university knew auditors would still place it in their report, since it was discovered during the audit process.

Other items the auditors felt needed to be addressed included creating a formalized policy on ethics and conduct; conducting an overall risk assessment of the university's control environment; tracking salaried administrative employee vacation time in a centralized location; and updating the employee master file so that employees who have had their pay adjusted, or who have left their job, have that information corrected so checks are not sent out erroneously.

Copyright 2008 The Athens Messenger