[ISN] Audit reaffirms need for more IT staff at OU

From: InfoSec News (alerts@private)
Date: Tue Mar 25 2008 - 00:12:39 PST


http://www.athensmessenger.com/main.asp?SectionID=1&SubSectionID=273&ArticleID=9229

By CASEY S. ELLIOTT
Staff Writer
The Athens Messenger
3/23/2008

A recently released state audit says Ohio University's information 
technology department is understaffed, but OU says a plan is in place to 
add employees.

The audit, released Tuesday by the Ohio State Auditor's Office, covers 
the period from July 2006 to June 2007. The university has been 
revamping its information technology operations since several computer 
security breaches were discovered in 2006 that exposed the personal 
information of students, faculty, staff and alumni.

The auditors noted that staffing levels in the IT department seem 
inadequate.

"It was a constant concern to all individuals that were interviewed," 
the report states. "A large number of previous-year management letter 
comments were not able to be addressed due to resource constraints that 
are in place."

The October 2006 management letter for the fiscal year 2006 audit 
recommended security changes and moving the system towards a centralized 
one.

The university's response to auditors was that the university has a plan 
in place to increase staffing levels in the IT department, and that over 
the next three years, 24 new positions will be added.

Last year, the university's new chief information officer, Brice Bible, 
outlined a multi-million-dollar plan, which the OU Board of Trustees 
approved, for revamping information technology operations. It included 
plans to hire the 24 people over a period of time.

The recently released audit report also raised questions about 
programmer access in regard to the Student Information System.

"Within SIS, 11 programmers have update access to production program 
source libraries and data, which creates a segregation of duties 
conflict," the report states. "In addition, there are 19 users with 
Power User Functionality within SIS."

The audit recommendation was to review security settings and limit the 
number of programmers with access to update program source libraries and 
data. If that is not feasible, the university should consider 
systematically logging all program and data changes. The auditors also 
recommended centralizing network management and security within the 
university.

The university's response was that only three people are responsible for 
moving the changes to production, even though 11 programmers have access.

Also, all requests to move programming changes to production are tracked 
electronically. The university stated they would consider reducing the 
number of power users, but the majority of the changes will take place 
with the new SIS replacement project.

The audit also included recommendations in other areas.

The audit recommended that the university revise its journal entry 
policies to implement an "effective process of checks and balances, and 
segregation of duties."

University Controller Gina Fetty said the journal entry signing issue 
was resolved before the auditors left. However, the university knew 
auditors would still place it in their report, since it was discovered 
during the audit process.

Other items the auditors felt needed to be addressed included creating a 
formalized policy on ethics and conduct; conducting an overall risk 
assessment of the university's control environment; tracking salaried 
administrative employee vacation time in a centralized location; and 
updating the employee master file so that employees who have had their 
pay adjusted, or who have left their job, have that information 
corrected so checks are not sent out erroneously.

Copyright 2008 The Athens Messenger

