
State audit exposes university network's security flaws

OIT chief: "There’s not something to be worried about"

Published: Wednesday, October 28, 2009

Updated: Wednesday, October 28, 2009 00:10

A state audit has revealed flaws in the university's computer and wireless networks that make them vulnerable to hackers who could access sensitive personal information.

But the Office of Information Technology, which is responsible for protecting the networks, defended its work and called the results an improvement over earlier audits. Jeffrey Huskamp, OIT's vice president and chief information officer, played down the risks and said he was "very pleased with the trajectory that we're on."

"We keep getting better and better," he said. "There's not something to be scared about. There's not something to be worried about."

OIT is responsible for the computer system hosting payroll, student grades, student and employee personal information, financial aid and more. In some instances, hacking would be easy, the audit said. For example, it noted people could access the wireless network in an unsecured mode.

"Wireless connections made involving an unencrypted session exposed the wireless transmissions to improper disclosure," the audit said. "Software is readily available on the Internet that can intercept and scan unencrypted wireless network traffic to obtain confidential information."

The Office of Legislative Audits found four areas of concern:

  • The internal computer network could be accessed through the Internet, meaning unauthorized users could see and change student grades. Also, 23 employees, including three former employees, had unnecessary access to devices protecting the internal network.
  • The firewall protecting the mainframe computer wasn't set up to log all activity or alert network administrators to problems. Security logs weren't regularly reviewed, and when they were, it wasn't documented.
  • The wireless network could be accessed without secure encryption, leaving confidential information open for viewing.
  • Changes to critical system files, such as those for student accounts and financial aid, weren't logged.

The last two concerns were also cited in a January 2006 audit.

In a written response to the audit, the university agreed to fix all the security problems by June 2010.

"We pretty much do this kind of risk mitigation on a regular basis," Huskamp said. "[The Office of Legislative Audits] gives us additional information, then we can use the information to close the hole and make it so it's not a finding anymore."

The OLA conducted the audit from December 2008 to June 2009 by examining records and talking to and observing employees. The university is frequently audited, as dictated by the state legislature, to make sure state funds are properly spent and no laws are violated.

OIT officials stressed the findings in the audit would be taken care of and that the university community shouldn't worry.

"The bottom line is the two auditors spent 15 months digging around trying to find things," Huskamp said. "If you put this much effort into this thing ... that's the kind of risk in this."

OIT did disagree that one of the findings was a "repeat." In its written response, OIT said a recommendation in the last audit that it log changes to system files didn't call those files "critical," and was thus a different recommendation.

A system glitch discovered last March that allowed anyone to access a university account with only the person's e-mail address was not mentioned in the audit, OIT officials said. That hole was repaired after a student brought it to OIT's attention.

cwells at umdbk dot com
