University of Wisconsin System officials are being admonished to make progress on long-identified weaknesses in the university’s information technology security, as recommended in a report by the Legislative Audit Bureau.
Administrators have failed to develop a comprehensive system-wide IT security program, as previously urged by state auditors and specified in policy adopted by the UW Board of Regents in 2015, the LAB report said.
“IT security is critical,” said Rep. Samantha Kerkman, R-Salem Lakes, and co-chair of the Assembly’s Joint Audit Committee. “I appreciate the work of UW System to address previously-identified IT weaknesses. However, it is clearly time for a comprehensive approach.”
UW should report its progress on a comprehensive system-wide IT security program to Kerkman’s committee by Aug. 21, the LAB said.
LAB has reported various concerns related to IT security policies, procedures and controls at UW System since the early 1990s, the audit report said.
“Although UW System Administration has taken some steps to address IT weaknesses identified by LAB, such weaknesses increase the risk that unauthorized or erroneous transactions could be processed or changes could be made to accounting, payroll and student data,” the report said.
What’s more, inadequate security increases the risk of identity theft for those with information on the system, LAB said. “Failure to provide an appropriate level of protection for UW systems and data increases the risk that personally identifiable information could be accidentally or maliciously exposed.”
And poor security makes UW’s IT system vulnerable to attack, the audit bureau found.
“Finally, ineffective or inconsistent general IT controls may lead to increased risks of cyberattacks and loss of data or intellectual property, which could lead to a significant financial loss,” the audit report said.
Some of the findings of LAB’s review “were too sensitive to communicate publicly,” and were transmitted to the institutions involved in confidential memoranda, the report said.
LAB reported weaknesses in UW System’s IT security policies, procedures, and controls during audits for fiscal years 2014-15 and 2015-16, along with recommendations for the development of system-wide IT security policies and procedures, implementation of corrective actions to concerns at individual institutions, and procedures for assessing the level of protection provided for UW systems and data.
Individual institutions have taken steps to respond to LAB recommendations for them, including password controls, the LAB report said.
“However, many of these corrective actions were completed late during FY 2016-17, and we also identified new areas of concern,” the report said.
UW has developed system-wide policies in five areas, but other areas of concern have not yet been addressed, LAB said.
UW System President Ray Cross said in a written response to LAB that the system is “committed to being responsible stewards of its information technology systems and data.”
In 2017, the UW System approved continued implementation of information security policies and procedures that address authentication, security awareness, data classification, incident response and acceptable use, Cross said, itemizing the five areas of progress noted by LAB.
“Protecting our systems is a priority, and we continue to take the necessary steps to develop and maintain a comprehensive IT security program,” System spokeswoman Stephanie Marquis said Tuesday. “We value the input the Audit Bureau has provided as we continue to implement best practices.”
UW’s report to the Legislature next summer on the status of the development of a comprehensive IT security program should include policies and standards established and a summary of steps it has taken to address high-risk areas identified by a third-party vendor, LAB said.