Security weaknesses in the University of Wisconsin System’s IT infrastructure increase the risk it could be subject to a cyberattack or that student data could be exposed, a new state audit has found.
The audit says the UW System failed to develop a “comprehensive IT security program” as recommended in prior audits — and as required by the policy of its Board of Regents.
The nonpartisan state Legislative Audit Bureau issued the audit Tuesday. It said the security weaknesses identified in the audit “increase the risk that unauthorized or erroneous transactions could be processed or changes could be made to accounting, payroll, and student data.”
“Failure to provide an appropriate level of protection for UW systems and data increases the risk that personally identifiable information could be accidentally or maliciously exposed,” the audit said.
The audit recommends UW System officials report to lawmakers by August on their progress improving IT security.
Auditors noted they reported weaknesses in UW System’s IT security in previous audits of the System for the 2014-15 and 2015-16 fiscal years. The UW System is working to implement some of its past recommendations to bolster IT security, but the new audit identifies an additional area of concern — details of which were shared with the affected institutions in confidential memos.
“We determined that the detailed results of our review were too sensitive to communicate publicly,” the audit said.
UW System President Ray Cross, in a response to the audit findings included in the document, said the System looks forward to updating lawmakers by Aug. 31, as the audit recommends.
UW System spokeswoman Stephanie Marquis said work is underway throughout the System to bring IT security practices in line with national standards.
“We value the input the Audit Bureau has provided as we continue to implement best practices,” Marquis said.