Leaked reports from the
"AUB's IT environment is insecure," revealed an internal report issued by AUB, which Al-Akhbar was able to obtain recently.
The report, which was supposed to be published months ago, states a summary of the finds by the
The IT environment at AUB is improperly protected because it seriously lacks the knowledge concerning confidentiality, policies and procedures, as well as the absence of mechanisms to log-on and an awareness of data integrity. The report comes about after the university's Internal Audit Office (IAO) seeked to gain access to a specific mailbox.
"Because the needed mailbox data was stored on an encrypted archival tape, it was not readily accessible," the report stated, adding the entire email database was restored to hard disks.
"Asserting that IT did not possess the needed software tool to extract specific mailboxes from the disks in a form that would allow the establishment of an audit trail, IA[O] took possession of the disks and moved them to the IA[O] office," the report noted.
At this point, the IAO did not approach the IT department to seek a technical solution, rather copied all the database onto two hard disks which were then removed from the
While members from the IT department were invited to attend (the disk-destroying ceremony), they did not as "the disks had no verifiable chain of custody, and could not confirm that the disks being destroyed were the original and only copies of the database."
The FWG was then mandated to follow up on concerns raised by two senior staff members of the IT department in terms of data privacy after news broke in
While sources claimed that the two senior staff members were subsequently expelled from the university over these objections, another source stated that the expulsion was related to the IAO's discovery that there were shortcomings in their work, particularly in terms preserving information security and confidentiality.
The leaked report reveals a hidden dispute between the ITO and the IAO concerning the management of the confidentiality of the data. Al-Akhbar tried to get answers regarding this subject from the university's administration, who waited two days before announcing that it will not comment on the content of the report currently in Al-Akhbar's possession.
The university's administration stated that it will soon comment on the issue and publish an official report.
AUB's official report concluded that the IT environment of the university is insecure, and indeed the entire database of the university was copied and transferred from the
The report also notes that the FWG was composed of members of the faculty with the aim of investigating the incident.
Ten interviews were conducted in
Sources have alluded there are charges against a senior staff member in the university for smuggling the data to
The report also notes the university's administration refused the request by the FWG to conduct interviews with members of the IT department within the IAO, despite the fact the FWG had already met with Cartwright. Furthermore, the FWG was denied access to relevant documents possessed by the IA office and the Vice President of Legal Affairs.
This has led to the conclusion that the FWG's work is still incomplete and loopholes remain, thereby motivating the university's senior management to insist on keeping the report's findings under wraps.
The report also states that since the beginning of 2013 the IAO had been seeking to gain access to the mailbox database without offering any clarifications for why it seeks to do so, whether in terms of looking into security, criminality, or a request by Lebanese authorities or foreign security services.
The FWG report ends with a set of conclusions and recommendations, notably that the IT environment at AUB is improperly protected because it seriously lacks the knowledge concerning confidentiality, policies and procedures, as well as the absence of mechanisms to log-on and an awareness of data integrity.
The report pointed out that the security measures currently in place that manages and stores communications and emails were insufficient.
According to information obtained by Al-Akhbar, one student within the
In regards to the security and confidentiality of the university's data, the report noted that communication between the IA office, IT office, and upper management lacked clarity, timeliness, and documentation.
It added that the mailbox data needed for the IA's investigations could have been retrieved from disks from the
"There appears to have been no valid reason for IA to remove the disks from the Data Center," the report said, concluding that "a policy should be developed which disallows removal of data from the
This article is an edited translation from the Arabic Edition.
Most Popular Stories
- Obama Administration Releases Proposal to Regulate For-Profit Colleges
- Elizabeth Vargas' Husband Marc Cohn Addresses Rumors
- Keurig Adds Peet's coffee, Alters Starbucks deal
- Quiznos Files for Chapter 11
- U.S. to Relinquish Gov't Control Over Internet
- Is Malaysian Airlines Flight 370 in Andaman Sea?
- Koch Brothers Step up Anti-Obamacare Campaign
- SoCalGas Reaches Record Spend on Diversity Suppliers
- Vybz Kartel Convicted of Murder
- U.S. Consumer Sentiment Falls in Early March