News Column

Audit: State lacks good computer security ; Audit: 353 systems contain sensitive data

July 23, 2014

Andy Marso; Andy Marso andy.marso@cjonline.com

The state's lack of computer security may make citizens' personal information vulnerable, according to an audit released Tuesday.

The state's internal auditors described information technology security as a longstanding problem in Kansas government, and legislators on the Legislative Post Audit Committee asked the state's information technology agency to provide an estimate of what it would cost to implement the auditors' recommendations.

"It's time that we really address this," said Rep. Peggy Mast, R- Emporia.

Mast said the Legislature should have "serious hearings" about the state's ability to protect sensitive information within agency computer systems.

The audit determined that 75 state agencies are running 353 computer systems that contain sensitive data.

By law, agencies are required to submit three-year information technology plans, but auditors determined that not all agencies were following that law because "agencies think they are time consuming and provide little value to them."

The audit also found little oversight of that requirement, noting that the state's "Chief Information Technology Architect did not follow up on missing plans, and in one year did not send necessary templates and instructions to all agencies."

The audit also determined that 17 of the 45 agencies that hold data considered "high risk" had not had an independent evaluation of their security in the past three years.

Anthony Schlinsog, director of the state's Office of Information Technology Services, was not available to answer questions Tuesday. John Byers, the office's chief information security officer, said the office struggles to find enough computer security experts in Topeka.

Compliance requirements prohibit his office from outsourcing security work to the private sector, so Byers said his agency would have to look to recruit experts from outside the area and bring them to Topeka.

"That will not be an easy task at our current wages," Byers said.

Auditors found that computer security employee pay ranges from $53,000 to $123,000, depending on the state agency.

Sen. Julia Lynn, a member of the Legislative Post Audit Committee whose private sector experience includes recruiting information technology specialists for clients of Allied Global Services, said Byers was correct.

"It's difficult to find really good IT people in the private sector that are going to come in and work for these salaries," Lynn said. "These are really low for the kinds of positions that are out there."

Rep. Tom Burroughs, D-Kansas City, said the state should proceed in securing citizens' personal information, regardless of cost.

Scott Frank, head of the Legislature's division of post audit, said the division has been auditing the state's computer security periodically for years and has always found problems.

"I don't think there was a time when the state had a very solid, well-thought-out approach to security," Frank said.

The most secure agencies, Frank said, tend to be those like the state treasurer and the state pension system, that auditors nicknamed "ATM" agencies or "the ones you can pull money out of."

But other agencies operate computer systems that have personally identifiable information that could be used by identity thieves. The state's computer system is disjointed, and security levels vary widely from agency to agency, auditors said.

"I think it's time for the state to really take a look at a rational, organized approach to security," Frank told the committee.


For more stories covering the world of technology, please see HispanicBusiness' Tech Channel



Source: Topeka Capital Journal (KS)


Story Tools






HispanicBusiness.com Facebook Linkedin Twitter RSS Feed Email Alerts & Newsletters