IOWA CITY — Many of the technology practices and systems used by University of Iowa police do not comply with best practices or federal mandates, leaving spaces, computer servers and “sensitive and confidential data” vulnerable.
“Department of Public Safety management should ensure all employees who have physical access to restricted areas have background checks, fingerprints on file with the department and have completed the required level of (federal) training,” according to an internal audit made public this week.
The audit, to be reviewed at next week’s Board of Regents meeting, found 13 areas of concern — warranting the highest warning that findings could “seriously affect several areas within the university” and expose the UI to “unacceptable risks or liability.”
“Hardware infrastructure within (the Department of Public Safety) is not aligned with security best practices and ITS policies, increasing the risk to highly sensitive data,” according to the audit.
The critical audit comes on the heels of an equally critical audit of UI public safety’s emergency preparedness — including its ability to handle bomb threats, health crises and hostage situations.
On the information technology audit, UI Department of Public Safety Director Scott Beckner said he appreciates the internal review and stressed, “Nothing in this audit poses a risk to the physical safety of students, faculty or staff on campus.”
“Keeping up with advancements in information technology and cybersecurity is a growing challenge for law enforcement agencies nationally,” Beckner said in a statement. “Our department now has a valuable road map for how we can align our information technology infrastructure and cybersecurity practices with best practices.”
Specifically, Beckner cited the need to partner with the broader campus’ new OneIT initiative — a point of criticism in the audit.
Auditors found that while the university is moving toward a unified, integrated technology community, “DPS has not been an active voice in the process due to the lack of a formal IT unit or dedicated IT staff and management.”
In fact, according to the audit, UI public safety has one person providing “critical technology infrastructure support” and a second person performing support tasks, “for which they were not hired.”
The UI told The Gazette that Josh Kennedy, security supervisor, provides IT support for the department, along with Dave Visin, an associate director of the department.
The recent audit raises concerns around the department’s “data retention and disposal policies,” reporting they haven’t been reviewed and documented, “increasing the risk that DPS data will not be managed in compliance with (federal) and university policies.”
According to the audit, most DPS data is stored indefinitely, “increasing the risk associated with data breaches and the costs incurred for storage and maintenance of excessive data.”
Also, security settings “contain multiple weaknesses,” increasing the risk that sensitive data could be accessed by unauthorized people. For example, auditors found seven administrator accounts with passwords that never expire, including four assigned to external vendors.
In terms of the UI department’s physical spaces, auditors found Iowa is not consistently meeting federal policy, which requires background checks, fingerprints on file and biennial training for employees with access to restricted areas.
The two public safety employees providing IT support for network and system administration have not completed the required training, according to the audit. Neither have public safety workers handling cash and credit cards.
Four employees who have access to restricted spaces — like the evidence room and data center — don’t have fingerprints on file. And seven employees reportedly received no federal training, despite having access to restricted areas.
Three former student workers retained access to the department’s perimeter doors after their employment ended, the audit said.
“One individual with no confirmed affiliation with DPS also had access to perimeter doors,” according to the audit, which added, “Individuals with access to personal or sensitive data do not consistently lock office doors and workstations when they are not present.”
Auditors questioned whether one of the restricted doors had a maintenance problem due to an excessive amount of “forced door” alerts in the past month. Restricted doors also had a high number of “door held open” alerts, indicating employees hold doors open regularly.
UI officials told The Gazette the department already has made progress on audit recommendations, and it’s partnering with the broader campus to complete the rest of the recommendations by a 2021 deadline.
“It is important to do this right, and that process will require time, expertise and collaboration across various disciplines to ensure access to programs that are necessary for daily operations are not interrupted,” according to a UI statement.
Comments: (319) 339-3158; firstname.lastname@example.org