By CASEY S. ELLIOTT
The Athens Messenger
A recently released state audit says Ohio University's information
technology department is understaffed, but OU says a plan is in place to
The audit, released Tuesday by the Ohio State Auditor's Office, covers
the period from July 2006 to June 2007. The university has been
revamping its information technology operations since several computer
security breaches were discovered in 2006 that exposed the personal
information of students, faculty, staff and alumni.
The auditors noted that staffing levels in the IT department seem
"It was a constant concern to all individuals that were interviewed,"
the report states. "A large number of previous-year management letter
comments were not able to be addressed due to resource constraints that
are in place."
The October 2006 management letter for the fiscal year 2006 audit
recommended security changes and moving the system towards a centralized
The university's response to auditors was that the university has a plan
in place to increase staffing levels in the IT department, and that over
the next three years, 24 new positions will be added.
Last year, the university's new chief information officer, Brice Bible,
outlined a multi-million-dollar plan, which the OU Board of Trustees
approved, for revamping information technology operations. It included
plans to hire the 24 people over a period of time.
The recently released audit report also raised questions about
programmer access in regard to the Student Information System.
"Within SIS, 11 programmers have update access to production program
source libraries and data, which creates a segregation of duties
conflict," the report states. "In addition, there are 19 users with
Power User Functionality within SIS."
The audit recommendation was to review security settings and limit the
number of programmers with access to update program source libraries and
data. If not feasible, the university should consider systematically
logging all program and data changes. They also recommended centralizing
network management and security within the university.
The university's response was that only three people are responsible to
move the changes to production, even though 11 programmers have access.
Also, all requests to move programming changes to production are tracked
electronically. The university stated they would consider reducing the
number of power users, but the majority of the changes will take place
with the new SIS replacement project.
In the audit were recommendations in other areas.
The audit recommended that the university revise its journal entry
policies to implement an "effective process of checks and balances, and
segregation of duties."
University Controller Gina Fetty said the journal entry signing issue
was resolved before the auditors left. However, the university knew
auditors would still place it in their report, since it was discovered
during the audit process.
Other items the auditors felt needed to be addressed included creating a
formalized policy on ethics and conduct; conducting an overall risk
assessment of the university's control environment; tracking salaried
administrative employee vacation time in a centralized location; and
updating the employee master file so that employees who have had their
pay adjusted, or who have left their job, have that information
corrected so checks are not sent out erroneously.
Copyright 2008 The Athens Messenger
Subscribe to InfoSec News