Legislative Post Audit report identifies IT concerns at state agencies, school districts

By Phil Anderson
Published: Dec. 13, 2022 at 7:17 PM GMT
TOPEKA, Kan. (WIBW) - A report from the Kansas Legislative Division of Post Audit that was released this week identified a number of information technology security concerns found over a three-year period at state agencies and school districts.

The report was made public during a session on Monday at the Statehouse.

According to the report, the Legislative Post Audit division conducted studies on 20 different state entities, including the Kansas Department of Transportation; the Kansas Department for Aging and Disability Services; the Kansas Department of Labor; and the Kansas Public Employees Retirement System.

Other entities in the audit included the University of Kansas; Wichita State University; Kansas State University; Emporia Unified School District 253; and Seaman Unified School District 345.

One of the 20 state entities was audited twice.

The report stated that 10 of the 21 IT audits conducted over the past three years found that entities “did not substantially comply with applicable IT security standards and best practices.”

According to the Legislative Post Audit report, the state agencies and school districts “consistently struggled” in four areas: vulnerability remediation; incident response and continuity of operations planning; security awareness training; and IT system compliance.

“These audit results show security weaknesses exist not only at an entity-wide basis, but more importantly on systems that hold some of the most sensitive data these entities administer,” the report stated. “Without proper account security, data protection and systematic approaches to identify and patch known vulnerabilities and eliminate unsupported products, entities face increased risks of security incidents affecting those systems.”

The report also stated that “state and local entities could face significant consequences if hackers are able to access an entity’s network or confidential data because of poor security controls. A significant security breach could disrupt an entity’s mission-critical work and their reputation would be sorely damaged. A breach also could require costly customer credit report monitoring and could create legal liabilities or financial penalties for school districts of state agencies.”

Officials with the Legislative Post Audit said individual agencies are given the task of making sure their departments are complying with IT standards.

All of the 20 entities audited over the past three years received individual recommendations to fix the problems that were identified.

Alex Gard, a principal IT auditor for the Legislative Division of Post Audit, said the report showed several areas where improvements are needed.

Gard told 13 NEWS that “roughly half or so of the entities didn’t look so great” and that they “had some significant progress that needed to be made.”

Among areas noted for improvement were IT security training for employees of state agencies and school districts.

Gard said “users are kind of one of the first lines of defense in any company or organization.”

He noted that “despite any number of technical controls you could put in place, like computer programs” that would “stop bad guys,” sometimes all a user would have to do “is click on a bad link and it will circumvent all of these controls, and then you’re kind of up a creek.”

The best way to avoid that potential problem, Gard said, “is to train your users and train them regularly and train them in the different types of things they need to be watchful for.”

While precautions to prevent problems need to be taken, Gard said, state agencies and school districts also need to be prepared in the event of an IT security breach: “You want to have your plan in place ahead of time that will help you detect, contain, isolate and figure out how to deal with a problem and get you a solution

Officials said a Legislative Post Audit report that takes a look at IT security at several state agencies and school districts is conducted every three years.

The report that was made public Monday stated that follow-up work for the entities that were audited in 2022 will take place in the fall of 2023.

State Sen. Robert Olson, R-Olathe, who is chairman of the Legislative Post Audit Committee, told 13 NEWS on Tuesday that the state has made marked improvement in information technology security over the past 8 to 10 years.

“From where we started to where we are today,” Olson said, “we’re in much better shape.”

Olson said he believes the state agencies and school districts that have been audited are taking information technology security very seriously.

He added that information technology security at state agencies and school districts has “improved greatly.”

Entities that have been found to be lacking in information technology security report back to the Legislative Post Audit committee within six months to follow up on the progress they are making, Olson said.