A legislative committee says three of the state's largest universities didn't take enough of its recommendations to change school IT policies for computer safety.
Back in 2005 the committee reviewed the IT security for Emporia State University, the University of Kansas and Kansas State University. At that time, the committee made policy recommendations. Recently, it checked up on the schools again to see whether the universities had made the recommended changes.
The report shows ESU fully implemented 28 of its 41 recommendations; KSU implemented seven of 33; and KU implemented five of 33.
Emporia State University President, Dr. Mike Lane, said that number comes from a variety of things. "There are a couple of points in the confidential side of it with which we don't agree. In fact, there are other state policy boards that define things with which we are compliant and LPA said, 'you need to change in additional manners.' We probably are not gonna make those changes," Lane said.
Lane also said ESU is only about halfway through the recommended changes and will continue to better the university's computer security.
"We do have several more things that our technical staff will be looking at over the next year," said Lane, who insists that even before the changes began, the university's private information was secure.
He said some of the recommendations may not be necessary or cost effective. "Security is very important but you always have to weigh a cost-benefit analysis on what security is. It doesn't make sense to spend $100 to save $5," Lane said.
"When you get somebody like Legislative Post Audit to come in and do a review you're getting an independent set of eyes that look at it and give you an opportunity to see things from a different perspective," Lane said. "So I don't think we had a significant risk in 2000, but I do think the suggestions that they made, which we've implemented to date and the suggestions that we'll implement over the next year-and-a-half, will improve security."
Lane adds that some changes at Emporia were coming whether there was an audit or not. "We've really made a variety of changes, some of which came directly as a result of the Legislative Post Audit, some of which came as a result of the fact that we changed our enterprise resource programming system. We now have an entirely new system," Lane said.
Part of that new system includes moving away from using student social security numbers as identifiers and implementing clean desk, clean screen policies so that if a faculty or staff member leaves their desk, after a specified period of time they'll have to log back in.