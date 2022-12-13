TOPEKA, Kan. (WIBW) - A report from the Kansas Legislative Division of Post Audit that was released this week identified a number of information technology security concerns found over a three-year period at state agencies and school districts.

The report was made public during a session on Monday at the Statehouse.

According to the report, the Legislative Post Audit division conducted studies on 21 entities state agencies including the Kansas Department of Transportation; the Kansas Department for Aging and Disability Services; the Kanas Department of Labor; and the Kansas Public Employees Retirement System.

Other entities included in the audit included the University of Kansas; Wichita State University; Kansas State University; Emporia Unified School District 253; and Seaman Unified School District 345.

The report stated that 10 of the 21 entities that were audited in the past three years “did not substantially comply with applicable IT security standards and best practices.”

According to the Legislative Post Audit report, agencies and school districts “consistently struggled” in four areas: vulnerability remediation; incident response and continuity of operations planning; security awareness training; and IT system compliance.

“These audit results show security weaknesses exist not only at an entity-wide basis, but more importantly on systems that hold some of the most sensitive data these entities administer,” the report stated. “Without proper account security, data protection and systematic approaches to identify and patch known vulnerabilities and eliminate unsupported products, entities face increased risks of security incidents affecting those systems.”

The report also stated that “state and local entities could face significant consequences if hackers are able to access an entity’s network or confidential data because of poor security controls. A significant security breach could disrupt an entity’s mission-critical work and their reputation would be sorely damaged. A breach also could require costly customer credit report monitoring and could create legal liabilities or financial penalties for school districts of state agencies.”

Officials with the Legislative Post Audit said individual agencies are given the task of making sure their departments are complying with IT standards.

All of the 21 entities audited over the past three years received individual recommendations to fix the problems that were identified.

The report also stated that follow-up work for the entities that were audited in 2022 will take place in the fall of 2023.

State Sen. Robert Olson, R-Olathe, who is chairman of the Legislative Post Audit Committee, told 13 NEWS on Tuesday that the state has made marked improvement in information technology security over the past 8 to 10 years.

“From where we started to where we are today,” Olson said, “we’re in much better shape.”

Olson said he believes the state agencies and school districts that have been audited are taking information technology security very seriously.

He added that information technology security at state agencies and school districts has “improved greatly.”

Entities that have been found to be lacking in a certain in a certain information technology area report back to the Legislative Post Audit committee within six months to follow up on the progress they are making, Olson said.

To view the report, visit www.kslpa.org/audit-report-library/3-year-summary-of-security-controls-in-selected-state-and-local-entities-2020-2022/.

