Computer systems on North Carolina’s 59 community college campuses and at the North Carolina Community College System office are at a high risk for intrusion or misuse, the State Auditor’s Office said in an audit report released Thursday.
The yearlong audit of all community college campuses and the central office analyzed security practices, disaster recovery procedures, and systems development and software for computer systems that contain both financial information and student records at the colleges. Detailed reports of weaknesses discovered in the community college systems were provided to individual campuses on a confidential basis.
Auditors began assessing the campus and central office information systems in April 2003. Auditors found that only one campus had developed adequate, formal information technology standards, policies, and procedures that promoted good security. While some security controls on the campuses and the System Office were effective, others posed extreme security risks.
Auditors also found that access controls, which restrict the use of information systems to those with an authorized need, were inadequate and ineffective across the entire system. In addition, auditors found that the Systems Office did not include security requirements in its policies and procedures for implementing new critical applications. Procedures to notify campuses of changes to the critical operating system were ineffective.
Auditors found 10 community colleges were not secure from preventable physical threats such as fire, water, electrical problems, and vandalism. Because most of the community college network is physically secure, auditors rated that risk as low.
Auditors found that only six community college campuses had adequate disaster recovery plans that would be needed in case of an extended disruption. Fifteen campuses had no formal disaster recovery plan. In addition, the community colleges are relying on the Systems Office as an alternate disaster recovery site, but the office has only enough space on its backup server to handle a few campuses at a time.
Auditors said the problems uncovered in the series of audits relate to the operating systems of the colleges, and are not associated with the Colleague systems the community colleges are developing. The security issues must be addressed separately from that standardized system for student and financial information.
“This is the first time we have undertaken such a sweeping audit of the entire community college system,” Campbell said in releasing the report. “Since the individual campuses and the Systems Office in essence form an interrelated network, we thought their information systems should be examined as a whole rather than separate pieces.
“Computer security, as we have said for some time, is a critical issue for state government,” Campbell said. “The personal and financial information contained on community college computer systems should receive the highest level of protection in this era of identity theft and unauthorized intrusions. Community college officials, from both the individual campuses and the Systems Office, have assured us that they take security issues as seriously as we do and are moving to make their technology systems more secure.”
A summary report covering the 59 separate campuses and the Systems Office is available online. Individual reports on the campuses and central office are available from the Office of the State Auditor home page. Move your cursor over the “Audit Reports” button, then click on “Information Systems” in the pop-up box. A list of reports, with the new reports at the top, will be displayed. Clicking on the campus in which you are interested will take you to that report. Printed copies of the reports can be obtained by filing a request under the Audits section of the web site or by calling the Office of the State Auditor at 919-807-7500.