Dec 14, 2022

Audit: Kan. agencies still have significant IT flaws, training gaps

Posted Dec 14, 2022 9:00 PM
Alex Gard, principal IT auditor in the Kansas Legislative Division of Post Audit, appears Monday before a legislative committee at the Statehouse in Topeka. In recent surveys, several Kansas state agencies and school districts had significant IT security risks. (Kansas Reflector screen capture from Kansas Legislature YouTube channel)

By RACHEL MIPRO
Kansas Reflector

TOPEKA — Kansas auditors found serious flaws in several state agencies’ IT security measures, according to survey results spanning from January 2020 to December of this year.

The audit of 21 state agencies and school districts tested 40-50 IT security and control items. One entity was audited twice and counted as two separate entities. Out of the 21 entities, 10 scored poorly or very poorly in vulnerability tests — below 50% in security and IT standards.

During a legislative post audit committee meeting Monday, Alex Gard, principal IT auditor in the Kansas Legislative Division of Post Audit, said some of the entities surveyed hadn’t fixed problem areas since the last time they were audited.

“State agencies and school districts continue to have similar IT security issues to those we’ve identified in audits we’ve conducted over the past 20 years,” Gard said. “Several entities were audited for the second or third time during the past 10 years or so, and some entities improved from one audit to the next, while others had repeated findings.”

Gard said most of the problems stemmed from either a lack of proper oversight, or a lack of staff resources to address IT security issues. Most of the audited entities had some level of unsupported software, and in some cases, the entities didn’t have any IT security training or security plans for keeping data safe.

Gard said some entities also failed phishing tests, or didn’t dispose of sensitive information in a safe manner.

“Overall, we found significant security issues in many systems with respect to account security, data protection, scanning and patching and risk and security assessment,” Gard said.

Rep. John Barker, R-Abilene, said lawmakers needed to actively address gaps in IT security. He said he was worried the state was vulnerable to losing sensitive information.

“I just think the Legislature at some point needs to address this issue so we can see some improvement,” Barker said. “Wait till we get hacked.”

Barker said he wasn’t sure if the state’s IT problems came from leadership issues, or a lack of experienced personnel, but thought more needed to be done. 

“Overall, the state, it doesn’t seem like we’re making any progress,” Barker said.

For future IT security audits, starting in 2023, lawmakers decided to choose a broader audit plan that would focus on more entities, testing a few set IT areas instead of an intensive evaluation of fewer entities.

“It does cast a broader net, and then it does help us identify more potential problems,” said Sen. Mike Thompson, R-Shawnee.

During the meeting, lawmakers also approved auditing K-12 school districts to evaluate the estimated costs of providing educational opportunities for every public school student to meet performance outcome standards set by the Kansas State Board of Education.

The audit also would evaluate the relationship between costs for these educational opportunities and the outcome of the expenditures.