Internal audit report finds issues in University of Iowa Department of Public Safety Information Technology
The internal audit report on the University of Iowa Department of Public Safety-Information Technology found many critical issues that need corrected.
June 5, 2019
An internal audit report from the University of Iowa reported to the state Board of Regents audit and compliance committee determined that the UI Department of Public Safety-Information Technology had issues that posed a high risk to the university.
The UIPD has its own information technology infrastructure and operational applications, seperate from the UI Information Technology Services. This includes an active directory environment, software systems, firewall, vehicle and body cameras, and servers and technology devices.
The audit looked at multiple areas of UIPD IT and compared the issues with the UI ITS as well as the Federal Criminal Justice Information Security policies, Petrice Sayre, Board of Regents Chief Audit Executive, said.
The auditors found that one UIPD employee was responsible for critical IT support with a second person having limited support tasks. Neither employee had IT support in their job description, Sayre said.
Through the report, it was also found that the UIPD IT infrastructure controls didn’t align with security practices and policies of ITS, Sayre said.
“By not receiving ITS services, critical intrusion detection and vulnerability scanning tools are not being used,” Sayre said. “Nor is the Department of Public Safety using the enterprise-wide anti-virus and anti-malware solution.”
RELATED: Audit reveals discrepancies in UI emergency preparedness
The active directory also showed sign of weakness, increasing the risk for security issues, Sayre said. The UIPD system isn’t monitored, audit logs aren’t reviewed, and security incident response plans don’t exist; increasing the possibility that unauthorized events won’t be tracked correctly, she said.
“While there are many IT issues to be worked on between the [Department of Public Safety] director and the CIO, we found no evidence of a security breach or a misuse of data,” Sayre said. “This was a complex audit, and addressing these findings will take time to see where these systems align. The use of a red dot for coding on this report is due to the criticality of these services and the multi-departmental cooperation it will require.”
The UIPD will use the report as a way to align the information technology infrastructure and cybersecurity practices with UI ITS through the UI’s OneIT initiative, Scott Beckner, UIPD assistant vice president and director, said in a statement.
“Nothing in this audit poses a risk to the physical safety of students, faculty, or staff on campus,” Beckner said in his statement. “Keeping up with advancements in information technology and cybersecurity is a growing challenge for law enforcement agencies nationally.”
The UIPD has already implemented some of the recommendations from the audit report and is working with ITS to complete the rest of the recommendations by the deadline of July 2020, UI media relations director Anne Bassett said in an email to *The Daily Iowan*.
“The data stored in the UI Department of Public Safety’s data center is considered highly sensitive, and the department is required to comply with the Criminal Justice Information Services Security Policy,” Bassett said in her email. “Historically, the department has taken on the bulk of IT responsibilities in order to maintain the integrity of sensitive data and investigative files with ITS providing some support.”
ITS has been working to incorporate UIPD into the OneIT initiative in a way that supports the sensitive data the department maintains, Bassett said. ITS has also developed solutions for protected confidential data the UIPD houses while still providing support from OneIT, she said.