Kansas Legislature auditor Alex Gard says a review of 12 state agencies and three Kansas school districts exposed IT security lapses pointing to a problem with administrators not making data security a priority. (Kansas Reflector screen capture of Kansas Legislature’s YouTube channel)
TOPEKA — The Kansas Legislature’s audit of nine state agencies and three public school districts exposed basic information technology security lapses related to training, protection of employee accounts and preparation for hacking attempts.
The review was ordered by a joint House and Senate committee because of apprehension that top administrators at public agencies hadn’t made IT security a priority. The report indicated 10 of the 15 entities reviewed had failed to deal with fundamentals such as routinely changing computer passwords or closing the accounts of former employees. Eight of the 15 fell short in terms of security training of personnel, including some that offered no training at all. Also, eight of the 15 weren’t prepared to deal with security incidents.
“When entities don’t have adequate security controls the risk increases that confidential data is compromised, lost or stolen,” said Alex Gard, an IT auditor with the Legislature’s auditing division. “These findings demonstrate a continued lack of top management oversight and supervision of entities’ IT security functions.”
The auditors didn’t publish the detail of shortcomings at specific schools or agencies. Those audited included the Hutchinson, Bonner Springs and Lansing school districts as well as the state Department of Administration, Kansas Highway Patrol, Fort Hays State University, State Banking Commissioner, Board of Tax Appeals, Commission on Veterans Affairs and the Behavioral Science Regulatory Board.
Sen. Caryn Tyson, a Republican from Parker, said it was disappointing that six of the 15 had previously been found to have deficient IT security systems. She said it was puzzling that the Kansas Department of Education rejected recommendations by auditors for upgrading school district IT security despite the risk of student data being exposed or exploited by nefarious people.
“There’s my concern,” Tyson said. “I think we need to take some major actions this (2024) session.”
Training of new employees about fundamentals of computer security should be common practice across government, said Sen. Mike Thompson, a Republican from Johnson County. It shouldn’t require special IT security knowledge or expensive training programs for agency and district administrators to compel their workers to regularly change passwords, he said.
“It would be one very important way of changing the culture in these agencies so that very simple sort of thing is addressed right out of the gate,” he said.
In 2018, the Legislature adopted the state’s initial cybersecurity law. That statute was amended during the 2023 session in the wake of audits documenting IT oversight problems. The latest audit, released last week, highlighted ongoing issues with security. Auditors said compliance problems were evident at small and large agencies alike, but the potential exposure of sensitive data differed from place to place.
Under state law in Kansas, agency heads were responsible for security compliance within that agency. The new audit concluded “agency leaders don’t know or sufficiently prioritize their IT security responsibilities. Agency leaders also may not sufficiently monitor whether their staff implement controls adequately.”
Auditors said a flaw in state law was that no consequence existed in statute for agencies that disregarded IT security challenges. In addition, auditors said, local school districts weren’t required by the state to adopt basic security standards.
A factor contributing to IT security gaps included the growing shortage of IT security experts willing to leave the private sector for government employment, the report said.
The assessment, conducted from January through April, was based on five security control elements in the categories of security training, account monitoring and incident response. The evaluation was measured against the IT protocols included in the state’s security policy. Auditors conducted interviews and reviewed documents while also testing the 15 entities with email phishing experiments.