Audit finds cybersecurity concerns at Montana State University, University of Montana

Auditors recommend Board of Regents more directly manage security policy

By: Keila Szpaller - April 6, 2022 6:51 pm

A Legislative Audit Division report finds information security concerns at both Montana State University and the University of Montana. (Provided by Tima Miroshnichenko via Pexels.com)

Cybersecurity is at risk at both Montana State University and the University of Montana, and both campuses are vulnerable to data breaches and ransomware attacks, according to an information systems report from the Legislative Audit Division.

“Each university is in a place where they are spending valuable time reacting to the effects of risks as opposed to proactively assessing risks,” the report said. “ … Critical practices like risk management, although resource-heavy, need more attention.”

The March 2022 audit, titled “Information Security in the Montana University System,” reviewed both the campuses’ security programs and the governance of cybersecurity, including the roles played by the Board of Regents and the Montana Office of the Commissioner of Higher Education. It said the Regents and the Commissioner’s Office need to more directly manage security policy and offer direction to the campuses.

“The universities have struggled to develop security programs and risk assessment procedures,” reads the opening of the report, submitted by legislative auditor Angus Maciver. “OCHE and the Board of Regents have not established a direction with the clear roles and responsibilities needed to support university security programs and enforce strong security practices.”

In their responses included with the audit, both campuses and the Commissioner’s Office agreed with the findings and pledged to address shortcomings, and the report noted the flagships indicated they already are making progress. Commissioner Clayton Christian said in his response that his office will establish a workgroup and recommend to the Regents a plan that will ensure the Montana University System, or MUS, protects sensitive information.

“The recommendations from this audit will give us impetus to further develop IT governance and information security programs across the MUS,” wrote Christian.

A spokesperson for the Commissioner’s Office declined to comment further pending a public review of the findings. The Legislative Audit Committee will review the report at its next meeting April 25 and 26.

“As part of its standard practice, legislative audit asks each agency to refrain from commenting on pending audits until the public meeting,” wrote Helen Thigpen in an email. “As such, we have no comment to provide on the security audit at this time.”

The audit noted MUS comprises 16 campuses and more than 40,000 students each semester. It said the audit reviewed policies at the Commissioner’s Office and security practices and policies at both campuses, but not at affiliated campuses, although they are expected to rely on the lead flagships for direction.

Data breaches have occurred at other higher education institutions, the report said. It noted consequences have included compromising sensitive information collected by universities about students and employees, such as credit and bank account information, intellectual property, and health information.

The audit also said FERPA, the Family Educational Rights and Privacy Act, protects the disclosure of student records such as Social Security numbers and parent/guardian information, and federal security requirements also protect campus research for the Department of Defense.

***

The audit noted that a lack of attention to cybersecurity can harm a university’s reputation and also be costly, including through potential security fines. It said that in 2021, UM received a $44,000 quote for HIPAA-specific cybersecurity insurance.

“This was after their previous insurance provider refused to renew the policy because the security program at UM posed too much risk,” the report said. “The new quote represented a 300 percent increase in cost from the previous year ($11,000) and was accompanied by a $100,000 deductible without the additional coverage the previous insurance offered.”

The report said UM opted out of HIPAA-specific coverage after consulting with the state’s chief risk officer. It said UM continues to be covered by the state’s general cybersecurity insurance policy.

The audit also noted consistent leadership and strategy are needed to “create a culture of security” at UM. It said the IT division at the Missoula campus has had multiple changes and temporary staff since 2018.

The audit made the following recommendation to UM: “The University of Montana needs to develop a strategic road map and clearly define the role of key security staff to be able to improve their security program. This strategy needs to be supported by a comprehensive risk assessment to communicate and prioritize the risks the university is facing.”

In response to the specific recommendations, UM agreed it would “update and formalize job descriptions” for related positions; it said descriptions for key positions have not changed since 2020, but the ones reviewed in the audit were formatted differently, and UM will use the same template in the future for all role descriptions.

The audit also recommended a full IT risk assessment to develop strategic initiatives and the appropriate budget, and UM concurred with the item and plans to implement it by June 2023: “The university will complete a comprehensive IT risk assessment and implement strategic initiatives with an eye toward maturing the security program and increasing security awareness.”

***

MSU appears to have a culture that understands security, but it lacks a “structured approach” in deciding where to make strategic improvements, the report said. That means “it is hard to ensure overall, comprehensive security exists,” and it is hard to evaluate security initiatives for improvements.

“MSU does not have a formal risk management process within IT,” the report said. “They contracted outside help for a risk assessment in 2018, but the risk assessment only addressed the Banner system.

“While Banner is the primary system for student information at the university, it is only one application within IT operations at MSU. A risk management program within IT needs to be established to better identify and articulate risks to all IT operations within MSU.”

The report said a “lack of framework adoption” was recognized in the 2018 risk assessment “and continues to be a point of concern that needs to be addressed by MSU.” It also said MSU indicated it is making progress on a structured approach.

MSU agreed it needs to “complete a comprehensive IT risk assessment to develop a formal approach for maturing security procedures,” and it will do so by April 2023. The Bozeman campus said it will address risk as related to the Gramm-Leach-Bliley Act, which the Federal Trade Commission said requires certain financial institutions “to explain their information-sharing practices to their customers and to safeguard sensitive data.”

***

As part of the review, the report said the Legislative Audit Division contracted with an outside consultant to conduct testing and run a phishing campaign at each university. It said the phishing exercises included an email crafted to look like a survey from the IT department.

“From testing, each university had two high concerns and five moderate concerns found in testing,” the report said. “For the phishing campaign, UM results were rated as a high concern, and MSU was rated as a low concern when compared to similar organizations.”

(“The results of this (contract) work have been omitted from this report,” said the audit. “This information could be used by malicious actors to attack or harm the universities.”)

While current Department of Defense contracts are not affected, the report said neither flagship is fully in compliance with requirements to become certified for future DOD contracts. The report said the campuses must make “significant progress.”

The report also said both universities identified concerns with managing multiple campuses and their differing resources, an issue in other states as well, and that policies need, at a minimum, to meet state laws. It also said the Commissioner’s Office needs to clearly define the boundaries of the security programs at UM and MSU in order to ensure accountability.

“Without this action, the entire university system faces challenges in progressing security programs,” the report said.

The report said the findings related to each campus’s security programs will be reported as federal noncompliance for the student financial aid federal assistance program in a report anticipated to be issued in June 2022. According to the Legislative Audit Division, it isn’t likely the campuses will face serious penalties as a result unless the U.S. Department of Education sees chronic noncompliance.

Recommendations to the Board of Regents:

We recommend that the Board of Regents and the universities review and enforce university system security policy that includes:

  • Clear direction within policy to manage a security program and mandate a consistent security framework, going above and beyond maintaining security policies.
  • Requirements for Board of Regents security policy to be reviewed continuously.

We recommend that the Board of Regents establish system-wide IT governance that ensures:

  • OCHE has an active role in improving security posture of the university system,
  • Security policy addresses the requirements of data security statute and other relevant federal requirements,
  • There is clear allocation of security responsibility, authority and accountability, and
  • Communication and reporting mechanisms are formalized between various entities that oversee or make decisions within the university system.

The Commissioner’s Office concurs and will address the recommendations, the report said.

Source: Legislative Audit Division report on Montana University System information security
