The Daily Cardinal Est. 1892
Wednesday, April 24, 2024
Officials raise concerns over Madison IT security



This September a team of UW-Madison staff unveiled a new process to reduce the time it takes to remove former employees' access to information technology systems, but the new process still takes longer than many others used throughout the University of Wisconsin System.

Before Sep. 15, employees who left UW-Madison could access information technology systems for several hundred days after their departure, according to UW-Madison's Administrative Process Redesign team, which designed the revamped, two-week process.  

UW-Madison employees could have access to various IT systems containing social security numbers, payroll information, transcripts and other personal information.

Darin Harris, who led the APR team, said UW's Office of Risk Management reported to APR that the time lag under the old system carried an estimated $50 million risk to the university.  

A New Process  


APR was founded in 2006 by the UW-Madison Office of Administration to improve efficiency and communication throughout campus using teams of staff and administrators from different university departments.

In 2007, APR launched the team to reduce the amount of time old employees could access IT systems. According to APR Director Alice Gustafson, the new process will remove employees' IT access in about two weeks, improving the old process by about 90 percent.

"To some degree we do not know if the two-week lag is the right decision," Gustafson said, noting that the team weighed several factors in their decision, such as making sure transferring employees and other specially classified employees wouldn't have their access removed while still making "a pretty significant gain … in terms of notification."

Ed Meachen, associate vice president for learning and information technology in the UW System, said there is "no overarching UW System policy" governing how quickly old employees must have their IT access removed.

However, Meachen said the two-week time lag in employee removal is "very specific to UW-Madison."

"That is really a very, very serious problem. No question about it. I mean I think that is totally unacceptable," he said. "Madison is large and complex and has a huge bureaucracy, [but] it is very unacceptable for [the removal process] to be more than a few days after an employee leaves."

Although UW-Madison's departed employee removal is now estimated at two weeks, Meachen said campuses like Stevens Point, Green Bay and Eau Claire remove departed employees within hours of their departure.  

The Old Process

The APR team calculated that, under the old process, it took 206 days on average to remove old employees from university IT systems, though HR representatives had promptly removed employees from payroll. Instead, the new centralized process will automatically send an e-mail to the designated HR division representative once an employee is indicated as departed, prompting the representative to electronically request IT removals for that employee, according to the APR website.

Before APR introduced the new removal process to campus on Sep. 15, human resource departments looking to remove access for old employees were directed to fill out authorization forms and send them to DoIT Security, who then permanently removed the employee's access for those systems.  

However, according to an APR report filed Aug. 24, 2009, HR representatives relied much more on six-month audits of the various IT systems to determine which employees needed removal. The report stated that only one authorization form and 12 e-mail requests for employee removal were sent to DoIT Security over a three-month period.

"The expectation of the supervisor is to turn off that access as quickly as possible, oftentimes you are hoping it happens the day the employee terminates. The APR project did not affect that responsibility of the supervisor," Vice Chancellor for Administration Darrell Bazzell said.

According to APR's website, supervisors could also contact DoIT Security directly in certain situations to remove access immediately.  

The APR website cited several reasons for the time lag, including the lack of a centralized location for all removal forms and the lack of oversight by HR representatives to make sure supervisors were filling out and sending the forms to DoIT Security.

Brian Rust, who worked on the APR team, said DoIT officials remove departed employees from the server within 72 hours after receiving the authorization form from the HR departments.

"[The entire process] could take longer … definitely. It is dependent upon a lot of things," Rust said. "The process that they are trying to improve is to make it an electronic process, to make it instantaneous instead of a step-by-step notification system."

According to Gustafson, 1,000 employees or students had authorization to university systems in July 2009, though their degree of access varied.

"Some people have access into systems and availability to data, and other people have just a log-in ID and not much access beyond that," Gustafson said.

Risk to UW-Madison

According to Harris, the amount of time old employees had access to IT systems in the old system created a large risk for UW-Madison.

Although APR used $50 million as an assessment of the liability to the university, Harris said the estimate was a "suspicious number" because the Office of Risk Management, which produced the estimate, did not provide a detailed breakdown of that calculation.

According to APR's website, not all IT systems used by UW-Madison employees are covered under the new process.

"What we tried to do is go after the [systems] that sort of fit a category that we could get our hands around," Gustafson said, noting that IT systems integrated throughout the UW System were among those not included.

The team members hope the new process will reduce UW's risk for the covered systems by 100 percent, according to APR's website.

Rust said DoIT Security is "extremely strict" and works hard to secure all of the university information behind locked firewalls maintained by "data custodians."

"Enrollment data, all of the student information, grades, course schedule, things like that for every type of data, we have a data custodian," Rust said. "He or she is the ultimate authority for granting permission to access the information."

How UW-Madison stacks up

Representatives from several other state-funded entities, including the UW-Milwaukee and the Wisconsin Department of Justice, said their processes for IT removal had less lag time than UW-Madison's processes.

William Cosh, communications officer from the Wisconsin Department of Justice, said eight to ten representatives from his office remove departed employees' access to IT systems "immediately" after they leave.

"A staff person in the HR office deactivates key access into the building and collects access keys and IDs when the person leaves," he said. "Another person deactivates access to networks … [and] certain programs that the person worked with."

Cosh said employees are only removed after their supervisor fills out an electronic form indicating the employee's estimated departure date and time.

UW-Milwaukee removes departed employees' IT access within just a few days, according to Chief Information Officer Bruce Maas.

According to Maas, most departing employees do not lose access to systems like e-mail and file storage for several months after their leaving. However, employees who worked with sensitive data lose access to those systems "almost immediately" and those who leave "under adverse" conditions are removed from all IT systems immediately as well.

An e-mail sent to Gustafson seeking a response to the comments made by UW-Milwaukee and UW System representatives was not answered. However, Ron Kraemer, chief information officer for UW-Madison, responded that he was "not familiar in depth with [the] particular project."
