Political Runoff

A periodic look at Kansas politics
Posted September 16, 2017 10:06 pm - Updated September 16, 2017 11:15 pm

Kansas revenue's movement of IT staff rekindles anxiety about security shortcomings

The Kansas Department of Revenue moved employees with high-level computer database access to sensitive personal information of Kansans from a secure area in Landon Office Building next to the Capitol to a renovated grocery store in Topeka.

Apparently, concerns were expressed by front-line staff within the revenue department that the new office lacked security systems to shield IRS and other data from prying eyes of unauthorized state workers, even if key-card access effectively blocked the public from intruding. In the end, according to revenue employees fearful of being fired if they spoke publicly, the objections related to information security were brushed aside Wednesday by top agency administrators who signed off on the transfer.

The revenue department didn’t respond to an inquiry about the move. It would be helpful to know the following: Why relocate the dozen or so IT employees just two months after moving them from Docking State Office Building to Landon? Is the agency certain it is fully meeting IRS security expectations? Did the revenue department’s own IT security chief endorse this staff transfer?

Perhaps everything will be fine, but persistent computer security breaches in government and private industry don’t inspire much confidence.

The conflict rekindles interest in an examination of Kansas state government IT security by the Division of Post Audit, which works for the Kansas Legislature.

In a benchmark study in July 2014, auditors compiled an inventory of confidential or sensitive data across all state agencies. The list included health, education, credit card, vehicle, insurance, Social Security and other information few people want on the loose.

Auditors identified a lack of standard IT practices and absence of enterprise-level IT security when handling information in the hands of state government.

“There is no one really in charge making sure security practices are being followed,” said Katrin Osterhaus, who leads the IT auditors.

She said auditors concluded some state agency executives were unaware of their responsibility to make IT security a priority. Auditors put it in simple terms: “IT security is not seen as an integral part of carrying out the agency’s mission.”

While alarming IT security assessments of individual agencies were shared with Kansas lawmakers, the public has been denied access to the level of detail that might convince them millions of dollars should be spent to upgrade computer security.

Failure to address IT security deficiencies is problematic because Kansas taxpayers have no choice when asked to provide information to the state.

A person has options when a company asks for private information to obtain a credit card, but there is only one Kansas Department of Revenue.

In December 2016, state auditors published a summary of security problems found within a sample of 20 state agencies. The review classified 483 vulnerabilities as critical, high, moderate or low in severity. More than 110 were viewed as critical or high, with the remainder at the lower end of the scale.

The largest block of shortcomings was in physical security, access control, personnel security, data protection, security awareness training and system configuration. This broader category accounted for 300 security lapses among the 20 agencies. Problems included insufficient physical security at data centers, weak password controls, poorly installed virus systems, lack of firewalls and improper employee background checks.