Say Anything Blog

This is Part 2 of a series reviewing the North Dakota State Auditor’s Report for 2005-2006.

As many people know, the ConnectND system is has been a financial blackhole for many years.  Some of the items found in the State Auditor’s Report starting on page 19 are just plain funny:

Excess Superuser Access

We found seven individuals and two system accounts that had improperly been given the ability to modify security rights. Access to data should be provided based on the individual’s demonstrated need to view, add, change, or delete data. There is a risk that unauthorized changes could have been made to roles, permission lists, and user accounts from accounts that were improperly given the Security Administrator role. We notified the Information Technology Department (ITD) of the accounts with the Security Administrator role. ITD promptly remove this role from those accounts.

Ability to Update One’s Own Payroll Data

Initially, we noted approximately 1,200 user accounts were not tied to the user’s employee ID.
The vast majority of these were for NDUS accounts. We reviewed users with access to update payroll information and found that there were 93 of them. Sixty of the 93 user accounts were Ability to Update One’s Own Payroll Data Initially, we noted approximately 1,200 user accounts were not tied to the user’s employee ID. The vast majority of these were for NDUS accounts. We reviewed users with access to update payroll information and found that there were 93 of them. Sixty of the 93 user accounts were 15 not tied to the employee ID. During our final review, we noted an additional six state accounts and four NDUS accounts were not tied to the user’s employee ID. One of the state accounts had update access to payroll information.

Inappropriate Access to Social Security Numbers

Several screens throughout the system display social security numbers. This increases the risk of improper disclosure of Social Security Numbers. The Family Educational Rights and Privacy Act guidelines indicate Social Security Numbers should not be used as identifiers. NDUS collects and uses Social Security Numbers because federal reporting requires the use of Social Security Numbers.

Credit Card Numbers Inappropriately Stored

Schools inappropriately enter and store credit card numbers in the System, increasing the risk of credit card fraud. Payment Card Industry Data Security Standards which apply to merchants accepting credit card payments state that a merchant has the duty to protect stored data relating to such payments. NDUS does not have a formal policy against storing credit card numbers.

The debackle that is ConnectND is just a small part of why Higher Education keep increasing.