Audit faults privacy, purchase controls on U.Md. campus

Security controls were so lacking at University of Maryland, University College that thousands of students’ academic records were vulnerable to prying eyes and an employee was able to make more than $500,000 in purchases on a school credit card, an audit has found.

“It’s unusual to have this many findings about informational security systems and controls,” said Bruce Myers, the state’s lead legislative auditor.

The finding from the report completed by Maryland’s Office of Legislative Audits most concerned Myers, in part because it had been cited in a 2006 audit, which said that the university’s “online application was not adequate to protect critical data.”

“Users could view user accounts other than their own,” the report said. And “student assignment folders and faculty grade books were at risk of disclosure and compromise from the general public.”

In addition, an employee who resigned in June 2006 was found to have made purchases using a university credit card totaling more than $500,000. During two months in 2005, the employee purchased $8,800 of electronic equipment that was delivered to a home address.

Further examination of the account showed other purchases where the products were missing, and a lack of supervisor approval. “To have things delivered to your house, that’s certainly a red flag,” Myers said.

The university, based in Adelphi, is one of 11 degree-granting institutions that make up the University System of Maryland. About 85 percent of its credit hours come from online courses taken throughout the world. The university serves nearly 90,000 students, earning nearly $300 million in revenue. In fiscal 2008 it received about $25 million in Maryland state funds.

A response letter to the audit signed by William Kirwan, chancellor of the University System of Maryland, agreed with each of the 13 recommendations of the auditors, from changing default passwords and enabling more security features, to consulting with the Office of the Attorney General about the alleged miscreant employee.

“Implementation of many of these recommendations has already been completed,” the letter said.
