
Auditors find security breach in NeSIS access

Computer system security was one of the three “significant deficiencies” the Nebraska Auditor of Public Accounts identified in its management letter of the Nebraska State College System, released Tuesday.

“We noted 13 State College users with access to NeSIS had the ability to log in as any established user by bypassing the established authentication process,” the report stated. The issue involved the ability to access accounts without being identified, as well as the lack of any recorded history of that access.

“These users were not limited to accessing subordinate, student, or employee accounts.  The ability did not require knowledge of another user’s password, nor would the user know if their account was accessed or compromised in this manner,” the letter states.

The APA’s office stated that having such broad and unrestricted access to accounts and information was an accountability issue.

“When users are allowed to circumvent established authentication controls, there is a decrease in accountability as one of these 13 users could log into NeSIS as someone else, and any changes made in the production environment would appear to have been performed by the actual owner of the user account.”

The auditor’s office recommended that unrestricted access such as this be removed, or limited if complete removal was not practical, and that a history and identity log be created to allow such actions to be documented in the future.

“We recommend the State College System remove this access.  If this access is required in unique situations, we recommend it be temporarily granted only when needed.  We also recommend implementing controls to immediately identify and document users who authenticate to NeSIS by bypassing established authentication processes.”

In the in-letter response, the NSCS acknowledged the issue, and said it was “reviewing and removing, where appropriate, the identified individuals who have the ability to change a user’s password.”

The NSCS administration also stated that it would create a system to track NeSIS users’ access to other employees’ accounts.

“The NSCS has initiated a change request that will allow for ‘checking out’ a password into a user’s account, based on the roles assigned to the person making the request and the roles assigned to the person whose account is being requested.  These requests will be tracked,” the letter stated.
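The control described in the auditor's recommendation and the NSCS response (role-based checkout, temporary grants, and a record of who acted as whom) can be sketched as follows. This is an added example, not NeSIS code or anything from the audit letter; the role names, the policy table, the 15-minute lifetime and the `CheckoutBroker` class are all assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field

# Assumed policy: requester role -> roles of accounts it may check out.
POLICY = {"helpdesk": {"student"}, "sis_admin": {"student", "employee"}}

@dataclass
class CheckoutBroker:
    roles: dict                                  # username -> role
    ttl: int = 900                               # grant lifetime in seconds
    grants: dict = field(default_factory=dict)   # (actor, target) -> expiry time
    log: list = field(default_factory=list)      # append-only audit trail

    def _record(self, now, event, actor, target, detail):
        # Every entry names the real actor and the account acted on.
        self.log.append({"ts": now, "event": event, "actor": actor,
                         "target": target, "detail": detail})

    def request(self, actor, target, reason, now=None):
        """Grant a time-boxed checkout if the role pairing allows it."""
        now = time.time() if now is None else now
        allowed = POLICY.get(self.roles.get(actor), set())
        ok = bool(reason.strip()) and self.roles.get(target) in allowed
        self._record(now, "granted" if ok else "denied", actor, target, reason)
        if ok:
            self.grants[(actor, target)] = now + self.ttl
        return ok

    def act_as(self, actor, target, action, now=None):
        """Allow an action on target's account only under a live grant."""
        now = time.time() if now is None else now
        live = self.grants.get((actor, target), 0) > now
        if not live:
            self.grants.pop((actor, target), None)   # expire stale grants
        self._record(now, "action" if live else "refused", actor, target, action)
        return live

if __name__ == "__main__":
    # Constructed sample users, not real NeSIS accounts.
    b = CheckoutBroker({"alice": "helpdesk", "bob": "student", "carol": "employee"})
    b.request("alice", "carol", "ticket 1", now=0)       # denied by role policy
    b.request("alice", "bob", "ticket 2", now=0)         # granted for 900 s
    b.act_as("alice", "bob", "reset address", now=60)    # allowed, logged
    b.act_as("alice", "bob", "reset address", now=1000)  # refused, grant expired
    for entry in b.log:
        print(entry)
```

Because each log entry carries both the actor and the target account, a change made under a checkout is attributed to the person who made it and not to the account owner.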
