An Albertan watchdog has told Athabasca University yet again to up its online security get its disaster plan in order, following recommendations made six years ago.
On Nov. 7, Alberta’s auditor general Merwan Saher tabled his October report, which includes two repeated recommendations for Athabasca University.
The recommendations, which were first made in 2010, are provide backup in the event of a systems failure and to improve monitoring and reporting of online security violations.
Athabasca University President Neil Fassina said he was aware of the recommendations, and that the institution is working to assuage them.
Recommendation 1: Backup systems
This year’s report states in 2010, the university was told to do a risk assessment and build an off-site backup system to keep the online institution going in case of a disaster.
It was also told to complete and test its disaster recovery plan to make sure services continue if there ever were a disaster. The report says the university prepared a plan in 2008, but in 2010 it was found that it had not been updated or tested since. The auditor general made this recommendation again in 2013, as well.
The report also notes that, in 2012, the university initiated a project to update its “recovery plans and capabilities and was assessing disaster recovery scenarios and pilot test cases for its disaster recovery strategy,” but the project is still “in progress.”
“Management must prioritize resources to establish IT resumption capabilities, which are critical to the university’s mandate to reliably provide accessible online learning,” the report reads. “The university would likely not recover significant IT systems in a reasonable period of time if a system failure occurred.”
Fassina said the project is still “mid-stream.”
“We do continue to move towards what the auditor general has referred to as ‘disaster recovery,’” he said. “What we’ve done in close to the last year is, we’ve shifted the framework.”
He said, in addition to disaster recovery, the school is moving to a system that is “more about business continuity than about disaster recovery.”
“It’s about uptime on the system,” Fassina said. “We’re moving in the direction of being able to make it, even if something did happen to the system, the user would never know because it is simultaneous backup, as compared to traditional disaster recovery.”
He added that, until the project is complete, the school has put in place “redundancy systems” including two backup generators at the university’s Athabasca data farm.
The report stated that the school’s management had stated it was unable to obtain finances to test the plan and establish an offsite disaster recovery facility.
“We’re working within the funds that we do have available to us and we’re putting the pieces in place to move to that business continuity framework as sort of one step at a time in a lockstep manner,” Fassina said. “Each of the systems that we have at Athabasca … has to be integrated. It’s not like you can flip a switch and the whole thing turns over to a new system. We’re taking each piece in as we go.”
Recommendation 2: Online security
A second set of repeated recommendations told Athabasca University to up its game in terms of online security.
The report states that the institution has to formalize its access and security monitoring procedures to detect security threats, report access and security violations to senior management, and identify and resolve the root causes.
“Failure to actively monitor access and security violations allows an intruder to probe for weaknesses or entry points to the university’s financial information systems,” the report reads.
The report also states that in September 2014, the school implemented a set of computer security incident response procedures; however, it was still failing to perform regular periodic reviews of access and security violations, except when security violations occurred.
“What we’re doing next is we’re actually putting pieces into our network where it’s an automatic monitoring forum,” Fassina said. “If someone is trying to tap in, there’s a switch within the network that lets us know that we’re trying to do it and it locks the network down.”
He added that the school had not suffered any of the “breaches that we’re trying to prevent.”
