Redacted NDUS Special Report

Upload: inforumdocuments

Posted 09-Oct-2015

Redacted NDUS Special Report on information security

ITD and NDUS Joint Investigation Special Report

The North Dakota University System's Inconsistent Application of its Data Classification and Information Technology Security Standards Allowed for the Unauthorized Access of the System and Continues to Put Confidential Data at Risk

AUDIT REPORT

INFORMATION SECURITY

Information Security Section, Information Technology Department, State of North Dakota, Bismarck, ND 58505

July 2014 (original submission 07-30-2014)

North Dakota University System: Kirsten Franzen, Chief Compliance Officer
North Dakota Information Technology Department: Michael Barbere, Information Systems Security Analyst

Warning: This report contains restricted information for official use. Distribution is limited to authorized officials.

Reports on Information Systems Security

The State of North Dakota Information Technology Department (ITD) contains the ITD Security Section. The ITD Security Section is tasked with developing, promoting, and administering Information Assurance (IA) policy, processes, and procedures within statutorily defined executive branch state agencies. Additionally, the ITD Security Section is tasked with researching the findings of internal and external information security audit reports and reporting the results of the audit findings to ITD management. ITD management and relevant committees will review the audit findings and approve appropriate corrective action. The ITD Security Section will issue corrective action plan reports and provide updates and reviews of the reports on a periodic basis. The ITD Security Section does not normally conduct reviews of the North Dakota University System, as it is explicitly exempted from ITD's statutory responsibilities under North Dakota Century Code (N.D.C.C.) 54-59-05.[1] The Chief Information Officer for the North Dakota University System requested that ITD provide assistance with this special investigation.

[1] North Dakota Century Code (N.D.C.C. 54-59-05) is the primary legislative statute in North Dakota law that describes the powers and duties of the department to provide, supervise, and regulate information technology for all executive branch state entities. The statute explicitly excludes the institutions under the control of the board of higher education.


Authority

Statutory responsibilities under N.D.C.C. 15-10-17[2] establish that the NDUS is responsible for providing confidentiality by creating rules for data held in the course of operating its business functions. In accordance with the provisions of this statute, the NDUS CIO is authorized to develop and publish information technology standards for the NDUS institutions.[3] The Chief Information Officers Council exists to provide a collaborative, consensus-building alliance with campus presidential appointees in order to establish strategic information technology initiatives, priorities, policies, and procedures. Published policies and procedures are compulsory and binding for all employees, students, and other users of NDUS computing and networking resources. NDUS employees are required, on an annual basis, to acknowledge the applicable laws, policies, and procedures surrounding the operation and use of University System computer resources and network systems.[4]

[2] North Dakota Century Code Chapter 15-10-17 is the primary legislative statute in North Dakota law that delineates powers and duties to the State Board of Higher Education. This statute contains a provision that the State Board of Higher Education and its designees are required to adopt rules to protect the confidentiality of student records and medical records.

[3] North Dakota University System policies and procedures are used to implement State Board of Higher Education policies. These policies and procedures are made available on the NDUS website.

[4] 1901.2 Computer and Network Usage is the primary NDUS procedure document that establishes the rules governing access to and use of computing and networking resources. The 1901.2 Computer and Network Usage procedure document is listed in the NDUS Annual Notification of Policies.


Table of Contents

Executive Summary  iv
Background  1
Objectives, Scope, and Methodology  4
Findings and Recommendations  6

Appendixes

Appendix A: Acronyms and/or Definitions  A-1
Appendix B: NDUS CTS Organizational Charts  B-1
Appendix C: Interview Conducted with Mick Pytik  C-1
Appendix D: Interview Conducted with Mark Diers  D-1
Appendix E: Interview Conducted with Craig Cerkowniak  E-1
Appendix F: Interview Conducted with Brad Miller  F-1
Appendix G: Interview Conducted with Erik Johnson  G-1
Appendix H: Interview Conducted with Kathy Mattson  H-1
Appendix I: Interview Conducted with Rick Anderson  I-1
Appendix J: Interview Conducted with Janie Adam  J-1
Appendix K: Interview Conducted with Bill Walker  K-1
Appendix L: Interview Conducted with Robert Peterson  L-1
Appendix M: Interview Conducted with Madhavi Marasinghe  M-1
Appendix N: Interview Conducted with Rosi Kloberdanz  N-1
Appendix O: Interview Conducted with Dick Jacobson and Jacobson Position Description  O-1
Appendix P: Interview Conducted with Marv Hanson  P-1
Appendix Q: NDUS Procedures 1901.2 Computer and Network Usage  Q-1
Appendix R: NDUS Data Classification and IT Security Standard  R-1
Appendix S: Campus Solutions Server  S-1
Appendix T: NDUS-CND-014 ConnectND Access Request for SFTP  T-1
Appendix U: NDUS-CND-017 NDUS Confidential Information Agreement  U-1
Appendix V: CIS MS-ISAC Forensic Analysis Report  V-1
Appendix W: 2013 NDUS Annual Notification of Policies  W-1
References  REF-1


    EXECUTIVE SUMMARY

Background

On February 7, 2014, the NDUS Core Technology Services (CTS) discovered suspicious activity on the server. This server functions as a secure and encrypted file transfer system. The impacted server housed personally identifiable information (PII), such as names and Social Security numbers (SSN), for more than 290,000 current and former students and about 790 faculty and staff. On February 14, 2014, the NDUS CIO, Dr. Lisa Feldner, contacted ITD's CIO, Mike Ressler, for help in the investigation. The ITD Security Section activated its Security Incident Response Team (SIRT) and contacted NDUS Security to offer assistance. ITD recommended leveraging its relationship with the Multi-State Information Sharing and Analysis Center (MS-ISAC) in order to obtain a forensic analysis of the server. ITD was able to assist in procuring MS-ISAC forensic services for NDUS. On March 6, 2014, MS-ISAC issued a report on its investigation that concluded the following:

Three accounts were certainly compromised. One of these accounts belongs to a privileged user and was also the likely source of the initial compromise.

The system logs were insufficient to determine when the compromise initially occurred. However, correlation with other log information indicated that the system was compromised at least as early as October 4, 2013.

The activity from the compromised accounts indicates that there may have been attempts to use the system either to send spam or as a relay point to launch further attacks and obfuscate the attacker's origin.

Due to the lack of available system logs, it is inconclusive whether any of the aforementioned PII stored on the server was exfiltrated.
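The MS-ISAC conclusion above, that the server's own logs could not fix the start of the compromise while correlation with other log sources pushed the earliest known activity back to October 2013, is a method worth seeing in code. The following is an added example and is not part of the original report or of the MS-ISAC analysis: it merges a short-retention local sshd authentication log with a longer-retention remote source (here a perimeter firewall's session log) into a per-account timeline, reports the earliest evidence for each account and which source supplied it, makes the local log's coverage floor explicit, and lists source addresses shared across accounts. All log lines, hostnames, account names, addresses and the firewall log layout are constructed for the example; the redacted server's actual software and log formats are not known from the report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample data (not logs from the incident). Timestamps use the
# RFC 3339 form that rsyslog's high-precision template emits, which carries
# the year; classic BSD syslog timestamps do not, and a real correlation has
# to recover the year from rotation dates or the collector's metadata.
LOCAL_AUTH_LOG = """\
2014-02-01T02:11:09.000000-06:00 sftp01 sshd[4021]: Accepted password for svc_transfer from 198.51.100.23 port 40122 ssh2
2014-02-03T23:40:51.000000-06:00 sftp01 sshd[5190]: Accepted password for jdoe from 203.0.113.77 port 51844 ssh2
2014-02-06T04:02:13.000000-06:00 sftp01 sshd[6377]: Accepted password for svc_transfer from 203.0.113.77 port 49501 ssh2
2014-02-06T04:02:14.000000-06:00 sftp01 sshd[6377]: pam_unix(sshd:session): session opened for user svc_transfer
"""

# Longer-retention remote source: a perimeter firewall logging inbound sessions
# to the server's SSH port. The field layout is assumed for the example.
REMOTE_SESSION_LOG = """\
2013-10-04T03:15:42.000000-06:00 fw-edge session-open proto=tcp dst=10.20.30.40:22 src=203.0.113.77:40011 user=svc_transfer
2013-12-19T22:07:00.000000-06:00 fw-edge session-open proto=tcp dst=10.20.30.40:22 src=203.0.113.77:40398 user=jdoe
2014-02-06T04:02:13.000000-06:00 fw-edge session-open proto=tcp dst=10.20.30.40:22 src=203.0.113.77:49501 user=svc_transfer
"""

SSHD_ACCEPT = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
FW_SESSION = re.compile(
    r"^(?P<ts>\S+) \S+ session-open .*?src=(?P<ip>[\d.]+):\d+ user=(?P<user>\S+)"
)


@dataclass(frozen=True)
class Event:
    when: datetime
    account: str
    src_ip: str
    source: str  # which log the evidence came from


@dataclass
class AccountTimeline:
    first_seen: datetime
    first_source: str
    last_seen: datetime
    src_ips: set = field(default_factory=set)


def parse_events(text, pattern, source):
    """Turn matching lines into Events; lines the pattern does not match are ignored."""
    events = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["user"], m["ip"], source))
    return events


def build_timelines(events):
    """Earliest and latest evidence per account, and every source address used."""
    timelines = {}
    for ev in sorted(events, key=lambda e: e.when):
        tl = timelines.get(ev.account)
        if tl is None:
            timelines[ev.account] = AccountTimeline(ev.when, ev.source, ev.when, {ev.src_ip})
        else:
            tl.last_seen = ev.when
            tl.src_ips.add(ev.src_ip)
    return timelines


def coverage_floor(events, source):
    """Earliest record a source still holds; nothing before it can be proven from that source."""
    times = [e.when for e in events if e.source == source]
    return min(times) if times else None


def shared_sources(events):
    """Source addresses seen authenticating as more than one account."""
    by_ip = defaultdict(set)
    for ev in events:
        by_ip[ev.src_ip].add(ev.account)
    return {ip: accts for ip, accts in by_ip.items() if len(accts) > 1}


def correlate(local_text, remote_text):
    events = parse_events(local_text, SSHD_ACCEPT, "local") + parse_events(remote_text, FW_SESSION, "remote")
    timelines = build_timelines(events)
    floor = coverage_floor(events, "local")
    return {
        "timelines": timelines,
        "local_floor": floor,
        # accounts whose earliest evidence predates anything the server itself retained
        "predates_local_logs": sorted(a for a, tl in timelines.items() if floor and tl.first_seen < floor),
        "shared_sources": shared_sources(events),
    }


if __name__ == "__main__":
    r = correlate(LOCAL_AUTH_LOG, REMOTE_SESSION_LOG)
    print("local auth log coverage begins:", r["local_floor"].isoformat())
    for acct, tl in r["timelines"].items():
        print(f"{acct:13s} first {tl.first_seen.date()} ({tl.first_source})  last {tl.last_seen.date()}  from {sorted(tl.src_ips)}")
    print("activity predating local logs:", r["predates_local_logs"])
    print("source addresses shared across accounts:", r["shared_sources"])
```

The coverage floor is the point of the exercise: the local log's earliest surviving line (February 2014) bounds what the server alone can prove, and only the remote source carries the October 2013 session that moves the earliest-known compromise back. Shipping authentication logs to a collector with its own retention, as NIST SP 800-92 (cited below) recommends, is what makes that second source exist.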

    Objective

On April 28, 2014, Dr. Feldner requested a follow-up investigation of the incident, to be conducted by an ITD Information Systems Security Analyst and the NDUS Chief Compliance Officer. The criteria for the follow-up investigation were to interview a list of employees provided by Dr. Feldner and determine the following:

Are you aware of and do you understand the NDUS/CTS security policies and procedures?
Do you believe that CTS security and procedures are adequate?
Do you feel you have the appropriate resources and support to do your job?
Have you been hindered, by anyone within the organization, in performing your assigned duties?
Do you understand how/when to escalate an issue?
Are you afraid to escalate an issue above your supervisor?
Do you get sufficient support from management?

    Results of Investigation

Our evaluation of the adequacy of NDUS CTS managerial and operational controls found an overall lack of awareness of, and adherence to, internal policies and procedures with regard to the handling of confidential electronic data assets. Consequently, the CTS approach to system security resulted in insufficient technical controls for the system and contributed directly to the subsequent unauthorized access.


    Through the investigation, we have identified 8 reportable findings. We have categorized 6 of the findings as operational and 2 of the findings as managerial in nature. We ranked 7 of the findings as high-impact, and ranked 1 as low-impact.

Operational Findings:

1. NDUS-14-OPER-01 Inadequate Awareness and Application of the NDUS Data Classification and Information Technology Security Standards (High impact)
2. NDUS-14-OPER-02 Inadequate Risk Management Policy and Procedures (High impact)
3. NDUS-14-OPER-03 No Formal System Security Planning or (High impact)
4. NDUS-14-OPER-04 No Formal System Interconnection Implementation Plan (High impact)
5. NDUS-14-OPER-05 No Formal Incident Response Policy or Incident Tracking System (High impact)
6. NDUS-14-OPER-06 No Evidence That Policies and Procedures are Reviewed and Updated (Low impact)

Managerial Findings:

1. NDUS-14-MANA-01 Organizational Structure (High impact)
2. NDUS-14-MANA-02 Personnel Issues (High impact)

    Recommendation

    We recommend that NDUS/CTS implement appropriate corrective actions to resolve all of the reportable findings that we have identified in this investigation.


    BACKGROUND

    Mission/Business Objectives

It is of primary importance to understand the mission/business objectives or functions of an information system to determine the adequacy of the safeguards surrounding its operation. The primary business objective of the system known as is to securely transfer confidential files between entities in support of the ConnectND system.[5] Stated otherwise, the system exists as a managed interconnection system for the transfer of confidential data between interdependent organizations and systems.[6]

    Data Classification Informs Controls

The objective of the system is to securely transfer confidential files; therefore, the data has been pre-classified as confidential. This data classification should have a direct impact on the development of the system controls. Controls are the activities, techniques, technologies, policies, and procedures that allow an organization to meet the intended objectives of an information system. The integrity of the system depends on general controls, which are critical to ensuring the reliability, confidentiality, and availability of data. In the absence of a risk-informed security categorization made by the information owner, it is important to use other sources to inform control selection.

NDUS has specified Procedures that are used to implement the policy directives of the State Board of Higher Education (SBHE).[7] These are standards that the NDUS CIO is authorized to develop and publish. Any electronic data asset of the NDUS or an Institution shall be classified as Public, Private, or Confidential according to the NDUS Data Classification and Information Technology Security Standard.[8]

Confidential Data

Confidential data is information that is not to be publicly disclosed. The disclosure, use, or destruction of this data can have adverse effects on the NDUS or Institution and possibly carry significant civil, fiscal, or criminal liability. This designation is used for highly sensitive information whose access is restricted to selected, authorized employees. The recipients of confidential information have an obligation not to reveal the contents to another individual unless that person has a valid need to know the information. Confidential information must not be copied without authorization from the identified owner.

The data classification standard is designed to define NDUS and institution security responsibility. However, it does this with overly broad controls that are unhelpful in creating an appropriate baseline for measuring a minimal acceptable-risk standard. The absence of specific control objectives often leads to the application of known best practices and the acquisition of widgets, solutions, software, or appliances to solve business objectives. The ugly truth is that it is impossible to purchase technology to solve information security. Security is an ongoing, cyclical process that requires a combination of changes to business processes and organizational culture that incorporates meeting control objectives. The following subsections demonstrate that a technical solution without the requisite general controls had a direct impact on the unauthorized access of the system and continues to put NDUS confidential data at risk.


    Technical Solution

    Interconnection Plan and System Security Plan

    is not an encapsulated out-of-the-box solution for managing the interconnections between information technology systems that are owned and operated by different organizations, including organizations within a single department or entity. To ensure that interconnected systems are connected properly and securely it is important to establish a System Interconnection Implementation Plan.

A System Security Plan is a formal document that provides an overview of the security requirements of the system and describes the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system.[10]

Documented System Controls

In the absence of either an established system security plan or system interconnection implementation plan,

    Missed Opportunities

The interviews conducted throughout the investigation uncovered multiple opportunities to correct security related issues with the system. Specifically, the system was removed from its old hardware platform and was moved to a virtualized environment. Security concerns regarding the system were brought up by employees at that time, but management did not direct any system changes. The server remained on an end-of-lifecycle (EOL) operating system.[14] The system was in continuous operation without new bug fixes, security errata, product enhancements, or technical support availability after February 29, 2012.

    Summary

The lack of general controls allowed the system to begin to act as a file repository. A continual aggregation of confidential data files on the server required additional disk allocation. The single most compelling piece of evidence that a lack of general controls correlated directly with the requirement for breach notification was the lack of procedures to ensure that confidential data was removed in accordance with the business objectives and operating procedures of the system. Had the system established controls to enforce its mission objective as a confidential file transfer system, and not stored files in direct contradiction of multiple operating documents, the unauthorized access would likely have amounted to no more than a mild nuisance incident.

Multiple NDUS CTS employees raised concerns regarding the security of the system to management on multiple occasions. Their concerns with the security of the system were set aside to ensure that the availability of the system remained consistent. The missed opportunities by NDUS CTS management to act upon the information provided by those with knowledge of the security concerns with the system are addressed in the subsequent sections.
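The procedural gap named in the Summary above, no mechanism to remove confidential files once the transfer that justified them was complete, is one that a small, conservative control can close. The following is an added example, not code from the report or from NDUS CTS: a dwell-time sweep over an SFTP drop zone that lists (and, when not in dry-run mode, removes) regular files older than the transfer window, while leaving in-progress uploads alone and never acting through symbolic links. The directory layout, file names and partial-upload suffixes are constructed for the example, and the seven-day window is an assumed value; the real retention requirement would come from the system's operating documents.

```python
import os
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path

# Suffixes that SFTP clients commonly use for uploads still in flight (assumed
# list; match it to the clients actually used against the server).
IN_PROGRESS_SUFFIXES = (".part", ".filepart", ".tmp")


@dataclass
class SweepResult:
    expired: list = field(default_factory=list)      # past the dwell limit; removed unless dry_run
    in_progress: list = field(default_factory=list)  # partial uploads, left alone
    symlinks: list = field(default_factory=list)     # never followed or removed through


def sweep(root, max_age_days, now=None, dry_run=True):
    """Apply a dwell-time limit to every regular file under root.

    Files are judged by modification time against `now`; a future mtime (clock
    skew on the uploading side) is simply newer than the cutoff and is kept.
    """
    root = Path(root)
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    result = SweepResult()
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if path.is_symlink():
                result.symlinks.append(rel)  # a link could point outside the drop zone
                continue
            if path.suffix.lower() in IN_PROGRESS_SUFFIXES:
                result.in_progress.append(rel)
                continue
            if path.stat().st_mtime < cutoff:
                result.expired.append(rel)
                if not dry_run:
                    path.unlink()
    for lst in (result.expired, result.in_progress, result.symlinks):
        lst.sort()
    return result


def build_fixture(base, now):
    """Constructed drop-zone layout used only to demonstrate the sweep."""
    base = Path(base)
    inbound = base / "inbound"
    (inbound / "campusA").mkdir(parents=True)
    ages_in_days = {
        "campusA/roster_2013q3.csv": 120,  # long past any transfer window
        "campusA/roster_2014w05.csv": 2,   # recent, legitimately in transit
        "campusA/upload.csv.part": 30,     # abandoned partial upload, left for review
        "README.txt": 400,
    }
    for rel, age in ages_in_days.items():
        p = inbound / rel
        p.write_text("constructed sample content\n")
        os.utime(p, (now - age * 86400, now - age * 86400))
    # An old file outside the drop zone, reachable only through a symlink left
    # inside it; the sweep must neither follow nor delete through that link.
    outside = base / "outside_the_drop_zone.txt"
    outside.write_text("not part of the drop zone\n")
    os.utime(outside, (now - 900 * 86400, now - 900 * 86400))
    (inbound / "link_out").symlink_to(outside)
    return inbound


def demo(max_age_days=7):
    """Dry-run first, then apply; return (planned, applied, what remains, outside file intact)."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        inbound = build_fixture(tmp, now)
        planned = sweep(inbound, max_age_days, now=now, dry_run=True)
        applied = sweep(inbound, max_age_days, now=now, dry_run=False)
        remaining = sorted(
            p.relative_to(inbound).as_posix()
            for p in inbound.rglob("*")
            if p.is_symlink() or p.is_file()
        )
        outside_intact = (Path(tmp) / "outside_the_drop_zone.txt").is_file()
    return planned, applied, remaining, outside_intact


if __name__ == "__main__":
    planned, applied, remaining, outside_intact = demo()
    print("would remove:", planned.expired)
    print("removed:     ", applied.expired)
    print("held (in progress):", applied.in_progress, " links skipped:", applied.symlinks)
    print("remaining:", remaining, " outside file intact:", outside_intact)
```

Running the sweep in dry-run mode on a schedule and reviewing what it would remove is the cheap version of the missing procedure; once the listed files match what the operating documents say should no longer be on the server, the same job runs with `dry_run=False`. Skipping partial uploads and symlinks keeps the control from damaging a transfer in progress or reaching outside the directory it is meant to govern.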


    OBJECTIVE, SCOPE, AND METHODOLOGY

    Objective

    On April 28, 2014, Dr. Feldner requested a follow-up investigation on the incident to be conducted by an ITD Information Systems Security Analyst and the NDUS Chief Compliance Officer.

    Scope

The criteria for the follow-up investigation were to interview a list of employees provided by Dr. Feldner and determine the following:

Are you aware of and do you understand the NDUS/CTS security policies and procedures?
Do you believe that CTS security and procedures are adequate?
Do you feel you have the appropriate resources and support to do your job?
Have you been hindered, by anyone within the organization, in performing your assigned duties?
Do you understand how/when to escalate an issue?
Are you afraid to escalate an issue above your supervisor?
Do you get sufficient support from management?

Given the questions to be asked, it was understood that this was not to be a full-scale technical controls or forensic-style audit. Accordingly, we did not perform penetration testing or evaluate internal controls directly. All evaluations and conclusions regarding internal controls are drawn from responses gathered throughout the follow-up investigation and are reported in the Results of Investigation section. We performed fieldwork in Bismarck, Grand Forks, and Fargo between May 2, 2014 and May 30, 2014.

    Methodology

    We reviewed general controls and conducted interviews in accordance with the directive provided by Dr. Feldner. We performed this review by interviewing staff and reviewing policies, procedures, and supporting documentation.

The principal criteria used for this review included:

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems
NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments
NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems
NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-60 Rev. 1, Guide for Mapping Types of Information and Information Systems to Security Categories
NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide
NIST SP 800-92, Guide to Computer Security Log Management
NIST Federal Information Processing Standards Publication (FIPS PUB) 199, Standards for Security Categorization of Federal Information and Information Systems
NDUS Data Classification and Information Technology Security Standards


    We conducted this performance audit in accordance with generally accepted auditing standards. Michael Barbere holds a Global Information Assurance Certification (GIAC) Systems and Network Auditor (GSNA) valid through September 30, 2017. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on the ordered objectives and scope.


    FINDINGS AND RECOMMENDATIONS

    Our evaluation of the adequacy of the NDUS CTS general controls found an overall lack of formal policies and procedures with regard to operation of the system. NDUS CTS demonstrated an informal approach to security operations. Additionally, NDUS CTS had significant accountability issues with personnel.

    We identified 8 reportable findings. We have categorized 6 of the findings as operational and 2 of the findings as managerial in nature. We ranked 7 of the findings as high-impact, and ranked 1 as low-impact.

Operational Findings:

1. NDUS-14-OPER-01 Inadequate Awareness and Application of the NDUS Data Classification and Information Technology Security Standards (High impact)
2. NDUS-14-OPER-02 Inadequate Risk Management Policy and Procedures (High impact)
3. NDUS-14-OPER-03 No Formal System Security Planning or (High impact)
4. NDUS-14-OPER-04 No Formal System Interconnection Implementation Plan (High impact)
5. NDUS-14-OPER-05 No Formal Incident Response Policy or Incident Tracking System (High impact)
6. NDUS-14-OPER-06 No Evidence That Policies and Procedures are Reviewed and Updated (Low impact)

Managerial Findings:

1. NDUS-14-MANA-01 Organizational Structure (High impact)
2. NDUS-14-MANA-02 Personnel Issues (High impact)

    Due to the lack of available system logs, it is inconclusive if any of the aforementioned PII stored on the server was exfiltrated. We believe the weaknesses are collectively and, in some cases, individually significant and led directly to the compromise that occurred on the system. Moreover, we believe that these weaknesses are not resolved and continue to affect the confidentiality, integrity, and availability of NDUS held confidential data.

To help improve general controls, we made a recommendation for each of the specific weaknesses identified in this report. A positive response to the findings and effective implementation of the recommendations[15] will result in a higher level of security, more detailed procedures to reduce operational vulnerabilities, and greater security awareness by management and staff.

[15] Appendix U contains the Center for Internet Security Multi-State Information Sharing and Analysis Center report titled Forensic Analysis Report North Dakota University System. This document details a forensic analysis case referred to the Center for Internet Security on February 14, 2014.

    AWARENESS AND APPLICATION OF THE NDUS DATA CLASSIFICATION AND INFORMATION TECHNOLOGY SECURITY STANDARDS

The NDUS Data Classification and Information Technology Security Standards are based on the potential impact on an organization should certain events occur which jeopardize the information and information systems. Security categories are to be used in conjunction with vulnerability and threat information in assessing risk to an organization. This standard assigns the role and responsibility for determining the data classification to the owner of the data. NDUS defines three security classifications for electronic data assets:

Public Data - Public data is defined as data that any entity either internal or external to the NDUS can access. Open record laws of North Dakota may apply.

Private Data - Private data includes information that the NDUS or Institution is under legal or contractual obligation to protect. Private information may be copied and distributed within the NDUS only to authorized users. Private information disclosed to authorized external users must be done so under a non-disclosure agreement.

Confidential Data - Confidential data is information that is not to be publicly disclosed. The disclosure, use, or destruction of Confidential Data can have adverse effects on the NDUS or Institution and possibly carry significant civil, fiscal, or criminal liability. This designation is used for highly sensitive information whose access is restricted to selected, authorized employees. The recipients of confidential information have an obligation not to reveal the contents to another individual unless that person has a valid need to know the information. Confidential information must not be copied without authorization from the identified owner.

According to the data classification standard, any data that has not received a classification from its owner should be presumptively assigned the confidential classification. Due to the widespread use of the system, it is understood that files containing all three data security classifications were stored on the server at the time of the breach.

The classification is intended to inform which controls should apply to information systems and subsystems. The security controls contained within the data classification standard would not facilitate compliance with potentially applicable federal laws such as the Privacy Act or the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

    NDUS-14-OPER-01 Inadequate Awareness and Application of the NDUS Data Classification and Information Technology Security Standards High impact

    Data classification should be well understood throughout the organization with awareness campaigns, periodic training, and acknowledgement statements.

    The data classification standard was not used by information owners to safeguard information or information systems.

    Additionally, the standard contains only a date of April 26, 2005. The standard does not contain a revision number, revision date, or effective date.


    Recommendation

    We recommend that NDUS further develop its data classification standard or replace the standard with security categories that more accurately reflect the potential impact on the organization.

We believe a training or awareness campaign is necessary to ensure widespread understanding of the data classification standard. This training should be developed with the objective of ensuring full participation of all NDUS and Institutional staff. The training or awareness campaign should be accompanied by a signed acknowledgement of the data classifications and their implications for information and information systems.[16] This acknowledgement should be signed by employees on an annual basis.

    RISK MANAGEMENT POLICY AND PROCEDURES

The NDUS and institutions depend on information technology and the information systems that are developed from that technology to successfully carry out their mission and business objectives. NDUS information and information systems are subject to serious threats that can have adverse impacts on organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the State of North Dakota by compromising the confidentiality, integrity, or availability of information being processed, stored, or transmitted by those systems. Threats to information and information systems include environmental disruptions, human or machine errors, and purposeful attacks. Cyber attacks on information systems today are often aggressive, disciplined, well-organized, well-funded, and in a growing number of documented cases, very sophisticated. Given the significant and growing danger of these threats, it is imperative that leaders at all levels of an organization understand their responsibilities for achieving adequate information security and for managing information system-related security risks.[17]

Assessing the NDUS CTS security lifecycle approach involves evaluating the following:

Whether the information system-related security risk management strategy is consistent with the organization's mission/business objectives and the overall risk strategy established by senior leadership through the risk executive (function);[18]

Whether the information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes; and

Whether the risk management strategy supports consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security risk management-related information, and reciprocity.[19]

[16] Appendix V contains the 2013 Annual Notification of Policies. This acknowledgment document includes a section on IT Policies that contains a link to 1901.2 Computing Facilities Procedures. However, the IT Policies section does not mention the data classification standard.

[17] NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, provides guidance for planning, establishing, and maintaining an organized risk management lifecycle approach to the system development life cycle.

[18] The risk executive (function) is an individual or group within an organization that helps to ensure that: (i) risk-related considerations for individual information systems, to include authorization decisions, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its core missions and business functions; and (ii) managing information system-related security risk is consistent across the organization, reflects organizational risk tolerance, and is considered along with other types of risk in order to ensure mission/business success. The head of the agency/organization may choose to retain the risk executive (function) or to delegate the function to another official or group.

[19] Reciprocity is the mutual agreement among participating organizations to accept each other's security assessments.


NDUS and the NDUS institutions should have a written policy that clearly describes the security life cycle and the policies that support it. The following risk management procedures, contained within 1901.2 Computer and Network Usage, are the totality of the risk management language located during the review:

5.1 Risk Management

Periodic risk assessment of information systems infrastructure and data shall be completed by NDUS and Institutions. Any discovered vulnerabilities should be presented to the appropriate campus and NDUS officials.

    The networking services and computer operations personnel are responsible for providing adequate disaster recovery plans and procedures for critical systems under their responsibility in the event of a natural or man-made disaster.

NDUS-14-OPER-02 Inadequate Risk Management Policy and Procedures (High impact)

    NDUS had not established an adequate security plan that addresses the evaluation criteria. Specifically, we noted the following:

    NDUS officials stated that there were limited staff resources and elements of confusion on roles and responsibilities related to the risk management and security life cycle.

    Recommendation

We recommend that NDUS develop and implement an adequate risk management life cycle plan for security planning and management that provides a security control structure foundation and that reflects senior management's commitment to addressing security risks.

Additionally, we recommend that NDUS appoint a chief information security officer with direct reporting to only the NDUS CIO and/or NDUS Deputy CIO.

    SECURITY PLANNING

The objective of system security planning is to improve protection of information system resources. All information systems have some level of sensitivity and require protection as part of good management practices. The protection of a system must be documented in a system security plan.

The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It should reflect input from the various managers with responsibilities concerning the system, including information owners, the system owner, and the senior information security officer.

In order for the plans to adequately reflect the protection of the resources, a senior management official must authorize a system to operate. The authorization of a system to process information, granted by a management official, provides an important quality control. By authorizing processing in a system, the manager accepts its associated risk.

Management authorization should be based on an assessment of management, operational, and technical controls. Since the system security plan establishes and documents the security controls, it should form the basis for the authorization, supplemented by the assessment report and the plan of action and milestones. In addition, a periodic review of controls should also contribute to future authorizations. Re-authorization should occur whenever there is a significant change in processing, but at least every three years.20

20 NIST Special Publication 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems, provides guidance for planning, establishing, and maintaining a system security plan for information systems.


NDUS-14-OPER-03 No Formal System Security Planning (High impact)

    NDUS had not established a system security plan for Specifically, we noted the following:

    NDUS had not developed a system security plan to document important security considerations. Additionally, the system security plan should provide references to more detailed documents, such as contingency plans, certification and accreditation statements, incident handling plans, and any assessment results.

    Recommendation

We recommend that NDUS develop and implement a security plan that provides an adequate security control structure foundation and that reflects senior management's commitment to addressing security risks.

    INTERCONNECTION PLANNING

System interconnection is a section within a system security plan that establishes the appropriate controls inherent in the connection of two or more systems. An Interconnection Security Agreement (ISA) and a Memorandum of Understanding/Agreement (MOU/A) are needed between systems (not between workstations/desktops or publicly accessed systems) that are owned/operated by different organizations.


    At a minimum, the implementation plan should

NDUS-14-OPER-04 No System Interconnection Implementation Plan (High impact)

    NDUS had not established an effective approach for interconnecting the system that addresses the following four phases of the interconnection life cycle:

    Planning the interconnection: the participating organizations perform preliminary activities; examine all relevant technical, security, and administrative issues; and form an agreement governing the management, operation, and use of the interconnection.

Establishing the interconnection: the organizations develop and execute a plan for establishing the interconnection, including implementing or configuring appropriate security controls.

    Maintaining the interconnection: the organizations actively maintain the interconnection after it is established to ensure that it operates properly and securely.

Disconnecting the interconnection: one or both organizations may choose to terminate the interconnection. The termination should be conducted in a planned manner to avoid disrupting the other party's system. In response to an emergency, however, one or both organizations may decide to terminate the interconnection immediately.

    Recommendation

We recommend that NDUS develop and implement an interconnection security plan that addresses each phase of the interconnection life cycle, and emphasizes security measures that should be taken to protect the connected systems and shared data. Moreover, establishing an interconnection security plan includes

    21 NIST Special Publication 800-47 Security Guide for Interconnecting Information Technology Systems provides guidance for planning, establishing, maintaining, and terminating interconnections between information technology systems that are owned and operated by different organizations.


    establishing ISAs and MOU/As with interconnected internal NDUS entities and with any external interconnected systems.

    COMPUTER SECURITY INCIDENT HANDLING

Introducing well-established security controls and assessments can demonstrate due diligence and duty of care. Preventive activities based on the results of system security planning and risk assessments can lower the number of computer security incidents. However, not all incidents can be prevented. An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring IT services.22

Establishing an incident response capability should include the following actions:

Creating an incident response policy and plan
Developing procedures for performing incident handling and reporting
Setting guidelines for communicating with outside parties regarding incidents
Selecting a team structure and staffing model
Establishing relationships and lines of communication between the incident response team and other groups, both internal (e.g., general counsel) and external (e.g., Information Technology Department)
Determining what services the incident response team should provide
Staffing and training the incident response team.

The incident response team should maintain records about the status of incidents, along with other pertinent information. Using an application or a database, such as an issue tracking system, helps ensure that incidents are handled and resolved in a timely manner. The incident response system should have the ability to safeguard incident data and restrict access to it because it often contains sensitive information.

NDUS-14-OPER-05 No Formal Incident Response Policy or Incident Tracking System (High impact)

    NDUS has not developed a formal incident response policy or computer security incident tracking system.23

    Recommendation

    We recommend that NDUS develop and implement an incident response policy that addresses purpose, scope, requirements, roles, responsibilities, incident classification, incident response organizational model, and contains a statement of management commitment. Additionally, we recommend that NDUS and institutions use a centralized issue tracking system that can effectively handle computer security incidents in a secure manner.
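As an added illustration (not code from the report, nor any NDUS or CTS system), the following Python sketch shows the properties the recommendation above asks of an incident tracking system: incident records that carry a data classification, a fixed handling workflow that cannot skip containment, read and write access restricted by role with every allow/deny decision written to an audit log, and a query for unresolved incidents that have exceeded a handling deadline. The role names, the three-day deadline, the status workflow and the two sample incidents are constructed assumptions for the example.

```python
"""Incident tracking record store with restricted access (added example).

Illustrative code written for this page, not an NDUS/CTS system. Roles,
SLA, workflow and sample incidents below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Set


class Status(Enum):
    NEW = "new"
    TRIAGED = "triaged"
    CONTAINED = "contained"
    RESOLVED = "resolved"


# Permitted transitions: an incident cannot be closed without passing
# through triage and containment (constructed workflow).
TRANSITIONS = {
    Status.NEW: {Status.TRIAGED},
    Status.TRIAGED: {Status.CONTAINED},
    Status.CONTAINED: {Status.RESOLVED},
    Status.RESOLVED: set(),
}

# Roles allowed to read or change records (assumed role names).
READ_ROLES = {"sirt", "ciso"}
WRITE_ROLES = {"sirt"}


@dataclass
class Incident:
    ident: str
    summary: str
    classification: str  # classification of the affected data, e.g. "confidential"
    opened: datetime
    status: Status = Status.NEW
    history: List[str] = field(default_factory=list)


class IncidentTracker:
    """Stores incidents, enforces role-based access, and flags overdue cases."""

    def __init__(self, sla: timedelta) -> None:
        self._incidents: Dict[str, Incident] = {}
        self.sla = sla                   # age at which an open incident is overdue
        self.audit_log: List[str] = []   # every access decision is recorded here

    def _authorize(self, role: str, allowed: Set[str], action: str, ident: str) -> None:
        if role not in allowed:
            self.audit_log.append(f"DENY {action} {ident} role={role}")
            raise PermissionError(f"role {role!r} may not {action} incident {ident}")
        self.audit_log.append(f"ALLOW {action} {ident} role={role}")

    def open(self, role: str, ident: str, summary: str,
             classification: str, when: datetime) -> Incident:
        self._authorize(role, WRITE_ROLES, "open", ident)
        if ident in self._incidents:
            raise ValueError(f"incident {ident} already exists")
        inc = Incident(ident, summary, classification, when)
        inc.history.append(f"{when.isoformat()} opened by {role}")
        self._incidents[ident] = inc
        return inc

    def advance(self, role: str, ident: str, new_status: Status, when: datetime) -> Incident:
        self._authorize(role, WRITE_ROLES, "update", ident)
        inc = self._incidents[ident]
        if new_status not in TRANSITIONS[inc.status]:
            raise ValueError(f"cannot move {ident} from {inc.status.value} to {new_status.value}")
        inc.history.append(f"{when.isoformat()} {inc.status.value} -> {new_status.value} by {role}")
        inc.status = new_status
        return inc

    def get(self, role: str, ident: str) -> Incident:
        self._authorize(role, READ_ROLES, "read", ident)
        return self._incidents[ident]

    def overdue(self, now: datetime) -> List[str]:
        """Identifiers of unresolved incidents older than the SLA."""
        return sorted(i.ident for i in self._incidents.values()
                      if i.status is not Status.RESOLVED and now - i.opened > self.sla)


def demo() -> dict:
    """Walk two constructed incidents through the tracker; returns the outcomes."""
    t0 = datetime(2014, 7, 1, 9, 0)  # constructed timestamp
    tracker = IncidentTracker(sla=timedelta(days=3))
    tracker.open("sirt", "INC-001", "confidential data on exposed server", "confidential", t0)
    tracker.open("sirt", "INC-002", "phishing report", "internal", t0 + timedelta(days=2))
    tracker.advance("sirt", "INC-001", Status.TRIAGED, t0 + timedelta(hours=1))
    tracker.advance("sirt", "INC-001", Status.CONTAINED, t0 + timedelta(hours=6))
    tracker.advance("sirt", "INC-001", Status.RESOLVED, t0 + timedelta(days=1))
    denied = skipped = False
    try:
        tracker.get("helpdesk", "INC-001")          # role outside READ_ROLES
    except PermissionError:
        denied = True
    try:                                             # attempt to skip triage/containment
        tracker.advance("sirt", "INC-002", Status.RESOLVED, t0 + timedelta(days=2))
    except ValueError:
        skipped = True
    return {
        "resolved": tracker.get("ciso", "INC-001").status is Status.RESOLVED,
        "overdue_after_a_week": tracker.overdue(t0 + timedelta(days=7)),
        "read_denied_for_helpdesk": denied,
        "skip_rejected": skipped,
        "deny_entries": sum(1 for e in tracker.audit_log if e.startswith("DENY")),
    }
```

The point of the sketch is the combination the finding calls for: the record itself is the evidence that an incident was worked, the audit log shows who touched it, the deny path shows how sensitive incident data is kept from roles that have no need for it, and `overdue()` gives management the list that a periodic status review would be built on.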

    POLICY AND PROCEDURES

22 NIST Special Publication 800-61 rev. 2, Computer Security Incident Handling Guide, assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively.

23 Brad Miller had developed a security incident tracking system. However, it was not widely adopted and fell into a state of disuse.


    Formalized policies and procedures should address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. These policies and procedures should be disseminated throughout the organization. Finally, policies and procedures should be reviewed and updated with a frequency that is defined by the organization.

NDUS-14-OPER-06 No Evidence That Policies and Procedures Are Reviewed and Updated (Low impact)

    NDUS has not updated the 1901.2 Computer and Network Usage Procedures since April 26, 2005.

    Recommendation

    We recommend that NDUS conduct a formal review of procedures, at least annually, and include a revision version number and review date on its policies and procedures.

    ORGANIZATIONAL STRUCTURE

    As mentioned above, simply purchasing technology does not alone mitigate information security risks. The human element is a crucial part of security processes, and it can be either a major strength or major vulnerability. In this breach event, employee conduct not only deterred identifying and addressing risks, but also obstructed the breach response.

Security, compliance, and risk mitigation affect everyone in an organization. Every individual at every level should have some sense of urgency regarding the safety of organizational data. That said, when everyone is responsible, no one is accountable. It is therefore crucial that key employees not only possess the responsibility for the security function, but are also held accountable for the quality of its functioning. The scope of authority and responsibility of these key employees is ordinarily discernible through the organizational structure, as illustrated in an organizational chart.

There is no perfect organizational structure, and many organizations have successfully adopted alternatives to the traditional hierarchical chain-of-command arrangement. Some organizations are better served by a structure that emphasizes work flow or communication flow. While the shape may differ, all effective organizations must clarify each employee's areas of accountability, areas of influence, and the distinction between the two. Particularly in public organizations, the source of decision-making authority must be clear. Any delegation of that authority, whether in whole or in part, should be well-defined.

    NDUS-14-MANA-01 Organizational Structure

In 2007, the North Dakota Legislature took a step toward centralizing IT planning and services for North Dakota higher education institutions. By statute, IT services were to be integrated. See N.D.C.C. 15-10-44. This process of integration culminated in December 2012, when Core Technology Services (CTS), a division of NDUS, became the hub for all institutions' IT services. Many employees migrated from their respective institutions, chiefly NDSU and UND, to CTS. While the organizations have merged, CTS employees are located in three physical locations: Fargo, Grand Forks, and Bismarck.

    This merger has yielded an organizational structure that is confusing and in some cases, redundant. Reading and interpreting the CTS organizational chart was a constant challenge during this investigation. Positions are ill-defined. Duties overlap among positions; conversely, there are gaps in responsibility. This has led to hard feelings, confusion, and misplaced expectations among employees.


It also appears that historically, prior to the consolidation, management chose to address workplace conflicts and performance issues through restructuring rather than direct corrective action. Organizational decisions were made to accommodate personality clashes rather than being informed by job function. This problem is particularly notable with security personnel. IT Security Officer Brad Miller is in the Infrastructure and Operations Division, reporting to Director Rick Anderson, who in turn reports to Deputy CIO Darin King. IT Security Officer Dick Jacobson reports to Assistant CIO Rosi Kloberdanz. The reasons for this are both historical and personality-driven. The factions represent employees from UND and NDSU that were not integrated during the merger. The other reason provided for this is that Jacobson and Kloberdanz wanted to work together. The investigation revealed that, outside of Kloberdanz, Jacobson's colleagues view him as difficult to work with and his work as deficient. This issue will be addressed more specifically below. However, rather than addressing Jacobson's performance directly, management chose to adapt the organizational structure to minimize these concerns. This tactic is rarely, if ever, successful, with the problem often becoming intractable. This appears to be the case here.

This structure does not facilitate the security function. Jacobson chairs a security committee comprising security representatives from each campus. Miller sits on that committee and represents UND. Outside of the security committee, Miller and Jacobson, the two individuals focused primarily on security, do not communicate frequently or often work together. Jacobson's current reporting relationship does not appear to serve any functional purpose. Kloberdanz's work and expertise are unrelated to the security function. Also, while Miller is now an NDUS employee, he provides services fairly exclusively to UND. This is consistent with management direction, but does not appear to be in the spirit of integrated services as mandated by the legislature. See N.D.C.C. 15-10-44.

Neither Miller nor Jacobson views himself as accountable for general NDUS security. This became apparent during the response to the breach incident: it was unclear who had the decision-making authority and responsibility to act post-breach. Miller, because of his knowledge and expertise, ultimately took a leadership role under Rick Anderson's direction. However, this does not harmonize with his role as a dedicated UND security officer.

    Recommendation

    CTS should have a consolidated security group that serves all institutions. One designated security chief should be accountable for the entire CTS security function and should have the necessary authority to carry out the work of that position. Given the responsibility involved, this position should be as close as possible to, or optimally within, the CTS cabinet.

    PERSONNEL ISSUES

    Adapting the organizational structure to better serve the functions of CTS is crucial to minimizing future risk. However, the current structure exists, in part, to buffer and circumvent longstanding employee performance problems. Even the best organizational structure will not succeed when individuals in key positions lack the motivation or skills needed to perform their work.

Many of the individuals interviewed care very deeply about the mission and vision of CTS. Moreover, most CTS employees are highly skilled and are eager to put those skills to work for the organization. Restructuring and clarification of expectations will do much to improve employee performance. Unfortunately, there are a few individuals in the organization who are experiencing significant performance issues. These issues have been inappropriately addressed, or completely unaddressed, by CTS. These issues must be resolved or attempts to reorganize will be futile.


    NDUS-14-MANA-02 Personnel Issues

    Dick Jacobson

As mentioned above, Dick Jacobson's separation from the rest of the security group appears to result from his colleagues' lack of faith in his skills and performance. For example, when his boss, Kloberdanz, was asked why he was separated from the rest of the security personnel, she stated it was because she could work with him. She acknowledged that he was difficult to work with and that others were unwilling to take him on as a report. Other members of CTS staff echoed these sentiments. When we asked CTS staff members how Jacobson contributed to the work of CTS, they did not have a clear idea, but all agreed that he was responsible for security policy.

This does not reflect the content of Jacobson's current job description. According to that document, Jacobson appears to be key security personnel, if not ultimately responsible for all NDUS security. His position administers, coordinates, and maintains information system security policy, programs, processes and solutions for the NDUS. He is responsible for security and privacy issues within the electronic environments of the NDSU and assists the institutions with their security and privacy issues. While policy is a main component of his position, he is also tasked with identifying security issues/needs within the IT infrastructure and with recommending applications or policies/procedures to remediate those issues. The position is also responsible for providing technical guidance, consultation, training, planning and incident response coordination to NDUS institutional IT staff, institutional ITSOs, and administrators. The position description will not be fully restated here. That said, the responsibilities as outlined by the position demonstrate comprehensive, system-wide, sophisticated security responsibilities. Both Jacobson and Kloberdanz signed the position description on October 2, 2012, indicating it reflects an accurate and complete description of the duties and responsibilities assigned to the position.

Jacobson has not been performing those duties. For example, he was not directly involved with the breach response. Moreover, NDUS had no incident response plan, which led to confusion and delay after the breach event. When asked why he had not taken on more security responsibility, Jacobson indicated he was not involved with security operations, and instead worked primarily with security policy. This is also puzzling given the overwhelming lack of security policy in CTS. When asked what particular policies Jacobson works with, he cited NDUS Procedure 1901.2. This procedure was last updated November 2005.

Jacobson acknowledged that he does not spend much time on security, instead taking on other duties as assigned. However, it remains unclear what these duties are. It is also unclear whether Jacobson understands that he was not acting as an IT Security Officer and was not performing the job as outlined in his position description. When asked about current security best practices, Jacobson struggled. He acknowledged that he has not attended training or conferences recently. When asked why, Jacobson cited medical issues that prevent him from traveling. Jacobson, however, has not pursued any of the numerous online training options.

Overall, while Kloberdanz should have managed Jacobson's performance more effectively, his is a high-level, well-compensated security position. Jacobson, by virtue of his title and position description, had the inherent, independent obligation to develop and maintain appropriate security measures for the NDUS. He failed to do so. Moreover, even though it appears he was aware of that failure, he did not solicit any assistance or additional resources so he could better perform his job. These failures directly led to the security breach and to complications in responding to that breach.


It is therefore difficult to imagine what function Jacobson could perform post-reorganization. Jacobson does not have the sophisticated knowledge necessary to perform the duties listed in his job description. To be effective, Jacobson would have to receive a significant amount of training, which would be costly in both time and money. Meanwhile, the holes in the NDUS security program would remain unresolved. The greater problem is Jacobson's overall demeanor and failure to take responsibility when discussing these issues. While Jacobson was willing to participate in the interview, his attitude was often dismissive and somewhat glib about serious security concerns. For example, at the time of the breach, Jacobson had unique knowledge of the types of information on the server. However, post-breach, Jacobson failed to reveal this important information to colleagues working on the breach response. This failure led to a delay in notifying affected individuals. In our interview, Jacobson's reasons for withholding this information were unclear: he stated that he believed the team would discover the nature of the data after Brad Miller performed a technical analysis of the server contents. This statement, at best, reflects bad decision-making and, at worst, is not credible. Based on his comments and demeanor, it appears more likely that Jacobson is insulted that he does not have more clout within the organization and chose this breach event to withhold information as a form of protest. Nonetheless, whether this oversight was intentional or simply negligent, it is a significant performance failure.

    Recommendation

The duties of the IT Security Officer are vital to CTS. It does not appear that Jacobson has the knowledge, skills, or motivation to successfully perform these duties. Pursuant to effective merit system principles, Jacobson should be offered an opportunity to defend his actions and to propose a plan for improvement. If Jacobson is unable to persuade CTS that his performance will improve, the employment relationship should be terminated for misconduct. While demotion can sometimes be an option in these instances, it does not appear to be a good alternative given Jacobson's failure to take responsibility for his involvement in CTS's security failures.

    Bill Walker

    Bill Walker serves as a Senior Systems Administrator at NDUS. His role in the events occurring prior to the breach is troubling and suggests he is ill-equipped to be in a leadership position at CTS.

Walker supervises Erik Johnson, who had significant concerns about the security prior to the breach. Johnson brought his security concerns to Walker. According to Walker, the problems were well-known and staff members tried to fix [the issues] several times [when the server was housed] at UND. Walker acknowledged having management-level conversations about the security concerns with other CTS leaders. However, no action was ultimately taken to solve the problem. When asked why, Walker was vague, citing a lack of resources. He takes no ownership over the decisions made by this group, commenting many times that while he raised the concerns, the leadership team decided not to address the issue. He does not take responsibility for the decisions made by the leadership team. He was not able to articulate who ultimately had decision-making authority, but he feels that it was not him. He admitted that he had lingering concerns, but he did not escalate these issues further or document his concerns in any way. Further, our interview revealed Walker to be unaware of any applicable security policies. Given Walker's position within the organization, this non-action qualifies as negligent.

Walker's demeanor during the interview does not inspire confidence that he will provide necessary leadership in the future. Walker does not appear to understand the level of responsibility that his position requires.


Troublingly, Walker indicated he was surprised more of the servers aren't being hacked.

Walker knew there were security issues involving the server. He was in a leadership position in the organization, and despite this authority, he failed to take the actions necessary to mitigate the risks. Given his inaction, Walker's reports have received the message that nothing will be done when concerns are escalated to management.

    Recommendation

Walker's failure to act is inexcusable and directly led to the delay in breach detection. More importantly, Walker does not take responsibility for his role in the breach. Walker's performance creates significant risk for CTS. Pursuant to effective merit system principles, Walker should be offered an opportunity to defend his actions and to propose a plan for improvement. If Walker is unable to persuade CTS that his performance will improve, the employment relationship should be terminated for misconduct.

    Marv Hanson

Like Bill Walker, Marv Hanson was involved in leadership discussions about the vulnerabilities and chose to do nothing. The concerns about Walker outlined above apply equally to Hanson. During our investigation, however, additional troubling information was revealed about Hanson's conduct as a supervisor and as part of CTS leadership.

In 2009, reported to Hanson through a team lead. When interviewing we asked about the general workplace climate with regard to escalating issues of concern. indicated that escalating issues could be a risky move at CTS. He indicated Hanson had formally disciplined him because included a senior staff member on an email exchange. After the interview, the investigation team obtained a copy of the disciplinary documentation from file. The warning letter is ambiguous and inarticulate; however, it appears to support account of the situation.

also reported being in a supervisory position when he was in Hanson's group. He indicated he was moved out of that supervisory position at Hanson's direction. When asked about Peterson, Hanson's demeanor suggested a strong animosity. Hanson indicated was not a competent supervisor and, therefore, his supervisory responsibilities were removed from him through a restructuring of the organization. During the questioning process, Hanson vacillated between describing these events as duties being removed or as a restructuring. Hanson was generally evasive when discussing this topic. For example, Hanson indicated there were numerous complaints about work, but that he never formally disciplined because his conduct did not rise to that level. When asked to elaborate about performance problems, Hanson merely commented that he delegated too much work to members of his staff and spent work time on non-work related activities. Hanson was unable to articulate any other relevant reasons. It is generally unclear why Hanson has such a strong dislike for despite being given numerous opportunities to explain his concerns.

Hanson indicated that performance problems were discussed during annual evaluations and that they were addressed in the written evaluations. The investigation team later examined performance reviews and there was no mention of delegation issues or trouble staying on-task. Either Hanson failed to appropriately manage performance or the performance problems did not actually exist.

Hanson indicated he made the decision to combine two departments in order to remove supervisory duties. The team asked why Hanson would completely reorganize two departments to resolve performance problems that, in his words, did not rise to the level of formal discipline. Hanson did not have an answer.

    Hanson also admitted making derogatory comments about performance to colleagues Bonnie Jundt and Gail Sullivan, neither of whom are in chain of command. Hanson also indicated he told current supervisor, Bill Walker, that should not be in a supervisory role.

Hanson's treatment of is very troubling. Hanson admitted that he participated in supervisory training during his time at UND, and therefore has had exposure to sound management principles. His decision to penalize for escalating an issue contributed to an overall culture of intimidation that dissuades employees from reporting important issues to senior management. An environment has been created where concerns, such as concerns for the security of the server, are stifled due to a very reasonable fear of retaliation. Hanson's conduct created significant risk for CTS.

Overall, the interview with Hanson was difficult. On several occasions, Hanson's statements were internally inconsistent. His statements were also later found to conflict with documentation. Hanson's statements were not credible, and therefore he is deemed not to have cooperated with this workplace investigation.

    Recommendation

Given these concerns about Hanson's judgment and demeanor, it is difficult, if not impossible, to recommend solutions that would resolve matters and bring Hanson's conduct into compliance. While training or coaching are generally good solutions, they are successful only when an employee acknowledges subpar behavior and actively attempts to improve. Hanson's failure to cooperate in this investigation, or to acknowledge responsibility for errors, indicates that his conduct will not be improved by training or coaching. Moreover, if Hanson continues in his current position, there is a strong likelihood that the organization will be perceived as endorsing this type of intimidating conduct. Pursuant to effective merit system principles, Hanson should be offered an opportunity to defend his actions and to propose a plan for improvement. Unfortunately, however, based on the information known to the investigation team at this time, the recommended solution is to terminate the employment relationship for misconduct.

  • Warning This report contains restricted information for official use. Distribution is limited to authorized officials.


    APPENDIX A: ACRONYMS AND/OR DEFINITIONS

    CIO: Chief Information Officer
    CIS: Center for Internet Security
    ConnectND: North Dakota's implementation of Oracle/PeopleSoft systems
    CTS: Core Technology Services
    ELS: Extended Life Cycle
    EOL: End of Life
    ES: Enterprise Servers
    FIPS PUB: Federal Information Processing Standards Publication
    FTP: File Transfer Protocol
    GIAC: Global Information Assurance Certification
    GSNA: GIAC Systems and Network Auditor
    IA: Information Assurance
    ISA: Interconnection Security Agreement
    ITD: Information Technology Department
    MOU/A: Memorandum of Understanding/Agreement
    MS-ISAC: Multi-State Information Sharing and Analysis Center
    N.D.C.C.: North Dakota Century Code
    NDUS: North Dakota University System
    NIST: National Institute of Standards and Technology
    PII: Personally Identifiable Information
    RHEL: Red Hat Enterprise Linux
    SBHE: State Board of Higher Education
    SCP: Secure Copy
    SFTP: Secure Shell File Transfer Protocol
    SIRT: Security Incident Response Team
    SNOW: NDUS internal work or incident tracking system?
    NDUS CTS system for secure file transfer
    SP: Special Publication
    SSH: Secure Shell
    SSN: Social Security Number
    SSP: System Security Plan
    TCP: Transmission Control Protocol


    APPENDIX B: NDUS CTS ORGANIZATIONAL CHARTS

    (Organizational charts, pages B-1 through B-4, are images and do not appear in the extracted text.)

    APPENDIX C: INTERVIEW CONDUCTED WITH MICK PYTLIK

    5/9/2014 Assistant CIO Mick Pytlik

    We spoke with Mick Pytlik for a general overview of the organization (what his role is).
    o Campus Security Officers Group.
    o Said people under Rick Anderson are responsible for security.
    o Dick is separate from security because of the merger. He takes more of a systems focus.
    o Brad Miller has a more systems focus.
    o Group was convened to upgrade; this included 3-4 people from the data center, Bill Walker, Kevin Spivy, Dick, Kathy and Annette.
    o Dick or Bill Walker would know about security measures at that point.


    APPENDIX D: INTERVIEW CONDUCTED WITH MARK DIERS

    5/12/2014 Mark Diers
    o Mark was responsible for setting up the server originally. He has had no role with the server since before the virtualization.
    o Noted that Bill Walker was involved in the virtualization discussion.
    o No involvement in the breach response.


    APPENDIX E: INTERVIEW CONDUCTED WITH CRAIG CERKOWNIAK

    5/12/2014 Craig Cerkowniak
    o Like Mark, Craig has had nothing to do with the server since before the virtualization.
    o He heard there was a project to reevaluate the server use, and indicated that Dick Jacobson and Brad Miller would have been involved in that.


    APPENDIX F: INTERVIEW CONDUCTED WITH BRAD MILLER

    5/13/2014 Brad Miller
    o Everyone interviewed agreed that Brad's role was the UND Security Lead and that he was institution-focused. He very much identifies with UND as his institution.
    o Brad Miller was heavily involved in the breach response.
    o He has a good grasp on security measures.
    o When asked about Dick Jacobson, Mr. Miller indicated that Mr. Jacobson's primary focus was security on a policy level.


    APPENDIX G: INTERVIEW CONDUCTED WITH ERIK JOHNSON

    5/13/2014 Erik Johnson
    o Was very nervous. He appeared concerned that he was the subject of the inquiry.
    o Said he had a very good working relationship with his boss, Bill Walker.
    o Said he expressed security concerns to Bill on several occasions. He trusted that Bill would escalate his concerns to senior staff. He indicated he believed Bill did this. However, when he and Bill regrouped, Bill told him that it had been decided that those security concerns would not be addressed.
    o Erik did not know who made the final decision not to address these issues; however, he was confident that Bill properly communicated his concerns to decision makers and that there were other projects that they decided took precedence for resources.


    APPENDIX H: INTERVIEW CONDUCTED WITH KATHY MATTSON

    5/14/2014 Kathy Mattson
    o Kathy was pleasant and cooperative, though she seemed unsure as to why we wanted to talk with her.
    o Her job title is Connect ND Security Specialist, implying that she has some security program design or implementation authority. This is not the case; she primarily handles password change requests.
    o She indicated that there is no policy re: user account verification and that she generally knows the voice of the person who is calling in. While very professional and diligent, it does not seem that Ms. Mattson has expertise in information security, and her function is clerical in nature. It also seemed somewhat odd that she reported to Mick, whose responsibility is administrative rather than technical. It may make more sense, and may provide better oversight for security issues, if this position reports to a security expert.


    APPENDIX I: INTERVIEW CONDUCTED WITH RICK ANDERSON

    5/14/2014 Rick Anderson
    o Helpful and professional.
    o Acknowledged that there are not clear delegations of authority within the organization.
    o Indicated that Dick Jacobson was mainly concerned with security policy rather than operations.


    APPENDIX J: INTERVIEW CONDUCTED WITH JANIE ADAM

    5/14/2014 Janie Adam
    o Very cooperative and forthcoming.
    o Indicates very low turnover in the department she manages.
    o Works for Madhavi; very upset about some of the changes that Madhavi is making.
      - She is very annoyed that she is being asked to perform 6-month informal reviews with her subordinates. Later discussion with Madhavi revealed that this technique is intended as a touch-base so that there will be no surprises on the formal annual evaluation. Madhavi indicated this was to provide an opportunity to deal with problems before they are exacerbated. This is good HR technique on Madhavi's part. It is unclear why Ms. Adam is resistant to this, other than the extra work involved. However, this appears to be excellent performance management.
      - The organization is considering moving from a 4/10 schedule to a 5/8 schedule. This is to provide coverage during the business day. While at first it appeared Ms. Adam was advocating on behalf of her staff, it became clear that she was mostly concerned about her own desire to continue working a 4/10 schedule. Generally, flexible scheduling is optimal when employees are meeting expectations and the office is appropriately staffed; however, if a determination has been made that flexible scheduling is not possible given the size and structure of Ms. Adam's team, a traditional workday is warranted.
    o Ms. Adam's management style seems somewhat tyrannical. She admitted monitoring her employees and their work habits very closely, including looking over their shoulders in order to determine whether they are viewing non-work related websites. Ms. Adam polices even innocuous, de minimis conduct like listening to headphones or checking a news website while at work. She indicates that these expectations are difficult to enforce because leadership (i.e. Madhavi) does not support these controls. This level of micromanagement is excessive. It also has a tendency to shift focus away from concerns including actual productivity and work quality.
    o Ms. Adam appears very committed to her work; however, her approach to management is unyielding. CTS may consider talking with or surveying Ms. Adam's staff to determine what, if any, effect this approach has had on morale within the division. Ms. Adam's performance may benefit from management training/coaching.


    APPENDIX K: INTERVIEW CONDUCTED WITH BILL WALKER

    5/14/2014 Bill Walker
    o According to Erik, he brought his security concerns to Bill Walker, who Erik felt appropriately escalated those concerns. Therefore, our discussions with Bill Walker centered on his communications with that escalation.
    o According to Mr. Walker, Erik indeed told him about his concerns with the server. The problems were well-known and staff members tried to fix [the issues] several times [when the server was housed] at UND.
    o Mr. Walker could not recall exactly who was present for these management-level conversations. However, he specifically mentioned Marv Hanson.
    o During these conversations, security concerns about were discussed. However, no action was ultimately taken to solve the problem. When asked why this was the case, Mr. Walker was vague, citing a lack of resources. Mr. Walker took no ownership over the decisions made by this group, commenting many times that while he raised the concerns, some unspecified "they" decided not to address the issue. He was not able to articulate who ultimately had decision-making authority, but he felt that it was not him. He did not choose to escalate these issues further or to document his concerns in any way.
    o Mr. Walker was unaware of any applicable security policies. He was also unaware of any documentation reflecting these management-level conversations or why these decisions were made. Given Mr. Walker's position within the organization, this non-action qualifies as gross negligence.
    o Mr. Walker indicated he was surprised more of the servers aren't being hacked.

    In summary, Mr. Walker knew there were security issues involving the server. He was in a leadership position in the organization, and despite this authority, he failed to take the actions necessary to mitigate the risks.


    APPENDIX L: INTERVIEW CONDUCTED WITH ROBERT PETERSON

    5/14/2014 Robert Peterson
    o Mr. Peterson appeared nervous but candid.
    o We discussed the general workplace climate with regard to escalating issues of concern. Mr. Peterson indicated that it is a risky move at CTS. He indicated that he had once been formally disciplined because he included his boss's supervisor on an email exchange. At the time, Mr. Peterson was in Marv Hanson's chain of command. Mr. Peterson did not view his actions as having warranted discipline but has been anxious about escalating issues since that experience.
    o Mr. Peterson also reported being in a supervisory position when he was in Mr. Hanson's group. He was moved out of that supervisory position. It was not clear from Mr. Peterson's statements whether this move was part of a disciplinary process. However, he felt it was based on Mr. Hanson's ill will toward him. When asked, Mr. Peterson did not seem to know why Mr. Hanson dislikes him.
    o Mr. Peterson no longer reports to Mr. Hanson. Mr. Peterson has recently been put back into a supervisory position. According to Mr. Peterson, Mr. Hanson has made it known in the workplace that Mr. Peterson should not have supervisory duties. Mr. Peterson reports things going well in his new position.
    o When discussing this incident, Mr. Peterson appeared very uneasy and fearful.
    o After the interview, the team obtained a copy of the disciplinary documentation from Mr. Peterson's file. The warning letter is ambiguous and inarticulate; however, it appears to support Mr. Peterson's account of the situation. Mr. Peterson was formally disciplined for insubordination.
    o According to the underlying documentation, the facts are as follows: Mr. Peterson wrote an email regarding what appears to be a routine work-related issue, and addressed that email to more people than Mr. Hanson thought appropriate. According to Mr. Hanson, Mr. Peterson failed to understand simple office protocol of going through [his] supervisor. This criticism is confusing: according to the attached emails, Mr. Peterson did, in fact, also address the email to his direct supervisor. Nonetheless, Mr. Hanson states, the insubordination is due to the wording and recipients of the email, not due to the fact that he was questioning something. Mr. Peterson attached a letter to the disciplinary paperwork indicating that he appropriately went through his supervisor.


    APPENDIX M: INTERVIEW CONDUCTED WITH MADHAVI MARASINGHE

    5/14/2014 Madhavi Marasinghe
    o One of the accounts compromised belonged to an employee in Ms. Marasinghe's division. That individual is a foreign national who occasionally travels to his home country. Ms. Marasinghe indicated CTS computers do not leave the country, so this individual should not have brought his computer with him.
    o We followed up on some of Janie Adam's concerns about 6-month evaluations and moving to a 5/8 workweek. Ms. Marasinghe explained why these decisions were made. Ms. Marasinghe's explanations demonstrated a sophisticated understanding of performance management principles.


    APPENDIX N: INTERVIEW CONDUCTED WITH ROSI KLOBERDANZ

    5/14/2014 Rosi Kloberdanz
    o Despite the rocky start, Ms. Kloberdanz appeared cooperative when in the actual interview.
    o Assistant CIO Kloberdanz supervises IT Security Officer Dick Jacobson. Ms. Kloberdanz's focus is External Relations, so it was unclear why Mr. Jacobson reported to her. When asked, Ms. Kloberdanz explained that she and Mr. Jacobson both worked at NDSU together and had a preexisting working relationship. She stated that she could handle Mr. Jacobson, who had a reputation as being difficult to supervise.
    o Ms. Kloberdanz was unfamiliar with general IT security concepts, and admitted that she does not have specialized security knowledge. When asked how she could evaluate Mr. Jacobson's performance, she indicated that she had been in the IT field for a long time.
    o Ms. Kloberdanz indicated she believed that the CTS security function should be centralized.
    o Ms. Kloberdanz indicated Mr. Jacobson has monthly meetings with institutional security officers. She indicated that the institutions contract for forensic security services.
    o When asked to explain what her and Mr. Jacobson's roles were in the breach response, she indicated "I don't know." She appeared to have little oversight, control, or understanding of Mr. Jacobson's involvement in the breach response. She indicated that she felt he should be involved but seemed to leave it up to him to either be involved or not be involved as he saw fit.
    o At the time of the breach, she believed Mr. Jacobson had accurate information about what data was being stored on that server. She did not inform anyone in the breach response group that Mr. Jacobson had this information. Again, Mr. Jacobson's involvement appeared to be left to his own discretion.
    o Ms. Kloberdanz has not evaluated Mr. Jacobson's performance since December 2007, when they were both housed at NDUS. The existing evaluations appear based completely on feedback from internal and external contacts. Action items, such as establishing an NDSU security website, recurred from evaluation to evaluation apparently without progress.
    o Overall, Ms. Kloberdanz was a fairly hands-off supervisor. Ms. Kloberdanz acknowledged that she was likely not active enough in managing Mr. Jacobson's performance. Given Ms. Kloberdanz's professional expertise, she was in no position to evaluate the quality of Mr. Jacobson's security work. That said, she could have enlisted expert assistance from ND ITD or other third-party experts to evaluate Mr. Jacobson and his program. Instead, she has chosen not to evaluate Mr. Jacobson annually, as required by SBHE policy 604.3, for six years. Ms. Kloberdanz's performance as Mr. Jacobson's supervisor does not meet NDUS expectations. In the interview, Ms. Kloberdanz took ownership of her failures and appeared contrite. Ms. Kloberdanz has three additional direct reports, and her supervision of them was outside the scope of this investigation. That said, we recommend Ms. Kloberdanz's performance as a supervisor be further examined.


    APPENDIX O: INTERVIEW CONDUCTED WITH DICK JACOBSON AND JACOBSON POSITION DESCRIPTION

    5/14/2014 Dick Jacobson
    o Mr. Jacobson indicated he was not directly involved with the breach response. He indicated he had specialized knowledge of the type of information that existed on the server at the time of the breach. He acknowledged that he did not share this information with those on the breach response team, and instead waited for that information to be revealed by alternative means.
    o When asked why Mr. Jacobson was not more involved with the breach response, he revealed that he was not involved with security operations, and instead worked primarily with security policy.
    o When asked what particular policies Mr. Jacobson works with, he cited NDUS Procedure 1901.2. This procedure was last updated November 2005.
    o According to Mr. Jacobson's position description, his position administers, coordinates, and maintains information system security policy, programs, processes and solutions for the NDUS. He is responsible for security and privacy issues within the electronic environments of the NDSU and assists the institutions with their security and privacy issues. While policy is a main component of his position, he is also tasked with identifying security issues/needs within the IT infrastructure and recommend applications or policies/procedures to remediate those issues. The position is also responsible for providing technical guidance, consultation, training, planning and incident response coordination to NDUS institutional IT staff, institutional ITSOs, and administrators. The position description will not be fully restated here. That said, the responsibilities as outlined by the position demonstrate comprehensive, system-wide, sophisticated security responsibilities. Both Mr. Jacobson and Ms. Kloberdanz signed the position description on October 2, 2012, indicating that it reflects an accurate and complete description of the duties and responsibilities assigned to the position.
    o Based on our interview with Mr. Jacobson, he was not performing the job duties as described in his position description. For example, NDUS had no incident response plan, which led to confusion and delay after the breach event. While Ms. Kloberdanz should have managed Mr. Jacobson's performance more effectively, his is a high-level, well-compensated security position. Mr. Jacobson, by virtue of his title and position description, had the inherent obligation to develop and maintain appropriate security measures for the NDUS.
    o In the interview, Mr. Jacobson did not demonstrate knowledge of industry best practices regarding information security. When asked, he reported no recent training on current security issues.
    o Mr. Jacobson's performance failures made a significant contribution to the breach event and delayed response.


    APPENDIX P: INTERVIEW CONDUCTED WITH MARV HANSON

    5/30/2014 Marv Hanson
    o While not on the original list of individuals to interview, Mr. Hanson's name came up in several other interviews. Rick Anderson and Bill Walker both listed him as being involved in resource allocation discussions, including being involved in the decision not to resolve concerns about server security. Robert Peterson also mentioned that Mr. Hanson inappropriately disciplined him when he attempted to escalate an issue. Therefore, we felt it was important to get Mr. Hanson's input on these issues.
    o Indicated he could never get programmers to take time out of their agenda to address server issues. He indicated, regarding the server, that he never had any idea really what was out there. He stated that it never came up in the meetings prior to the virtualization that the server was being used for longer term storage.
    o Mr. Hanson indicated he participated in the UND supervisory training program.
    o When asked about Robert Peterson, Mr. Hanson's demeanor suggested a strong animosity. Mr. Hanson indicated Mr. Peterson was not a competent supervisor and, therefore, his supervisory responsibilities were removed from him through a restructuring of the organization. During the questioning process, Mr. Hanson vacillated between describing these events as Mr. Peterson's duties being removed or as a restructuring. Mr. Hanson was generally evasive when discussing this topic.
    o Mr. Hanson indicated there were numerous complaints about Mr. Peterson's work, but that he never formally disciplined Mr. Peterson because his conduct did not rise to that level. When asked what his criteria were for triggering formal discipline, Mr. Hanson indicated he did not really have any.
    o When asked to elaborate about Mr. Peterson's performance problems, Mr. Hanson merely commented that he delegated too much work to members of his staff and spent work time on non-work related activities. Mr. Hanson was unable to articulate any other relevant reasons. He indicated he and Mr. Peterson had no relationship outside of the office. It wa