DANISH NATIONAL AUDIT OFFICE ONCE AGAIN CRITICISES LACK OF PROTECTION OF RESEARCH DATA AT AU AND OTHER UNIVERSITIES
In 2019, the Danish National Audit Office criticised five Danish universities for inadequately protecting research data against unknown IT equipment. Almost seven years later, several points of criticism remain unaddressed, according to a new memorandum. One of the criticisms is that none of the five universities has fully blocked its network against the use of unknown IT equipment.
Unknown IT equipment
Unknown IT equipment is equipment that isn’t managed and controlled by the central IT department, which therefore has no knowledge of or control over the security of the equipment. Unknown IT equipment may, for example, be equipment brought in by the researchers themselves, or research and laboratory equipment purchased by the university using research funds.
Source: The Danish National Audit Office
Aarhus University and four other major Danish universities do not adequately protect research data against unknown IT equipment. This is stated in a new memorandum from the Danish National Audit Office, which follows up on its 2019 report on the universities' protection of research data.
"Although the universities have implemented various initiatives, the Danish National Audit Office finds that none of the five universities has sufficiently reduced the risk. In light of the high threat posed by cyber spying and cybercrime against Danish universities, the Danish National Audit Office finds it unsatisfactory that universities haven’t ensured that research data is sufficiently protected against the risks associated with allowing unknown IT equipment. The main issue is that none of the five universities have completely blocked their network against the use of unknown IT equipment," according to the conclusion from the Danish National Audit Office.
"Universities are 1-5 years behind schedule."
The process began in 2018, when the Danish National Audit Office initiated an investigation into how universities protect research data. The universities involved were Aarhus University (AU), the University of Copenhagen (KU), Aalborg University (AAU), the University of Southern Denmark (SDU) and the Technical University of Denmark (DTU). The audit pointed out a number of security deficiencies in relation to unknown IT equipment. In follow-ups in 2022 and 2023, the universities had met the security requirements for three or four of the six risk factors. The Danish National Audit Office has now followed up on the last three factors.
These three factors concern whether universities allow researchers to bring their own equipment, whether they block their network against unknown hardware or IT equipment, and whether they allow researchers to have local administrator rights on their computers.
On this last point, AU has now met the requirements, as AU has removed permanent local administrator rights and introduced a tool that allows researchers to be granted temporary local administrator access on both Windows PCs and Mac computers, according to the Danish National Audit Office.
For AU, the criticism therefore concerns the other two points. Apart from SDU, the universities still allow researchers to use their own equipment, and, as the Danish National Audit Office already noted in 2023, the compensating measures do not fully reduce the risk involved.
In 2023, AU had blocked its network against unknown hardware or IT equipment, but according to the Danish National Audit Office, the block could be bypassed. The universities therefore remain exposed to the risks associated with unknown hardware/IT equipment, the Danish National Audit Office states in its new memorandum.
"The Danish National Audit Office notes that the five universities are in the process of implementing various initiatives aimed at blocking their networks against unknown hardware/IT equipment, or ensuring that the block cannot be circumvented. However, we note that universities are 1-5 years behind schedule," it states.
The Danish National Audit Office notes in its conclusion that it will continue to monitor developments and keep the Public Accounts Committee informed.
AU IT: "A comprehensive task"
The Deputy Director of AU IT, Peter Bruun Nielsen, explains in a written comment that AU has improved in several areas, but is currently in the process of completing the final measures, which he describes as a "comprehensive task."
"Over the past years, we have implemented many measures to improve IT security, and have completed a long list of tasks. These include the removal of local administrator rights, enhanced protection of our central management of access and services for users and systems (Active Directory), monitoring our network, increased security on users' PCs, smartphones and tablets, as well as a wide range of other measures under the initiative 'Plan for improving cybersecurity at AU'.
"There are still unresolved issues, as described by the Danish National Audit Office. Achieving the goal is a comprehensive task when dealing with a complex organisation that has a large digital contact surface and a wide range of diverse activities. However, it is naturally something we are working on together with the faculties and the Central Information Security Committee," says Peter Bruun Nielsen.
This text was machine translated and post-edited by Lisa Enevoldsen.