The Business Controls Caddy

Cowboy(s) Out: Oklahoma State and Stolen Software

I am sitting here in a place called the Carroll Street Cafe, which sits in the heart of Cabbagetown, a factory mill town built in the 19th Century (1885 to be exact) by the owners of the Fulton Bag & Cotton Mill. It was commonplace back then for mill owners to provide "shotgun housing" for employees and their families. Officially, it was part of a mutual trust built between management and labour. The reality is that it was a way for management to keep labour under their domain and control. This was the ultimate business control for management.

Compare that to the debacle taking place at Oklahoma State University (OSU). As reported by Ed Brill on his personal blog late last week, OSU CIO Gary Wiggins "resigned" after two of his staff members, whom he had brought with him from Texas Tech, were also forced to resign because they had stolen software from Texas Tech and deployed it on OSU servers. This is the same staff, hand-picked and brought from Texas Tech by OSU President David Schmidly when he assumed his new position.

This follows on the heels of a number of heated discussions surrounding the unilateral decision by Schmidly to have a mature, stable Notes/Domino network of ~35,000 users ripped out and replaced with Microsoft Exchange/Outlook; his hand-picked staff set that in motion. As an IBM Business Partner, I have to say I carry a bias in this decision. However, as a Business Controls professional, this whole sequence galls me as a taxpayer: public money wasted (in the federal sector, it is referred to as "fraud, waste and abuse") and thrown away because of the decision of one person, Dr. Schmidly. While this is a common occurrence in the private sector, it is less problematic there because private companies are using their own money and are not accountable to taxpayers.

The recent resignations (and accompanying controversial severance payments) point out glaring weaknesses, or the total absence, of strong internal controls at Oklahoma State University, including but not limited to:

- Inadequate separation of duties
- Purchase of software that was not evaluated to determine whether it filled a critical business need
- The ability of two key employees to take software from another institution and deploy it enterprise-wide without any documentation, waivers or licenses
- The liability OSU now faces in having to pay Texas Tech, without competition, for software that duplicated out-of-the-box functionality in Notes/Domino
- The award of a 35,000-seat e-mail contract to Microsoft without providing for adequate competition


There is also the small but important matter of open records for government organizations. One of the terminated employees had created an open-source discussion forum in support of the migration, except that he conveniently deleted any postings that were critical of the decision. It was not until I spoke to an external affairs official at OSU and confirmed that these postings were in fact matters of public record that they were restored to the forum.

Of course, this does not let Texas Tech off the hook. As reported in the University Daily:

"A June 25 report from OSU's General Counsel's Office said two employees ''more likely than not'' gained unauthorized access to Texas Tech computers to copy programming code used for OSU's online events calendar."

If that finding holds, then Texas Tech either failed to disable logical access for the individuals when they left its employment, lacked an adequate firewall to protect its network (a common problem for public universities, which are forced to balance "free speech/academic freedom" against security), lacked an effective intrusion detection system, did not have adequate access controls on its file servers, and/or failed to have these employees sign non-disclosure agreements when they left for OSU. Of course, it is also possible that they left with the code in hand, or that it was provided to them by a friend or colleague who remained at Texas Tech (a business control weakness better left for discussion another day).
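The first of those possible failures, a leaver whose account is never disabled, is the one a control review can test mechanically: reconcile the HR separation feed against the directory, and look for authentication events by separated users after their separation date. The script below is an added illustration, not code from this post and not a description of anything known about Texas Tech's or OSU's actual systems; the HR feed, directory export and log lines are all constructed, and the log format is a hypothetical one chosen for the example.

```python
"""Leaver-access reconciliation (added example; all data below is constructed).

Two checks a control review would run after an incident like the one described:
  1. stale_accounts():          separated employees whose accounts are still enabled
  2. post_separation_logins():  authentication events by separated users after
                                their separation date (successful or not)
"""
from datetime import datetime, date

# Constructed HR separation feed: username -> last day of employment.
SEPARATIONS = {
    "jdoe": date(2007, 5, 15),
    "asmith": date(2007, 5, 31),
    "rlee": date(2006, 12, 1),
}

# Constructed directory export: username -> account still enabled?
DIRECTORY = {
    "jdoe": True,      # separated, still enabled -> finding
    "asmith": False,   # separated, correctly disabled
    "rlee": True,      # separated months ago, still enabled -> finding
    "mjones": True,    # current employee
}

# Constructed authentication log in a hypothetical "<ts> <service> login k=v ..." format.
AUTH_LOG = """\
2007-05-14T09:12:03 sshd login user=jdoe src=10.1.4.20 result=success
2007-06-02T22:41:17 sshd login user=jdoe src=203.0.113.8 result=success
2007-06-03T01:05:44 smb  login user=rlee src=203.0.113.8 result=success
2007-06-03T01:06:10 smb  login user=asmith src=203.0.113.8 result=failure
2007-06-04T08:00:00 sshd login user=mjones src=10.1.4.21 result=success
"""


def stale_accounts(separations, directory):
    """Separated users whose directory account is still enabled, sorted by name."""
    return sorted(user for user in separations if directory.get(user, False))


def parse_auth_line(line):
    """Parse one log line into a dict; return None for lines that do not match
    the expected shape (timestamp, service, the word 'login', key=value fields)."""
    parts = line.split()
    if len(parts) < 4 or parts[2] != "login":
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    if "user" not in fields:
        return None
    return {"ts": ts, "service": parts[1], **fields}


def post_separation_logins(separations, log_text):
    """Events where a separated user authenticated strictly after their separation
    date. Activity on the separation day itself is treated as legitimate; failed
    attempts are kept because they show the account is still being tried."""
    findings = []
    for line in log_text.splitlines():
        event = parse_auth_line(line)
        if event is None:
            continue
        separated_on = separations.get(event["user"])
        if separated_on is not None and event["ts"].date() > separated_on:
            findings.append(event)
    return findings


if __name__ == "__main__":
    print("Separated users with enabled accounts:", stale_accounts(SEPARATIONS, DIRECTORY))
    for ev in post_separation_logins(SEPARATIONS, AUTH_LOG):
        print(f"{ev['ts'].isoformat()} {ev['user']:8} {ev['service']:5} "
              f"from {ev['src']} ({ev['result']})")
```

Run against the constructed data, the first check flags jdoe and rlee, and the second flags the two successful logins by those accounts from an outside address plus a failed attempt against the (correctly disabled) asmith account. In a real review the two inputs come from the HR system and the directory rather than from literals, and the lack of a matching entry in either feed is itself a finding worth listing.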

Now, in fairness to the two terminated employees, I would argue that a publicly-funded institution has no right to apply intellectual property protections to software and other items developed and paid for with public monies. I am likely to lose this argument, depending on who I am talking with. (A side note: the definitive guide for data rights in federal contracts used to run over 1,000 pages!)

I will now argue that all actions taken by this hand-picked team and all approvals signed by Dr. Schmidly should be investigated further by OSU, and that Texas Tech should launch its own review of its internal control structure.

Your turn...
