LPA FAQ


The Legislative Division of Post Audit (LPA) is the non-partisan audit arm of the Kansas Legislature. Their mission is to inform policy makers by providing accurate, unbiased information through their audit reports.

LPA reports to the Legislative Post Audit Committee (LPAC), a bipartisan joint committee of the Kansas Legislature. It includes a total of 10 members.  The LPAC committee selects the topics for LPA audits and directs the final distribution of those reports.

  • What do they audit?
  • What is ITEC?
  • What was the LPA process?

What do they audit?

The LPA conducts various audits including performance audits, IT Security audits, and IT project monitoring. They also contract with external CPA firms to conduct financial audits.

Their IT Security audit evaluated the state of information technology security at PSU.

Their audit work is designed to determine how well the university adheres to the various ITEC standards or best practices across the following seven IT areas:

  1. Security Awareness Training
  2. Account Security
  3. Boundary Protection
  4. Vulnerability Remediation
  5. Physical Security
  6. Data Protection
  7. Emergent Issues

What is ITEC?

The Kansas Information Technology Executive Council (ITEC) is responsible for adopting information technology resource policies, procedures, and project management methodologies for all state agencies; an information technology architecture, including telecommunications systems, networks and equipment, that covers all state agencies; standards for data management for all state agencies; and a strategic information technology management plan for the state.

ITEC policy 

What was the LPA process?

  • A team of auditors will spend a few days either on campus or remotely reviewing our policies and procedures; talking to other departments about specific IT security topics; reviewing employee lists; reviewing our hiring processes; and evaluating our IT security practices.

  • Once the audit is complete, we will get a report of things we do well and areas we need to improve.

  • The LPA cycle is every three years.

What can I do to help?


  • Complete the Security Training
  • Protect the information you have access to
  • Protect your information
  • Keep your machine updated
  • Make Smart IT Purchases
  • REQUIRED IT Security Training
    • If not completed by the deadline:
      • Your account will be Administratively Locked
    • Administratively locked means:
      • Locked out of your email, computer, and all of your PSU accounts (i.e., accounts that use your unified password, like Canvas, GUS, Oracle, etc.)
      • You will have to change your password
    • Training is required for all faculty, staff, student employees, auxiliary employees and users with a VPN account
  • Never email sensitive data
    • Sensitive data should never be emailed
    • If a secure means to share sensitive information is not available, then OneDrive and SharePoint are great options to share sensitive information
  • OneDrive Storage
    • OneDrive is a great resource to store and back up your data
  • Use approved Shredding bins
    • All sensitive documentation needs to be disposed of in a proper manner
    • Sensitive information must be disposed of immediately once it is no longer needed
    • “Shred boxes” whose contents are to be placed in the shredding bins at a later date are NOT acceptable
    • “Shred boxes” could allow anyone with access to the area access to sensitive information, which could be considered a data breach
  • Clean Desks
    • Sensitive data should never be left out on a desk in plain view when not in use.
    • It should always be locked away or disposed of when no longer needed
  • Secure Areas
    • Our offices and office areas are considered secure areas
    • No one without proper ID should be allowed in our work spaces
  • Lock your Computer
    • When you leave your desk, lock your computer so someone can’t access information when you’re gone
  • USB usage
    • Sensitive information should never be stored on a USB drive or any other form of portable media.
  • Phishing emails
    • Know how to spot the phishing email red flags
    • NEVER respond to or click a link in an email and provide your PSU credentials.
    • How to spot a phishing email 
  • Creating strong passwords
    • Passwords should never be shared
    • Your password should not be anything that is common about you (e.g., pet’s name, child’s name, significant dates, etc.)
    • Password policy
  • Do not use your PSU email for personal business
    • There are plenty of free email services available
    • Limiting your PSU email to just PSU business cuts down on the amount of spam received at PSU
  • Do not use your PSU password on any other sites
    • If you have used your PSU password on an external site and if that site gets compromised, your PSU account is compromised
    • Never reuse your PSU password
  • Keep your operating system, browser, and software up to date
  • Restart your computer weekly
    • By restarting your computer, you ensure that the updates are applied properly
  • Contact ITS before making an IT purchase
    • There are security and compatibility issues that need to be considered before new software is installed
For questions, contact Amanda Williams, IT Security Officer, akwilliams@pittstate.edu