by Dr. Mark H. Shapiro
"It is important to remember that technology breeds crime, it always has... it always will. There will always be people willing to use technology in a negative self-serving way." - Frank W. Abagnale.
Commentary of the Day - March 25, 2003: Charlie, Perhaps It's Time to Go.
If there is one person besides George Bush who is rejoicing over the start of the war in Iraq, it must be California State University Chancellor Charles "Charlie" Reed. Because the news coverage of the past week or so has focused almost exclusively on the international scene, Chancellor Reed has been able to escape close scrutiny from the press in the wake of one of the most devastating audits of a public program to have been released by the office of the California State Auditor in recent memory.
At the request of the Joint Legislative Audit Committee of the California State Legislature, the Bureau of State Audits recently released the results of its audit of the California State University's "Common Management System" also known as "CMS". For those of you who are not familiar with CMS, it is a giant project that aims to "integrate all of the campus enterprise computing functions into one seamless system of data management. It ... envisioned that all the (23) campuses (in the CSU system) would use a common set of software tools to manage payroll, human resources (faculty and staff hiring, benefits, etc.), business functions (purchasing, accounting, etc.), and student services (admissions, grades, enrollment, financial aid, etc.)." [The quotation is from our January 22, 2000 commentary that was written when CMS was in its infancy.]
In this earlier commentary, which has turned out to be prescient, one of the problems that we foresaw was in the area of data privacy and data security:
"...it is essential that much of the information that is collected by these systems has to be kept readily available for decades. This is particularly true in the area of student records and personnel records. Universities ... are held to very stringent data privacy requirements. Thus, the security of the data collected by these systems is a major issue."
Among the many criticisms levied by the State Auditor is the lack of data privacy and security in the set of PeopleSoft® applications that were chosen to implement CMS. According to the audit report "the (California State University system) has not fully addressed its information security needs for CMS. The lack of security around a search feature in the PeopleSoft® software apparently allows employees access to the confidential information of other employees and students (emphasis added) beyond what is needed to do their jobs." Initially, the software was modified by Chancellor's Office personnel to restrict the viewing of confidential information. However, once campuses began to implement the student administration functions of the software, the restriction on the search feature was lifted, since certain staff and faculty had to have access to confidential student records. Unfortunately, because of flaws in the software it is now possible for student services personnel to view the confidential records of employees, and for human resources personnel to view the confidential records of students.
The Chancellor's Office responded to the concerns raised by the State Auditor by implementing a system that requires employees with access to CMS to sign a confidentiality agreement. However, with relatively large numbers of employees having access to sensitive information about all of the staff and students at a campus, the potential for mischief (read that identity theft) is enormous. It is not at all clear that the relatively weak privacy provisions implemented by the Chancellor's Office will meet the stringent requirements for privacy of student records contained in the federal Family Educational Rights and Privacy Act.
The Auditor's report also revealed that the CMS software has serious security as well as privacy flaws. Initial releases of the software lacked the most basic password management features. There was no requirement for minimum password length or composition, no requirement that passwords be changed frequently, no provision to block access after five failed login attempts, and no provision to prevent the reuse of previously used passwords. These are all common sense measures that help to reduce the possibility that outsiders will hack into the computers running the software. The Chancellor's Office has indicated that future releases of the software will include better password protection; but, surely this should have been one of the criteria for selecting software in the first place.
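The four controls named above can be made concrete in a short sketch. This is an added example, not code from the audit, the CSU, or PeopleSoft®; the five-attempt lockout comes from the text, while the minimum length, composition rule, 90-day maximum age and history depth are assumed values chosen for illustration.

```python
import hashlib, hmac, os

MAX_FAILED_ATTEMPTS = 5   # from the commentary: block after five failed logins
MIN_LENGTH = 12           # assumed value
MAX_AGE_DAYS = 90         # assumed value
HISTORY_DEPTH = 5         # assumed: how many old passwords are remembered

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def complexity_errors(password):
    """Minimum length and composition (assumed rule: 3 of 4 character classes)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("too short")
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        errors.append("needs 3 of 4 character classes")
    return errors

class Account:
    def __init__(self, password, now=0.0):
        self.history = []               # (salt, digest) pairs, newest last
        self.set_password(password, now)

    def set_password(self, password, now):
        errors = complexity_errors(password)
        # Reuse check: compare against every remembered salted hash.
        if any(hmac.compare_digest(_digest(password, s), d) for s, d in self.history):
            errors.append("reused password")
        if errors:
            raise ValueError("; ".join(errors))
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _digest(password, salt))])[-HISTORY_DEPTH:]
        self.changed_at = now
        self.failed, self.locked = 0, False   # a successful change clears the lockout

    def login(self, password, now):
        if self.locked:
            return "locked"             # stays locked even for the right password
        salt, digest = self.history[-1]
        if not hmac.compare_digest(_digest(password, salt), digest):
            self.failed += 1
            self.locked = self.failed >= MAX_FAILED_ATTEMPTS
            return "locked" if self.locked else "denied"
        self.failed = 0
        if now - self.changed_at > MAX_AGE_DAYS * 86400:
            return "expired"            # correct password, but a change is required
        return "ok"
```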
The Auditor's report faults the CMS project in many other areas, not the least of which is the fact that the project is costing far more than the original projections. By the time the CMS is fully implemented on all 23 campuses and at the Chancellor's Office, the costs are estimated to be in the neighborhood of $662 million, about $200 million more than originally anticipated.
Although the CSU claimed that implementation of CMS would result in cost savings and efficiencies compared to individual campuses installing their own updated systems, the State Auditor estimates that CMS actually will be substantially more costly, and that it will not provide the kind of uniform reporting facilities and functionality that originally was envisioned.
The Auditor also slammed the Chancellor's Office for serious flaws in the method by which the sole source vendor (PeopleSoft®) was chosen, and for provisions of the contract with PeopleSoft® that essentially relieved the vendor of any risk in the deal. Software as complex as the CMS doesn't work "out of the box". Many modifications have to be implemented in order for the software to meet the needs of the purchaser. In most cases both the vendor and the purchaser share the risk that the software can be modified to meet the purchaser's requirements. However, the CSU has accepted all the risk and all the responsibility for making the CMS software work.
Ethical issues also were raised by the Auditor, who found that one of the key players in the CMS project had received consulting income from PeopleSoft® prior to the decision to purchase the CMS software from this vendor, and that the husband of another key individual associated with the project purchased a large number of shares of stock in a hardware vendor (hardware that would run CMS software) the day before a large contract was signed with the vendor. Although the Chancellor's Office claims that there was no criminal wrongdoing in these actions, the Auditor -- nevertheless -- thinks that CSU procedures to ensure that no conflicts of interest exist in situations like this were quite weak.
There were several other flaws and weaknesses in the CMS that were covered in the Auditor's report that we have not mentioned in order to keep this commentary relatively brief.
Even though the State Auditor's report is quite detailed and thorough in its examination of CMS as it developed, and as it exists now, it missed a central point. Namely, it did not discuss the weakness of the basic strategy that was employed by the Chancellor's Office in selecting software for the CMS. From the beginning the selection procedure focused on finding a fully integrated software system to handle three relatively distinct functions (finance issues, personnel functions, and student-related issues). The idea behind this was that it would then be easy for the Chancellor's Office to obtain timely reports on the status of its management operations in a common format across the system.
The only problem was that this criterion severely limited the number of potential vendors. In fact only two companies -- PeopleSoft® and SCT -- were in a position to supply this "all in one" software. Had the Chancellor's Office instead opted to install separate software systems for each of the three key functions, many more vendors would have been available, costs would have been lower, and the functionality of the software most likely would have been superior to the "all in one" system. While it might be argued that the reporting functions would be more difficult if three separate systems had been chosen, it turns out that the reporting functions of the "all in one" system are so flawed that it would not have made any difference.
The Chancellor's response to the audit was surprising. Instead of mounting a vigorous defense of the various processes that went into the selection and development of CMS software, the Chancellor basically agreed with almost all of the recommendations for improvement in processes included in the Auditor's report and promised to implement them in future projects. He indicated that the CSU expected to be able to make CMS work. Indeed, it probably will work after a fashion, but not as expected and at much higher cost than predicted.
CMS has turned out to be a project with few winners and many losers. The software vendor and the many consultants who have been hired to make the software work clearly have been winners. However, the average taxpayer and the 400,000+ students in the system have been losers. The individual campuses have been taxed to pay for the increased costs at the Chancellor's Office to implement and maintain the system, and they also have been saddled with high costs to maintain the on campus implementation of the system. As the State Auditor rightly notes, these excessive costs have taken money away from the primary educational mission of the campuses at a time when campus budgets are under great pressure.
The sad result is that CSU has ended up with a costly enterprise management system that is riddled with flaws. Meanwhile, the CSU lags far behind other universities in its support for instructional software and technology.
Teaching and learning have never been Chancellor Reed's strong suits. His claim to fame always has been his supposed skills as a manager and organizer. However, his management of the CMS development has left much to be desired. Perhaps it is time for the Legislature and the Board of Trustees to check his "sell by" date. He well may have passed it.
© 2003 Dr. Mark H. Shapiro - All rights reserved.