Featured Stories

Other Pamplin Media Group sites

Local Weather

Partly Cloudy

34°F

Portland

Partly Cloudy

Humidity: 82%

Wind: 0 mph

  • 1 Mar 2015

    Mostly Sunny 59°F 39°F

  • 2 Mar 2015

    Sunny 58°F 33°F


Leak of Kitzhaber's emails, state audit intertwined

SALEM — The leak of former Gov. John Kitzhaber’s emails occurred at a time when state auditors were reviewing security controls at the state data center where the emails are stored.

The routine audit, which is ongoing, was already underway when the leak occurred and it is unrelated to the criminal investigation into the release. Oregon Department of Administrative Services Director Michael Jordan asked the Oregon State Police to initiate that inquiry on Feb. 18. OSP has its own information technology forensics experts to investigate the leak, according to Department of Administrative Services spokesman Matt Shelby.

The state Audits Division is part of the Oregon secretary of state’s office, and agency spokesman Tony Green said Friday that the agency conducts routine audits of the data center, usually once every two years.

“Our audit was in the field long before anyone raised this issue,” Green said. “It’s possible that something in the audit might be relevant to what happened, but there’s no connection in terms of what started the audit, what the auditors went in looking at.”

Still, the audit report could address data control issues that have come to light in the last month as state employees dealt with the leak and a request by a Kitzhaber administration staffer to delete emails from the governor’s personal email account stored on state computer servers.

Data center managers did not comply with the Kitzhaber staffer’s request to delete the archived emails. A spokeswoman for Kitzhaber said the administration never intended to delete all of the emails, and planned to preserve any that dealt with state business. The emails were subsequently leaked to the Willamette Week newspaper.

The security audit began in December and should be completed in early summer.

‘Long-standing weaknesses

Since the State Data Center was created in 2005, the state Audits Division has conducted four specific audits and an overall audit on security that covered all state computer programs. The most recent audit in 2012 did not appear to identify any problems related to the recent issues.

In the March 2010 audit, auditors concluded: “We found that a majority of State Data Center security issues were long-standing weaknesses that could be successfully mitigated without new or overly complex technical solutions.”

In the March 2012 follow-up to the earlier audit, the audit generally gave the center good marks, except for incomplete or not untested recovery programs used after major crashes or similar events, and improper handling of some media tapes.

Green said if auditors find any evidence of criminal activities at the data center, they would turn it over to law enforcement as they have done in such situations with previous audits.

“At this point, it’s way too early to even guess as to what that may be,” Green said. “Just because someone leaked records doesn’t mean there are security problems.”

Peter Wong and Hillary Borrud are reporters with the Pamplin Media Group/EO Media Group Capital Bureau in Salem.

Add a comment