Menu
Log in


INTERNATIONAL FOUNDATION FOR
CULTURAL PROPERTY PROTECTION

Log in

Cyber Security Audit Raises Its Own Security Issues As Zoo Museum District Makes Push

December 19, 2017 6:35 PM | Anonymous

Reposted from St. Louis Post-Dispatch

A cybersecurity audit of five major St. Louis cultural institutions announced last year is facing delays due to, well, security concerns.

The board of the Metropolitan Zoological Park and Museum District approved moving forward with the plan in August 2016. It would test the vulnerability of each member institution — the Missouri Botanical Garden, the St. Louis Zoo, the Missouri History Museum, the St. Louis Art Museum and the St. Louis Science Center — to cyberattacks by would-be hackers.

Private and public institutions globally are increasingly focused on the threat of cyberattacks, but testing their defenses presents its own security issues. Missouri Botanical Garden spokeswoman Katie O’Sullivan said information about deficiencies in an institution’s security systems “is highly confidential and could subject the Garden to hacking of our systems if generally distributed.”

The audit would evaluate the institutions’ information technology systems, the software already in place and current safety policies. But doing so would require a consultant to access information and systems that the institutions say could make them vulnerable if not handled properly.

“We’re happy to help and support this idea, but these are complex organizations,” St. Louis Science Center President and CEO Bert Vescolani said. “We just want to make sure we’re protecting everyone’s privacy in the appropriate way and doing all due diligence to get everything done that needs to get done.”

That includes protecting information on donors that the institutions wouldn’t want leaked, as well as information on the strengths and vulnerabilities of each of their cybersecurity systems. These and other issues have led to roughly a year of talks with consultant BDO USA, the five institutions and the ZMD Board, which divides $70 million in St. Louis city and county property tax money among the five institutions annually.

A final contract hasn’t been hammered out, but Zoo Museum District board chairman Thomas Campbell said it could be done before the end of December. On-site visits by the consultant would be made in the first months of 2018 and reports might be finished by midyear, Campbell said.

Some of the terms requested by the member institutions include limiting who has access to the results of each audit and terminating the consultant’s contract immediately once the work is finished. Representatives say these changes would cut the risk of leaks.

“We requested that the deliverables only be supplied to us so we can ensure they remain confidential,” Missouri History Museum spokeswoman Leigh Walters said. “Information related to our cybersecurity could be misused. If they present the information in a ZMD meeting, we asked that it go into closed session.”

O’Sullivan and Walters said Zoo Museum District staff informed the Botanical Garden and the History Museum that their requested changes were acceptable.

“We are awaiting a revised copy of the agreement from the ZMD which we plan to sign,” O’Sullivan said.

Most of the institutions already do their own cybersecurity assessments at least once a year, those interviewed said. Zoo spokesman Billy Brennan said the organization has cyber consultants testing their systems “on a regular basis.”

Brennan said the zoo is concerned about whether the ZMD audit unnecessarily duplicates services the zoo now gets from its consultants , but did not elaborate.

“We’re currently working with the ZMD to negotiate this agreement and since that’s where it’s currently at, it would be premature to talk about any details at this time,” Brennan said.

The St. Louis Art Museum would only provide one sentence in response to questions about its concerns with the cybersecurity audit: “The Museum regularly monitors its systems and is continually working to ensure the security of its data.”

Campbell said he expects the final contract to allay the institutions’ concerns. He said even the Zoo Museum District board will only see some of the findings by the consultant, while detailed reports on each member will be distributed solely to those institutions.

“We’ll have some information, it’ll be limited,” Campbell said. “But again, the interest is making sure these organizations are in no way inadvertently compromised.”

See Original Post

  
 

1305 Krameria, Unit H-129, Denver, CO  80220  Local: 303.322.9667
Copyright © 1999 International Foundation for Cultural Property Protection.  All Rights Reserved