KAMPALA. President Museveni has ordered Makerere University to respond to the Visitation Committee report findings about the financial ills, suspected ghost staffing and use of outdated ICT system that has facilitated examination fraud and forgery students marks.
The university yesterday announced it had appointed a taskforce to study the findings and recommendations of the report and advise the University Council on the right action to take.
Vice Chancellor Prof Barnabas Nawangwe said the 11-member committee would expeditiously study the report and communicate the university position to President Museveni through the Ministry of Education.
“I have appointed a Committee to draft the university’s response to the findings and recommendations of the Visitation Committee, which handed its report to President and Visitor to Makerere University on December 29, 2017. The Committee will carefully study the recommendations and guide the University Council and management accordingly. It is important that issues concerning Africa’s most prestigious university are handled with utmost seriousness,” Prof Nawangwe told the press.
He said the university will submit its official response to the Minister of Education and Sports, Ms Janet Museveni, before the end of February.
The committee is headed by the Deputy Vice Chancellor for Finance and Administration, Prof William Bazeyo.
He will be assisted by Mr Charles Barugahare, Dr Eria Hisali, Prof John David Kabasa and representatives of various staff and students associations.
Prof Nawangwe also revealed that the university’s forthcoming graduation will be held from January 15th to 19th at the main campus in Kampala.
The Visitation Committee was appointed by President Museveni in November 2016 to study the cause of persistent strikes and fi-nancial woes at Makerere University and propose remedies. It was chaired by Dr Abel Rwendeire, now deceased.
The Committee presented its report to the President last week with a bundle of recommendations to address the diverse ills dis-covered during its investigation.
The Committee said the “obsolete IT system” at the university had made the system vulnerable and unscrupulous officials took advantage to alter examination marks and commit fraud.
“The University lacked a functioning system and continued to rely on obsolete IT Infrastructure and makeshift fragmented systems which predisposed self-seeking staff to take advantage to abuse the system resulting into alteration of academic and financial rec-ords,” the Committee states in its report.
It noted that university officials who have administrative rights left the loading of examination marks to unauthorised personnel es-pecially registrars, administrative assistants and part-time staff, thus compromising the integrity of the process.
The Committee called for streamlining of procedures for the Results Management Systems clearly articulating each one’s roles and responsibilities.
It further states that Production Systems require regular security testing and validation of the security controls against threats in-cluding, but not limited to, intrusion and penetration by hackers, status of user accounts especially the interactive accounts, and dis-aster recovery.
Makerere University has been in a storm for years over cases of forged students’ marks, exam leakages and other associated fraud.
In March last year, the university withheld academic transcripts of more than 14,000 students over forged marks, saying they would only release the certificates after clearance and authentication of the marks.
In September the university appointed a task force headed by Dr Damalie Naggitta-Musoke, former dean of School of Law, to un-dertake a comprehensive audit of all examination marks.
Further in its report, the Visitation Committee observed that several positions in the Directorate of ICT were either not filled or filled with staff on six months’ temporary contracts for periods in excess of 7 years including positions of managers.
It was also noted that ICT staff in Colleges (Web Administrators and Systems Administrators) were not structurally linked to the main Directorate structure, thus creating gaps in line of authority and reporting.
The Committee asked the university to streamline procedures in the Results Management Systems clearly articulating roles and responsibilities of each actor in the process chain.
The Committee says it received complaints of change of students’ academic grades and irregular refunds to students.
The Committee observed that all systems used at Makerere University apart from the payments system from Stanbic Bank use basic “single factor authentication architecture” which is an outdated IT model. It says some server rooms/data centres had biometric authentication systems and CCTV system for surveillance.
“The use of single factor authentication for users with rights to modify results data is very risky and should be mitigated with appro-priate two factor authentication technology as it is now a standard practice in reputable organisations. There is also need to imple-ment Access Control lists for all end-user devices to ensure that university ICT resources are consumed by authorised users,” the Committee advises.
Audit and Accountability
The Committee says there was no evidence that Makerere University regularly audits its IT systems. “Periodic audits and logging of the information systems needs to be implemented to validate that the security mechanisms present during system validation test-ing are still installed and operating correctly. Audits are used to detect breaches in security services through examination of system logs. Logging is necessary for anomalies detection as well as forensic analysis where applicable,” the Committee states.
It was noted that several systems in use lack the basic competences and their maintenance is entirely dependent on individuals, creating a high risk of loss of institutional information assets.
The Committee said: “There is also lack of clear incident response procedures in case of a critical system failure or shutdown. The shutdown of the Results Management System though necessary resulted into protracted denial of service to legitimate consumers of academic documentation. This indicated lack of proper incident response planning.”