In his first interview since he was fired for negligence in the aftermath of network security breaches, an Ohio University administrator charged that the university is ducking responsibility by making him the scapegoat.
Tom Reid, former director of the now-dissolved Computer Network Services, said the university had no reason to fire him, as he was not in charge of the servers that were breached. He said he plans to appeal his firing.
Reid's dismissal on Friday was prompted by a university-commissioned network security report by Moran Technology Consulting that chastised his leadership.
Reid, who has challenged the report's conclusion, called it illogical and charged that it contains many factual errors.
It reflects a total lack of understanding
he said in a phone interview.
To single me out as being responsible for the recent data thefts is simply not supported by the facts he wrote in a press release.
According to the Moran report, people have commented that the strong personalities within CNS management caused quieter but better informed voices to be ignored
and that people said they were afraid to voice their opinions for fear of derision by these managers such as Reid.
That is a fair complaint, Reid said. But because all the notes supporting that claim have been destroyed, Reid said he couldn't respond to the accusation, which lacks any documented examples.
Give me some examples so I can respond
he added.
Last month, news reports revealed that Moran had destroyed investigation notes, which might be in violation of a contract with the university and Ohio's Open Records Laws. The university has taken no action against Moran, Reid said.
Indicating his support of the Moran report, Bill Sams, associate provost for information technology and chief information officer, wrote in termination letters to Reid and Todd Acheson, former manager of Internet and Systems who was also terminated, that it has become clear from my analysis that you clearly should have foreseen the risks and consequences of IT security breaches. This lack of attention reasonably led to the IT data breaches.
Reid said that Sams gave him a glowing employee review in March. Reid wondered why Sams did so if Sams felt Reid did not pay adequate attention to network security.
Reid's employee review said he exceeded or met expectations in seven categories, including performance management and development and teamwork.
Tom has a high level of organizational social consciousness. He continually looks for areas that could benefit from change and champions innovative projects
Sams wrote in the review.
I now understand how much I wasn't aware of
Sams said in a phone interview. He added that his evaluation of Reid covered things he knew at the time.
I think that Tom did the best he could after the breaches, Sams said Monday, adding, I've had reports from people trained in incident recovery procedures that said we could have done better.
Sams said he questioned Reid's leadership ability because he wasn't accepting any responsibility.
Reid said the servers that were breached were not under his jurisdiction.
Sams, who confirmed that Reid was not directly responsible for the servers, said, Tom was responsible for network and all the activity. G? To say he is not responsible for intrusions that could have prevented
I just don't understand.
The two largest breaches occurred on the alumni server and at Hudson Health Center's server, both administered by Duane Starkey, Reid said.
Starkey, who was put on administrative leave in the immediate aftermath of the discovery of the breaches but has since returned to work, refused to comment. He has worked for the university for 26 years and earned $94,860 last year.
I don't think anyone should be fired. What we got is an institutional problem
Reid said.
On July 11, Reid presented a defense to the university that included documents addressing the security problem before the network breaches. Reid, who earned $107,310 last year, has worked for the university for 22 years.
It's actually his own documentation that led me to this conclusion. He was clearly aware of the issues
Sams said.
Sams said he received no proposals to improve network security from Reid since Sams took office in September 2004.
But Reid said that he did submit proposals.
That's just absurd
the fact that Bill can't remember the proposals Reid said he submitted.
Reid provided documentation, including a power point presentation, to Moran Technology Consulting in which he outlined the security status at the university. In March, which was before the security breaches, the company was helping the university develop a new student information system. This had been an ongoing project, Reid said.He also provided documentation in which he detailed CNS budget shortfalls. The Moran report criticized Reid for not spending an annual average $1.38 million surplus on increasing data security.
Reid, however, has said that money is part of a capital accrual account the university plans to use to replace a telephone switch that is more than 20 years old.
The idea that we had all this money and didn't spend it is ridiculous
