Meeting Information
AUDIT COMMITTEE
(Open Session)
Friday, January 19, 2001
9:00 - 9:15 a.m.
Board Room, The Rotunda
Committee Members:
Elizabeth A. Twohy, Chair
Timothy B. Robertson
James C. Wheat, III
Benjamin P.A. Warthen
John P. Ackerly, III, Ex Officio
AGENDA
- INFORMATION REPORT (Ms. Deily)
- Auditor of Public Accounts (APA) Audit and Management Letter (Ms. Deily to introduce Mr. Walter Kucharski; Mr. Kucharski to report)
- University and Health System Response to the APA Audit and Management Letter (Ms. Deily to introduce Messrs. Steve Kimata and Larry Fitzgerald; Messrs. Kimata and Fitzgerald to report)
AGENDA ITEM: Information Report
BACKGROUND: Ms. Deily will introduce Mr. Walter Kucharski, who will report on the Auditor of Public Accounts Audit and Management Letter. The University and the Health System will respond to the Audit and Management Letter.
ACTION REQUIRED: None
INTERNAL CONTROL FINDINGS AND RECOMMENDATIONS
Medical Center
Recommendation: Strengthen security over critical information systems and network.
Health Systems Computing Services (HSCS) has undertaken a significant effort to enhance its security over the Medical Center's information systems. As custodian of data resources that are vital to the Medical Center's operations, HSCS must implement and maintain strong security controls that adequately safeguard the Medical Center's information resources and, as importantly, protect the privacy of its patients.
During the year, the HSCS addressed many of the specific concerns in our last report. Network communications now have to pass through a firewall server and application before accessing the general ledger accounting system. Replacement computers and operating systems housing the accounting system improve security by encrypting stored passwords. Additionally, HSCS installed an add-on security program, which strengthens password controls over the Peoplesoft applications. HSCS continues to investigate the further use of encryption technology to improve data security.
To increase security within the entire information system environment, Medical Center management developed a comprehensive security strategy. The plan has a two-phase implementation. First, Medical Center management contracted a data security consulting firm to perform phase one, a Risk Analysis and Vulnerability Assessment. The consultant completed its work in May 2000. This assessment identified several vulnerabilities in the Medical Center's network security, including a lack of centralized security management, insufficient network controls, inadequate data security policies, and improper configuration of hardware. Medical Center management is beginning phase two by acquiring the services of another data security firm to assist in resolving the noted deficiencies and developing a comprehensive information security program. Medical Center management should continue to expedite corrective actions on the most significant vulnerabilities and continue to proceed with development of a comprehensive information security program.
Response: Management concurs.
Immediately upon receiving the Risk Analysis and Vulnerability Assessment, HSCS addressed certain vulnerabilities related to the configuration of network devices. Vendor selection for the balance of the remediation work is underway, with the expectation that the contract will be awarded in February 2001. The remediation phase will include designing solutions using a combination of our selected vendor's expertise and our own. The second step will involve equipment purchase either through the vendor contract or existing contracts. The third piece will provide the deployment of the equipment.
Since the technology in this area is evolving rapidly, identifying appropriate solutions will be an ongoing process. We have made significant progress, and certainly will achieve more on an ongoing basis, with enhanced security features by July 2001.
Recommendation: Develop formal change control procedures over its Peoplesoft and Oracle applications.
The Medical Center does not have formal documented change control procedures managing changes and upgrades to its Peoplesoft and Oracle applications. Even though there are no formal procedures, the database administrator ensures that user management authorizes changes and usually obtains user approval before placing modified programs into production.
The Medical Center should document formal change-control procedures for its Peoplesoft and Oracle programs. The procedures should include documented authorization from user management and Health Systems Computing Services (HSCS) management, control of each change request and its status, review and approval by HSCS management, and testing and approval by user management before adding the changes to production software.
Without formal policies, inappropriate changes to the Peoplesoft and Oracle applications could occur and go undetected. Further, HSCS or user management may not have approved changes, which could result in excessive customization changes being required with each upgrade of the applications. The Medical Center should develop formal written change control procedures over its Peoplesoft and Oracle applications.
Response: Management concurs.
HSCS is in the process of evaluating and revising its internal procedures governing all systems development activity, including strengthening change control processes as described above. In addition, HSCS is in the process of organizing a support group for the Peoplesoft suite of applications, which will be directly responsible for implementing and adhering to the change control processes. Further, we are investigating automated solutions that will help to satisfy this finding. At a minimum, a manual policy and procedure will be in place on or before July 2001.
Recommendation: Strengthen Controls Over Timely Deletion of Systems Access
The Medical Center failed to promptly terminate former employees' system/network access. The Security Administrator does not receive timely information regarding terminations from departments. The Medical Center should develop and implement a uniform procedure for notifying the Security Administrator of all user transfers or terminations to help ensure the security of the Medical Center's system access.
Response: Management concurs.
The successful implementation of the Peoplesoft Human Resource application in December 2000 will provide the Security Administrator an automated query identifying Medical Center transfers and terminations on a daily basis. In addition, the Security Administrator will work closely with the appropriate Health System Administrators to strengthen notification policies and procedures.
Mr. Rector, I move that the Audit Committee of the Board of Visitors of the University of Virginia go into Executive session for the purpose of discussing and considering with General Counsel reports and Recommendations of the University Auditor related to the recently completed performance evaluations of certain University departments and programs, where performance of employees and proprietary business related data of the Medical Center will be discussed, as permitted by Section 2.1-344 (A) (1), and (7) of the Code of Virginia.
Audit Committee
Executive Session
9:15 - 9:45 a.m.
Board Room, The Rotunda
AGENDA
Reports and Recommendations of the University Auditor Related to the Recently Completed Performance Evaluations of Certain University Departments and Programs, as permitted by Section 2.1-344 (A) (1), and (7) of the Code of Virginia
BOARD OF VISITORS OF THE UNIVERSITY OF VIRGINIA
Maintained by sgh4c@virginia.edu
Last Modified: Thursday, 02-Jul-2009 08:12:16 EDT
© 2000 by the Rector and Visitors of the University of Virginia