AUDIT COMMITTEE (Open Session)
Friday, January 19, 2001
9:00 - 9:15 a.m.
Board Room, The Rotunda

Committee Members:
Elizabeth A. Twohy, Chair
Timothy B. Robertson
James C. Wheat, III
Benjamin P.A. Warthen
John P. Ackerly, III, Ex Officio
AGENDA
- INFORMATION REPORT (Ms. Deily)
- Auditor of Public Accounts (APA) Audit and Management Letter (Ms. Deily to introduce Mr. Walter Kucharski; Mr. Kucharski to report)
- University and Health System Response to the APA Audit and Management Letter (Ms. Deily to introduce Messrs. Steve Kimata and Larry Fitzgerald; Messrs. Kimata and Fitzgerald to report)
AGENDA ITEM: Information Report

BACKGROUND: Ms. Deily will introduce Mr. Walter Kucharski, who will report on the Auditor of Public Accounts Audit and Management Letter. The University and the Health System will respond to the Audit and Management Letter.

ACTION REQUIRED: None
INTERNAL CONTROL FINDINGS AND RECOMMENDATIONS

Medical Center

Recommendation: Strengthen security over critical information systems and network.

Health Systems Computing Services (HSCS) has undertaken a significant effort to enhance its security over the Medical Center's information systems. As custodian of data resources that are vital to the Medical Center's operations, HSCS must implement and maintain strong security controls that adequately safeguard the Medical Center's information resources and, as importantly, protect the privacy of its patients.
During the year, HSCS addressed many of the specific concerns in our last report. Network communications now have to pass through a firewall server and application before accessing the general ledger accounting system. Replacement computers and operating systems housing the accounting system improve security by encrypting stored passwords. Additionally, HSCS installed an add-on security program, which strengthens password controls over the Peoplesoft applications. HSCS continues to investigate the further use of encryption technology to improve data security.
To increase security within the entire information system environment, Medical Center management developed a comprehensive security strategy. The plan has a two-phase implementation. First, Medical Center management contracted a data security consulting firm to perform phase one, a Risk Analysis and Vulnerability Assessment. The consultant completed its work in May 2000. This assessment identified several vulnerabilities in the Medical Center's network security, including a lack of centralized security management, insufficient network controls, inadequate data security policies, and improper configuration of hardware. Medical Center management is beginning phase two by acquiring the services of another data security firm to assist in resolving the noted deficiencies and developing a comprehensive information security program. Medical Center management should continue to expedite corrective actions on the most significant vulnerabilities and continue to proceed with development of a comprehensive information security program.
Response: Management concurs.

Immediately upon receiving the Risk Analysis and Vulnerability Assessment, HSCS addressed certain vulnerabilities related to the configuration of network devices. Vendor selection for the balance of the remediation work is underway, with the expectation that the contract will be awarded in February 2001. The remediation phase will include designing solutions using a combination of our selected vendor's expertise and our own. The second step will involve equipment purchase, either through the vendor contract or through existing contracts. The third piece will be deployment of the equipment.

Since the technology in this area is evolving rapidly, identifying appropriate solutions will be an ongoing process. We have made significant progress and will continue to do so, with enhanced security features in place by July 2001.
Recommendation: Develop formal change control procedures over its Peoplesoft and Oracle applications.

The Medical Center does not have formal documented change control procedures managing changes and upgrades to its Peoplesoft and Oracle applications. Even though there are no formal procedures, the database administrator ensures that user management authorizes changes and usually obtains user approval before placing modified programs into production.

The Medical Center should document formal change-control procedures for its Peoplesoft and Oracle programs. The procedures should include documented authorization from user management and Health Systems Computing Services (HSCS) management, control of each change request and its status, review and approval by HSCS management, and testing and approval by user management before adding the changes to production software.
Without formal policies, inappropriate changes to the Peoplesoft and Oracle applications could occur and go undetected. Further, HSCS or user management may not have approved changes, which could result in excessive customization changes being required with each upgrade of the applications. The Medical Center should develop formal written change control procedures over its Peoplesoft and Oracle applications.
Response: Management concurs.

HSCS is in the process of evaluating and revising its internal procedures governing all systems development activity, including strengthening change control processes as described above. In addition, HSCS is in the process of organizing a support group for the Peoplesoft suite of applications, which will be directly responsible for implementing and adhering to the change control processes. Further, we are investigating automated solutions that will help to satisfy this finding. At a minimum, a manual policy and procedure will be in place on or before July 2001.
Recommendation: Strengthen Controls Over Timely Deletion of Systems Access

The Medical Center failed to promptly terminate former employees' system/network access. The Security Administrator does not receive timely information regarding terminations from departments. The Medical Center should develop and implement a uniform procedure for notifying the Security Administrator of all user transfers or terminations to help ensure the security of the Medical Center's system access.
Response: Management concurs.

The successful implementation of the Peoplesoft Human Resource application in December 2000 will provide the Security Administrator with an automated daily query identifying Medical Center transfers and terminations. In addition, the Security Administrator will work closely with the appropriate Health System Administrators to strengthen notification policies and procedures.
Mr. Rector, I move that the Audit Committee of the Board of Visitors of the University of Virginia go into Executive Session for the purpose of discussing and considering with General Counsel reports and recommendations of the University Auditor related to the recently completed performance evaluations of certain University departments and programs, where performance of employees and proprietary business-related data of the Medical Center will be discussed, as permitted by Section 2.1-344 (A) (1), and (7) of the Code of Virginia.
Audit Committee Executive Session
9:15 - 9:45 a.m.
Board Room, The Rotunda

AGENDA
Reports and Recommendations of the University Auditor Related to the Recently Completed Performance Evaluations of Certain University Departments and Programs, as permitted by Section 2.1-344 (A) (1), and (7) of the Code of Virginia