Skip to Content

Meeting Information

AUDIT COMMITTEE
OPEN SESSION

Friday, January 29, 1999
10:20 a.m. - 10:35 a.m.
East Oval Room, The Rotunda


Committee Members:

Elizabeth A. Twohy, Chair
Timothy B. Robertson
James C. Wheat, III
Benjamin P.A. Warthen
John P. Ackerly, III, Ex Officio


AGENDA

REPORT BY THE DIRECTOR OF AUDITS (Ms.Deily)

A. Auditor of Public Accounts (APA) Audit and Management Letter (Ms. Deily to introduce Mr. Kucharski; Mr. Walter Kucharski to report)

B. University and Medical Center Response to the APA Audit and Management Letter (Ms. Deily to introduce Messrs. Gillet and Hendrix; Messrs. Charles Gillet and Cole Hendrix to report)


AUDITOR OF PUBLIC ACCOUNTS - MANAGEMENT LETTER 1997-98 ISSUED NOVEMBER 1998


ACADEMIC DIVISION - INTERNAL CONTROL RECOMMENDATIONS


Recommendation: Prepare Disaster Recovery Plan and Backup Data

The Human Resources Department does not have an adequate disaster recovery plan for its systems. The current plan does not assess risk, analyze business impact or adequately detail procedures to follow. In addition, Human Resources has no documented procedures for backing up its programs and data. Internal Audit reported similar findings in 1994.

In the event of a disaster, the University could lose critical information and disrupt Human Resources functions for an extended period. Human Resources should develop a formal disaster recovery plan that assesses risks affecting its systems, identifies business impact in the event of the loss of computing, and includes detailed recovery procedures. The contingency plan should also identify a specific location for operations should present facilities be unavailable. Additionally, Human Resources should document procedures for backing up its programs and data. We understand that Human Resources has begun work to complete disaster recovery and backup data plans.

Management's Response:

The Department of Human Resources will complete a reassessment of its disaster recovery plan during the first quarter of 1999. The reassessment will review the business risks affecting its systems and data. Based on the results, the appropriate steps will be taken to implement the assessments recommendations.

The Department of Human Resources has developed written documented procedures for backing up its programs and data. These procedures involve the daily and weekly back up of programs and data, which is transported offsite to a secure location.

Responsible Area: Human Resources

Estimated Completion Date: March 1999


Recommendation: Improve Conditions at Bayly Art Museum

The Bayly Art Museum stores valuable works in its collection, but not on display, in conditions that may unnecessarily hasten their deterioration. While the Museum staff has attempted to mitigate potential losses by covering artwork with plastic and installing environmental monitoring devices, the storage areas for works not on display are generally not appropriate. On-site storage in the basement has pipes for the radiator heating system running along the ceiling of the artwork storage room creating the potential for loss should those pipes leak or rupture. Off-site storage in the Seig Warehouse is unsuitable due to a leaky roof and a lack of environmental controls. An independent architect cited these problems in the Conservation Assessment Survey Report in July 1995.

The University recently developed a plan for a new museum that would include adequate storage in a new museum building and in a new off-site building. However, the University should develop an immediate plan to properly safeguard all works not on display. This plan should include storing off-site in an appropriately secure location, the items not on display. The University could lose valuable artwork collections in event of a disaster or rapid deterioration due to improper environmental conditions.

Management's Response:

The University of Virginia recognizes the importance of maintaining and preserving its arts collections. The fine and performing arts have been identified by the President as institutional priorities. The Universitys plans include developing an "Arts Precinct" which will address both physical and programmatic needs for the arts. The capital proposals for the 2000 - 2002 biennium also reflect the need for high quality art storage space. Over the next six months the Bayly Museum will explore alternate storage space and investigate ways to correct conditions at existing locations. Favorable environmental conditions are in place for some of the University's significant pieces, such as those in the Kluge-Ruhe collection.

Responsible Area: Bayly Art Museum

Estimated Completion Date: To be determined.


MEDICAL CENTER DIVISION - INTERNAL CONTROL RECOMMENDATIONS


Recommendation: Improve Information Security Plan

The Medical Center's risk assessment does not identify the possible risks and vulnerabilities to critical applications and sensitive data. Medical Center Computing (MCC) had planned to perform a risk assessment and disaster recovery for the entire network and the client/server system by December 1997. Management decided to complete the planning for the Integrated Healthcare Management Information System before starting to update the Business Impact Analysis and Disaster Recovery Plan. This delay would allow the new assessment to include the new systems hardware and computing environment.

Since MCC is completing the planning for the new system, it should undertake the comprehensive risk assessment to identify possible risks and vulnerabilities to critical applications and sensitive data. This assessment should make recommendations for implementation of security safeguards to mitigate those risks. Management concurs and anticipates completing this plan by July 1999.

Management's Response: Concur

Responsible Area: Medical Center Computing

Estimated Completion Date: July 1999


Recommendation: Improve Access Controls

Medical Center Computing does not have any policies or procedures for changing access rules when employees are assigned different duties, employees terminate, or workstation addresses are changed or are no longer needed. While reviewing access to the Medical Center's systems, we found accounts for people no longer employed by the Medical Center and invalid workstation addresses with access. In addition, we found current employees with access they did not need for their changed job duties. The presence of unnecessary access points increases the likelihood of inappropriate transactions or access to sensitive data.

Medical Center Computing should develop a policy for Medical Center departments to follow when an employee terminates or receives reassignment to another department. Data Base Administrators should periodically review the workstation address listing and remove invalid addresses from the list. Implementation and enforcement of such policies would further secure the Medical Center's critical systems and sensitive data.

Management's Response: Concur

Medical Center Computing has drafted a policy addressing system access and terminations which will be forwarded through the Medical Policy Committee (MPC) for approval and adoption. This proposed manual process will be enhanced with automated controls/notification when a new human resources system is implemented in 1999.

Responsible Area: Medical Center Computing

Estimated Completion Dates: June 1999 and December 1999


Recommendation: Strengthen Security Over the PeopleSoft System

In our last audit, we identified two security weaknesses in the Medical Center's new financial systems. These weaknesses could lead to unauthorized use or alteration of the Medical Center's critical financial data. Our specific concerns follow:

PeopleSoft application password security does not limit the number of failed logon attempts, does not require users to periodically change passwords, and does not use a specific password for a user's initial logon.

The Medical Center has not installed data security firewalls to prevent network access by unauthorized users from outside networks including the Internet. Lack of firewalls make it easier for unauthorized external users to gain access to the financial databases and possibly alter or destroy financial data.

During this audit, we identified two additional security weaknesses. These weaknesses could result in making critical financial systems unavailable to users.

The UNIX server running the financial system allows users to telnet (communicate from remote locations) and establish sessions. The ability to telnet to this server, especially in the absence of a firewall, significantly increases the possibility of a "hacker" attack to the server. An attack could result in bringing the entire server down. The database administrator (DBA) should strictly limit telnet to only those individuals that actively require this access and should regularly review whether users continue to need telnet access.

Management's Response: Concur

New procedures have been implemented by Medical Center Computing to instruct personnel on the standard to change PeopleSoft passwords upon issuance and every 60 days thereafter. Since PeopleSoft does not provide automated password management, MCC will acquire and install a third party solution approach this fiscal year.

Medical Center Computing has established a committee with representation from MCC, HSF and ITC to develop a firewall strategy consistent with the requirements of the three organizations. MCC has developed an RFP to outsource the development and installation of "firewall" technologies, a project funded for this fiscal year. An appropriately configured firewall should be in place by the end of the current fiscal year.

Access to the DEC Alpha is limited to 15 predetermined IP addresses, stored in the server in a protected file. These addresses allow the capability to provide remote access to the server for routine and emergency support. The use of these addresses is monitored by the DBA. C2 level security is installed on the DEC Alpha. Additional auditing for logins, logouts, and password changes will be activated by the end of the first quarter, 1999.

Responsible Area: Medical Center Computing

Estimated Completion Dates: March 1999 and June 1999