- AGENDA
- REPORT BY THE DIRECTOR OF AUDITS (Ms. Deily)
- A. Auditor of Public Accounts (APA) Audit and Management
Letter (Ms. Deily to introduce Mr. Kucharski; Mr. Walter
Kucharski to report)
- B. University and Medical Center Response to the APA Audit
and Management Letter (Ms. Deily to introduce Messrs. Gillet
and Hendrix; Messrs. Charles Gillet and Cole Hendrix to
report)
- AUDITOR OF PUBLIC ACCOUNTS - MANAGEMENT LETTER 1997-98 ISSUED NOVEMBER 1998
ACADEMIC DIVISION - INTERNAL CONTROL RECOMMENDATIONS
Recommendation: Prepare Disaster Recovery Plan and Backup Data
The Human Resources Department does not have an adequate disaster
recovery plan for its systems. The current plan does not assess
risk, analyze business impact or adequately detail procedures
to follow. In addition, Human Resources has no documented
procedures for backing up its programs and data. Internal
Audit reported similar findings in 1994.
In the event of a disaster, the University could lose critical
information and disrupt Human Resources functions for an extended
period. Human Resources should develop a formal disaster recovery
plan that assesses risks affecting its systems, identifies
business impact in the event of the loss of computing, and
includes detailed recovery procedures. The contingency plan
should also identify a specific location for operations should
present facilities be unavailable. Additionally, Human Resources
should document procedures for backing up its programs and
data. We understand that Human Resources has begun work to
complete disaster recovery and backup data plans.
Management's Response:
The Department of Human Resources will complete a reassessment
of its disaster recovery plan during the first quarter of
1999. The reassessment will review the business risks affecting
its systems and data. Based on the results, the appropriate
steps will be taken to implement the assessment's recommendations.
The Department of Human Resources has developed written documented
procedures for backing up its programs and data. These procedures
involve the daily and weekly back up of programs and data,
which is transported offsite to a secure location.
Responsible Area: Human Resources
Estimated Completion Date: March 1999
Recommendation: Improve Conditions at Bayly Art Museum
The Bayly Art Museum stores valuable works in its collection,
but not on display, in conditions that may unnecessarily hasten
their deterioration. While the Museum staff has attempted
to mitigate potential losses by covering artwork with plastic
and installing environmental monitoring devices, the storage
areas for works not on display are generally not appropriate.
On-site storage in the basement has pipes for the radiator
heating system running along the ceiling of the artwork storage
room creating the potential for loss should those pipes leak
or rupture. Off-site storage in the Seig Warehouse is unsuitable
due to a leaky roof and a lack of environmental controls.
An independent architect cited these problems in the Conservation
Assessment Survey Report in July 1995.
The University recently developed a plan for a new museum
that would include adequate storage in a new museum building
and in a new off-site building. However, the University should
develop an immediate plan to properly safeguard all works
not on display. This plan should include storing off-site
in an appropriately secure location, the items not on display.
The University could lose valuable artwork collections in
the event of a disaster or rapid deterioration due to improper
environmental conditions.
Management's Response:
The University of Virginia recognizes the importance of maintaining
and preserving its arts collections. The fine and performing
arts have been identified by the President as institutional
priorities. The University's plans include developing an "Arts
Precinct" which will address both physical and programmatic
needs for the arts. The capital proposals for the 2000 - 2002
biennium also reflect the need for high quality art storage
space. Over the next six months the Bayly Museum will explore
alternate storage space and investigate ways to correct conditions
at existing locations. Favorable environmental conditions
are in place for some of the University's significant pieces,
such as those in the Kluge-Ruhe collection.
Responsible Area: Bayly Art Museum
Estimated Completion Date: To be determined.
MEDICAL CENTER DIVISION - INTERNAL CONTROL RECOMMENDATIONS
Recommendation: Improve Information Security Plan
The Medical Center's risk assessment does not identify the
possible risks and vulnerabilities to critical applications
and sensitive data. Medical Center Computing (MCC) had planned
to perform a risk assessment and disaster recovery for the
entire network and the client/server system by December 1997.
Management decided to complete the planning for the Integrated
Healthcare Management Information System before starting to
update the Business Impact Analysis and Disaster Recovery
Plan. This delay would allow the new assessment to include
the new system's hardware and computing environment.
Since MCC is completing the planning for the new system, it
should undertake the comprehensive risk assessment to identify
possible risks and vulnerabilities to critical applications
and sensitive data. This assessment should make recommendations
for implementation of security safeguards to mitigate those
risks. Management concurs and anticipates completing this
plan by July 1999.
Management's Response: Concur
Responsible Area: Medical Center Computing
Estimated Completion Date: July 1999
Recommendation: Improve Access Controls
Medical Center Computing does not have any policies or procedures
for changing access rules when employees are assigned different
duties, employees terminate, or workstation addresses are
changed or are no longer needed. While reviewing access to
the Medical Center's systems, we found accounts for people
no longer employed by the Medical Center and invalid workstation
addresses with access. In addition, we found current employees
with access they did not need for their changed job duties.
The presence of unnecessary access points increases the likelihood
of inappropriate transactions or access to sensitive data.
Medical Center Computing should develop a policy for Medical
Center departments to follow when an employee terminates or
receives reassignment to another department. Data Base Administrators
should periodically review the workstation address listing
and remove invalid addresses from the list. Implementation
and enforcement of such policies would further secure the
Medical Center's critical systems and sensitive data.
Management's Response: Concur
Medical Center Computing has drafted a policy addressing system
access and terminations which will be forwarded through the
Medical Policy Committee (MPC) for approval and adoption.
This proposed manual process will be enhanced with automated
controls/notification when a new human resources system is
implemented in 1999.
Responsible Area: Medical Center Computing
Estimated Completion Dates: June 1999 and December 1999
Recommendation: Strengthen Security Over the PeopleSoft System
In our last audit, we identified two security weaknesses in
the Medical Center's new financial systems. These weaknesses
could lead to unauthorized use or alteration of the Medical
Center's critical financial data. Our specific concerns follow:
- PeopleSoft application password security does not limit the
number of failed logon attempts, does not require users to
periodically change passwords, and does not use a specific
password for a user's initial logon.
- The Medical Center has not installed data security firewalls
to prevent network access by unauthorized users from outside
networks including the Internet. Lack of firewalls makes it
easier for unauthorized external users to gain access to the
financial databases and possibly alter or destroy financial
data.
During this audit, we identified two additional security weaknesses.
These weaknesses could result in making critical financial
systems unavailable to users.
The UNIX server running the financial system allows users
to telnet (communicate from remote locations) and establish
sessions. The ability to telnet to this server, especially
in the absence of a firewall, significantly increases the
possibility of a "hacker" attack to the server. An attack
could result in bringing the entire server down. The database
administrator (DBA) should strictly limit telnet to only those
individuals that actively require this access and should regularly
review whether users continue to need telnet access.
Management's Response: Concur
New procedures have been implemented by Medical Center Computing
to instruct personnel on the standard to change PeopleSoft
passwords upon issuance and every 60 days thereafter. Since
PeopleSoft does not provide automated password management,
MCC will acquire and install a third party solution approach
this fiscal year.
Medical Center Computing has established a committee with
representation from MCC, HSF and ITC to develop a firewall
strategy consistent with the requirements of the three organizations.
MCC has developed an RFP to outsource the development and
installation of "firewall" technologies, a project funded
for this fiscal year. An appropriately configured firewall
should be in place by the end of the current fiscal year.
Access to the DEC Alpha is limited to 15 predetermined IP
addresses, stored in the server in a protected file. These
addresses allow the capability to provide remote access to
the server for routine and emergency support. The use of these
addresses is monitored by the DBA. C2 level security is installed
on the DEC Alpha. Additional auditing for logins, logouts,
and password changes will be activated by the end of the first
quarter, 1999.
Responsible Area: Medical Center Computing
Estimated Completion Dates: March 1999 and June 1999