Audit of the Middlesex Community College
May 31, 2022 · Middlesex Community College · Read the full official report on mass.gov ↗
source
“MCC did not ensure that its users who had access to the finance and/or financial aid modules in Banner completed cybersecurity awareness training.”
Read the plain-English breakdown
This is a state performance audit of Middlesex Community College covering March 1, 2020 through June 30, 2021.
“I am pleased to provide this performance audit of Middlesex Community College.”
The audit checked whether the college followed rules for federal COVID relief funding and whether it met certain internal control and cybersecurity requirements.
“The purpose of our audit was to determine whether MCC administered the CARES Act, CRRSAA, and ARP Act funding it received in accordance with the criteria established by US DOE and MDHE, as well as its own student award criteria.”
If people with access to sensitive finance and financial aid systems do not complete cybersecurity training, the college faces more risk of cyberattacks, financial harm, and damage to its reputation.
“Without educating all system users on their responsibility of protecting the security of information assets, MCC is exposed to a higher risk of cybersecurity attacks and financial and/or reputation losses.”
For students, families, taxpayers, and employees, the report gives some assurance that pandemic relief funds were reviewed, while also pointing out a security weakness that could affect sensitive information.
“In fiscal year 2021, 11,936 students were enrolled at MCC.”
The main problem found was not about misspent COVID relief money; it was that 15 of 35 sampled system users did not complete required cybersecurity training.
“Fifteen of the 35 sampled users did not complete cybersecurity awareness training as required: 13 were assigned the training but did not complete it, and 2 were not assigned the training.”
The auditor recommended that the college set clearer cybersecurity training rules and monitor whether users actually finish the training.
“MCC should implement monitoring controls to ensure that users complete the cybersecurity awareness training modules assigned to them.”
This matters because MCC received and spent millions in federal pandemic-related education funding, and the audit found the funding areas reviewed were compliant while cybersecurity training needed improvement.
“Below is a summary of MCC’s financial activity related to federal COVID-19 funding during the audit period.”
Banner is the college’s main administrative database system, including records tied to accounting, student files, registration, billing, and financial aid.
“Banner is the database system for MCC’s administrative activities, accounting, and student files.”
What the Auditor checked
- Complied Did MCC administer the student portion of funding under its student award criteria and Section 18004(a)(1) of the Coronavirus Aid, Relief, and Economic Security (CARES) Act in accordance with Sections C, D, and E of the United States Department of Education’s (US DOE’s) Higher Education Emergency Relief Fund (HEERF) Frequently Asked Questions (FAQ) Rollup Document?
- Complied Did MCC administer the institutional portion of CARES 18004(a)(1) funding in accordance with Section F of US DOE’s Higher Education Emergency Relief Fund (HEERF) Frequently Asked Questions (FAQ) Rollup Document?
- Complied Did MCC administer the student portion of funding under its student award criteria and Section 314(a)(1) of the Coronavirus Response and Relief Supplemental Appropriations Act (CRRSAA) in accordance with US DOE’s Higher Education Emergency Relief Fund (HEERF) II Public and Private Nonprofit Institution (a)(1) Programs ([Catalog of Federal Domestic Assistance, or CFDA] 84.425E and 84.425F) Frequently Asked Questions?
- Complied Did MCC administer the institutional portion of funding under Section 314(a)(1) of the CRRSAA in accordance with US DOE’s Higher Education Emergency Relief Fund (HEERF) II Public and Private Nonprofit Institution (a)(1) Programs (CFDA 84.425E and 84.425F) Frequently Asked Questions and Higher Education Emergency Relief Fund (HEERF I, II, and III) Lost Revenue Frequently Asked Questions?
- Complied Did MCC administer the institutional portion of funding under Section 2003(a)(1) of the American Rescue Plan (ARP) Act in accordance with US DOE’s Higher Education Emergency Relief Fund III Frequently Asked Questions and Higher Education Emergency Relief Fund (HEERF I, II, and III) Lost Revenue Frequently Asked Questions?
- Complied Did MCC administer the student portion of Governor’s Emergency Education Relief (GEER) funding in accordance with its student award criteria and US DOE’s Frequently Asked Questions about the Governor’s Emergency Education Relief Fund (GEER Fund)?
- Complied Did MCC administer the institutional portion of GEER funding in accordance with US DOE’s Frequently Asked Questions about the Governor’s Emergency Education Relief Fund (GEER Fund) and the Massachusetts Department of Higher Education’s (MDHE’s) interdepartmental service agreement?
- Did not comply Did MCC ensure that its users who had access to the finance and/or financial aid modules in Banner completed cybersecurity awareness training in accordance with Section 6.2.4 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010?
What the Auditor found
Why it matters: Without cybersecurity awareness training for all system users, the college had a higher risk of cybersecurity attacks and financial or reputational losses.
Standard: Section 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 requires all personnel to complete annual security awareness training. ( Section 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 )
2 recommendations
- MCC should implement policies and procedures that clearly define the contents and administration of its cybersecurity awareness training program.agency: agreed
- MCC should implement monitoring controls to ensure that users complete the cybersecurity awareness training modules assigned to them.agency: agreed
Agency response & Auditor reply
Agency: "Middlesex Community College agrees with the Auditor’s Report Findings, and the implementation of policies, procedures, and monitoring controls to ensure users complete cybersecurity awareness training, that are outlined by MCC in the following response to the Draft Audit Report."
Auditor: "Based on its response, MCC is taking steps to address this issue."
More audits of this entity
Other Office of the State Auditor reports on Middlesex Community College .
- Middlesex Community College's Use Of American Recovery And Reinvestment Act FundsCollege / University · January 31, 2011