Audit of the University of Massachusetts Boston (December 26, 2024)
December 26, 2024 · University of Massachusetts Boston · Read the full official report on mass.gov ↗
source
“UMass Boston’s website is not fully accessible for all Massachusetts residents and users.”
Read the plain-English breakdown
This is a state performance audit of UMass Boston covering July 1, 2022 through August 31, 2023.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the University of Massachusetts (UMass) Boston for the period July 1, 2022 through August 31, 2023.”
Auditors checked whether UMass Boston’s website and Blackboard met accessibility standards and whether employees completed required cybersecurity awareness training.
“The purpose of this performance audit was to determine whether UMass Boston’s website and its learning management system (LMS), Blackboard, adhered to the accessibility standards established by the Web Content Accessibility Guidelines (WCAG) 2.0 and 2.1, respectively, for user accessibility, keyboard accessibility, navigation accessibility, language, error identification, and color accessibility.”
Accessibility problems can block students and residents from getting important online information and services; weak training compliance can raise cybersecurity risk.
“Broken or faulty hyperlinks limit users from having equitable access to critical information and key online services offered by UMass Boston.”
If you are a student, employee, applicant, parent, or resident using UMass Boston online services, the audit is about whether you can access information reliably and whether the university is protecting its systems.
“WCAG ensures that all users, regardless of ability, can access the content and functions of UMass Boston’s website and LMS.”
The audit found three main problems: website accessibility issues, Blackboard accessibility issues, and incomplete cybersecurity training.
“UMass Boston did not always ensure that its employees completed cybersecurity awareness training.”
The Auditor recommends that UMass Boston keep checking its webpages, work with its learning system vendor on accessibility, and enforce cybersecurity training requirements.
“UMass Boston should revise its policy to implement a mechanism that requires employees to complete cybersecurity awareness training at hire and at least annually thereafter; UMass Boston should consider cutting off user access if an employee does not complete their training by a stated deadline.”
This matters because UMass Boston is a public university serving thousands of students and employees, and its online systems are central to learning, services, and security.
“As of fall 2023, UMass Boston had a total enrollment of 15,671 students (12,234 undergraduate and 3,437 graduate students), and approximately 2,579 employees (1,816 full-time and 763 part-time employees).”
WCAG means web accessibility rules meant to help people with disabilities use websites and online tools.
“In 1999, the World Wide Web Consortium (W3C), an international organization overseeing internet standards, released WCAG 1.0.”
What the Auditor checked
- Did not comply Did UMass Boston’s website and its learning management system (LMS), Blackboard, adhere to Web Content Accessibility Guidelines (WCAG) 2.0 and 2.1, respectively, for user accessibility, keyboard accessibility, navigation accessibility, language, error identification, and color accessibility?
- Did not comply Did UMass Boston ensure that its employees completed cybersecurity awareness training in accordance with its “Information Security and Awareness Policy”?
What the Auditor found
Why it matters: Broken or faulty hyperlinks can prevent equitable access to critical information and services and may direct users to outdated, incorrect, or nonexistent pages.
Standard: Web Accessibility Initiative’s WCAG 2.0, Success Criteria 2.4.5 ( Web Accessibility Initiative’s WCAG 2.0, Success Criteria 2.4.5 )
1 recommendation
- UMass Boston should continually review its webpages to ensure that all hyperlinks lead to related information and provide equitable access to critical information and services offered online by UMass Boston.agency: already implemented
Agency response & Auditor reply
Agency: "Also, the campus has fixed all hyperlink issues identified in the audit."
Auditor: "Based on its response, UMass Boston is taking measures to address our concerns regarding this matter."
Why it matters: Accessibility problems could limit equitable access, prevent navigation, reduce readability, impair use on mobile devices, block keyboard users, reduce screen reader comprehension, and prevent users from identifying errors.
Standard: Web Accessibility Initiative’s WCAG 2.1 ( Web Accessibility Initiative’s WCAG 2.1, Success Criterion 1.3.4 Orientation; Web Accessibility Initiative’s WCAG 2.1, Success Criterion 2.1.1 Keyboard; Web Accessibility Initiative’s WCAG 2.1, Success Criterion 3.3.1 Error Identification )
2 recommendations
- UMass management should review the accessibility statements and reports of its LMS vendor to determine instances of WCAG noncompliance.agency: agreed
- UMass management should work with its LMS vendor to ensure that any potential instances of WCAG noncompliance are resolved.agency: agreed
Agency response & Auditor reply
Agency: "It will continue to review Canvas’ accessibility statements and reports to determine if it meets accessibility requirements since the vendor is responsible for maintaining their LMS’ accessibility."
Auditor: "Based on our audit results, and even with a new vendor for this service (Canvas), we recommend that UMass Boston implement our recommendation in order to be in compliance with WCAG."
Why it matters: Without required cybersecurity awareness training, UMass Boston has a higher-than-acceptable risk of cybersecurity attacks that may cause financial or reputational losses.
Standard: UMass Boston’s “Information Security Training and Awareness Policy” ( UMass Boston’s “Information Security Training and Awareness Policy” )
1 recommendation
- UMass Boston should revise its policy to implement a mechanism that requires employees to complete cybersecurity awareness training at hire and at least annually thereafter; UMass Boston should consider cutting off user access if an employee does not complete their training by a stated deadline.agency: already implemented
Agency response & Auditor reply
Agency: "UMass Boston has updated its Security Education Training and Awareness policy that reflects the new cybersecurity awareness training requirements."
Auditor: "Therefore, we reiterate our recommendation for UMass Boston to implement a mechanism that requires employees to complete cybersecurity awareness training at hire and at least annually thereafter."
More audits of this entity
Other Office of the State Auditor reports on University of Massachusetts Boston .
-
Audit of the University of Massachusetts BostonCollege / University · January 19, 2021