IT-Related Controls at the University of Massachusetts Amherst
April 30, 2012 · University of Massachusetts Amherst · Read the full official report (PDF) ↗
source
“Based on our examination, we have concluded that adequate controls were in place over UMA’s mission-critical SPIRE application to provide reasonable assurance that business objectives would be met.”
Read the plain-English breakdown
This is a 2012 Massachusetts State Auditor report on information technology controls at UMass Amherst for July 1, 2009 through May 31, 2011.
“In accordance with Chapter 11, Section 12, of the Massachusetts General Laws, the Office of the State Auditor performed an information technology (IT) audit at UMA that covered the period July 1, 2009 through May 31, 2011.”
The auditor reviewed how UMass Amherst governed its IT, protected its critical SPIRE system, and handled related physical, environmental, security, and continuity controls.
“The audit scope included an examination of the IT governance at UMA and an evaluation of internal and general controls over the mission-critical SPIRE application system, including physical and environmental controls that directly affect UMA’s computing operations (excluding human resources and financial applications, which are hosted and operated by the UMass President’s Office in Shrewsbury).”
Weak IT oversight can lead to bad decisions, wasted money, failed systems, poor performance tracking, and legal or regulatory problems.
“Weak IT governance can result in IT strategic and tactical plans not aligning with UMA’s business requirements and business plans and can also lead to poor management decisions; inadequate cost determinations; uncontrolled expenditures; failed or subpar systems; lack of performance measurement; and noncompliance with laws, regulations, or contractual obligations.”
If you are a student, employee, applicant, or otherwise connected to the campus, SPIRE holds and supports important personal, academic, billing, registration, and campus-service information.
“SPIRE supports numerous administrative functions, including student course registration, academic records, advising, admissions, financial aid, student billing, admissions prospect communications, and federal reporting on foreign students and scholars.”
The main problem was not that everything was broken; it was that campus-wide IT management, planning, and recovery processes needed to be more formal, coordinated, and documented.
“However, as reported in the Audit Results section of this report, as of May 31, 2011, UMA needed to make improvements in the areas of IT governance, IT strategic planning, and business continuity and disaster recovery planning.”
The report recommended stronger IT governance, a formal IT strategic planning process, and detailed disaster recovery and business continuity plans, with testing and clear responsibilities.
“UMA should strengthen its disaster recovery and business continuity planning process by:”
“IT governance” means the way leaders make, monitor, and enforce decisions about technology so it supports the university’s goals and manages risk.
“IT governance is how management formally decides to employ IT in supervising, monitoring, and directing an organization and is vital to overall enterprise governance.”
What the Auditor checked
- Partially Gain and record an understanding of IT governance, IT strategic planning, IT policies and procedures, and disaster recovery and business continuity planning over UMA’s computer environment, and determine whether such activities were managed effectively.
- Complied Determine whether adequate physical security controls were in place to provide reasonable assurance that access to the data center would be limited to authorized personnel only.
- Complied Determine whether sufficient environmental protection was provided to the data center to prevent or detect damage or loss of IT-related equipment and media.
What the Auditor found
Why it matters: Weak IT governance increases the risk of data breaches, poor IT decisions, uncontrolled expenditures, failed systems, and noncompliance.
Standard: IT governance should include executive leadership, organizational structures, processes, and control frameworks to ensure IT sustains organizational strategies and objectives. ( Chapter 11, Section 12, of the Massachusetts General Laws )
2 recommendations
- Implement sound IT governance practices and structures to inform, direct, manage, and monitor activities toward the achievement of UMA’s business objectives.
- Establish a general monitoring framework and approach for all data centers and application owners.
Why it matters: The absence of a comprehensive IT strategic plan increases the risk that major systems and IT initiatives will not meet management or user expectations and may exceed time or budget estimates.
Standard: IT strategic planning should align IT activities with the organization’s business strategy and operational requirements. ( Control Objectives for Information and Related Technology (CobiT 4.1) )
2 recommendations
- Adopt a generally accepted IT strategic planning process in which IT plans are developed in alignment with organizational business strategy.
- Develop an IT strategic plan that defines how IT goals will contribute to UMA’s strategic objectives, costs, and risks.
Agency response & Auditor reply
Agency: "The campus has been developing a strategic plan over the past few years."
Why it matters: UMA may be unable to recover mission-critical and essential business activities in an acceptable and timely manner after a disaster or major system outage.
Standard: Business continuity planning should include coordinated plans, procedures, and technical measures to recover mission-critical and essential IT systems and operations. ( International Standards Organization’s ISO/IEC 27002 on IT Security Management )
3 recommendations
- Develop and maintain recovery strategies to regain mission-critical and essential processing within acceptable time periods.
- Document a comprehensive disaster recovery plan with recovery strategies for various disaster scenarios.
- Annually test the alternate processing site and document and evaluate disaster recovery test results.
Agency response & Auditor reply
Agency: "The campus is currently in the process of hiring additional staff within our Emergency Management department to support the ongoing development and refinement of campus Disaster Recovery (DR) and Business Continuity (BC) programs."
More audits of this entity
Other Office of the State Auditor reports on University of Massachusetts Amherst .
-
Audit of the University of Massachusetts AmherstCollege / University · October 29, 2018 -
Audit of the University of Massachusetts Amherst (December 30, 2024)College / University · December 30, 2024