Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

University of Massachusetts - Dartmouth

February 22, 2012 · Read the full official report (PDF) ↗

Published February 22, 2012 Audit covers July 1, 2009 – February 28, 2011 Under Suzanne M. Bump · 2011–2023

In plain English
UMass Dartmouth fixed 2 of 5 earlier IT-related problems, but still had serious weaknesses in tracking computer equipment, controlling physical keys, and planning for disasters.
source
“Based on our review we have concluded that, as of the period ended February 28, 2011, UMD had resolved two of our five prior audit issues.”
Read the plain-English breakdown
What is this?

This is a follow-up audit of UMass Dartmouth by the Massachusetts State Auditor, covering selected technology controls from July 1, 2009 through February 28, 2011.

“The scope of our audit consisted of an evaluation of the status of the issues disclosed in our prior audit report, No. 2008-0210-4T, issued May 14, 2009, regarding inventory controls over computer equipment, compliance with Chapter 647 reporting requirements, management of keys for physical security, user account management for UMD’s network and PeopleSoft application system, and business continuity and disaster recovery planning for application systems housed at UMD.”
Why was it audited?

Auditors checked whether UMass Dartmouth had fixed problems found in a prior audit, especially around IT equipment, security access, user accounts, and emergency recovery planning.

“The primary objective of our audit was to determine whether corrective action had been taken with respect to the prior audit issues.”
Why it matters

The unresolved issues could make it harder for the university to protect public assets, prevent unauthorized access, and recover important technology services after a disaster.

“Without a comprehensive, formal, and tested recovery strategy, UMD would be hindered in regaining processing capabilities for automated applications, e-mail, network, and Internet-based services should a disaster occur.”
What's in it for me?

For an ordinary taxpayer, student, parent, or employee, this report is about whether a public university is protecting equipment bought with public funds and keeping systems and personal information secure.

“UMD received state-appropriated funds totaling $47 million in fiscal year 2010 and $48 million in fiscal year 2011.”
The bottom line

The university made progress on reporting stolen equipment and cleaning up user accounts, but it still could not reliably account for many computers, keys, or disaster-recovery plans.

“Specifically, although UMD had adequately addressed the prior audit issues relating to compliance with Chapter 647 of the Acts of 1989 and user account management controls, the prior audit issues relating to inventory controls over computer equipment, management of keys for physical security, and disaster recovery and continuity planning remained unresolved.”
What happens next

The auditor recommended that UMass Dartmouth tighten inventory controls, reconcile records, recover keys from unauthorized holders, and create and test a formal disaster recovery and business continuity plan.

“The plan should then be tested, updated on a periodic basis to conform to changes in technology, and communicated to staff.”
Why it's significant

The findings are significant because auditors found missing or poorly tracked equipment, former employees still listed as keyholders, and no formal tested plan for restoring key technology services after a disaster.

“Our random sample of 60 out of the total population of authorized keyholders indicated that 45 individuals were no longer employed by UMD, but still possessed keys that could potentially allow access to UMD facilities, including computer labs and areas housing personal information.”
Jargon, unpacked

“Disaster recovery and business continuity” means having a written, tested plan so important computer systems and services can come back quickly after a major disruption.

“The objective of business continuity planning is to help ensure timely recovery of mission-critical and essential functions should a disaster cause significant disruption to computer operations.”

2 figure(s) pending source verification - not shown

What the Auditor checked

What the Auditor found

UMD did not maintain accurate and complete inventory controls over computer equipment.
asset/inventory controlrecordkeeping/documentationinternal controls

Why it matters: UMD could not adequately account for IT resources, evaluate equipment allocation, identify missing equipment, or meet IT configuration management objectives.

Standard: Chapter 647 of the Acts of 1989; Office of the State Comptroller requirements; generally accepted industry standards and sound management practices. ( Chapter 647 of the Acts of 1989; 802 Code of Massachusetts Regulations )

2 recommendations
  • Strengthen inventory controls to ensure the integrity of the system of record for computer equipment.agency: agreed
  • Conduct a reconciliation of IT resources to ensure accurate, complete, and valid inventory records.agency: agreed
Agency response & Auditor reply
Agency: "The University agrees with the need to improve controls by expansion of responsibility to other core departments (Facilities, Computer and Information Technology Services, Procurement and Property Control) over the inventory process for computer equipment."
Auditor: "We believe that controls to ensure adequate accounting of computer equipment will be strengthened by updating the inventory record when changes in status or location occur and then routinely, or on a cyclical basis, reconciling the physical inventory to the system of record."
UMD did not adequately manage and reconcile physical access keys.
public safetydata privacyrecordkeeping/documentationinternal controls

Why it matters: Unauthorized individuals could potentially access UMD facilities, including computer labs and areas housing personal information.

Standard: Generally accepted computer industry practices for physical security controls. ( Generally accepted computer industry practices )

2 recommendations
  • Develop, document, and implement policies and procedures for managing the distribution and return of all physical access keys.agency: agreed
  • Immediately reconcile the authorized keyholder system of record to a current employee roster and try to retrieve keys from former employees.agency: agreed
Agency response & Auditor reply
Agency: "The University agrees with the need to improve key management and plans to formalize written policies and procedures and strengthen controls for the distribution and return of physical access keys."
Auditor: "We reiterate our concerns regarding the risks associated with unauthorized individuals having access keys to UMD facilities and recommend that that UMD management perform an immediate reconciliation of the system of record of authorized key holders to a current employee roster."
UMD did not have a formal disaster recovery and business continuity plan.
cybersecurityinternal controlsdata privacy

Why it matters: UMD might be unable to restore automated applications, e-mail, network, and Internet services within an acceptable period after a disaster.

Standard: Fair Information Practices Act, Chapter 66A of the General Laws; generally accepted business practices and industry standards. ( Fair Information Practices Act, Chapter 66A of the General Laws )

3 recommendations
  • Establish procedures to evaluate criticality and assess business continuity planning for all network systems and applications.
  • Develop a written business continuity plan for UMD-housed systems and essential functions.
  • Work with the UMass Central Office to develop an integrated business continuity strategy.
Agency response & Auditor reply
Agency: "UMass Dartmouth recognizes the need to develop a formal DR/BC plan for IT."
Auditor: "A comprehensive and well-documented business continuity and contingency strategy is essential to ensure timely recovery of mission-critical and essential business functions and systems."

Prior findings revisited

Still a problem
"Specifically, although UMD had adequately addressed the prior audit issues relating to compliance with Chapter 647 of the Acts of 1989 and user account management controls, the prior audit issues relating to inventory controls over computer equipment, management of keys for physical security, and disaster recovery and continuity planning remained unresolved."
Fixed
"Our follow-up review determined that UMD had implemented new policies and procedures to report all missing and stolen equipment to the Office of the State Auditor in accordance with Chapter 647."
Fixed
"Our follow-up audit revealed that, with respect to user account management, controls had been strengthened regarding the deactivation of user accounts no longer needed for the PeopleSoft application system."

More audits of this entity

Other Office of the State Auditor reports on University of Massachusetts - Dartmouth , including the prior audits referenced above.

See this entity's page with all 3 audits →