Audit finds IT deficiency at CSCU

Information security policies used in a system that collects records at the Connecticut State Colleges and Universities (CSCU) system office were at least two years out of date according to an audit conducted by the Auditors of Public Accounts.

The audit was conducted in November 2023 and reviewed CSCU’s system office’s internal controls over the Banner Information System, which collects data related to financial records, human resources, and student information, and found it was using information security policies that were at least two years out of date. It also looked at the office’s compliance with policies and procedures, as well as the efficiency of certain management practices.

The audit revealed one finding about an internal control deficiency, as well as an instance of noncompliance with policies. It found that CSCU’s information security policy was at least two years out of date.

CSCU’s information security policy requires that policies and procedures be reviewed annually. CSCU’s information security policy relies on a publication from the National Institute of Standards and Technology, which was last revised in September 2020. The information security policies the audit reviewed did not include that revision.

The finding was rated a moderate risk. Other categories the audit reviewed, including maintenance, personnel, and security, were rated low risk and the audit’s review of practices in these areas did not generate any findings.

“Missing or outdated policies increase the risk of inadequate or incomplete procedures (electronic or human), and undermine efforts to ensure appropriate confidentiality, integrity, and availability of data.” the audit report noted.

According to the audit, the finding, which has not been previously reported, was caused by changes in personnel and “shifting management priorities.”

Auditors recommend CSCU’s system office strengthen its internal controls to ensure its policies are current. The office agreed with the finding and said it is “currently reviewing some of the identified documents, with others planned for review early next year.”

The post Audit finds IT deficiency at CSCU appeared first on Connecticut Inside Investigator .