This page, Audit of the University of Massachusetts Boston Overview of Audited Entity, is offered by the Office of the State Auditor.

Audit of the University of Massachusetts Boston Overview of Audited Entity

This section describes the makeup and responsibilities of the University of Massachusetts Boston.

Overview

The University of Massachusetts (UMass) Boston is a member of the Massachusetts public higher education system, which consists of 15 community colleges, nine state universities, and five UMass campuses. In 1964, UMass Boston became one of the five public institutions of higher learning in the UMass system, in accordance with Chapter 75 of the General Laws. UMass is led by a president who oversees the UMass system and by a chancellor at each UMass campus. It is also governed by a board of trustees composed of 22 members, with 17 members who are appointed by the Governor for five-year terms and 5 UMass students who are elected by the student body for one-year terms. The board shapes general policies that govern all five UMass campuses. As the administrative head of the campus, the chancellor of UMass Boston reports to the president and is supported by several vice chancellors, a provost, and a director of athletics.

As of fall 2023, UMass Boston had a total enrollment of 15,671 students (12,234 undergraduate and 3,437 graduate students), and approximately 2,579 employees (1,816 full-time and 763 part-time employees). According to Section 7 of Chapter 75 of the General Laws, “The [UMass system] trustees shall prepare and submit a detailed budget in such form and manner as the governor, secretary and general court may direct.” UMass Boston had $506,185,000 total revenues and $491,457,000 total expenses for fiscal year 2023 and incurred revenues of $486,208,000 and expenses of $481,706,000 for fiscal year 2022. UMass Boston had state appropriations of $158,380,000 and $184,083,000 for fiscal years 2022 and 2023, respectively.

Website Accessibility

Americans with Disabilities Act

In 1990, the Americans with Disabilities Act (ADA), a comprehensive civil rights law prohibiting discrimination based on disability, came into effect. Title II of the ADA covers state-funded programs such as universities, community colleges, and career and technical education programs, including all activities of state and local governments, regardless of whether these entities receive federal financial assistance. (See 42 US Code § 12131–65.) More recently, the Justice Department filed a proposed consent decree to resolve allegations that Miami University in Oxford, Ohio, violated the ADA by using inaccessible classroom technologies and other technologies. As part of the consent decree, Miami University had to ensure that its web content and learning management systems (LMS)[2] conform with Web Content Accessibility Guidelines (WCAG) 2.0 AA standards. Additionally, the university was required to meet with every student who has a disability in order to develop an accessibility plan and procure web technology or software that best met various accessibility standards.

WCAG

In 1999, the World Wide Web Consortium (W3C), an international organization overseeing internet standards, released WCAG 1.0. These guidelines aimed to offer directions on enhancing the accessibility of web content for people with disabilities. In 2008, W3C published WCAG 2.0. In 2018, W3C published WCAG 2.1, which was built on WCAG 2.0 to improve web accessibility on mobile devices and to further improve web accessibility for people with visual impairments and cognitive disabilities.

Progression of Internet Accessibility Standards

This object is a timeline showing important events related to the progression of internet accessibility standards. The timeline starts in 1990 and ends in 2018.


How People with Disabilities Use the Web

According to W3C, people with disabilities use assistive technologies and adaptive strategies specific to their needs to navigate web content. Examples of assistive technologies include screen readers, which read webpages aloud for people who cannot read text; screen magnifiers for individuals with low vision; and voice recognition software for people who cannot (or do not) use a keyboard or mouse. Adaptive strategies refer to techniques that people with disabilities employ to enhance their web interaction.[3] These strategies might involve increasing text size, adjusting mouse speed, or enabling captions. To make web content accessible to people with disabilities, developers must ensure that various components of web development and interaction work together. This includes text, images, and structural code; users’ browsers and media players; and various assistive technologies.

UMass Boston made efforts to create and maintain an accessible website in the following ways: In 2020, UMass Boston hired new staff members to address internet accessibility and marketing concerns; a new website was launched in July 2023 as a result of this effort. In accordance with the ADA, the UMass Boston website (www.umb.edu) is designed to comply with the WCAG 2.0 AA guidelines. To achieve compliance with WCAG 2.0, the university transitioned to a new content management system. Additionally, UMass Boston’s Web Services Team uses third-party software (called SiteImprove) to run weekly scans of UMass Boston’s website to identify accessibility issues.

Common Accessibility Features of a Website*

This object is a screenshot showing a UMass Boston webpage with explanations of how accessibility standards make websites more inclusive. The screenshot highlights how different elements of a webpage (e.g., headings for sections such as cost and financial aid) can contribute to that webpage’s level of accessibility.

* This webpage was modified to fit in our report.

Blackboard LMS

According to UMass, Blackboard Learn Original is the third-party vendor LMS chosen by the university to help instructors provide effective and engaging learning in the classroom. The LMS allows instructors to conduct their courses either partly or entirely online and allows students to take tests, submit homework assignments, watch lecture videos, keep track of their grades, engage in student discussions, and take other actions. Blackboard’s website indicates that its products are generally designed and developed in alignment with WCAG 2.1 Level AA success criteria.  

In spring 2023, UMass Boston announced that it had selected a new LMS called Canvas. We did not have an opportunity to test Canvas because it was not fully implemented by the university during the audit period. The university made this transition to address accessibility concerns, increase inclusivity for mobile users, and further integrate the learning and teaching experience.

Cybersecurity Awareness Training

Starting in 2008, in reaction to significant data losses faced by organizations in the US defense sector, the Center for Internet Security (CIS) introduced best practice guidelines for computer security known as CIS Controls. There are 18 controls; they are a set of prioritized cybersecurity actions that organizations can implement to protect against the most common cyber threats. CIS Control 14 (Security Awareness and Skills Training) focuses on the importance of developing and sustaining a security awareness program aimed at shaping employee behavior to be more security minded and adequately trained, thereby minimizing cybersecurity risks to the organization.

In the 2010s, the transition to cloud computing led to an increased focus on cloud security. At the same time, the rise in cyber threats highlighted the necessity for cooperative strategies to combat emerging digital challenges. As a result of various data breaches and other cyberattacks, there was an effort to invest in cybersecurity measures to protect sensitive information across organizations. The absence of cybersecurity awareness training poses one of the highest risks an organization can face, as untrained employees are often the weakest link in an organization’s security defenses. Recognizing this, organizations have prioritized investments in cybersecurity awareness training to educate their workforce about potential cyber threats, such as phishing scams and malware.

In 2010, the UMass board of trustees passed a new Information Security Policy (Doc. T10-089), which commits the university to adopt controls modeled on ISO 27002.[4] This includes controls requiring employees to receive cybersecurity awareness training. According to the university’s President’s Office, in the intervening years, the university adopted CIS Controls, which require the university’s campuses to maintain a cybersecurity awareness training program across its entire workforce.

In June 2020, UMass Boston adopted an initial version of the “Information Security Training and Awareness Policy.” The policy states,

It is the responsibility and policy of the University of Massachusetts Boston to conduct an on-going information security awareness and training program for all faculty, staff, students, vendors, and contractors. . . . All users shall complete security awareness training and training on information security policies upon hire and subsequently at least annually.

UMass Boston conducts awareness campaigns and periodic phishing simulations (monthly or every other month) for staff members, faculty members, and students, as part of its efforts to enhance compliance and cybersecurity readiness. During the audit period, there were no procedures or enforcement mechanisms in place to ensure that employees completed cybersecurity training. UMass Boston employees expressed to the Office of the State Auditor that the percentage of individuals who completed cybersecurity awareness training was slightly above 10%. UMass Boston provides cybersecurity awareness training through a web-based, third-party platform, which tracks and records all activities and documentation (e.g., assignment status, automatic reminders, and completion status) regarding cybersecurity awareness training for each workforce member.

2. An LMS is a web-based application that functions like a website. Instructors and students can access the classes to which they are assigned.

3. Web interaction refers to the various actions that users take while navigating and using the internet. It encompasses a wide range of online activities, including, but not limited to, clicking on hyperlinks, submitting forms, posting comments on webpages, and engaging with web content and services in other forms.

4. ISO 27002 is an information security standard published by the International Organization for Standardization that offers model practices for cybersecurity risk management.

Date published: December 26, 2024
