Mount Wachusett Community College - Other Matters

Other Matters in the audit of Mount Wachusett Community College

Overview

Mount Wachusett Community College (MWCC) is missing certain information system general controls over its finance and administration system.

We identified the following issues in our testing of MWCC’s information system general controls:

  1. MWCC’s Enterprise-Wide Risk Management and Internal Control Manual has not been updated since June 30, 2020.
  2. MWCC does not have a formalized identification and authentication policy that outlines password complexity requirements.
  3. MWCC does not conduct supervisory reviews of user access rights.
  4. Three out of 15 users randomly selected for user rights access testing did not have user rights approvals that matched their access rights (some employees were assigned roles for which they were not approved and/or were approved for roles but not given access to them).
  5. MWCC does not regularly review or analyze information system audit records.
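Finding 4 is the result of reconciling two records: the roles each user was approved for (the signed access requests that standard IS.003 6.1.5.3 requires) and the roles the finance and administration system actually grants. The script below is an added illustration of that reconciliation, written for this page; it is not code from the audit or from MWCC, and the user IDs and role names are constructed sample data. It reports both kinds of mismatch named in the finding (roles held without approval, and roles approved but never granted) and separately lists accounts that exist in the system with no approval record at all, which is the "unauthorized accounts" case that 6.1.10.2 says a semiannual review must remove.

```python
from __future__ import annotations

# Constructed sample data (not from the audit).
# APPROVED: roles per user from the signed access request records.
# ASSIGNED: roles per user as currently granted in the application.
APPROVED = {
    "user01": {"ap_clerk"},
    "user02": {"gl_view", "ap_clerk"},
    "user03": {"payroll_admin"},
    "user04": {"gl_view"},
}
ASSIGNED = {
    "user01": {"ap_clerk"},
    "user02": {"gl_view"},                  # approved for ap_clerk, never granted
    "user03": {"payroll_admin", "gl_post"}, # holds gl_post with no approval
    "user04": {"gl_view"},
    "user05": {"ap_clerk"},                 # no approval record exists for this account
}


def reconcile(approved: dict[str, set[str]], assigned: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """Compare approvals against live access.

    Returns one (user, role, exception_type) tuple per mismatch, sorted by
    user and role so that two runs over the same data produce the same
    evidence file for the reviewer to sign off on.
    """
    exceptions: list[tuple[str, str, str]] = []
    for user in sorted(set(approved) | set(assigned)):
        held = assigned.get(user, set())
        allowed = approved.get(user, set())
        for role in sorted(held - allowed):
            exceptions.append((user, role, "assigned_without_approval"))
        for role in sorted(allowed - held):
            exceptions.append((user, role, "approved_but_not_assigned"))
    return exceptions


def unapproved_accounts(approved: dict[str, set[str]], assigned: dict[str, set[str]]) -> list[str]:
    """Accounts present in the system that have no approval record at all.

    These are the accounts (for example, separated employees whose access was
    never removed) that the semiannual review must disable, regardless of
    which roles they hold.
    """
    return sorted(set(assigned) - set(approved))


def exception_rate(exceptions: list[tuple[str, str, str]], population: set[str]) -> tuple[int, int]:
    """Count users with at least one exception over the reviewed population."""
    affected = {user for user, _, _ in exceptions}
    return len(affected), len(population)


if __name__ == "__main__":
    found = reconcile(APPROVED, ASSIGNED)
    for user, role, kind in found:
        print(f"{user}\t{role}\t{kind}")
    print("accounts with no approval record:", unapproved_accounts(APPROVED, ASSIGNED))
    hit, total = exception_rate(found, set(APPROVED) | set(ASSIGNED))
    print(f"{hit} of {total} users have access exceptions")
```

A review run like this only has value if its output is kept as evidence together with the reviewer's sign-off and the tickets that removed each unapproved role; the reconciliation itself is the easy part, and the audit finding is about the review not being performed or documented at all.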

If MWCC does not update and receive approval each year for its Enterprise-Wide Risk Management and Internal Control Manual, it may be exposed to an increased risk of cyberattacks and financial and/or reputational losses. If MWCC does not have a formalized identification and authentication policy that outlines password complexity requirements, or does not conduct reviews of user access rights, this may cause an elevated risk of exposure to unauthorized access to its systems. If MWCC employees have unauthorized access privileges, along with MWCC not reviewing system audit logs, this may cause an elevated risk of security breaches or fraud.

Section 6.4.5.1 of the Executive Office of Technology Services and Security’s Organization of Information Security Standard IS.001 states, “A review of information security policies, procedures and standards will be performed by the Document Owner . . . at least once every year.”

The Executive Office of Technology Services and Security’s Access Management Standard IS.003 states,

6.1.5.3 User access requests will be recorded (paper or tool-based), include a business justification for access, and be approved by the requestor’s supervisor and the appropriate Information Owner or authorized delegate. . . .

6.1.10.2 A review of user access must be conducted, at a minimum, semiannually, and all unauthorized accounts and access must be removed. . . .

6.4.1 Passwords will be configured securely using complexity and expiration requirements, as follows:

6.4.1.1 User passwords must be a minimum of twelve (12) characters and contain three (3) of the following four (4) characteristics:

6.4.1.1.1. Special characters (e.g., ‘, %, $, #)

6.4.1.1.2. Numerical characters (e.g., 1, 2, 3)

6.4.1.1.3. Alphabetic characters (e.g., a, b, c)

6.4.1.1.4. Combination of uppercase and lowercase letters. . . .
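The complexity rule in 6.4.1.1 is precise enough to be enforced mechanically, which is the usual way a formalized identification and authentication policy gets teeth: the identity system or onboarding script rejects passwords that fail it. The following is an added example written for this page, not code from the audit or from MWCC. It implements the rule exactly as the standard lists it: "alphabetic" and "mixed case" are counted as separate characteristics, so an all-letter password with mixed case scores only two of four and fails, while a twelve-character password of letters, digits and mixed case passes. Sample passwords in the test block are constructed.

```python
from __future__ import annotations

import re

MIN_LENGTH = 12        # IS.003 6.4.1.1: a minimum of twelve characters
REQUIRED_CLASSES = 3   # ... containing three of the four characteristics below

# Three of the four characteristics (6.4.1.1.1 through 6.4.1.1.3) as patterns.
# "Special" is anything that is not a letter or digit.
CLASS_PATTERNS = {
    "special": re.compile(r"[^A-Za-z0-9]"),
    "numeric": re.compile(r"[0-9]"),
    "alphabetic": re.compile(r"[A-Za-z]"),
}

LENGTH_MSG = f"must be at least {MIN_LENGTH} characters"
CLASSES_MSG = f"must contain at least {REQUIRED_CLASSES} of the 4 character classes"


def character_classes(password: str) -> set[str]:
    """Return the set of IS.003 characteristics the password exhibits."""
    found = {name for name, pattern in CLASS_PATTERNS.items() if pattern.search(password)}
    # 6.4.1.1.4: a combination of uppercase and lowercase letters counts as its
    # own characteristic, separate from "alphabetic".
    if re.search(r"[a-z]", password) and re.search(r"[A-Z]", password):
        found.add("mixed_case")
    return found


def check_password(password: str) -> tuple[bool, list[str]]:
    """Evaluate a candidate password against IS.003 6.4.1.1.

    Returns (compliant, problems). An empty problems list means the password
    meets the length and complexity rule; it says nothing about whether the
    password is guessable or already known from a breach, which a policy
    should check separately.
    """
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(LENGTH_MSG)
    classes = character_classes(password)
    if len(classes) < REQUIRED_CLASSES:
        present = ", ".join(sorted(classes)) or "none"
        problems.append(f"{CLASSES_MSG} (has {len(classes)}: {present})")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed samples, not real credentials.
    for candidate in ["Password2024", "abcdefghijkL", "Abc123!", "p@ssword2024"]:
        ok, why = check_password(candidate)
        print(f"{candidate!r}: {'compliant' if ok else '; '.join(why)}")
```

The check is deliberately explicit about which class is missing, because a rejection message that only says "not complex enough" sends users to the help desk; it is also deliberately not the whole story, since meeting a complexity rule does not stop a password that is common or already exposed, and a formalized policy should pair this rule with a compromised-password check and the expiration handling that 6.4.1 also calls for.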

Section 6.1.5 of the Executive Office of Technology Services and Security’s Logging and Event Monitoring Standard IS.011 states, “Commonwealth Agencies and Offices must ensure that Information Owner activities are logged and monitored.”

During an interview, MWCC’s vice president of finance stated that an update of the Enterprise-Wide Risk Management and Internal Control Manual was drafted in 2020; however, the plan was never approved.

During an interview, MWCC’s information technology director stated that the information technology department reviews only newly hired or terminated employees’ access rights and that the previous database administrator did not complete audit log reviews.

Recommendations

  1. MWCC should ensure that its Enterprise-Wide Risk Management Internal Control Manual is updated and approved annually.
  2. MWCC should ensure that its Enterprise-Wide Risk Management Internal Control Manual has a formalized identification and authentication policy that outlines password complexity requirements.
  3. MWCC should conduct and document user access reviews at least twice a year.
  4. MWCC should ensure that it reviews the system’s audit log on a regular basis.

Date published: December 27, 2024
