Office of the State Auditor

Other Matters: Berkshire Community College Needs To Strengthen Its Information Technology General Controls.

Not having adequate access controls could compromise the security and integrity of sensitive BCC data.


Overview

During our review of Colleague’s information technology general controls, we identified a number of issues that warrant attention from Berkshire Community College (BCC). These issues concerned incomplete or missing Access Request Forms;7 user access rights that were inconsistent with employees’ job functions; a lack of evidence of background checks for system users; continued system access for terminated employees; and a lack of password complexity, user lockouts after unsuccessful login attempts, and session lockouts for inactivity.

We identified 31 BCC employees with user access to Colleague in the Administration and Finance Division and Student Financial Services Office, 25 of whom were active throughout the audit period and 6 of whom were terminated during the audit period.

1. Evidence of Access Rights Approval

We requested the Access Request Forms for 5 of the 25 active users to determine whether employees’ access rights were properly authorized. In our review, we found that 2 users were missing an Access Request Form, 1 user’s Access Request Form did not contain the required supervisor’s signature authorizing the access, and 1 user’s access did not correspond to their Access Request Form.

Not having adequate access controls could compromise the security and integrity of sensitive BCC data.

Section 6.1 of the Executive Office of Technology Services and Security’s (EOTSS’s) Access Management Standard IS.003 states,

6.1.4.3  User access requests shall be recorded (paper or tool-based) and approved by the requestor’s supervisor. . . .

6.1.5.1  Access Authorization: The Information Owner or Information Custodian shall verify that the type of access requested is required for the user’s role and responsibilities.

BCC should ensure that Access Request Forms include the appropriate supervisor’s approval and should periodically review user access to ensure that user permission rights correspond to the system access level appropriate to each employee’s position.

2. Evidence of Background Check

We requested evidence of criminal background checks for 5 of the 25 active users to determine whether BCC performed such checks for all system users. In our review, we found that none of the 5 active users selected had criminal background checks performed.

Not performing criminal background checks could give individuals with criminal records access to personally identifiable information or other restricted system data.

The National Institute of Standards and Technology recommends screening all personnel before they are given access to an agency’s systems (control PS-3, Personnel Screening, in NIST Special Publication 800-53).

BCC should perform criminal background checks on all personnel before giving them access to its computer systems.

3. Evidence of Promptly Terminated Access Privileges

We requested evidence of promptly terminated access privileges for 2 of the 6 users who left BCC during the audit period and found that 1 user account was not deactivated upon termination or after 90 days of inactivity.

Not immediately deactivating terminated employees’ access rights increases the risk of unauthorized access to student and employee information. BCC should ensure that all terminated employees’ access rights are removed immediately and that all accounts are deactivated after 90 days of inactivity.

Section 6.1.7.2.1 of EOTSS’s Access Management Standard IS.003 states, “Login accounts inactive for 90 days must be disabled.”
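The two conditions in this finding (an account still enabled after the employee’s termination date, and an account with no login in the last 90 days) can be checked mechanically against an account export. The following is an added example written for this page, not code from the audit or from BCC; the field names, the sample records and the review date are assumptions made for the example.

```python
"""Added example (not from the OSA report or BCC): a user-access review that
applies the two criteria of finding 3 to a constructed account export:
(1) accounts still enabled on or after the employee's termination date, and
(2) enabled accounts with no login in the last 90 days (IS.003 6.1.7.2.1).
Field names, sample records and the review date are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INACTIVITY_LIMIT = timedelta(days=90)  # IS.003 6.1.7.2.1
AS_OF = date(2022, 6, 30)              # assumed review date for the sample


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    created: date
    last_login: Optional[date]          # None: the account has never logged in
    terminated: Optional[date] = None   # None: still employed


def review_accounts(accounts, as_of):
    """Return (username, finding) tuples for accounts that violate either
    criterion. An account that has never logged in is measured from its
    creation date, so a never-used account cannot hide from the check."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # already disabled; nothing to flag
        if a.terminated is not None and a.terminated <= as_of:
            findings.append((a.username, "enabled after termination on %s" % a.terminated))
            continue  # one finding per account is enough for the report
        reference = a.last_login or a.created
        idle = as_of - reference
        if idle > INACTIVITY_LIMIT:
            findings.append((a.username, "inactive for %d days" % idle.days))
    return findings


# Constructed sample export; not real BCC data.
SAMPLE = [
    Account("ajones", True,  date(2021, 1, 4), date(2022, 6, 20)),
    Account("bsmith", True,  date(2021, 1, 4), date(2022, 2, 1)),                      # idle > 90 days
    Account("ckim",   True,  date(2021, 1, 4), date(2022, 5, 15), date(2022, 5, 31)),  # terminated, still enabled
    Account("dlee",   False, date(2021, 1, 4), date(2022, 1, 10), date(2022, 1, 14)),  # correctly disabled
    Account("enew",   True,  date(2022, 2, 1), None),                                  # never logged in
]

if __name__ == "__main__":
    for user, finding in review_accounts(SAMPLE, AS_OF):
        print(f"{user}: {finding}")
```

Run against the sample as of 2022-06-30, the review flags bsmith and enew for inactivity (149 days) and ckim for remaining enabled after termination; dlee is skipped because it was disabled. In practice the termination date would come from the HR system and the last-login date from the application or directory, which is exactly the HR-to-IT cross-check the auditee describes in its response.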

4. Evidence of Password Complexity Requirement or Automated Session Lock

We requested BCC’s policies on password complexity and on the number of failed login attempts and duration of user inactivity that would trigger an automated lockout of the system. BCC told us that it did not have policies for password complexity, user lockout after failed login attempts, or user lockout after inactivity.

A lack of adequate access controls, or having inappropriate permissions, could compromise the security and integrity of sensitive BCC data.

Section 6 of EOTSS’s Access Management Standard IS.003 provides the following guidance:

Commonwealth agencies and offices shall document and implement proper user identification and authentication processes, including . . .

6.2.8     Access attempts shall be limited by locking [user access] after no more than five (5) failed login attempts. . . .

6.3.3     Workstations left unattended for extended periods of time must be locked or logged off. . . .

6.4  Password Management

Commonwealth Executive Offices and Agencies must ensure that systems and processes to manage the enforcement of password controls for access to the network, operating systems, databases or applications shall be interactive and require strong passwords.

6.4.1           Passwords shall be configured securely using complexity and expiration requirements, as follows:

6.4.1.1  User passwords must be a minimum of twelve (12) characters and contain three (3) of the following four (4) characteristics:

6.4.1.1.1.    Special characters (e.g., ’ , %, $, #)

6.4.1.1.2.    Numerical characters (e.g., 1, 2, 3)

6.4.1.1.3.    Alphabetic characters (e.g., a, b, c)

6.4.1.1.4.    Combination of uppercase and lowercase letters

BCC should implement procedures that require password configuration that complies with EOTSS’s Access Management Standard IS.003, lock users out after failed login attempts, and lock the system or log users out after a period of inactivity.
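Two of the IS.003 requirements quoted above are precise enough to implement directly: the 12-character, three-of-four-classes password rule (6.4.1.1) and lockout after no more than five failed login attempts (6.2.8). The following is an added example for this page, not code from the audit, EOTSS or BCC; the lockout duration, the demonstration user and the sample passwords are assumptions, since the quoted standard sets no lockout period.

```python
"""Added example (not from the OSA report, EOTSS or BCC): a password-complexity
check implementing IS.003 6.4.1.1 (at least 12 characters and at least 3 of the
4 character classes) and a failed-login throttle implementing 6.2.8 (lock after
5 consecutive failures). LOCKOUT, the demo user and the sample passwords are
assumptions made for this example."""
import string
from datetime import datetime, timedelta

MIN_LENGTH = 12                  # 6.4.1.1
MIN_CLASSES = 3                  # 3 of the 4 classes listed in 6.4.1.1.1-6.4.1.1.4
MAX_FAILURES = 5                 # 6.2.8: lock after no more than five failed attempts
LOCKOUT = timedelta(minutes=30)  # assumed; the quoted IS.003 text sets no duration


def character_classes(password):
    """Return the set of IS.003 character classes present in the password."""
    classes = set()
    if any(c in string.punctuation for c in password):
        classes.add("special")                       # 6.4.1.1.1
    if any(c.isdigit() for c in password):
        classes.add("digit")                         # 6.4.1.1.2
    if any(c.isalpha() for c in password):
        classes.add("alpha")                         # 6.4.1.1.3
    # Class 4 is a *combination* of cases, so both must be present to count.
    if any(c.islower() for c in password) and any(c.isupper() for c in password):
        classes.add("mixed_case")                    # 6.4.1.1.4
    return classes


def meets_is003(password):
    """True if the password satisfies 6.4.1.1: length and three-of-four classes."""
    if len(password) < MIN_LENGTH:
        return False
    return len(character_classes(password)) >= MIN_CLASSES


class LoginThrottle:
    """Counts consecutive failures per user and refuses attempts while locked."""

    def __init__(self):
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> datetime at which the lock expires

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record(self, user, success, now):
        """Record one attempt; return "locked", "ok" or "failed"."""
        if self.is_locked(user, now):
            return "locked"  # refused before the credential is even evaluated
        if success:
            self.failures.pop(user, None)
            self.locked_until.pop(user, None)
            return "ok"
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT
            self.failures.pop(user, None)  # counter restarts once the lock expires
            return "locked"
        return "failed"


def demo_lockout():
    """Five wrong passwords, then a correct one while still locked, then a
    correct one after the lock expires. Returns the list of outcomes."""
    throttle = LoginThrottle()
    t0 = datetime(2022, 7, 6, 9, 0)  # assumed timestamp for the demonstration
    results = []
    for i in range(MAX_FAILURES):
        results.append(throttle.record("ajones", False, t0 + timedelta(seconds=i)))
    results.append(throttle.record("ajones", True, t0 + timedelta(minutes=1)))
    results.append(throttle.record("ajones", True, t0 + LOCKOUT + timedelta(minutes=1)))
    return results


if __name__ == "__main__":
    for pw in ("Summer2022!!", "summer2022!!", "Summer22!", "summertime2022"):
        print(f"{pw!r}: classes={sorted(character_classes(pw))} ok={meets_is003(pw)}")
    print(demo_lockout())
```

Note that "summer2022!!" passes (special, digit, alpha: three classes) while "summertime2022" fails with only two, and that a correct password submitted during the lock is still refused. Two caveats a practitioner would add: the lockout counter should be keyed so that an attacker cannot lock out arbitrary users at will (a rate limit per source address alongside the per-user count), and the composition rule here mirrors IS.003 as quoted, whereas NIST SP 800-63B advises verifiers against mandatory composition rules in favour of length and screening against known-breached passwords.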

Additionally, BCC should update its internal control plan (ICP) to incorporate a section on information system controls to reduce the risk of information technology general control issues.

Auditee’s Response

  • The College is instituting a policy and putting procedures in place to review documentation during onboarding and offboarding (and any changes in position) to ensure that personnel permissions correspond with system access requirements for the position. By April 2023, Colleague will be re-implemented with new roles, responsibilities, and personas that will correspond with security level access. These roles, responsibilities, and personas will be tied to positions by Human Resources and cross checked by IT (Information Technologies). Quarterly, these assignments will be reviewed for accuracy. . . .
  • This September (2022), the College will require that new hires complete a [Criminal Offender Record Information, or CORI] form. We are exploring our ability to implement CORI with current employees, which may be complicated by existing collective bargaining agreements. . . .
  • On July 5, 2022, passwords on College technology accounts require reset at 90 days. If they are not reset by the user the account becomes inactive. . . .
  • On July 6th, the College instituted . . . a screen lock after 15 minutes of inactivity. . . .
  • BCC will update its internal control plan by incorporating an information system control section that will be developed through the BCC Strategic Plan.

Auditor’s Reply

Based on its response, BCC is taking measures to address our concerns on this matter. BCC should also update the relevant section of its ICP to incorporate user lockout after no more than five failed login attempts.

7.    This is a form that management completes to authorize system access that is appropriate for a user. It is also used to request modification of a user’s access rights.

Date published: August 30, 2022
