Overview
While conducting the data reliability assessment as part of our audit objectives, we noted the following issues:
- There were 14 individuals who completed cybersecurity awareness training who were not listed on the human resources list.
- Nicknames (e.g., Bill vs. William or S. vs. Stephen) were used instead of full names in the campus-wide administrative database.
- Some first-name and last-name records were blank or spelled incorrectly.
- There were 28 employees who were missing employee identification numbers on the cybersecurity awareness training list.
- For 4 out of the 25 employees who were terminated, QCC did not terminate their user access.
- For 37 out of the 272 employees who had access to QCC’s campus-wide administrative database and financial system, QCC did not retain authorizations relative to user access to QCC’s financial software.
- QCC did not retain an audit log history for more than 24 hours.
Deficiencies in information system general controls can lead to potential operational issues, which could negatively impact QCC’s reputation, information system security, and/or financial stability.
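The reconciliation checks behind these findings (training-completion list against the HR roster, nickname normalization, blank name fields, missing employee IDs, and terminated employees whose accounts remain enabled), written up as an added Python example that is not part of the audit report; every record, the nickname table and the set of enabled accounts are constructed sample data, not QCC's.

```python
# Constructed sample data (not QCC's records): HR roster rows are
# (employee_id, first, last, status); training rows are (employee_id, first, last).
HR_ROSTER = [
    ("1001", "William", "Smith", "active"),
    ("1002", "Stephen", "Jones", "terminated"),
    ("1003", "Maria", "", "active"),        # blank last name
    ("1004", "Ana", "Lopez", "terminated"),
]
TRAINING_LIST = [
    ("1001", "Bill", "Smith"),              # nickname used instead of full name
    ("", "S.", "Jones"),                    # missing employee ID, initial for first name
    ("", "Pat", "Doe"),                     # not on the HR roster at all
]
ENABLED_ACCOUNTS = {"1001", "1002", "1003"}  # constructed: IDs still enabled in the system

# Constructed nickname/initial table; a real review would use a maintained list.
NICKNAMES = {"bill": "william", "s.": "stephen"}


def canonical(name):
    """Lower-case, trim, and expand known nicknames so Bill matches William."""
    n = name.strip().lower()
    return NICKNAMES.get(n, n)


def reconcile(hr, training, enabled):
    """Return the data-reliability and access exceptions found across the lists."""
    findings = {"missing_id": [], "not_on_hr": [],
                "blank_name": [], "terminated_with_access": []}
    hr_by_id = {row[0]: row for row in hr}
    hr_by_name = {(canonical(row[1]), canonical(row[2])): row for row in hr}
    for emp_id, first, last in training:
        if not emp_id:
            findings["missing_id"].append((first, last))
        # Fall back to a normalized name match when the ID is absent or unknown.
        if emp_id not in hr_by_id and (canonical(first), canonical(last)) not in hr_by_name:
            findings["not_on_hr"].append((first, last))
    for emp_id, first, last, status in hr:
        if not first.strip() or not last.strip():
            findings["blank_name"].append(emp_id)
        if status == "terminated" and emp_id in enabled:
            findings["terminated_with_access"].append(emp_id)
    return findings


if __name__ == "__main__":
    for check, hits in reconcile(HR_ROSTER, TRAINING_LIST, ENABLED_ACCOUNTS).items():
        print(f"{check}: {len(hits)} exception(s) -> {hits}")
```

Each list in the result maps directly to one finding type above, so the counts can be reported as "N out of M" against the size of the corresponding source list.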
Authoritative Guidance
The US Government Accountability Office’s Assessing Data Reliability states, “Completeness refers to the extent to which relevant data records and fields are present and sufficiently populated. Accuracy refers to the extent that recorded data reflect the actual underlying information.” While QCC is not required to follow this policy, we believe it to be a best practice.
Section 6.1 of the EOTSS’s Access Management Policy IS.003, effective October 15, 2018, stated,
6.1.5.3. User access requests will be recorded (paper or tool-based), include a business justification for access, and be approved by the requestor’s supervisor and the appropriate Information Owner or authorized delegate. . . .
6.1.8. Revoke access privileges: Upon a transfer, termination or other significant change to a user’s employment status or role, the user’s previous supervisor is responsible to inform security administration personnel, so they may take appropriate action.
Section 6.1.7.4. of EOTSS’s Logging and Event Monitoring Standard IS.011, effective October 15, 2018, stated, “Retain audit trails for the required retention periods per business, legal or regulatory need. Audit log history must be retained for at least one (1) year, with a minimum of three (3) months immediately available for analysis.”
Reasons for Issue
QCC did not have a policy in place to monitor the accuracy of data, the removal of terminated employees from the data systems, or record retention.
Recommendations
- QCC should revisit and enhance its information systems general controls surrounding the campus-wide administrative database and financial system, as well as human resources records.
- QCC should establish a policy to monitor the accuracy of data, the removal of terminated employees from the data systems, and record retention.
Auditee’s Response
The College seeks to utilize sound and reasonable practices to ensure information systems general controls, database integrity, and accuracy of data contained within databases. The standards for doing so are not those mandated by EOTSS. (Please see Response No. 1 above). The college aspires to follow reasonable and sound industry practices. We strive to adhere to our internal policies and procedures, ensuring compliance with CIS Controls, [the Family Educational Rights and Privacy Act], and in some cases [the Health Insurance Portability and Accountability Act]. During the audit period the College was challenged by the COVID-19 pandemic and its after-effect. As the College and society move toward normal operations, the College is committed to ensuring that its information systems, databases, and employee information and records are secure and accurate.
To continue that effort, [Human Resources (HR)] and [Information Technology] have been collaborating to ensure all user records in our Active Directory system are up-to-date as it pertains to the fields (name, employee ID, etc.) and active status. New processes will help ensure user accounts are promptly removed for offboarded employees. Our cybersecurity training platform, KnowBe4, is getting daily employee account updates from our Active Directory data to ensure the list of active employees is accurate. For Jenzabar CX, QCC has implemented an annual employee review with [the Human Resources Compensation Management System] (state payroll) data to ensure that the employee list matches between the two systems.
During the audit period, there were issues identified regarding cybersecurity training and data integrity at QCC. Fourteen individuals who completed cybersecurity training were not listed on the human resources employee list. These individuals are either Board of Trustee members or emeritus employees who hold a QCC email account but are not actively employed by the college. As they have an active QCC email account, they are required to complete the training.
Additionally, nicknames (e.g., Bill vs. William, or S. vs. Stephen) were used instead of full names in the campus-wide administrative database. Our current policies permit the use of a ‘lived’ name for user accounts and email addresses, with Jenzabar CX and HR records ensuring both names are accurately tracked. Legal name is used when necessary for official documents and signatures. For thirty-seven out of the 272 employees who had access to QCC’s campus-wide administrative database and financial system, QCC did not retain authorizations relative to user access to QCC’s financial software. In the early days of Jenzabar CX, the account creation process leveraged email for tracking. We now have an established process that requires system access authorization from designated individuals, with all requests documented in our ticketing system. Additionally, we will be ensuring back-ups of our KnowBe4 system data to ensure proper retention of those training records.
Lastly, it was noted QCC did not retain an audit log history for more than 24 hours. We found that the CX system does not maintain audit logs for user activity for an acceptable length of time. We will be researching the ability to retain this logging in our current system for up to one year. We are migrating to the new J1 platform in 2026, which will provide much better logging of user activity.
QCC is dedicated to safeguarding the data entrusted to us. The College believes our commitment meets with the spirit of [the Office of the State Auditor’s] concerns in addressing the identified issues. We will enhance procedures to secure information systems and ensure the accuracy of employee information by December 31, 2025. These measures will be implemented within reasonable and effective parameters, methods, and practices, along with necessary training, to maintain secure information systems and accurate employee records.
Auditor’s Reply
QCC states in its response that “fourteen individuals who completed cybersecurity training were not listed on the human resources employee list. These individuals are either Board of Trustee members or emeritus employees who hold a QCC email account but are not actively employed by the college.” To be clear, we noted during our audit that 2 out of the 14 individuals were active employees (one adjunct professor and one staff member).
Overall, based on its response, QCC appears to be taking measures to address our concerns regarding this matter. We reiterate our recommendation that QCC should follow EOTSS policies as a best practice. As part of our post-audit review process, we will follow up on this matter in approximately six months.
Date published: April 4, 2025