University of Massachusetts Amherst - Other Matters 3

The University of Massachusetts Amherst does not maintain a full site map of its umass.edu website.


Overview

During our audit, we determined that UMass Amherst does not keep a full and complete inventory of the number of webpages and web addresses on the umass.edu website. As part of our audit procedures, we selected a random sample of 20 webpages from UMass Amherst’s website and attempted to trace the uniform resource locators (URLs) and page titles to the site map we received to ensure that there was a complete and accurate population of URLs on the site map. We were unable to trace 13 webpages from UMass Amherst’s website to the site map provided by UMass Amherst management. We asked UMass Amherst management about this and were told that, due to the decentralized administration of UMass Amherst’s website, UMass Amherst management was unable to provide a site map that listed all the URLs on the UMass Amherst website.

If UMass Amherst does not have a complete inventory of webpages for its umass.edu website, then it exposes itself to an increased risk of being unable to track or manage the webpages under the umass.edu domain. This can cause users to be provided with out-of-date and inaccessible information. It is significantly more difficult for UMass Amherst to maintain webpages that are not actively tracked by university personnel.

Authoritative Guidance

The National Institute of Standards and Technology SP 800-53 Revision 5 [19] states,

CM-8 SYSTEM COMPONENT INVENTORY  

Control:

  1. Develop and document an inventory of system components that:
    1. Accurately reflects the system;
    2. Includes all components within the system;
    3. Does not include duplicate accounting of components or components assigned to any other system;
    4. Is at the level of granularity deemed necessary for tracking and reporting; and
    5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and
  2. Review and update the system component inventory [Assignment: organization-defined frequency].

Reasons for Issue

While UMass reports that it is moving toward a more centralized model so that the umass.edu website can be more uniform, it currently operates a largely decentralized website with each department responsible for maintaining its own website and content. In addition, there is a lack of proactive management oversight and governance. Specifically, UMass Amherst did not implement a process to appropriately oversee this decentralized model or ensure departmental accountability for the inventory of accessible websites.

Recommendation

UMass Amherst management should complete an inventory of its umass.edu website and adopt procedures to ensure that it maintains a full list of webpages, while continuing its effort to centralize the administration of the website.

Auditee’s Response

The University will take this recommendation under consideration. It is important to note that during the audit scope period the University proactively managed the oversight and governance of its website and will continue to do so.

Auditor’s Reply

As noted above, we determined during our audit that UMass Amherst does not keep a full and complete inventory of the number of webpages and web addresses on the umass.edu website. If UMass Amherst does not have a complete inventory of webpages for its umass.edu website, then it exposes itself to an increased risk of being unable to track or manage the webpages under the umass.edu domain. This can cause users to be provided with out-of-date and inaccessible information. Given these reasons, we encourage UMass to implement our recommendation in this area.

19.   The National Institute of Standards and Technology provides security and privacy controls used by organizations to protect their operations and assets.

Date published: December 30, 2024
