UCSB Audit and Advisory Services Internal Audit Report Student Information System (SIS) Modernization Project Limited Scope Progress Review

Transcription

1 Internal Audit Reprt Student Infrmatin System (SIS) Mdernizatin Prject Limited Scpe Prgress Review July 1, 2014 Perfrmed by: Antni Manas-Melendez, Senir Auditr Apprved by: Rbert Tarsia, Directr Reprt N

2 This page intentinally left blank.

3 University f Califrnia, Santa Barbara BERKELEY DAVIS IRVINE LOS ANGELES MERCED RIVERSIDE SAN DIEGO SAN FRANCISCO SANTA BARBARA SANTA CRUZ July 1, 2014 AUDIT AND ADVISORY SERVICES SANTA BARBARA, CALIFORNIA Tel: (805) Fax: (805) T: Bill McTague Executive Directr f Resurce Planning, IT, and Sustainability Student Affairs Lubmir Bjilv Executive Directr & CTO, Student Infrmatin Systems & Technlgy Re: Student Infrmatin Systems (SIS) Mdernizatin Prject Limited Scpe Prgress Review Audit Reprt N As part f the annual audit services plan, Audit and Advisry Services has cmpleted a limited scpe prgress review f the University f Califrnia, Santa Barbara (UCSB) Student Infrmatin System (SIS) Mdernizatin Prject. Enclsed is the reprt detailing the results f ur review. The purpse f this audit included a review f selected areas relevant t the prject frm February 2013 t February 2014, as well as fllw-up f related issues frm a fiscal year audit f infrmatin security. Our bjectives included determining if the prject s rganizatinal structure and cmmunicatin effrts are in cmpliance with UC Plicy BFB IS-10, Systems Develpment Standards, and whether the prject is in cmpliance with selected prvisins f University f Califrnia (UC) Plicy BFB IS-3, Electrnic Infrmatin Security. We als assessed the prgress f management crrective actins taken t address previus audit findings frm the fiscal year audit f infrmatin security. The results f ur wrk disclsed n significant weaknesses in cmpliance with relevant UC plicies. We did identify pprtunities t imprve the perceived accuracy f prject cst reprting, and t enhance versight and gvernance f the prject by frmalizing a steering cmmittee charter, bradening steering cmmittee membership, and imprving cmmunicatin with campus stakehlders. Our review als fund that there has been significant prgress n the issues identified in ur previus audit f infrmatin security, althugh these prir recmmendatins have nly been partially addressed due t the cmplexity f the relevant actin plan and ther prject pririties. Detailed bservatins and management crrective actins are included in the fllwing sectins f the reprt. The management crrective actins prvided indicate that each audit bservatin was given thughtful cnsideratin and psitive measures have been taken r planned in rder t implement the management crrective actins. The cperatin and assistance prvided by Student Infrmatin Systems & Technlgy and ther persnnel during the review was sincerely appreciated. If yu have any questins, please feel free t cntact me.

4 Bill McTague Lubmir Bjilv July 1, 2014 Page 2 f 2 Respectfully submitted, Rbert Tarsia Directr Audit and Advisry Services Enclsure cc: Chancellr Henry Yang Vice Chancellr fr Student Affairs Michael D. Yung Senir Assciate Vice Chancellr Marc Fisher UCSB Audit Cmmittee Senir Vice President and Chief Cmpliance and Audit Officer Sheryl Vacca Student Infrmatin Systems & Technlgy James Kinneavy, Directr, Strategic Architecture & Platfrm Integratin Services Diana Antva, Directr, Data Services & Business Systems Supprt.

5 Audit Reprt N PURPOSE This audit was a limited scpe prgress review f the Student Infrmatin Systems (SIS) Mdernizatin Prject. The riginal purpse f this audit was t review the status f the refinement and ther tasks scheduled fr the perid after Phase 1 f the prject (SIS Cnversin). Due t delays in initiating ur audit, we revised ur purpse t include a review f selected areas relevant t the prject frm February 2013 t February 2014, as well as fllw-up f related issues frm a fiscal year audit f infrmatin security. This audit is part f the fiscal year audit services plan f University f Califrnia, Santa Barbara (UCSB) Audit and Advisry Services. SCOPE, OBJECTIVES AND METHODOLOGY The scpe f the review was limited t activities and infrmatin related t the SIS Mdernizatin Prject, frm the end f Phase 1 in February 2013, thrugh February 2014, alng with related issues frm a fiscal year audit f infrmatin security. Our audit bjectives included the fllwing: Perfrm a prject risk assessment t gain an understanding f the current state f the prject thrugh a review f existing prject dcumentatin and interviews with Student Infrmatin Systems and Technlgy (SIS&T) managers and technical persnnel. The purpse f this risk assessment was t identify and priritize key prject risk areas fr additinal analysis and audit effrts. Determine if the prject s rganizatinal structure and cmmunicatin effrts are in cmpliance with University f Califrnia (UC) Plicy BFB IS-10, Systems Develpment Standards (Plicy IS-10) and best practices. Determine if the prject is in cmpliance with selected prvisins f UC Plicy BFB IS-3, Electrnic Infrmatin Security (Plicy IS-3). Assess the prgress f management crrective actins taken t address previus audit findings frm a fiscal year audit f infrmatin security; these issues invlved user access cntrls and review f privileged user activity. T accmplish ur bjectives, ur detailed wrk included interviews, direct bservatins, review f dcumentatin, and ther steps: Review f UC plicies related t system develpment and security: BFB-IS-2, Inventry, Classificatin, and Release f University Electrnic Infrmatin (Plicy IS-2) BFB IS-3, Electrnic Infrmatin Security (Plicy IS-3) BFB IS-10, Systems Develpment Standards (Plicy IS-10) Review f prject dcumentatin available as f February 6, 2014, including the prject plan, cmmunicatin plan, prject status reprts, prcedures, guidelines, relevant cntracts, and varius ther plans, reprts, and dcuments prvided by SIS&T. 1

6 Interviews with SIS&T managers and technical persnnel invlved with the prject and participatin in a prject steering cmmittee meeting. Review f prject steering cmmittee cmpsitin and cmmunicatin effrts, and cmparisn with Plicy IS-10 requirements and best practices. A detailed review in tw areas selected based n ur risk assessment, backup prcesses and security patch management practices, fr cmpliance with Plicy IS-3. This audit was cnducted in cnfrmance with the Internatinal Standards fr the Prfessinal Practice f Internal Auditing. BACKGROUND Replacement f the legacy student registratin and admissins systems was planned fr a number f years. In early 2007, an SIS Strategic Planning grup was frmed t analyze the risks assciated with the aging student systems and suggest alternatives fr replacement. One f the primary drivers fr the prject was the need t migrate the systems due t the bslescence and planned replacement f the campus mainframe. In 2008, an initial decisin t replace SIS with a new, externally-purchased system was abandned after determining that it wuld be cst prhibitive t fully adapt/integrate the current SIS structure with the selected system platfrm. Management subsequently decided t cnvert the systems t a mdern platfrm, utilizing external vendrs and a divisin f technical persnnel. The first phase f the prject invlved the cnversin f 18 student infrmatin systems used by the Student Affairs Divisin, academic and ther campus administrative ffices, and current and prspective UCSB students. The verall prject is currently divided int three phases: Phase 1 - SIS Cnversin: This phase invlved the migratin f the existing cre mainframe-based (Natural/Adabas) Student Registratin and Recrds, Admissins, and Graduate Divisin systems t a Micrsft technlgy (.NET / SQL Server). The SIS Cnversin phase started in February 2011 and was cmpleted in February After the cnversin, the new applicatins were accessible thrugh a web interface. Phase 2 - SIS Stabilizatin: This phase was nt in the riginal prject plan, but was incrprated int the prject at the end f Phase 1. Due t the cyclical nature f UCSB business, this perid allwed the prject team t use the cnverted applicatins fr ne year while clsely mnitring system perfrmance, and t reslve any issues that arse. In additin, additinal services, infrastructure, security enhancements, and interfaces were implemented t make the system cmpletely functinal, and t imprve the server envirnment and deplyment prcess. The SIS Stabilizatin phase started in February 2013 and was cmpleted in February Table 1 utlines the main Phase 2 milestnes. 2

7 Table 1 Timetable fr Key Milestnes/Tasks February 2013 t February 2014 Milestne/Task Initial Prjected Start Date Initial Prjected End Date Actual Start Date Actual End Date Admissin System Stabilizatin 2/19/13 2/28/14 2/19/13 2/28/14 Registrar Systems Stabilizatin 2/19/13 11/28/14 2/19/13 2/28/14 Graduate Divisin Systems Stabilizatin 2/19/13 2/28/14 2/19/13 2/28/14 Financial Aid System Stabilizatin 2/19/13 2/28/14 2/19/13 2/28/14 Cmmn Cmpnents and Services 2/19/13 2/28/14 2/19/13 2/28/14 Infrastructure and Security Imprvements 2/19/13 2/28/14 2/19/13 2/28/14 Data Services 4/22/13 2/28/14 2/22/13 2/28/14 Security and External Data Integratin 12/18/13 2/28/14 12/18/13 2/28/14 Surce: Auditr Analysis f SIS Mdernizatin Prject Plans thrugh February Phase 3 - SIS Mdernizatin: This phase is fcused n develping and implementing services, cmpnents, and applicatin infrastructure that are critical fr the success f the prject. The SIS Mdernizatin phase started in February 2014 and will be cmpleted in February 2015, with additinal prject wrk required at least thrugh mid Phase 3 includes the fllwing prjects: Online Prtal/SSO Service-Oriented Applicatin Infrastructure Business Wrklad Autmatin Business Prcess Autmatin Deplyment Autmatin Architecture Imprvements Web Applicatin Infrastructure Imprvements Prject Csts Table 2 summarizes actual and prjected csts ver the life f the prject. As f January 2014, the ttal prject cst was estimated at $14.3 millin. The ttal estimated cst includes $6.9 millin in estimated internal csts, an estimate that has remained the same since the time f ur last review in fiscal year Accrding t SIS&T, the estimate was perfrmed at the beginning f the prject fr internal resurce planning purpses nly. SIS&T indicated t us that it is nt critical r cst-effective t fully track internal csts related t this prject, due t the cmplexity f the student infrmatin systems; thusands f interfaces and relatinships with ther applicatins, data repsitries, and prcesses; utilizatin f divisin-wide shared infrastructure, technical peratins supprt, technical resurces, and prfessinal expertise; and required changes and enhancements, sme f which 1 Internal csts include payrll and benefits f internal persnnel wrking n the prject. 3

8 have been dictated by changing internal and external requirements, including mandates frm UC Office f the President (UCOP). Steering Cmmittee The Prject Steering Cmmittee fr Phase 1 was respnsible fr the establishment, review, and apprval f the prject budget and mdificatins, and any significant changes in prject status and use f prject resurces. This cmmittee included 17 members frm different campus departments, nine f whm were Student Affairs persnnel. Fr Phase 3, the newly refrmulated Mdernizatin Steering Cmmittee is cmpsed f 11 members, 10 f whm are Student Affairs persnnel. Table 2 SIS Mdernizatin Prject Csts Cst Categry FYs Cumulative FY (Estimated) FY (Estimated) Planning $ 40,000 $ 30,000 $ 0 Infrastructure 414, , ,000 Licensing 133, , ,500 IT Service Vendrs 2,672,877 25,000 0 Additinal Staff/Backfills 1,590, , ,659 Travel/Training 76,387 25,000 15,000 Supplies/Materials 83,537 10,000 10,000 Cntingency (10-20%) 0 155, ,032 Subttal $ 5,011,135 $ 1,190,433 $ 1,182,191 Estimated SIS Mdernizatin Prject External Csts $ 7,383,759 Internal Csts $3,220,097 $ 1,927,500 $ 1,760,625 1 Ttal Internal (Admin/IT Staff) Csts $6,908,222 2 Prject Csts Ttal: $14,291,981 Surce: Auditr Analysis 1 This value is based n estimates at the beginning f the prject. 2 Fr purpses f cmparisn t prject csts reprted previusly, additinal SIS mdernizatin csts f $832,364 fr fiscal years and , incurred prir t the applicatin cnversin phase, were nt included in this ttal. Including these csts brings the prject csts ttal t $15,124,345. 4

9 SUMMARY OPINION The results f ur wrk disclsed n significant weaknesses in cmpliance with relevant UC plicies. We did identify pprtunities t imprve the perceived accuracy f prject cst reprting, and t enhance versight and gvernance f the prject by frmalizing a steering cmmittee charter, bradening steering cmmittee membership, and imprving cmmunicatin with campus stakehlders. Our review als fund that there has been significant prgress n the issues identified in ur previus audit f infrmatin security, althugh these prir recmmendatins have nly been partially addressed due t the cmplexity f the relevant actin plan and ther prject pririties. Audit bservatins and management crrective actins are detailed in the remainder f the audit reprt. 5

10 DETAILED OBSERVATIONS AND MANAGEMENT CORRECTIVE ACTIONS A. Validate Internal Cst Estimate As described in the Backgrund sectin f this reprt, the estimated ttal cst f this prject includes $6.9 millin in internal csts, an estimate that has remained the same fr several years. Accrding t SIS&T, the estimate was perfrmed at the beginning f the prject fr internal resurce planning purpses nly. SIS&T indicated t us that it is nt critical r cst-effective t fully track internal csts n an nging basis, because csts were carefully and fully defined befre the implementatin phase. Plicy IS-10 requires estimates fr the time needed fr administrative cmputing department staff n a prject, and sund prject management practices require nging mnitring f time and prject csts. Fr these reasns, and because the estimated internal csts are substantial, representing 48% f the ttal estimated prject cst f $14.3 millin, it wuld be prudent t validate the existing estimate. We understand that a current estimate f internal csts may actually be lwer than the existing figure. Regardless, the perceived accuracy f prject cst reprting wuld be enhanced by including a recently validated, updated estimate fr internal csts. Management Crrective Actins T ensure that ur prject cst reprting is seen as cmpletely accurate; Student Affairs will review ur estimate fr internal csts and update ur reprting, if needed. Audit and Advisry Services will fllw up n the status f this issue by September 30, B. Enhancing SIS Mdernizatin Prject Oversight and Gvernance 1. A Steering Cmmittee with Brader Representatin Our audit identified pprtunities t enhance versight and gvernance f the prject. Frmalizing a Charter It is ur understanding that a steering cmmittee charter has nt been frmally dcumented. Withut a frmally dcumented charter, the prject s steering cmmittee may be limited in its ability t prvide apprpriate guidance, directin, and versight. Ging frward, a frmalized charter wuld define the purpse, bjectives, and rles f the Prject Steering Cmmittee and its members, and wuld detail the required cmmitment and decisin-making respnsibilities f cmmittee members. Steering Cmmittee Size and Cmpsitin Fr large prjects, Plicy IS-10 recmmends having a high-level steering cmmittee cmpsed f senir-level management fr functinal ffices, the administrative cmputing department, and internal audit, if apprpriate. 6

11 As discussed in the Backgrund sectin, the Prject Steering Cmmittee fr Phase 1 and Phase 2 was cmpsed f 17 members frm different campus departments. Althugh nine f the cmmittee members were Student Affairs persnnel, the cmmittee included fairly brad representatin f central IT departments and ther stakehlders. Fr Phase 2 and Phase 3, the newly frmulated Mdernizatin Steering Cmmittee is cmpsed f 11 members, 10 f whm are Student Affairs persnnel. Central IT departments are nt represented, and nly ne member is frm anther stakehlder grup. Table 3 Steering Cmmittee Membership Phase 1 & 2 Phase 3 Student Affairs 9 10 Central IT Departments 3 0 Other Stakehlders 5 1 TOTAL Surce: Auditr Analysis T help ensure adequate visibility and supprt fr this critical campus prject, Student Affairs shuld cnsider brader representatin, including members frm central IT departments and ther stakehlder units. Management Crrective Actins The steering cmmittee had brad campus invlvement fr Phase I, and participatin naturally cntracted when the prject entered Phase II (bug fix and stabilizatin). Phase III is primarily abut creating infrastructure and architecture that will supprt future grwth f student infrmatin systems. As such, Phase III mstly des nt include student r facultyfacing capabilities and, therefre, the interest grup fr this is very narrw. Where apprpriate, we are including brader representatin. Fr example, the effrt t imprve isis screens will include a fcus grup with campus-level representatin. Audit and Advisry Services will fllw up n the status f this issue by September 30, Imprving Transparency and Cmmunicatin We fund that SIS&T has implemented prject cmmunicatin prcesses that are effective verall. We als fund, hwever, that cmmunicatin prcesses have recently been fcused largely n peratinal activities and internal cmmunicatin fr prject team members, and have nt included enugh timely infrmatin fr the campus cmmunity. Fr example, the prject status cannt currently be determined frm SIS&T's website, which was nt updated frm December 2012 t January

12 At the time f ur review, the website cntent included: The SIS&T Prtfli Prjects and SIS&T Accmplishments Reprt frm fiscal year An rganizatinal chart that des nt include the names f SIS&T persnnel, and dated steering cmmittee membership infrmatin frm Phase 1 f the prject. The SIS Mdernizatin Prject is a strategic prject fr the UCSB. As Phase 3 prgresses, there are pprtunities t imprve the effectiveness f cmmunicatins t ensure that the campus cmmunity is infrmed f prject gals and achievements. We recmmend that SIS&T imprve campus-wide cmmunicatin thrugh: Mre frequent cmmunicatins t the campus, pssibly as part f a mre rbust cmmunicatin plan. An updated website that includes current prject reprting, rganizatinal infrmatin, and steering cmmittee membership. Management Crrective Actins Fr Phase III, SIS&T will update the prject website quarterly with infrmatin n prject status, milestnes, and issues. We will cmmunicate accrdingly when there are any develpments r issues that culd have a brad campus impact; hwever, because f the narrw technical fcus f the prject at this pint, there is n need fr a frmal campus cmmunicatin plan. Audit and Advisry Services will fllw up n the status f this issue by September 30, C. UC Plicy IS-3 Cmpliance Requirements and Best Practices Our review fund full cmpliance with Plicy IS-3 requirements fr backup prcesses and patch management practices. The verall purpse f ur wrk was t cnfirm that prject activities incrprate the prper maintenance and data recvery measures and patch management practices, as required by Plicy IS-3. Table 4 summarizes ur findings. 1. Backup Prcess Plicy IS-3 requires that system administratin practices include rutine backup f applicatins and data. T evaluate cmpliance with this requirement, we determined whether: A backup plicy has been dcumented and includes retentin perid requirements. Backup cpies f essential data fr disaster recvery purpses are stred at an ffcampus site. Backups are encrypted befre they are sent ff campus. Recvery tests have been regularly perfrmed. There are sufficient resurces fr emergency planning and disaster recvery. Other related requirements are met. 8

13 We fund that the prject s backup prcesses meet relevant requirements, and shuld ensure that there are adequate prtectins fr data and its cnfidentiality. 2. Patch Management Practices Plicy IS-3 requires that systems persnnel timely update versins f the perating system and applicatin sftware fr which security patches are made available, in cnfrmance with change management prcesses and campus minimum standards. We evaluated whether: The firewall perating system is the newest versin, r the installed versin des nt have any critical vulnerabilities. Patch management prcedures have been dcumented. Patch management practices can identify if annunced security patches have been installed. Scans f vulnerabilities are perfrmed regularly. Table 4 UC Plicy IS-3 Cmpliance Area Backup Prcess Patch Management Practices Surce: Auditr Analysis Tested Backup Plicy Backup Stred at Off-campus Site Backups Encrypted Data Recvery Tests Patch Management Prcedure Security Patches in Servers Firewall Withut Vulnerabilities Scan f Vulnerabilities We fund that SIS&T uses Windws Sftware Update Server (WSUS) t manage Student Affairs server updates, and that the prcess is dcumented in a brief prcedure. N significant issues were bserved in the status f server updates. We als fund that the firewall did nt yet have the last perating system versin installed; hwever, n critical vulnerabilities have been identified related t the current perating system, and SIS&T plans t update the perating system when apprpriate. We als fund that patch management prcesses are reasnable, and can identify and update critical security patches in a timely manner. 9

14 D. Status f Issues Addressed in Previus Audits Our IS-3 Electrnic Infrmatin Security audit included tw recmmendatins related t user access reviews acrss registratin systems and activity lgs f system administratrs. Based n the result f ur review, we fund that actin plans are in place and there has been significant prgress n the issues addressed. Hwever, bth recmmendatins are nly partially addressed due t the cmplexity f the actin plan and ther prject pririties. Table 5 summarizes the status f the issues. Table 5 Status f Management Crrective Actins Finding Title Status Activities in Prgress Autmatin f Audit Lgs, Reprting and Wrkflw Review User Access Reviews Nt Perfrmed Partially Implemented Develping a Crss-Reference Between Campus Identity Manager and SIS Active Directry Lack f Administrative/ Privileged User Activity Lg Reviews Partially Implemented Implementatin f Audit Tl Centralizing Netwrk and Server Access Lgs Surce: Auditr Analysis 1. User Access Reviews Nt Perfrmed Our audit fund that supervisrs r ther emplyees with respnsibilities fr security did nt peridically review the system administratin wrk f persnnel with access t privileged accunts, as required by Plicy IS-3. Since that time, SIS&T has taken steps t address this issue, including: Cllecting and verifying user privileges n database servers. Updating inactive and disabled SIS Active Directry accunts. 2 Reviewing key administrative functins and adjusting user grups. Develping a basic framewrk fr cmmn rles and privileges. Evaluating prducts fr auditing and reprting privileges fr the SIS&T Active Directry, SIS server file systems, and SIS databases. Starting the autmatin f change identificatin in emplyee status r department assignment. Selectin f an auditing tl. 2 The SIS Active Directry is a central repsitry that cntains user IDs and user permissins fr identity management fr SIS applicatins. 10

15 The fllwing additinal activities in the actin plan are in prgress: Autmating auditing, reprting, and wrkflw. Develping an interface between the campus identity management system and the SIS Active Directry. 2. Lack f Administrative / Privileged User Activity Lg Reviews Our audit fund that lgs f administrative/privileged user activity were nt being perfrmed. These reviews are necessary t ensure that nly authrized individuals are granted access, and that activity is apprpriate. As required by Plicy IS- 3, user access reviews shuld be perfrmed n a regular basis thrugh the review f access lists that are generated by the relevant IT rganizatin. It is ur understanding that the prject team is addressing these issues at this time. Since the time f ur audit, SIS&T has evaluated several prducts t assist in this prcess, and has temprarily installed an evaluatin versin f ne f them t better understand the capabilities and management impact. SIS&T is als currently cnsidering an auditing tl t centralize the review f SIS netwrk and SIS server access lgs. Management Crrective Actins 1. User Access Reviews Nt Perfrmed Since the last fllw-up n this issue by Audit and Advisry Services, SIS&T has cntinued t make prgress n this issue. We have: Selected an Active Directry auditing tl, which will be implemented during the summer f Perfrmed an extensive review and cleanup f Active Directry accunts, including privileged access, during the year. An autmated reprt f emplyee separatins and ther departmental changes is under develpment, and will be cmpleted by the end f the summer f An autmated wrkflw fr emplyee de-prvisining is planned, but is n hld due t ther prject pririties. It is currently in ur prject backlg awaiting priritizatin. 2. Lack f Administrative / Privileged User Activity Lg Reviews The SIS&T team met n several ccasins in the late 2013, early 2014 t discuss appraches. Actin n this was deferred pending a selectin f an Active Directry auditing tl t determine what level f functinality might be available via the selected tl. It was determined that the selected tl des nt currently meet this need. Lg centralizatin is the first step t enable this type f auditing and is currently in the prject backlg queue awaiting priritizatin. Audit and Advisry Services will fllw up n the status f this issue by January 31,