Thomas P. DiNapoli, State Comptroller
OFFICE OF THE STATE COMPTROLLER
DIVISION OF STATE GOVERNMENT ACCOUNTABILITY

CITY UNIVERSITY OF NEW YORK

EMPLOYEE ACCESS TO THE STUDENT INFORMATION MANAGEMENT SYSTEM AT SELECTED CAMPUSES

Report 2007-S-23

Audit Objective ...... 2
Audit Results - Summary ...... 2
Background ...... 3
Audit Findings and Recommendations ...... 4
Analysis of SIMS User Listings ...... 4
Recommendations ...... 6
SIMS Password and User Access Controls ...... 6
Recommendations ...... 8
CUNY Central Office Oversight ...... 8
Recommendations ...... 9
Audit Scope and Methodology ...... 9
Authority ...... 10
Reporting Requirements ...... 10
Contributors to the Report ...... 10
Appendix A - Auditee Response ...... 11

AUDIT OBJECTIVE

Our objective was to determine if CUNY’s controls over employee access to the Student Information Management System were adequate at selected campuses.

AUDIT RESULTS - SUMMARY

The City University of New York (CUNY) is the largest municipal college system in the United States. It serves more than 226,000 degree-credit students and 230,000 adult, continuing and professional education students. For the 2007-08 fiscal year, CUNY’s operating budget exceeds $1.6 billion. The majority of CUNY campuses use the Student Information Management System (SIMS) to track student information. SIMS is a mainframe application which contains student personal information, account balances, course selections, grades and loan information.

CUNY officials have taken meaningful steps to enhance information technology (IT) security in recent years. For example, CUNY established an IT Steering Committee, hired an Information Technology Security Officer (ITSO) to oversee an Information Security Team, and allocated $2 million to IT security initiatives. In addition, CUNY issued its formal Information Technology Security Policies (Policies) in August 2006.

However, the colleges we visited did not fully comply with the Policies, and as a result, there were significant weaknesses in the controls over SIMS access. Because of the weaknesses, unauthorized users could have access to SIMS; and some authorized users might have inappropriate access to certain types or levels of SIMS information. We concluded that the ITSO and/or the Information Security Team should make periodic site visits to CUNY’s campuses to help ensure that campus officials are complying with the prescribed Policies and limit SIMS access appropriately.

The Policies prescribed a number of requirements that colleges must follow to secure their computerized resources. For example, the Policies prohibit colleges from issuing generic user IDs and multiple IDs to users. However, at the four selected colleges we found that 74 users had more than one user ID, and there were 216 generic IDs.

The Policies further require computerized user accounts to be deactivated promptly whenever someone’s employment with CUNY ends. However, we noted that 60 former employees at the four campuses we reviewed (Hunter, Baruch, City and Medgar Evers) still had SIMS access after they left CUNY. The Policies also require users to change their passwords at least every 90 days. However, we interviewed 55 employees at three campuses (Hunter, Baruch, and City) and found that 35 of them had never changed their SIMS password.

According to the Policies, users should only access computerized information that is necessary to perform their job functions. However, we determined that 21 of the 55 employees we interviewed had the ability to change grades, adjust student account balances, or add and remove stop codes, although these employees did not need such capabilities. (Stop codes are used to deny student registration for reasons such as past-due account balances.)

Our audit report contains 13 recommendations to help CUNY strengthen SIMS access controls. In their response to our draft report, CUNY officials generally concurred with our recommendations. They indicated the specific actions that they have

Report 2007-S-23 Page 2 of 13

already taken and will be taking to implement them.

This report, dated February 8, 2008, is available on our website at: http://www.osc.state.ny.us. Add or update your mailing list address by contacting us at: (518) 474-3271 or Office of the State Comptroller, Division of State Government Accountability, 110 State Street, 11th Floor, Albany, NY 12236.

BACKGROUND

The City University of New York (CUNY) is the largest municipal college system in the United States. It consists of eleven senior colleges, six community colleges, and several other specialized and professional schools. CUNY serves more than 226,000 degree-credit students and 230,000 adult, continuing and professional education students. Governed by a 17-member Board of Trustees, CUNY employs about 6,100 full-time faculty members. For the 2007-08 fiscal year, CUNY’s operating budget totaled more than $1.6 billion.

In recent years, CUNY has increased its commitment to IT security. In October 2005, CUNY officials hired an ITSO. Subsequently, they established a University Information Security Team. The ITSO works with each CUNY campus through the University IT Steering Committee, which is comprised of the Chief Information Officers and Vice Presidents of Finance and Administration for each college. The IT Steering Committee approved a comprehensive IT Security Strategic Plan and has allocated more than $2 million for projects addressing IT security issues.

The ITSO reviewed CUNY’s IT security policies. Based on this review, CUNY officials issued the Policies (on August 30, 2006) to be promulgated immediately to all CUNY offices and campuses. The Policies included guidance on the use, creation, and severance of user IDs; standards pertaining to the formation and use of generic and duplicate user IDs; and requirements for the maintenance of user passwords. Each College’s Vice President of Finance and Administration has primary responsibility for compliance with the Policies, including the resolution of instances of non-compliance. The colleges are also required to conduct internal reviews each semester to ensure that they are following the Policies, and college officials must submit letters to the ITSO attesting to the performance of such reviews. However, CUNY Central Office still maintains a significant oversight role with regard to campus IT security.

The majority of CUNY campuses use SIMS to track student information. SIMS is a mainframe application which contains student personal information, account balances, course selections, grades and loan information. Within the next few years, CUNY officials plan to replace the 25-year-old SIMS with a system that is expected to have many security and other improvements. In the interim, issues related to hardware and backup are handled centrally by the CUNY Office of Computing and Information Services, while each college grants its users access to SIMS, including the type of access that each user should have. College registrars are generally the SIMS data owners and approve SIMS access requests.

To determine whether colleges were complying with the new Policies and other best practices, we judgmentally selected four colleges for audit. We selected a sample of senior colleges with high and low student to SIMS user ratios. The colleges selected were Hunter (836 SIMS user IDs), Baruch (505 user IDs), City (1,039 user IDs) and Medgar Evers (347 user IDs) colleges. We obtained the most current SIMS user listings from these colleges during the period of May 22, 2007 to July 17, 2007. At City College, the most current user listing had not been updated since January 2006. We analyzed and tested the user listings for each college and conducted employee interviews at Hunter, Baruch and City College. We did not include community colleges or specialized and professional schools in our review. Our audit period was from May 1, 2006 to August 16, 2007.

AUDIT FINDINGS AND RECOMMENDATIONS

Analysis of SIMS User Listings

Effective access controls require that users’ access to an entity’s computerized resources be linked to specific individuals to prevent and detect unauthorized transactions. Also, access should only be granted to current employees unless there is a valid and documented reason to do otherwise, and access should be terminated promptly when employees leave the organization. These controls are particularly important when the users are assigned a high level of access, such as the ability to update student information within SIMS. However, we found that the colleges maintained duplicate and generic IDs, and non-CUNY employees and separated employees had access to SIMS.

Duplicate and Generic User IDs

The Policies state, "Users of computerized systems should have no more than one individually assigned user ID, clearly identifiable to a user." Further, the Policies state that generic named or group user IDs are not permitted. To determine if employees had more than one SIMS user ID, we summarized the SIMS user listings provided by each of the four selected colleges by user ID, and then we searched for those user names that had more than one SIMS ID. We found that 74 employees had more than one SIMS user account. These included 33 employees at Baruch College, 35 employees at City College, and 6 employees at Hunter College.

According to Baruch College officials, some users are only able to print to specific printers. Consequently, some of these users requested additional user IDs to facilitate printing on other printers. It should be noted that Brooklyn College officials indicated they receive many requests from their employees to obtain an additional ID when they need to print to another printer. However, in these instances the IT personnel make a change to the SIMS printer table for those users, thereby avoiding the need for multiple IDs. We believe this solution should be shared with CUNY IT managers at other campuses to minimize the need for multiple IDs for individual staff.

Prior to the conclusion of our fieldwork, officials from Hunter College advised us that they eliminated all six of the duplicate user IDs we identified. They attributed several of these instances to employee transfers within the campus. The transfers resulted in new user IDs for the employees. However, the employees’ old user IDs, from their previous work locations, had not been canceled. Based on Hunter’s comments, we conclude that CUNY should ensure that campuses have adequate procedures to cancel the old IDs of employees that transfer from one work location to another within a campus or the overall CUNY system.

Generic IDs are not assigned to a specific individual and are typically used by multiple users. To determine if the SIMS user lists contained generic IDs, we reviewed each of the four colleges’ user lists and identified those IDs not assigned to specific persons. We found 216 generic user IDs: 15 at Baruch College, 12 at Medgar Evers College and 189 at City College. Baruch College personnel informed us that they will deactivate their generic IDs. City College officials told us their generic IDs are actually "unassigned IDs." Medgar Evers College officials have taken no action and believe the IDs are necessary. However, the ITSO informed us that generic IDs of any sort are strictly prohibited.

When colleges allow duplicate and generic accounts to be issued, accountability for the actions of SIMS users is diminished.

Separated and Non-Employee Access to SIMS

The Policies state, "Access to computerized systems must be severed prior to or upon the last date of employment." We compared the user listings of active SIMS accounts for each of the four colleges noted above with the names of employees who were separated from employment at each college, according to the New York State payroll system. The payroll records used in our testing indicated those employees that were terminated, resigned, retired, deceased or on leave between September 2006 and June 2007. Our objective was to determine whether these former or inactive employees had their SIMS access privileges terminated.

We found that 60 former CUNY employees had active SIMS user accounts after their termination dates. These included 12 users from Hunter College, 28 users from City College, 18 users from Baruch College, and two users from Medgar Evers College. Of the 60 former employees who still had an active SIMS user ID, 22 users were terminated for reasons including seasonal or temporary employment; 22 users had resigned; 13 users retired; one user was formerly an adjunct professor; and two users were deceased. Furthermore, 17 of the 60 discontinued employees had accounts that granted them high levels of SIMS access. Each of these former employees had Stop Code Update capability (used to deny student registration for reasons such as past-due fees), the ability to adjust student SIMS account balances, and/or grade change update capability.

We also found another 22 employees who were on a leave of absence at the time of this review, but still had active user IDs. At the time of our audit fieldwork, CUNY had not developed a policy to determine when officials should deactivate the user accounts for employees on leave. Although there may have been justifications for some of these employees, for others (particularly those on extended or indefinite leaves) there could be little or no justification for their continuing SIMS access. CUNY officials responded that they will determine whether there are alternatives for modifying access privileges for employees on extended leave who do not require their normal levels of access.

If individuals who are no longer active employees continue to retain access rights to SIMS, they may inappropriately obtain confidential data; and there is an increased risk that they can use the system for improper purposes.

Best practices also dictate that all SIMS users should be employees of the college, unless there is a valid reason otherwise (e.g., consultants). According to the SIMS user listings provided to us, Hunter, Baruch, City and Medgar Evers Colleges had a combined total of 1,163 user IDs with the ability to change grades, adjust student account balances, or add or remove stop codes through SIMS. We compared 200 randomly selected users who had at least one of these user privileges, from all four colleges, with the New York State payroll records for the periods noted above. Our objective was to determine whether these users were current CUNY employees.

Of the 200 users selected for our sample, we could not find 10 individuals on the CUNY payroll. These included two Baruch College users, seven City College users and one Medgar Evers College user. City College officials indicated that three users not found had resigned or retired during 2005, and one employee resigned after June 2007. A City College IT official informed us that the user listing had not been updated since January 2006. No explanations were offered for the remaining users. We referred this to CUNY officials for follow up.

If individuals who are no longer active employees (or who were never employed by CUNY) have access rights to SIMS, they may inappropriately obtain confidential data, and there is an increased risk that they can use the system for improper purposes.

Recommendations

To the Colleges:

1. Comply with CUNY’s Policies, and remove all generic and duplicate SIMS user IDs.

2. Ensure that user SIMS accounts are disabled promptly, upon an employee’s separation or long-term absence from employment.

3. When an employee transfers from one operating unit to another, resulting in the creation of a new user ID for that employee, ensure that the employee’s old user ID is terminated.

4. Ensure that only current CUNY employees have access to SIMS, unless there is a valid reason otherwise. Adequately document the justification and approval of SIMS access granted to individuals who are not CUNY employees.

5. Ensure that user listings are updated on a regular basis.

To CUNY Central Office:

6. Provide the technical guidance needed to enable the campuses to change SIMS printer tables, and thereby help minimize the issuance of multiple user IDs to individual employees.

7. Ensure that colleges are aware of the need to address issues such as the use of multiple IDs and the disabling of accounts for terminated employees.

8. Develop and implement a policy for determining when colleges should disable the accounts of employees who are on extended leave.

SIMS Password and User Access Controls

User passwords are generally the first controls that an entity uses to ensure that only authorized individuals have access to its computerized systems and information. Moreover, it is essential that employees receive the least level of access necessary to perform their required job functions. However, we found that some SIMS users did not periodically change their password, and college officials granted access privileges to certain employees that were beyond the access levels required for these employees to do their jobs.

SIMS Password Controls

Passwords are important access controls intended to prevent unauthorized access to computer resources. CUNY’s Policies state, "All passwords must be changed at least every 90 days. Accounts which have special access privileges must be changed at least every 60 days." However, we found weaknesses in SIMS password controls. The SIMS system currently does not automatically require users to change their passwords periodically. Consequently, some users rarely (if ever) change their passwords. Although CUNY Central Office officials were aware of this shortcoming within the SIMS system, compensating controls had not been implemented. We conclude that CUNY officials should implement compensating procedures, such as training employees to change passwords as required and notifying supervisors to require compliance with this requirement.

Generally, SIMS users had not been informed of the importance of changing their passwords (or otherwise trained/directed to do so). From three colleges, we randomly selected 55 of the 1,054 SIMS users who had the ability to change grades, adjust student account balances, or add or remove stop codes through SIMS. These consisted of 25 users at Hunter, 20 users at Baruch and 10 users at City Colleges. We interviewed each of these employees and inquired about SIMS password changes. Thirty-six of these employees stated that they never received computer security training or notifications by supervisors or IT personnel to change their passwords. As a result, we found that 35 of these 55 employees had never changed their SIMS password. If users do not change their passwords periodically, this increases the risk of inappropriate access to automated information systems.

SIMS User Access Privileges

Colleges are responsible for ensuring that all SIMS users have legitimate business reasons for accessing information. Therefore, the Policies state "Access to non-public University data must be limited to a strict need to know, consistent with the user’s job responsibilities…" Since much of the information in SIMS is confidential, there are different levels of access provided to people, depending on their job function. Requests for access to SIMS are generally sent to the school registrars, who review the request and approve or disapprove them based on this criterion. Approved requests are sent to the IT department to set up the accounts.

We further interviewed the 55 SIMS users noted previously to ascertain the job functions of each employee, and how they use SIMS during the course of their work. We then sought to determine whether the access privileges granted to them were necessary to perform their duties. The 55 employees have the ability to change grades, adjust student account balances, or add and remove stop codes. However, 21 of these employees indicated their jobs did not require them to have certain access privileges that had been established for them. The 21 employees included nine at Hunter College, ten at Baruch and two at City College.

At Hunter College, for example, a Coordinator of the Student Ambassador Program (involved with recruitment and outreach) only uses SIMS for inquiry purposes. Nevertheless, this employee had stop code update privileges. At Baruch College, a Transfer Evaluation Coordinator (who oversees students who transfer to Baruch) uses SIMS screens only to help with transfer credits and student IDs. However, this employee also had grade change update ability. Also, a Secretary in the Bursar’s Office at City College uses SIMS only to find students’ addresses, but nevertheless also has stop code update access. Baruch College officials responded that four users requested (and were given) one-time access to certain functions. However, these access privileges were not terminated when the employees in question no longer needed them.

When individuals have access to SIMS, or certain SIMS privileges, that are not needed to perform their job responsibilities, they may have inappropriate access to confidential student information and may compromise student privacy. Moreover, there is an increased risk that improper changes could be made to student records.

During our visit to City College, we also noted that college officials had not implemented the policy regarding the restriction of re-using user IDs. The Policy states that "user IDs must not be re-used or re-assigned to another individual at any time in the future." Moreover, the NYS Office for Technology’s Best Practice Guideline G07-001 states, "User IDs shall be unique. Therefore, User IDs may not be re-used and will be archived when the user is deprovisioned." City College officials indicated they re-use the same SIMS IDs because it is easier for the IT Department to disable an account by changing the password instead of deleting the account and adding a new account. City College officials indicated that they lack the resources within the IT Department to constantly add and delete user accounts. However, during a visit to Brooklyn College, officials indicated that it takes only five minutes to disable access capabilities when deleting accounts, and no more than an hour to add a new user account. The re-use of user accounts makes it more difficult to control and limit access rights, and it hinders the ability to track user activity.

Recommendations

To the Colleges:

9. Formally notify all SIMS users of the need to change their passwords periodically and provide training as necessary to employees regarding this matter. Require supervisory personnel to verify that employees have changed passwords, consistent with prescribed policies.

10. Ensure that all SIMS users are given only the access privileges that are required to perform their job functions.

11. Comply with CUNY’s Information Technology and Security Policies restricting the re-use of user IDs.

CUNY Central Office Oversight

CUNY colleges are required to submit attestation letters to the Central Office each semester confirming compliance with the Policies’ requirement for periodic access reviews. At the time of our audit fieldwork, all 11 of CUNY’s senior colleges had submitted their letters for reviews purported to have been performed during the Fall 2006 term. We reviewed the letters for the four colleges and found that:

• Baruch College officials cited generic and duplicate accounts as concerns.

• City College officials stated that they do not re-use user IDs. However, this was contrary to our own site visit findings, as noted previously.

The ITSO informed us that printing issues are the result of the age of the SIMS system and should be resolved when the new system is employed in the future. However, we noted, as detailed previously in this report, that Brooklyn College solved this problem by making changes to SIMS printer tables, as necessary. Moreover, the operational replacement of SIMS will likely take several years to complete. Consequently, we believe that CUNY Central Office officials should take steps to ensure that all campuses have the technical ability to change system printer tables, as necessary, to obviate the need for employees with multiple user IDs.

As noted previously, CUNY officials have taken significant steps in recent years to improve IT security controls, including those over SIMS access. These steps include the formation of an IT Steering Committee and an Information Security Team, the appointment of the ITSO, and the issuance of the Policies. However, our review indicated that all four colleges included in our audit (Hunter, Baruch, City and Medgar Evers) did not consistently comply with certain aspects of the Policies. Furthermore, formal site visit reviews of campus IT security activities by the ITSO and Information Security Team were limited. Consequently, based on the results of our campus reviews and the limitations in Central Office oversight, we believe that there is increased risk of non-compliance with the prescribed IT security standards at the campuses we did not visit. Although campus officials have primary responsibility for compliance with the Policies, we concluded that CUNY Central Office officials need to strengthen their oversight of campus IT security programs. Such oversight could include site visits to campuses and reviews of files/documents prepared by campus staff to perform the required periodic access reviews.

Recommendations

To CUNY Central Office:

12. Direct the ITSO and/or the Information Security Team to perform periodic site visits to the campuses to verify compliance with the Guidelines. Document the results of the site visits and share them with campus officials, as appropriate.

13. On a sample basis, examine the files/documents prepared by campus IT staff to perform the required periodic access reviews, as prescribed by the Guidelines.

AUDIT SCOPE AND METHODOLOGY

We conducted our performance audit in accordance with generally accepted government auditing standards. We audited CUNY’s SIMS access controls at four selected colleges and the CUNY Central Office for the period May 1, 2006 to August 16, 2007. Our audit focused primarily on the access controls in place to secure the SIMS system. We reviewed policies and procedures; analyzed college user reports and compared them with payroll records; and interviewed SIMS users. We also met with information technology employees, bursars and registrars.

In addition to being the State Auditor, the Comptroller performs certain other constitutionally and statutorily mandated duties as the chief fiscal officer of New York State. These include operating the State’s accounting system; preparing the State’s financial statements; and approving State contracts, refunds, and other payments. In addition, the Comptroller appoints members to certain boards, commissions and public authorities, some of whom have minority voting rights. These duties may be considered management functions for purposes of evaluating organizational independence under generally accepted government auditing standards. In our opinion, these functions do not affect our ability to conduct independent audits of program performance.

AUTHORITY

The audit was performed pursuant to the State Comptroller’s authority as set forth in Article V, Section 1 of the State Constitution, and Article II, Section 8 of the State Finance Law.

REPORTING REQUIREMENTS

We provided draft copies of this report to CUNY officials for their review and formal comment. We have considered CUNY’s formal comments in preparing this report and have included them as Appendix A. CUNY officials generally concurred with our recommendations, and they indicated the specific actions that they have already taken and will be taking to implement them.

Within 90 days of the final release of this report, as required by Section 170 of the Executive Law, the Chancellor of the City University of New York shall report to the Governor, State Comptroller, and leaders of the Legislature and the fiscal committees, advising what steps were taken to implement the recommendations contained herein, and where recommendations were not implemented, the reasons therefor.

CONTRIBUTORS TO THE REPORT

Major contributors to the report include Brian Mason, Abe Fish, Keith Dickter, Nicole Van Hoesen, Shanna Mogan and Ron Pisani.
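The user-listing reconciliation described under Analysis of SIMS User Listings (one individually assigned ID per person, no generic IDs, access severed on separation, and high-level privileges among separated or on-leave staff), as an added example that is not part of the audit report or of CUNY's own tooling; the SimsUser and PayrollRecord layouts, the privilege names and every sample record are constructed.

```python
"""Reconcile a SIMS-style user listing against payroll records.

Added example, not the audit's or CUNY's tooling: the record layout,
privilege names and all sample records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

HIGH_LEVEL = frozenset({"GRADE_CHANGE", "ACCOUNT_ADJUST", "STOP_CODE_UPDATE"})
SEPARATED = frozenset({"terminated", "resigned", "retired", "deceased"})
REVIEW_DATE = date(2007, 6, 30)  # constructed date of the review

@dataclass(frozen=True)
class SimsUser:
    user_id: str
    owner: Optional[str]  # None models a generic / unassigned ID
    active: bool
    privileges: frozenset = frozenset()

@dataclass(frozen=True)
class PayrollRecord:
    name: str
    status: str  # "active", "on_leave" or one of SEPARATED
    effective: Optional[date] = None  # separation or leave start date

def _key(name):
    # The audit matched on names; join on a stable employee ID where one exists.
    return " ".join(name.split()).casefold()

def duplicate_ids(users):
    """Map each person holding more than one individually assigned ID to those IDs."""
    by_owner = defaultdict(list)
    for u in users:
        if u.owner is not None:
            by_owner[_key(u.owner)].append(u.user_id)
    return {k: sorted(v) for k, v in by_owner.items() if len(v) > 1}

def generic_ids(users):
    """IDs tied to no specific individual; the Policies prohibit these outright."""
    return sorted(u.user_id for u in users if u.owner is None)

def stale_access(users, payroll, as_of):
    """Yield (user_id, owner, reason, high_level) for active IDs whose owner is
    separated, on leave, or absent from payroll as of the review date."""
    by_name = {_key(p.name): p for p in payroll}
    for u in users:
        if not u.active or u.owner is None:
            continue
        high = bool(u.privileges & HIGH_LEVEL)
        rec = by_name.get(_key(u.owner))
        if rec is None:
            yield (u.user_id, u.owner, "not_on_payroll", high)
        elif rec.status in SEPARATED or rec.status == "on_leave":
            # Flag only events that had already occurred on the review date.
            if rec.effective is None or rec.effective <= as_of:
                yield (u.user_id, u.owner, rec.status, high)

def summarize(users, payroll, as_of):  # counts in the shape the report uses
    stale = list(stale_access(users, payroll, as_of))
    return {
        "duplicate_holders": len(duplicate_ids(users)),
        "generic_ids": len(generic_ids(users)),
        "separated_with_access": sum(f[2] in SEPARATED for f in stale),
        "separated_high_level": sum(f[2] in SEPARATED and f[3] for f in stale),
        "on_leave_with_access": sum(f[2] == "on_leave" for f in stale),
        "not_on_payroll": sum(f[2] == "not_on_payroll" for f in stale),
    }

# Constructed sample records (not taken from the report).
USERS = [
    SimsUser("HC001", "Ann Lee", True, frozenset({"INQUIRY"})),
    SimsUser("HC002", "ann  lee", True, frozenset({"INQUIRY"})),  # old ID kept after a transfer
    SimsUser("HC003", "Bob Ray", True, frozenset({"STOP_CODE_UPDATE"})),
    SimsUser("BC001", None, True, frozenset({"INQUIRY"})),  # generic / unassigned
    SimsUser("BC002", "Cy Dunn", True, frozenset({"GRADE_CHANGE"})),
    SimsUser("CC001", "Dee Fox", False, frozenset({"ACCOUNT_ADJUST"})),  # already disabled
    SimsUser("CC002", "Eli Gan", True, frozenset({"INQUIRY"})),
    SimsUser("CC003", "Flo Hay", True, frozenset({"INQUIRY"})),
]
PAYROLL = [
    PayrollRecord("Ann Lee", "active"),
    PayrollRecord("Bob Ray", "retired", date(2007, 3, 1)),
    PayrollRecord("Cy Dunn", "on_leave", date(2007, 5, 15)),
    PayrollRecord("Dee Fox", "resigned", date(2006, 11, 30)),
    PayrollRecord("Eli Gan", "terminated", date(2007, 9, 1)),  # separates after the review
]
```

Matching on normalized names, as the audit did against the payroll system, misses name changes and collides on common names; where the listing carries a stable employee identifier, join on that instead.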


APPENDIX A - AUDITEE RESPONSE
