Finding FA 2022 003: Special Tests and Provision: Gramm Leach Bliley Act Student Information Security Perform Regular Backup Restoration Tests, Improve Server and Network Security, Perform Timely Access Revocation and System Access Review, Strengthen Password Controls ? Optimize Account Lockout Configuration in SAP Database, and Establish and Document Approval of IT Policies and Procedures Federal Program Information Assistance Listing Number: ALN 84.007, 84.033, 84.063, 84.264, 93.364 Federal Program Name: Student Financial Assistance Cluster Federal Agency: U.S. Department of Education Passed Through Entity: N/A Federal Award Number: Various Federal Award Year: July 1, 2021, to June 30, 2022 Compliance Requirement: Special Tests and Provisions ? Gramm Leach Bliley Act ? Student Information Security Criteria or Specific Requirement: Per GLB Act Safeguards Rule, Title 16 CFR Part 314, institutions are required to develop, implement, and maintain a comprehensive information security plan that is written and describes their program to protect sensitive information. In addition to developing their own safeguards, institutions covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard sensitive information in their care. As part of its plan, the institution must: a) Designate an employee or employees to coordinate its information security program. b) Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of student information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromises of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of operations, including: ? Employee training and management; ? Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and ? Detecting, preventing and responding to attacks, intrusions, or other systems failures c) Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures. d) Oversee service providers, by: ? Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the student information at issue; and ? Requiring your service providers by contact to implement and maintain such safeguards. e) Evaluate and adjust your information security program in light of the results of the testing and monitoring required by paragraph (c) of this section; any material changes to your operations or business arrangements; or any other circumstances that you know or have reason to know may have a material impact on your information security program. Also, per sections 501 and 505 (b)(2) of the GLB Act, institutions are required to comply with standards set forth for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of student information. This part applies to all sensitive information in the institution?s possession, regardless of whether such information pertains to individuals with whom the institution has a student relationship or pertains to the students of other financial institutions that have provided such information to the institution. The objectives of section 501(b) of the Act, and of this part, are to: (1) Ensure the security and confidentiality of student information; (2) Protect against any anticipated threats or hazards to the security or integrity of such information; and (3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student. Identified Conditions: A. Perform regular backup restoration tests The District performed a comprehensive Tabletop Disaster Recovery (DR) exercises for both SAP and SIS during the audit period. As part of the exercise, the DR Team simulated a scenario, fully supported with recovery considerations, steps, results, recovery challenges, and key recommendations to improve moving forward ? the exercise was also reviewed and approved by Vice Chancellor and Chief Information Officer. However, a key activity which is the actual backup restoration testing was not performed as part of the tabletop exercise or at any point during the audit period. B. Improve server and network security (Repeat Finding) Server and network security can be further improved. While the District has taken steps on securing systems, we noted the following: i. The latest SAP server vulnerability reports showed one (1) critical and one (1) high vulnerability which remains outstanding since its last scan on September 24, 2022. Based on the vulnerability scan policy, a reasonable effort shall be made to remediate high and critical vulnerabilities within 30 calendar days of discovery. The longer the vulnerability issues remain unaddressed, the higher the security risks that the District faces. ii. We noted that a critical security update for SIS Database Server released on August 9, 2022, was installed on October 16, 2022. Based on the District?s policy, patches designated as "Critical" by the manufacturer must be installed as soon as feasible without introducing instability or impacting service availability of production systems, and no later than thirty days after release. (Repeat finding) iii. We noted that the firewall rules included telnet which can lead to potential sniffing or eavesdropping attacks as the privileged credentials are sent in the network in clear text. This was subsequently removed by IT as of November 2022. C. Perform timely access revocation and system access review (Repeat Finding) Based on test of controls to verify that access of terminated employees are timely removed in Active Directory (AD), SAP, and SIS, we noted that out of the 30 terminated employees selected for testing: i. One (1) user was active in AD ii. Two (2) users were still active in SAP iii. 16 users were still active in SIS Moreover, while a privileged user access review is performed for AD, there is no review performed to check the validity of regular users in AD, and the validity and appropriateness of users in SAP and SIS. The purpose of properly establishing periodic user access review, coupled with limiting and monitoring administrative access within the system, is to ensure management?s understanding of the overall systems operation, its internal workflow requirements, and the segregation of duties within the systems that is required so that employees are not granted excessive, incompatible system access levels and workflow capabilities. D. Strengthen password controls ? optimize account lockout configuration in SAP Database Inspection of password configuration for SAP Database revealed that account lockout duration and threshold are set to unlimited. Based on the District?s password standard, account lockout duration and threshold should be set at 15 minutes and 10 invalid logon attempts, respectively. E. Establish and document approval of IT policies and procedures (Repeat finding) Inspection of IT-related policies and procedures showed the following documentations committed in the prior year, but are still in development as of November 2022: ? Risk Acceptance Process ? Portable Media Restriction Cause and Effect: A. Perform regular backup restoration tests Lack of proper restoration testing may hinder the District to recover its data completely and accurately. B. Improve server and network security Vulnerabilities in the systems may be exploited leading to malicious or unauthorized activities that could impact system and data integrity, or disclosure of confidential or sensitive information. C. Perform timely access revocation and system access review The risk of unauthorized access and security incidents or violations within the systems may occur. Furthermore, unauthorized or inappropriate access in the system increases the risk that unauthorized activities, including viewing and/or disclosure of confidential information, and fraudulent activities may be performed and not be detected and corrected on time. D. Strengthen password controls ? optimize account lockout configuration in SAP Database Inadequate security and password settings may lead to unauthorized access to the relevant IT environment that may result in the processing of unauthorized transactions or viewing of confidential information. E. Establish and document approval of IT policies and procedures With policies and procedures not yet fully reviewed, approved and implemented, the District may face the risk of obsolete operational procedures within the IT function which may result in processes and controls not being consistently performed across teams within the critical IT processes of the organization. As a result, tasks that must be performed regularly to ensure the proper utility of IT resources, protection and confidentiality of data, and system management measures may not be performed. Recommendation: A. Perform regular backup restoration tests Together with the DR tabletop exercises, we recommend that backup restoration tests should be performed at least once per year. Detailed testing schedules should be drafted based on DRP specifications and required restoration of the critical systems. Documentation of such tests should be maintained for full management awareness and approval. B. Improve server and network security To significantly improve security, we recommend that the District should revisit and strictly enforce appropriate and adequate vulnerability and patch management processes and controls. Standard protection measures might not provide ample security due to the rising cases of malware attacks. Proper patch management and updating operating systems of servers is necessary to combat various forms of cyber-attacks. C. Perform timely access revocation and system access review 1. We recommend that Management revoke the access of terminated employees and review the activities performed by those accounts after their termination date to ensure the validity and appropriateness of activities/transactions performed by these accounts, if any. 2. Concurrently, Management should improve the account termination procedures to ensure that access of terminated employees is timely revoked. 3. We also recommend that regular access review is performed and documented (for both regular and privilege users) to ensure that only valid and appropriate users remain in the system. The review may include, but are not limited to the following: a. Document management control over completeness and accuracy of the reports used in the review b. Define designated functions/roles to perform the review c. Monitor timeliness of the performance of the review and execution of corrective actions as a result of the review D. Strengthen password controls ? optimize account lockout configuration in SAP Database To further improve the security of SAP Database, we recommend for the District to align the current password configuration of SAP Database with the District?s password standards. E. Establish and document approval of IT policies and procedures Management should ensure that IT policies and procedures have been adequately developed and approved for the proper guidance and execution of IT functions. Committing the policies and procedures to writing would ensure a higher level of operational compliance and would provide grounds for the District?s action if operational procedures do not meet their objectives. A management review of all policies and procedures should be performed, at least, on an annual basis to ensure the capture of new changes and deletions of processes and technologies. Views of Responsible Officials and Planned Corrective Actions: A. Perform regular backup restoration tests i. The District is planning to complete a backup restoration by the end of Q1 2023. B. Improve server and network security i. The District has completed reviewing the changes needed to address the identified critical vulnerabilities. The vulnerability patch will be applied by the end of the 2022 calendar year. ii. The District completed the high vulnerability patch on November 10, 2022. iii. The District completed the critical patch updates outside of the identified 30 calendar day window due to minimizing substantial business impact. The patching periods fell under the critical business time period. Verbal approval was provided but the District will strictly follow procedure to obtain written authorization from the VC/CIO for delaying the patching. C. Perform timely access revocation and system access review i. The District has undergone a comprehensive discovery of our current environments and scoped out opportunities to optimize the deprovisioning synchronization. This scope has been incorporated into a public solicitation which completed early Fall 2022. Currently, the District awaits board authorization on issuing a professional services contract to begin the effort. The target is to initialize a project in January to automate deprovisioning synchronization of employees across the multiple EPR systems. Meanwhile, regular access reviews of SAP and SIS will be a separate process that will be regularly conducted. The target completion is early Q2 2023. D. Strengthen password controls ? optimize account lockout configuration in SAP Database i. The SAP Database accounts identified are system accounts that are not used for any type of interactive login. The password policy has been applied to interactive login accounts only thus these accounts were not included. The District is currently exploring the feasibility of applying these policies to the system accounts without impact to downstream automated processes. E. Establish and document approval of IT policies and procedures i. The LACCD Office of Information Technology Information Security Team has completed the initial draft of the Operational Protocol for Portable Media, which is currently under review. The OIT anticipates implementation will be completed by March 31, 2023. ii. An Operational Protocol for Risk Acceptance of SIS Permissions requires finalizing a formal Role-Based Access Control (RBAC) model for SIS. This process was delayed due to leadership changes in the Office of Educational Programs and Institutional Effectiveness (EPIE), the main process stakeholder, that occurred during the audit year. The OIT anticipates that the RBAC will be finalized and a Risk Acceptance Process for SIS permissions will be finalized and implemented by June 30, 2023. Personnel responsible for implementation: Carmen V. Lidz Position of responsible personnel: Vice Chancellor & Chief Information Officer
Finding FA 2022 003: Special Tests and Provision: Gramm Leach Bliley Act Student Information Security Perform Regular Backup Restoration Tests, Improve Server and Network Security, Perform Timely Access Revocation and System Access Review, Strengthen Password Controls ? Optimize Account Lockout Configuration in SAP Database, and Establish and Document Approval of IT Policies and Procedures Federal Program Information Assistance Listing Number: ALN 84.007, 84.033, 84.063, 84.264, 93.364 Federal Program Name: Student Financial Assistance Cluster Federal Agency: U.S. Department of Education Passed Through Entity: N/A Federal Award Number: Various Federal Award Year: July 1, 2021, to June 30, 2022 Compliance Requirement: Special Tests and Provisions ? Gramm Leach Bliley Act ? Student Information Security Criteria or Specific Requirement: Per GLB Act Safeguards Rule, Title 16 CFR Part 314, institutions are required to develop, implement, and maintain a comprehensive information security plan that is written and describes their program to protect sensitive information. In addition to developing their own safeguards, institutions covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard sensitive information in their care. As part of its plan, the institution must: a) Designate an employee or employees to coordinate its information security program. b) Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of student information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromises of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of operations, including: ? Employee training and management; ? Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and ? Detecting, preventing and responding to attacks, intrusions, or other systems failures c) Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures. d) Oversee service providers, by: ? Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the student information at issue; and ? Requiring your service providers by contact to implement and maintain such safeguards. e) Evaluate and adjust your information security program in light of the results of the testing and monitoring required by paragraph (c) of this section; any material changes to your operations or business arrangements; or any other circumstances that you know or have reason to know may have a material impact on your information security program. Also, per sections 501 and 505 (b)(2) of the GLB Act, institutions are required to comply with standards set forth for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of student information. This part applies to all sensitive information in the institution?s possession, regardless of whether such information pertains to individuals with whom the institution has a student relationship or pertains to the students of other financial institutions that have provided such information to the institution. The objectives of section 501(b) of the Act, and of this part, are to: (1) Ensure the security and confidentiality of student information; (2) Protect against any anticipated threats or hazards to the security or integrity of such information; and (3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student. Identified Conditions: A. Perform regular backup restoration tests The District performed a comprehensive Tabletop Disaster Recovery (DR) exercises for both SAP and SIS during the audit period. As part of the exercise, the DR Team simulated a scenario, fully supported with recovery considerations, steps, results, recovery challenges, and key recommendations to improve moving forward ? the exercise was also reviewed and approved by Vice Chancellor and Chief Information Officer. However, a key activity which is the actual backup restoration testing was not performed as part of the tabletop exercise or at any point during the audit period. B. Improve server and network security (Repeat Finding) Server and network security can be further improved. While the District has taken steps on securing systems, we noted the following: i. The latest SAP server vulnerability reports showed one (1) critical and one (1) high vulnerability which remains outstanding since its last scan on September 24, 2022. Based on the vulnerability scan policy, a reasonable effort shall be made to remediate high and critical vulnerabilities within 30 calendar days of discovery. The longer the vulnerability issues remain unaddressed, the higher the security risks that the District faces. ii. We noted that a critical security update for SIS Database Server released on August 9, 2022, was installed on October 16, 2022. Based on the District?s policy, patches designated as "Critical" by the manufacturer must be installed as soon as feasible without introducing instability or impacting service availability of production systems, and no later than thirty days after release. (Repeat finding) iii. We noted that the firewall rules included telnet which can lead to potential sniffing or eavesdropping attacks as the privileged credentials are sent in the network in clear text. This was subsequently removed by IT as of November 2022. C. Perform timely access revocation and system access review (Repeat Finding) Based on test of controls to verify that access of terminated employees are timely removed in Active Directory (AD), SAP, and SIS, we noted that out of the 30 terminated employees selected for testing: i. One (1) user was active in AD ii. Two (2) users were still active in SAP iii. 16 users were still active in SIS Moreover, while a privileged user access review is performed for AD, there is no review performed to check the validity of regular users in AD, and the validity and appropriateness of users in SAP and SIS. The purpose of properly establishing periodic user access review, coupled with limiting and monitoring administrative access within the system, is to ensure management?s understanding of the overall systems operation, its internal workflow requirements, and the segregation of duties within the systems that is required so that employees are not granted excessive, incompatible system access levels and workflow capabilities. D. Strengthen password controls ? optimize account lockout configuration in SAP Database Inspection of password configuration for SAP Database revealed that account lockout duration and threshold are set to unlimited. Based on the District?s password standard, account lockout duration and threshold should be set at 15 minutes and 10 invalid logon attempts, respectively. E. Establish and document approval of IT policies and procedures (Repeat finding) Inspection of IT-related policies and procedures showed the following documentations committed in the prior year, but are still in development as of November 2022: ? Risk Acceptance Process ? Portable Media Restriction Cause and Effect: A. Perform regular backup restoration tests Lack of proper restoration testing may hinder the District to recover its data completely and accurately. B. Improve server and network security Vulnerabilities in the systems may be exploited leading to malicious or unauthorized activities that could impact system and data integrity, or disclosure of confidential or sensitive information. C. Perform timely access revocation and system access review The risk of unauthorized access and security incidents or violations within the systems may occur. Furthermore, unauthorized or inappropriate access in the system increases the risk that unauthorized activities, including viewing and/or disclosure of confidential information, and fraudulent activities may be performed and not be detected and corrected on time. D. Strengthen password controls ? optimize account lockout configuration in SAP Database Inadequate security and password settings may lead to unauthorized access to the relevant IT environment that may result in the processing of unauthorized transactions or viewing of confidential information. E. Establish and document approval of IT policies and procedures With policies and procedures not yet fully reviewed, approved and implemented, the District may face the risk of obsolete operational procedures within the IT function which may result in processes and controls not being consistently performed across teams within the critical IT processes of the organization. As a result, tasks that must be performed regularly to ensure the proper utility of IT resources, protection and confidentiality of data, and system management measures may not be performed. Recommendation: A. Perform regular backup restoration tests Together with the DR tabletop exercises, we recommend that backup restoration tests should be performed at least once per year. Detailed testing schedules should be drafted based on DRP specifications and required restoration of the critical systems. Documentation of such tests should be maintained for full management awareness and approval. B. Improve server and network security To significantly improve security, we recommend that the District should revisit and strictly enforce appropriate and adequate vulnerability and patch management processes and controls. Standard protection measures might not provide ample security due to the rising cases of malware attacks. Proper patch management and updating operating systems of servers is necessary to combat various forms of cyber-attacks. C. Perform timely access revocation and system access review 1. We recommend that Management revoke the access of terminated employees and review the activities performed by those accounts after their termination date to ensure the validity and appropriateness of activities/transactions performed by these accounts, if any. 2. Concurrently, Management should improve the account termination procedures to ensure that access of terminated employees is timely revoked. 3. We also recommend that regular access review is performed and documented (for both regular and privilege users) to ensure that only valid and appropriate users remain in the system. The review may include, but are not limited to the following: a. Document management control over completeness and accuracy of the reports used in the review b. Define designated functions/roles to perform the review c. Monitor timeliness of the performance of the review and execution of corrective actions as a result of the review D. Strengthen password controls ? optimize account lockout configuration in SAP Database To further improve the security of SAP Database, we recommend for the District to align the current password configuration of SAP Database with the District?s password standards. E. Establish and document approval of IT policies and procedures Management should ensure that IT policies and procedures have been adequately developed and approved for the proper guidance and execution of IT functions. Committing the policies and procedures to writing would ensure a higher level of operational compliance and would provide grounds for the District?s action if operational procedures do not meet their objectives. A management review of all policies and procedures should be performed, at least, on an annual basis to ensure the capture of new changes and deletions of processes and technologies. Views of Responsible Officials and Planned Corrective Actions: A. Perform regular backup restoration tests i. The District is planning to complete a backup restoration by the end of Q1 2023. B. Improve server and network security i. The District has completed reviewing the changes needed to address the identified critical vulnerabilities. The vulnerability patch will be applied by the end of the 2022 calendar year. ii. The District completed the high vulnerability patch on November 10, 2022. iii. The District completed the critical patch updates outside of the identified 30 calendar day window due to minimizing substantial business impact. The patching periods fell under the critical business time period. Verbal approval was provided but the District will strictly follow procedure to obtain written authorization from the VC/CIO for delaying the patching. C. Perform timely access revocation and system access review i. The District has undergone a comprehensive discovery of our current environments and scoped out opportunities to optimize the deprovisioning synchronization. This scope has been incorporated into a public solicitation which completed early Fall 2022. Currently, the District awaits board authorization on issuing a professional services contract to begin the effort. The target is to initialize a project in January to automate deprovisioning synchronization of employees across the multiple EPR systems. Meanwhile, regular access reviews of SAP and SIS will be a separate process that will be regularly conducted. The target completion is early Q2 2023. D. Strengthen password controls ? optimize account lockout configuration in SAP Database i. The SAP Database accounts identified are system accounts that are not used for any type of interactive login. The password policy has been applied to interactive login accounts only thus these accounts were not included. The District is currently exploring the feasibility of applying these policies to the system accounts without impact to downstream automated processes. E. Establish and document approval of IT policies and procedures i. The LACCD Office of Information Technology Information Security Team has completed the initial draft of the Operational Protocol for Portable Media, which is currently under review. The OIT anticipates implementation will be completed by March 31, 2023. ii. An Operational Protocol for Risk Acceptance of SIS Permissions requires finalizing a formal Role-Based Access Control (RBAC) model for SIS. This process was delayed due to leadership changes in the Office of Educational Programs and Institutional Effectiveness (EPIE), the main process stakeholder, that occurred during the audit year. The OIT anticipates that the RBAC will be finalized and a Risk Acceptance Process for SIS permissions will be finalized and implemented by June 30, 2023. Personnel responsible for implementation: Carmen V. Lidz Position of responsible personnel: Vice Chancellor & Chief Information Officer
Finding FA 2022-001: Eligibility: Incorrect Federal Pell Grant Amounts Awarded (Repeat Finding) Federal Program Information Assistance Listing Number: ALN 84.063 Federal Program Name: Student Financial Assistance Cluster: Federal Pell Grant Program Federal Agency: U.S. Department of Education Passed Through Entity: N/A Federal Award Number: P063P200033 Federal Award Year: July 1, 2021, to June 30, 2022 Campus: Los Angeles City College Compliance Requirement: Eligibility Criteria or Specific Requirement: Per 34 Code of Federal Regulations (CFR) 690.62 Calculation of a Federal Pell Grant, the amount of a student?s Pell Grant for an academic year is based upon the payment and disbursement schedules published by the Secretary for each award year. The Uniform Guidance Compliance Supplement states that the Department of Education provides institutions Payment and Disbursement Schedules for determining Pell awards each year. The Payment or Disbursement Schedule provides the maximum annual amount a student would receive for a full academic year for a given enrollment status, Expected Family Contribution (EFC), and Cost of Attendance (COA). The Payment Schedule is used to determine the annual award for full-time, three-quarter time, half-time, and less-than-half-time students. 2 CFR section 200.303 requires that non-Federal entities receiving Federal awards establish and maintain internal control over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal awards. Identified Condition: Of the 15 students selected for eligibility testwork at Los Angeles City College, we noted that 1 student had an incorrectly calculated Federal Pell grant award, which resulted in an understatement of the disbursement to the student by $419. The student was eligible to receive $419 yet received none in Summer 2020. Causes and Effect: One overpayment was identified during the audit period due to a class withdrawn after Pell disbursement. In addition, the underpayment identified related to the summer term is due to manual processing. The summer term is unique because it requires District staff to manually review Pell awards from two aid years to ensure the student receives the highest award. The process is labor intensive and complex. Incorrect awards can result in institutional liability. Questioned Costs: See schedule of findings and Questioned Costs The District has a known net understatement of Pell grant award disbursements of $419. The projected total net understatement of the Pell grant award disbursements is $117,592 as follows: See schedule of findings and Questioned Costs This is computed by dividing the error found in the samples per term (Summer term ? net underpayment ($419) and Fall/Spring terms ? $0) over the total Pell awards disbursed in the sample size per term (Summer term - $26,361 and Fall/Spring terms - $545,632) multiplied by the total Pell awards disbursed for the identified colleges per term (Summer term - $7,398,149 and Fall/Spring terms - $103,509,698). The computation is made on a per-term basis on a campus level and not on a district-wide level. Recommendation: We recommend that the District make the necessary system modifications to the PeopleSoft Student Information System (SIS) to ensure student awards are properly calculated. This will help ensure that Federal Pell grants are properly awarded to students who meet the eligibility requirements. Views of Responsible Officials and Planned Corrective Actions: The District has already developed an automated summer Pell solution. The solution has been tested by the field and Central Financial Aid Unit (CFAU) and will be implemented Summer 2023. Personnel responsible for implementation: Steve Giorgi Position of responsible personnel: CFAU Financial Aid Manager Expected date of Implementation: Summer 2023
Finding FA 2022-002: Special Tests and Provision: Return of Title IV Funds: Incorrect Calculation of Return of Title IV Funds, Untimely Notification of Grant Overpayment to Students and Secretary, and Distance Education Courses ? Lack of Formal Process to Determine Accuracy of Student Withdrawal Date (Repeat Finding) Federal Program Information Federal Catalog Number: ALN 84.063 and 84.268 Federal Program Name: Student Financial Assistance Cluster: Federal Pell Grant Program Federal Direct Student Loans Federal Agency: U.S. Department of Education Passed Through Entity: N/A Federal Award Number: P063P210033, P063P215263, P063P210034, P063P210658, P063P210035, P063P215261, P063P215260, P063P210036, P063P215262, P268K220033, P268K225263, P268K220034, P268K220658, P268K220035, P268K225261, P268K225260, P268K220036, P268K225262 Federal Award Year: July 1, 2021, to June 30, 2022 Campuses: Los Angeles City College (Repeat Finding) East Los Angeles College Los Angeles Harbor College (Repeat Finding) Los Angeles Mission College Los Angeles Pierce College (Repeat Finding) Los Angeles Southwest College (Repeat Finding) Los Angeles Trade Technical College (Repeat Finding) Los Angeles Valley College (Repeat Finding) West Los Angeles College (Repeat Finding) Compliance Requirement: Special Tests and Provisions ? Return of Title IV Funds Criteria or Specific Requirement: Per 34 Code of Federal Regulations 668.22 Treatments of Title IV Funds. A. When a recipient of Title IV grant or loan assistance withdraws from an institution during a payment period or period of enrollment in which the recipient began attendance, the institution must determine the amount of title IV grant or loan assistance that the student earned as of the student's withdrawal date in accordance with paragraph (e) of 34 Code of Federal Regulations 668.22. Per the Unform Guidance Compliance Supplement: - If an institution is required to take attendance, the withdrawal date is the last date of academic attendance, as determined by the institution from its attendance records. - If an institution is not required to take attendance, the withdrawal date is (1) the date, as determined by the institution, that the student began the withdrawal process prescribed by the institution; (2) the date, as determined by the institution, that the student otherwise provided official notification to the institution, in writing or orally, of his or her intent to withdraw; (3) if the student ceases attendance without providing official notification to the institution of his or her withdrawal, the midpoint of the payment period or, if applicable, the period of enrollment; (4) if the institution determines that a student did not begin the withdrawal process or otherwise notify the institution of the intent to withdraw due to illness, accident, grievous personal loss or other circumstances beyond the student?s control, the date the institution determines is related to that circumstance; (5) if a student does not return from an approved leave of absence, the date that the institution determines the student began the leave of absence; or (6) if the student takes an unapproved leave of absence, the date that the student began the leave of absence. Notwithstanding the above, an institution that is not required to take attendance may use as the withdrawal date, the last date of attendance at an academically related activity as documented by the institution (34 CFR668.22(c) and (l)). Title IV funds may be expended only towards the education of the students who can be proven to have been in attendance at the institution. In a distance education context, documenting that a student has logged into an online distance education platform or system is not sufficient, by itself, to demonstrate attendance by the student. To avoid returning all funds for a student that did not begin attendance, an institution must be able to document ?attendance at any class.? To qualify as a last date of attendance for Return of Title IV purposes, an institution must demonstrate that a student participated in class or was otherwise engaged in an academically related activity, such as by contributing to an online discussion or initiating contact with a faculty member to ask a course-related question. The Uniform Guidance Compliance Supplement requires auditors to identify a sample of students who received Title IV assistance who withdrew, dropped out, or never began attendance during the audit period. Auditors are to review the return of Title IV funds determinations/calculations for conformity with Title IV requirements. B. Within 30 days of the date of the institution?s determination that the student withdrew, an institution must send a notice to any student who owes a title IV, HEA grant overpayment as a result of the student?s withdrawal from the institution in order to recover the overpayment in accordance with paragraph (h)(4)(i) of this section. An institution must refer to the Secretary, in accordance with procedures required by the Secretary, an overpayment of Title IV, HEA grant funds owed by a student as a result of the student?s withdrawal from the institution if? (A) The student does not repay the overpayment in full to the institution, or enter a repayment agreement with the institution or the Secretary in accordance with paragraph (h)(4)(i) of this section within the earlier of 45 days from the date the institution sends a notification to the student of the overpayment or 45 days from the date the institution was required to notify the student of the overpayment; C. For an institution that is not required to take attendance, an institution must determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the (1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew. D. The institution must disburse directly to a student any amount of a post-withdrawal disbursement of grant funds that is not credited to the student's account. The institution must make the disbursement as soon as possible, but no later than 45 days after the date of the institution's determination that the student withdrew, as defined in paragraph (l)(3) of this section. E. Title IV funds may be expended only towards the education of the students who can be proven to have been in attendance at the institution. In a distance education context, documenting that a student has logged into an online distance education platform or system is not sufficient, by itself, to demonstrate attendance by the student. To avoid returning all funds for a student that did not begin attendance, an institution must be able to document ?attendance at any class.? To qualify as a last date of attendance for Return of Title IV purposes, an institution must demonstrate that a student participated in class or was otherwise engaged in an academically related activity, such as by contributing to an online discussion or initiating contact with a faculty member to ask a course-related question. Per 668.173 Refund reserve standards. A. In accordance with procedures established by the Secretary or FFEL Program lender, an institution returns unearned title IV, HEA program funds timely if? 1) The institution deposits or transfers the funds into the bank account it maintains under ?668.163 no later than 45 days after the date it determines that the student withdrew; 2) The institution initiates an electronic funds transfer (EFT) no later than 45 days after the date it determines that the student withdrew; 3) The institution initiates an electronic transaction, no later than 45 days after the date it determines that the student withdrew, that informs an FFEL lender to adjust the borrower?s loan account for the amount returned; or 4) The institution issues a check no later than 45 days after the date it determines that the student withdrew. An institution does not satisfy this requirement if? i. The institution?s records show that the check was issued more than 45 days after the date the institution determined that the student withdrew; or ii. The date on the canceled check shows that the bank used by the Secretary or FFEL Program lender endorsed that check more than 60 days after the date the institution determined that the student withdrew. Identified Condition: Summary No. Identified Condition Campus A. B. Incorrect Calculation of Return of Title IV Funds Untimely Notification of Grant Overpayment to Students and Secretary West Los Angeles College Los Angeles Southwest College Los Angeles Trade Technical College C. Distance Education Courses - Lack of Formal Process to Determine Accuracy of Student Withdrawal Date Los Angeles City College East Los Angeles College Los Angeles Harbor College Los Angeles Mission College Los Angeles Pierce College Los Angeles Southwest College Los Angeles Trade Technical College Los Angeles Valley College West Los Angeles College Description A. Incorrect Calculation of Return of Title IV Funds West Los Angeles College We noted 1 of 15 students selected for return of Title IV funds testwork from the population of students who had withdrawn, dropped out, or never began attendance that had an incorrectly determined withdrawal date in Summer 2022, the effect of which decreased the amount due from school by $681. B. Untimely Notification of Grant Overpayment to Students and Secretary Los Angeles Southwest College We noted that 2 of 15 students selected for compliance testwork were notified beyond 30 days from the date of the institution?s determination that the student withdrew and owed overpayments as a result of the students? withdrawal. The required notification was submitted to both students 11 days after the institution?s determination date. Los Angeles Trade Technical College We noted that 1 of 15 students selected for compliance testwork was never provided with a Post Withdrawal Disbursement notification. Consequently, no disbursement was made to the student. C. Distance Education Courses - Lack of Formal Process to Determine Accuracy of Student Withdrawal Date For distance education (DE) courses, we noted that the withdrawal date used in the calculation of return to Title IV funds is the actual date the student initiated the withdrawal from the course in the system. The District does not currently have a formal process in place to monitor a student?s active participation in an online class and engagement in academic activities related to a DE course in order to determine the reasonableness and accuracy of the student?s withdrawal date in the system. Causes and Effect: A. Incorrect Calculation of Return of Title IV Funds The incorrect calculation of Return of Title IV (R2T4) funds was caused by human error. Staff failed to create the R2T4 worksheet timely, which could result in disciplinary action taken by the U.S. Department of Education. B. Untimely Notification of Grant Overpayment to Students and Secretary Untimely notification of grant overpayment to students and secretary was caused by human error. FA Technicians failed to send overpayment notifications timely, which may result in untimely return of unearned Title IV funds. Untimely notifications and untimely result of Title IV aid can result in institutional liability and disciplinary action taken by the U.S. Department of Education C. Distance Education Courses - Lack of Formal Process to Determine Accuracy of Student Withdrawal Date The calculation of return to Title IV funds is a complex manual process. An incorrect calculation can result in institutional liability and/or disciplinary action taken by the U.S. Department of Education. Questioned Costs: A. Incorrect Calculation of Return of Title IV Funds See schedule of findings and Questioned Costs The District has a known net overstatement of the amount due from the student of $108 and known net understatement of the amount due from District of ($457). The projected total net understatement of amounts due from both the student and District is $2,358 as follows: See schedule of findings and Questioned Costs This is computed by dividing the errors found in samples per term (Summer term ? net understatement $350 and Fall/Spring terms ? net understatement $0 over the total Pell awards disbursed in the sample size per term (Summer term - $31,869 and Fall/Spring terms - $83,972) multiplied by the total Pell awards disbursed for the identified colleges per term (Summer term - $214,918 and Fall/Spring terms - $3,097,004). The computation is made on a per-term basis on a campus level and not on a district-wide level. The District has a known net overstatement of the post-withdrawal disbursement by $6. Not all students accept post-withdrawal disbursements. As such, questioned cost is not extrapolated. B. Untimely Notification of Grant Overpayment to Students and Secretary Refer to item A. above. C. Distance Education Courses ? Lack of Formal Process to Determine Accuracy of Student Withdrawal Date None. Recommendation: We recommend that the District implement additional controls at the course instructor level to effectively monitor student participation and engagement in academic activities related to DE courses in order for the course instructor to determine the reasonableness and accuracy of a student?s withdrawal date listed in the system. This will help ensure that the withdrawal date used in the calculation of return of title IV funds is accurate. Additionally, we recommend that the District evaluate and improve its existing process and control procedures related to the return of Title IV funds, including notification and return due date requirements. This will help ensure 1) that the returns of Title IV funds are accurately calculated and 2) compliance with the notification and return due date requirements, in accordance with the Uniform Guidance and the Code of Federal Regulation. . Views of Responsible Officials and Planned Corrective Actions: A. Incorrect Calculation of Return of Title IV Funds The student in question has an unusual circumstance because the college canceled the last enrolled class. The student was correctly identified as a withdrawal through an external student information system (SIS) query designed to identify students with unusual circumstances not currently identified by the R2T4 program. Unfortunately, the R2T4 worksheet was not manually added to the SIS due to an inadvertent oversight. We believe this is an isolated incident, but in order to automate the manual process, CFAU requested the Office of Information Technology to incorporate the external query logic into the R2T4 program. The worksheet has been manually added. Note that the internal controls have been substantially strengthened which has reduced the number of students impacted year-over-year. B. Untimely Notification of Grant Overpayment to Students and Secretary The college inadvertently failed to report the student overpayment to NSDLS timely. Due to SIS communication limitations with this last batch for the summer 2022 term, the District was unable to send the notification through SIS and had to send the R2T4 OP notification outside of SIS manually resulting in the late notification. C. Distance Education Courses ? Lack of Formal Process to Determine Accuracy of Student Withdrawal Date With regards to student withdrawal dates as it relates to DE courses, the District will provide communications to all faculty throughout the semester instructing them to assess individual student participation in the class and to exclude students from the class if prior to exclusion deadlines, or drop students if exclusion deadlines have passed. The communications will refer to the Academic Senate guidelines on regular and substantive interaction and use of authentic assessments to ensure that active participation is being effectively evaluated. Communications will be times around core deadlines for enrollment and financial aid processes. The DE Coordinators will be informed of the new standard to supplement the existing required and optional trainings currently provided to teaching faculty. This process will be implemented in Fall 2022. Personnel responsible for implementation: Steve Giorgi Position of responsible personnel: CFAU Financial Aid Manager Expected Date of Implementation: Fall 2022
Finding FA 2022 003: Special Tests and Provision: Gramm Leach Bliley Act Student Information Security Perform Regular Backup Restoration Tests, Improve Server and Network Security, Perform Timely Access Revocation and System Access Review, Strengthen Password Controls ? Optimize Account Lockout Configuration in SAP Database, and Establish and Document Approval of IT Policies and Procedures Federal Program Information Assistance Listing Number: ALN 84.007, 84.033, 84.063, 84.264, 93.364 Federal Program Name: Student Financial Assistance Cluster Federal Agency: U.S. Department of Education Passed Through Entity: N/A Federal Award Number: Various Federal Award Year: July 1, 2021, to June 30, 2022 Compliance Requirement: Special Tests and Provisions ? Gramm Leach Bliley Act ? Student Information Security Criteria or Specific Requirement: Per GLB Act Safeguards Rule, Title 16 CFR Part 314, institutions are required to develop, implement, and maintain a comprehensive information security plan that is written and describes their program to protect sensitive information. In addition to developing their own safeguards, institutions covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard sensitive information in their care. As part of its plan, the institution must: a) Designate an employee or employees to coordinate its information security program. b) Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of student information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromises of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of operations, including: ? Employee training and management; ? Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and ? Detecting, preventing and responding to attacks, intrusions, or other systems failures c) Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures. d) Oversee service providers, by: ? Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the student information at issue; and ? Requiring your service providers by contact to implement and maintain such safeguards. e) Evaluate and adjust your information security program in light of the results of the testing and monitoring required by paragraph (c) of this section; any material changes to your operations or business arrangements; or any other circumstances that you know or have reason to know may have a material impact on your information security program. Also, per sections 501 and 505 (b)(2) of the GLB Act, institutions are required to comply with standards set forth for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of student information. This part applies to all sensitive information in the institution?s possession, regardless of whether such information pertains to individuals with whom the institution has a student relationship or pertains to the students of other financial institutions that have provided such information to the institution. The objectives of section 501(b) of the Act, and of this part, are to: (1) Ensure the security and confidentiality of student information; (2) Protect against any anticipated threats or hazards to the security or integrity of such information; and (3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student. Identified Conditions: A. Perform regular backup restoration tests The District performed a comprehensive Tabletop Disaster Recovery (DR) exercises for both SAP and SIS during the audit period. As part of the exercise, the DR Team simulated a scenario, fully supported with recovery considerations, steps, results, recovery challenges, and key recommendations to improve moving forward ? the exercise was also reviewed and approved by Vice Chancellor and Chief Information Officer. However, a key activity which is the actual backup restoration testing was not performed as part of the tabletop exercise or at any point during the audit period. B. Improve server and network security (Repeat Finding) Server and network security can be further improved. While the District has taken steps on securing systems, we noted the following: i. The latest SAP server vulnerability reports showed one (1) critical and one (1) high vulnerability which remains outstanding since its last scan on September 24, 2022. Based on the vulnerability scan policy, a reasonable effort shall be made to remediate high and critical vulnerabilities within 30 calendar days of discovery. The longer the vulnerability issues remain unaddressed, the higher the security risks that the District faces. ii. We noted that a critical security update for SIS Database Server released on August 9, 2022, was installed on October 16, 2022. Based on the District?s policy, patches designated as "Critical" by the manufacturer must be installed as soon as feasible without introducing instability or impacting service availability of production systems, and no later than thirty days after release. (Repeat finding) iii. We noted that the firewall rules included telnet which can lead to potential sniffing or eavesdropping attacks as the privileged credentials are sent in the network in clear text. This was subsequently removed by IT as of November 2022. C. Perform timely access revocation and system access review (Repeat Finding) Based on test of controls to verify that access of terminated employees are timely removed in Active Directory (AD), SAP, and SIS, we noted that out of the 30 terminated employees selected for testing: i. One (1) user was active in AD ii. Two (2) users were still active in SAP iii. 16 users were still active in SIS Moreover, while a privileged user access review is performed for AD, there is no review performed to check the validity of regular users in AD, and the validity and appropriateness of users in SAP and SIS. The purpose of properly establishing periodic user access review, coupled with limiting and monitoring administrative access within the system, is to ensure management?s understanding of the overall systems operation, its internal workflow requirements, and the segregation of duties within the systems that is required so that employees are not granted excessive, incompatible system access levels and workflow capabilities. D. Strengthen password controls ? optimize account lockout configuration in SAP Database Inspection of password configuration for SAP Database revealed that account lockout duration and threshold are set to unlimited. Based on the District?s password standard, account lockout duration and threshold should be set at 15 minutes and 10 invalid logon attempts, respectively. E. Establish and document approval of IT policies and procedures (Repeat finding) Inspection of IT-related policies and procedures showed the following documentations committed in the prior year, but are still in development as of November 2022: ? Risk Acceptance Process ? Portable Media Restriction Cause and Effect: A. Perform regular backup restoration tests Lack of proper restoration testing may hinder the District to recover its data completely and accurately. B. Improve server and network security Vulnerabilities in the systems may be exploited leading to malicious or unauthorized activities that could impact system and data integrity, or disclosure of confidential or sensitive information. C. Perform timely access revocation and system access review The risk of unauthorized access and security incidents or violations within the systems may occur. Furthermore, unauthorized or inappropriate access in the system increases the risk that unauthorized activities, including viewing and/or disclosure of confidential information, and fraudulent activities may be performed and not be detected and corrected on time. D. Strengthen password controls ? optimize account lockout configuration in SAP Database Inadequate security and password settings may lead to unauthorized access to the relevant IT environment that may result in the processing of unauthorized transactions or viewing of confidential information. E. Establish and document approval of IT policies and procedures With policies and procedures not yet fully reviewed, approved and implemented, the District may face the risk of obsolete operational procedures within the IT function which may result in processes and controls not being consistently performed across teams within the critical IT processes of the organization. As a result, tasks that must be performed regularly to ensure the proper utility of IT resources, protection and confidentiality of data, and system management measures may not be performed. Recommendation: A. Perform regular backup restoration tests Together with the DR tabletop exercises, we recommend that backup restoration tests should be performed at least once per year. Detailed testing schedules should be drafted based on DRP specifications and required restoration of the critical systems. Documentation of such tests should be maintained for full management awareness and approval. B. Improve server and network security To significantly improve security, we recommend that the District should revisit and strictly enforce appropriate and adequate vulnerability and patch management processes and controls. Standard protection measures might not provide ample security due to the rising cases of malware attacks. Proper patch management and updating operating systems of servers is necessary to combat various forms of cyber-attacks. C. Perform timely access revocation and system access review 1. We recommend that Management revoke the access of terminated employees and review the activities performed by those accounts after their termination date to ensure the validity and appropriateness of activities/transactions performed by these accounts, if any. 2. Concurrently, Management should improve the account termination procedures to ensure that access of terminated employees is timely revoked. 3. We also recommend that regular access review is performed and documented (for both regular and privilege users) to ensure that only valid and appropriate users remain in the system. The review may include, but are not limited to the following: a. Document management control over completeness and accuracy of the reports used in the review b. Define designated functions/roles to perform the review c. Monitor timeliness of the performance of the review and execution of corrective actions as a result of the review D. Strengthen password controls ? optimize account lockout configuration in SAP Database To further improve the security of SAP Database, we recommend for the District to align the current password configuration of SAP Database with the District?s password standards. E. Establish and document approval of IT policies and procedures Management should ensure that IT policies and procedures have been adequately developed and approved for the proper guidance and execution of IT functions. Committing the policies and procedures to writing would ensure a higher level of operational compliance and would provide grounds for the District?s action if operational procedures do not meet their objectives. A management review of all policies and procedures should be performed, at least, on an annual basis to ensure the capture of new changes and deletions of processes and technologies. Views of Responsible Officials and Planned Corrective Actions: A. Perform regular backup restoration tests i. The District is planning to complete a backup restoration by the end of Q1 2023. B. Improve server and network security i. The District has completed reviewing the changes needed to address the identified critical vulnerabilities. The vulnerability patch will be applied by the end of the 2022 calendar year. ii. The District completed the high vulnerability patch on November 10, 2022. iii. The District completed the critical patch updates outside of the identified 30 calendar day window due to minimizing substantial business impact. The patching periods fell under the critical business time period. Verbal approval was provided but the District will strictly follow procedure to obtain written authorization from the VC/CIO for delaying the patching. C. Perform timely access revocation and system access review i. The District has undergone a comprehensive discovery of our current environments and scoped out opportunities to optimize the deprovisioning synchronization. This scope has been incorporated into a public solicitation which completed early Fall 2022. Currently, the District awaits board authorization on issuing a professional services contract to begin the effort. The target is to initialize a project in January to automate deprovisioning synchronization of employees across the multiple EPR systems. Meanwhile, regular access reviews of SAP and SIS will be a separate process that will be regularly conducted. The target completion is early Q2 2023. D. Strengthen password controls ? optimize account lockout configuration in SAP Database i. The SAP Database accounts identified are system accounts that are not used for any type of interactive login. The password policy has been applied to interactive login accounts only thus these accounts were not included. The District is currently exploring the feasibility of applying these policies to the system accounts without impact to downstream automated processes. E. Establish and document approval of IT policies and procedures i. The LACCD Office of Information Technology Information Security Team has completed the initial draft of the Operational Protocol for Portable Media, which is currently under review. The OIT anticipates implementation will be completed by March 31, 2023. ii. An Operational Protocol for Risk Acceptance of SIS Permissions requires finalizing a formal Role-Based Access Control (RBAC) model for SIS. This process was delayed due to leadership changes in the Office of Educational Programs and Institutional Effectiveness (EPIE), the main process stakeholder, that occurred during the audit year. The OIT anticipates that the RBAC will be finalized and a Risk Acceptance Process for SIS permissions will be finalized and implemented by June 30, 2023. Personnel responsible for implementation: Carmen V. Lidz Position of responsible personnel: Vice Chancellor & Chief Information Officer
Finding FA 2022-002: Special Tests and Provision: Return of Title IV Funds: Incorrect Calculation of Return of Title IV Funds, Untimely Notification of Grant Overpayment to Students and Secretary, and Distance Education Courses ? Lack of Formal Process to Determine Accuracy of Student Withdrawal Date (Repeat Finding) Federal Program Information Federal Catalog Number: ALN 84.063 and 84.268 Federal Program Name: Student Financial Assistance Cluster: Federal Pell Grant Program Federal Direct Student Loans Federal Agency: U.S. Department of Education Passed Through Entity: N/A Federal Award Number: P063P210033, P063P215263, P063P210034, P063P210658, P063P210035, P063P215261, P063P215260, P063P210036, P063P215262, P268K220033, P268K225263, P268K220034, P268K220658, P268K220035, P268K225261, P268K225260, P268K220036, P268K225262 Federal Award Year: July 1, 2021, to June 30, 2022 Campuses: Los Angeles City College (Repeat Finding) East Los Angeles College Los Angeles Harbor College (Repeat Finding) Los Angeles Mission College Los Angeles Pierce College (Repeat Finding) Los Angeles Southwest College (Repeat Finding) Los Angeles Trade Technical College (Repeat Finding) Los Angeles Valley College (Repeat Finding) West Los Angeles College (Repeat Finding) Compliance Requirement: Special Tests and Provisions ? Return of Title IV Funds Criteria or Specific Requirement: Per 34 Code of Federal Regulations 668.22 Treatments of Title IV Funds. A. When a recipient of Title IV grant or loan assistance withdraws from an institution during a payment period or period of enrollment in which the recipient began attendance, the institution must determine the amount of title IV grant or loan assistance that the student earned as of the student's withdrawal date in accordance with paragraph (e) of 34 Code of Federal Regulations 668.22. Per the Unform Guidance Compliance Supplement: - If an institution is required to take attendance, the withdrawal date is the last date of academic attendance, as determined by the institution from its attendance records. - If an institution is not required to take attendance, the withdrawal date is (1) the date, as determined by the institution, that the student began the withdrawal process prescribed by the institution; (2) the date, as determined by the institution, that the student otherwise provided official notification to the institution, in writing or orally, of his or her intent to withdraw; (3) if the student ceases attendance without providing official notification to the institution of his or her withdrawal, the midpoint of the payment period or, if applicable, the period of enrollment; (4) if the institution determines that a student did not begin the withdrawal process or otherwise notify the institution of the intent to withdraw due to illness, accident, grievous personal loss or other circumstances beyond the student?s control, the date the institution determines is related to that circumstance; (5) if a student does not return from an approved leave of absence, the date that the institution determines the student began the leave of absence; or (6) if the student takes an unapproved leave of absence, the date that the student began the leave of absence. Notwithstanding the above, an institution that is not required to take attendance may use as the withdrawal date, the last date of attendance at an academically related activity as documented by the institution (34 CFR668.22(c) and (l)). Title IV funds may be expended only towards the education of the students who can be proven to have been in attendance at the institution. In a distance education context, documenting that a student has logged into an online distance education platform or system is not sufficient, by itself, to demonstrate attendance by the student. To avoid returning all funds for a student that did not begin attendance, an institution must be able to document ?attendance at any class.? To qualify as a last date of attendance for Return of Title IV purposes, an institution must demonstrate that a student participated in class or was otherwise engaged in an academically related activity, such as by contributing to an online discussion or initiating contact with a faculty member to ask a course-related question. The Uniform Guidance Compliance Supplement requires auditors to identify a sample of students who received Title IV assistance who withdrew, dropped out, or never began attendance during the audit period. Auditors are to review the return of Title IV funds determinations/calculations for conformity with Title IV requirements. B. Within 30 days of the date of the institution?s determination that the student withdrew, an institution must send a notice to any student who owes a title IV, HEA grant overpayment as a result of the student?s withdrawal from the institution in order to recover the overpayment in accordance with paragraph (h)(4)(i) of this section. An institution must refer to the Secretary, in accordance with procedures required by the Secretary, an overpayment of Title IV, HEA grant funds owed by a student as a result of the student?s withdrawal from the institution if? (A) The student does not repay the overpayment in full to the institution, or enter a repayment agreement with the institution or the Secretary in accordance with paragraph (h)(4)(i) of this section within the earlier of 45 days from the date the institution sends a notification to the student of the overpayment or 45 days from the date the institution was required to notify the student of the overpayment; C. For an institution that is not required to take attendance, an institution must determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the (1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew. D. The institution must disburse directly to a student any amount of a post-withdrawal disbursement of grant funds that is not credited to the student's account. The institution must make the disbursement as soon as possible, but no later than 45 days after the date of the institution's determination that the student withdrew, as defined in paragraph (l)(3) of this section. E. Title IV funds may be expended only towards the education of the students who can be proven to have been in attendance at the institution. In a distance education context, documenting that a student has logged into an online distance education platform or system is not sufficient, by itself, to demonstrate attendance by the student. To avoid returning all funds for a student that did not begin attendance, an institution must be able to document ?attendance at any class.? To qualify as a last date of attendance for Return of Title IV purposes, an institution must demonstrate that a student participated in class or was otherwise engaged in an academically related activity, such as by contributing to an online discussion or initiating contact with a faculty member to ask a course-related question. Per 668.173 Refund reserve standards. A. In accordance with procedures established by the Secretary or FFEL Program lender, an institution returns unearned title IV, HEA program funds timely if? 1) The institution deposits or transfers the funds into the bank account it maintains under ?668.163 no later than 45 days after the date it determines that the student withdrew; 2) The institution initiates an electronic funds transfer (EFT) no later than 45 days after the date it determines that the student withdrew; 3) The institution initiates an electronic transaction, no later than 45 days after the date it determines that the student withdrew, that informs an FFEL lender to adjust the borrower?s loan account for the amount returned; or 4) The institution issues a check no later than 45 days after the date it determines that the student withdrew. An institution does not satisfy this requirement if? i. The institution?s records show that the check was issued more than 45 days after the date the institution determined that the student withdrew; or ii. The date on the canceled check shows that the bank used by the Secretary or FFEL Program lender endorsed that check more than 60 days after the date the institution determined that the student withdrew. Identified Condition: Summary No. Identified Condition Campus A. B. Incorrect Calculation of Return of Title IV Funds Untimely Notification of Grant Overpayment to Students and Secretary West Los Angeles College Los Angeles Southwest College Los Angeles Trade Technical College C. Distance Education Courses - Lack of Formal Process to Determine Accuracy of Student Withdrawal Date Los Angeles City College East Los Angeles College Los Angeles Harbor College Los Angeles Mission College Los Angeles Pierce College Los Angeles Southwest College Los Angeles Trade Technical College Los Angeles Valley College West Los Angeles College Description A. Incorrect Calculation of Return of Title IV Funds West Los Angeles College We noted 1 of 15 students selected for return of Title IV funds testwork from the population of students who had withdrawn, dropped out, or never began attendance that had an incorrectly determined withdrawal date in Summer 2022, the effect of which decreased the amount due from school by $681. B. Untimely Notification of Grant Overpayment to Students and Secretary Los Angeles Southwest College We noted that 2 of 15 students selected for compliance testwork were notified beyond 30 days from the date of the institution?s determination that the student withdrew and owed overpayments as a result of the students? withdrawal. The required notification was submitted to both students 11 days after the institution?s determination date. Los Angeles Trade Technical College We noted that 1 of 15 students selected for compliance testwork was never provided with a Post Withdrawal Disbursement notification. Consequently, no disbursement was made to the student. C. Distance Education Courses - Lack of Formal Process to Determine Accuracy of Student Withdrawal Date For distance education (DE) courses, we noted that the withdrawal date used in the calculation of return to Title IV funds is the actual date the student initiated the withdrawal from the course in the system. The District does not currently have a formal process in place to monitor a student?s active participation in an online class and engagement in academic activities related to a DE course in order to determine the reasonableness and accuracy of the student?s withdrawal date in the system. Causes and Effect: A. Incorrect Calculation of Return of Title IV Funds The incorrect calculation of Return of Title IV (R2T4) funds was caused by human error. Staff failed to create the R2T4 worksheet timely, which could result in disciplinary action taken by the U.S. Department of Education. B. Untimely Notification of Grant Overpayment to Students and Secretary Untimely notification of grant overpayment to students and secretary was caused by human error. FA Technicians failed to send overpayment notifications timely, which may result in untimely return of unearned Title IV funds. Untimely notifications and untimely result of Title IV aid can result in institutional liability and disciplinary action taken by the U.S. Department of Education C. Distance Education Courses - Lack of Formal Process to Determine Accuracy of Student Withdrawal Date The calculation of return to Title IV funds is a complex manual process. An incorrect calculation can result in institutional liability and/or disciplinary action taken by the U.S. Department of Education. Questioned Costs: A. Incorrect Calculation of Return of Title IV Funds See schedule of findings and Questioned Costs The District has a known net overstatement of the amount due from the student of $108 and known net understatement of the amount due from District of ($457). The projected total net understatement of amounts due from both the student and District is $2,358 as follows: See schedule of findings and Questioned Costs This is computed by dividing the errors found in samples per term (Summer term ? net understatement $350 and Fall/Spring terms ? net understatement $0 over the total Pell awards disbursed in the sample size per term (Summer term - $31,869 and Fall/Spring terms - $83,972) multiplied by the total Pell awards disbursed for the identified colleges per term (Summer term - $214,918 and Fall/Spring terms - $3,097,004). The computation is made on a per-term basis on a campus level and not on a district-wide level. The District has a known net overstatement of the post-withdrawal disbursement by $6. Not all students accept post-withdrawal disbursements. As such, questioned cost is not extrapolated. B. Untimely Notification of Grant Overpayment to Students and Secretary Refer to item A. above. C. Distance Education Courses ? Lack of Formal Process to Determine Accuracy of Student Withdrawal Date None. Recommendation: We recommend that the District implement additional controls at the course instructor level to effectively monitor student participation and engagement in academic activities related to DE courses in order for the course instructor to determine the reasonableness and accuracy of a student?s withdrawal date listed in the system. This will help ensure that the withdrawal date used in the calculation of return of title IV funds is accurate. Additionally, we recommend that the District evaluate and improve its existing process and control procedures related to the return of Title IV funds, including notification and return due date requirements. This will help ensure 1) that the returns of Title IV funds are accurately calculated and 2) compliance with the notification and return due date requirements, in accordance with the Uniform Guidance and the Code of Federal Regulation. . Views of Responsible Officials and Planned Corrective Actions: A. Incorrect Calculation of Return of Title IV Funds The student in question has an unusual circumstance because the college canceled the last enrolled class. The student was correctly identified as a withdrawal through an external student information system (SIS) query designed to identify students with unusual circumstances not currently identified by the R2T4 program. Unfortunately, the R2T4 worksheet was not manually added to the SIS due to an inadvertent oversight. We believe this is an isolated incident, but in order to automate the manual process, CFAU requested the Office of Information Technology to incorporate the external query logic into the R2T4 program. The worksheet has been manually added. Note that the internal controls have been substantially strengthened which has reduced the number of students impacted year-over-year. B. Untimely Notification of Grant Overpayment to Students and Secretary The college inadvertently failed to report the student overpayment to NSDLS timely. Due to SIS communication limitations with this last batch for the summer 2022 term, the District was unable to send the notification through SIS and had to send the R2T4 OP notification outside of SIS manually resulting in the late notification. C. Distance Education Courses ? Lack of Formal Process to Determine Accuracy of Student Withdrawal Date With regards to student withdrawal dates as it relates to DE courses, the District will provide communications to all faculty throughout the semester instructing them to assess individual student participation in the class and to exclude students from the class if prior to exclusion deadlines, or drop students if exclusion deadlines have passed. The communications will refer to the Academic Senate guidelines on regular and substantive interaction and use of authentic assessments to ensure that active participation is being effectively evaluated. Communications will be times around core deadlines for enrollment and financial aid processes. The DE Coordinators will be informed of the new standard to supplement the existing required and optional trainings currently provided to teaching faculty. This process will be implemented in Fall 2022. Personnel responsible for implementation: Steve Giorgi Position of responsible personnel: CFAU Financial Aid Manager Expected Date of Implementation: Fall 2022
Finding FA 2022 003: Special Tests and Provision: Gramm Leach Bliley Act Student Information Security Perform Regular Backup Restoration Tests, Improve Server and Network Security, Perform Timely Access Revocation and System Access Review, Strengthen Password Controls ? Optimize Account Lockout Configuration in SAP Database, and Establish and Document Approval of IT Policies and Procedures Federal Program Information Assistance Listing Number: ALN 84.007, 84.033, 84.063, 84.264, 93.364 Federal Program Name: Student Financial Assistance Cluster Federal Agency: U.S. Department of Education Passed Through Entity: N/A Federal Award Number: Various Federal Award Year: July 1, 2021, to June 30, 2022 Compliance Requirement: Special Tests and Provisions ? Gramm Leach Bliley Act ? Student Information Security Criteria or Specific Requirement: Per GLB Act Safeguards Rule, Title 16 CFR Part 314, institutions are required to develop, implement, and maintain a comprehensive information security plan that is written and describes their program to protect sensitive information. In addition to developing their own safeguards, institutions covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard sensitive information in their care. As part of its plan, the institution must: a) Designate an employee or employees to coordinate its information security program. b) Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of student information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromises of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of operations, including: ? Employee training and management; ? Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and ? Detecting, preventing and responding to attacks, intrusions, or other systems failures c) Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures. d) Oversee service providers, by: ? Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the student information at issue; and ? Requiring your service providers by contact to implement and maintain such safeguards. e) Evaluate and adjust your information security program in light of the results of the testing and monitoring required by paragraph (c) of this section; any material changes to your operations or business arrangements; or any other circumstances that you know or have reason to know may have a material impact on your information security program. Also, per sections 501 and 505 (b)(2) of the GLB Act, institutions are required to comply with standards set forth for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of student information. This part applies to all sensitive information in the institution?s possession, regardless of whether such information pertains to individuals with whom the institution has a student relationship or pertains to the students of other financial institutions that have provided such information to the institution. The objectives of section 501(b) of the Act, and of this part, are to: (1) Ensure the security and confidentiality of student information; (2) Protect against any anticipated threats or hazards to the security or integrity of such information; and (3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student. Identified Conditions: A. Perform regular backup restoration tests The District performed a comprehensive Tabletop Disaster Recovery (DR) exercises for both SAP and SIS during the audit period. As part of the exercise, the DR Team simulated a scenario, fully supported with recovery considerations, steps, results, recovery challenges, and key recommendations to improve moving forward ? the exercise was also reviewed and approved by Vice Chancellor and Chief Information Officer. However, a key activity which is the actual backup restoration testing was not performed as part of the tabletop exercise or at any point during the audit period. B. Improve server and network security (Repeat Finding) Server and network security can be further improved. While the District has taken steps on securing systems, we noted the following: i. The latest SAP server vulnerability reports showed one (1) critical and one (1) high vulnerability which remains outstanding since its last scan on September 24, 2022. Based on the vulnerability scan policy, a reasonable effort shall be made to remediate high and critical vulnerabilities within 30 calendar days of discovery. The longer the vulnerability issues remain unaddressed, the higher the security risks that the District faces. ii. We noted that a critical security update for SIS Database Server released on August 9, 2022, was installed on October 16, 2022. Based on the District?s policy, patches designated as "Critical" by the manufacturer must be installed as soon as feasible without introducing instability or impacting service availability of production systems, and no later than thirty days after release. (Repeat finding) iii. We noted that the firewall rules included telnet which can lead to potential sniffing or eavesdropping attacks as the privileged credentials are sent in the network in clear text. This was subsequently removed by IT as of November 2022. C. Perform timely access revocation and system access review (Repeat Finding) Based on test of controls to verify that access of terminated employees are timely removed in Active Directory (AD), SAP, and SIS, we noted that out of the 30 terminated employees selected for testing: i. One (1) user was active in AD ii. Two (2) users were still active in SAP iii. 16 users were still active in SIS Moreover, while a privileged user access review is performed for AD, there is no review performed to check the validity of regular users in AD, and the validity and appropriateness of users in SAP and SIS. The purpose of properly establishing periodic user access review, coupled with limiting and monitoring administrative access within the system, is to ensure management?s understanding of the overall systems operation, its internal workflow requirements, and the segregation of duties within the systems that is required so that employees are not granted excessive, incompatible system access levels and workflow capabilities. D. Strengthen password controls ? optimize account lockout configuration in SAP Database Inspection of password configuration for SAP Database revealed that account lockout duration and threshold are set to unlimited. Based on the District?s password standard, account lockout duration and threshold should be set at 15 minutes and 10 invalid logon attempts, respectively. E. Establish and document approval of IT policies and procedures (Repeat finding) Inspection of IT-related policies and procedures showed the following documentations committed in the prior year, but are still in development as of November 2022: ? Risk Acceptance Process ? Portable Media Restriction Cause and Effect: A. Perform regular backup restoration tests Lack of proper restoration testing may hinder the District to recover its data completely and accurately. B. Improve server and network security Vulnerabilities in the systems may be exploited leading to malicious or unauthorized activities that could impact system and data integrity, or disclosure of confidential or sensitive information. C. Perform timely access revocation and system access review The risk of unauthorized access and security incidents or violations within the systems may occur. Furthermore, unauthorized or inappropriate access in the system increases the risk that unauthorized activities, including viewing and/or disclosure of confidential information, and fraudulent activities may be performed and not be detected and corrected on time. D. Strengthen password controls ? optimize account lockout configuration in SAP Database Inadequate security and password settings may lead to unauthorized access to the relevant IT environment that may result in the processing of unauthorized transactions or viewing of confidential information. E. Establish and document approval of IT policies and procedures With policies and procedures not yet fully reviewed, approved and implemented, the District may face the risk of obsolete operational procedures within the IT function which may result in processes and controls not being consistently performed across teams within the critical IT processes of the organization. As a result, tasks that must be performed regularly to ensure the proper utility of IT resources, protection and confidentiality of data, and system management measures may not be performed. Recommendation: A. Perform regular backup restoration tests Together with the DR tabletop exercises, we recommend that backup restoration tests should be performed at least once per year. Detailed testing schedules should be drafted based on DRP specifications and required restoration of the critical systems. Documentation of such tests should be maintained for full management awareness and approval. B. Improve server and network security To significantly improve security, we recommend that the District should revisit and strictly enforce appropriate and adequate vulnerability and patch management processes and controls. Standard protection measures might not provide ample security due to the rising cases of malware attacks. Proper patch management and updating operating systems of servers is necessary to combat various forms of cyber-attacks. C. Perform timely access revocation and system access review 1. We recommend that Management revoke the access of terminated employees and review the activities performed by those accounts after their termination date to ensure the validity and appropriateness of activities/transactions performed by these accounts, if any. 2. Concurrently, Management should improve the account termination procedures to ensure that access of terminated employees is timely revoked. 3. We also recommend that regular access review is performed and documented (for both regular and privilege users) to ensure that only valid and appropriate users remain in the system. The review may include, but are not limited to the following: a. Document management control over completeness and accuracy of the reports used in the review b. Define designated functions/roles to perform the review c. Monitor timeliness of the performance of the review and execution of corrective actions as a result of the review D. Strengthen password controls ? optimize account lockout configuration in SAP Database To further improve the security of SAP Database, we recommend for the District to align the current password configuration of SAP Database with the District?s password standards. E. Establish and document approval of IT policies and procedures Management should ensure that IT policies and procedures have been adequately developed and approved for the proper guidance and execution of IT functions. Committing the policies and procedures to writing would ensure a higher level of operational compliance and would provide grounds for the District?s action if operational procedures do not meet their objectives. A management review of all policies and procedures should be performed, at least, on an annual basis to ensure the capture of new changes and deletions of processes and technologies. Views of Responsible Officials and Planned Corrective Actions: A. Perform regular backup restoration tests i. The District is planning to complete a backup restoration by the end of Q1 2023. B. Improve server and network security i. The District has completed reviewing the changes needed to address the identified critical vulnerabilities. The vulnerability patch will be applied by the end of the 2022 calendar year. ii. The District completed the high vulnerability patch on November 10, 2022. iii. The District completed the critical patch updates outside of the identified 30 calendar day window due to minimizing substantial business impact. The patching periods fell under the critical business time period. Verbal approval was provided but the District will strictly follow procedure to obtain written authorization from the VC/CIO for delaying the patching. C. Perform timely access revocation and system access review i. The District has undergone a comprehensive discovery of our current environments and scoped out opportunities to optimize the deprovisioning synchronization. This scope has been incorporated into a public solicitation which completed early Fall 2022. Currently, the District awaits board authorization on issuing a professional services contract to begin the effort. The target is to initialize a project in January to automate deprovisioning synchronization of employees across the multiple EPR systems. Meanwhile, regular access reviews of SAP and SIS will be a separate process that will be regularly conducted. The target completion is early Q2 2023. D. Strengthen password controls ? optimize account lockout configuration in SAP Database i. The SAP Database accounts identified are system accounts that are not used for any type of interactive login. The password policy has been applied to interactive login accounts only thus these accounts were not included. The District is currently exploring the feasibility of applying these policies to the system accounts without impact to downstream automated processes. E. Establish and document approval of IT policies and procedures i. The LACCD Office of Information Technology Information Security Team has completed the initial draft of the Operational Protocol for Portable Media, which is currently under review. The OIT anticipates implementation will be completed by March 31, 2023. ii. An Operational Protocol for Risk Acceptance of SIS Permissions requires finalizing a formal Role-Based Access Control (RBAC) model for SIS. This process was delayed due to leadership changes in the Office of Educational Programs and Institutional Effectiveness (EPIE), the main process stakeholder, that occurred during the audit year. The OIT anticipates that the RBAC will be finalized and a Risk Acceptance Process for SIS permissions will be finalized and implemented by June 30, 2023. Personnel responsible for implementation: Carmen V. Lidz Position of responsible personnel: Vice Chancellor & Chief Information Officer
Finding FA 2022-004: Activities Allowed or Unallowed and Allowable Costs / Cost Principles: Expenditures Recorded In Incorrect Period Federal Program Information Federal Catalog Number: ALN 17.268 Federal Program Name: H-1B Job Training Grant Federal Agency: U.S. Department of Labor Passed Through Entity: N/A Federal Award Number: HG-33046-19-60-A-6 Federal Award Year: July 1, 2021 to June 30, 2022 Campus: West Los Angeles College Compliance Requirement: Activities Allowed or Unallowed and Allowable Costs / Cost Principles Criteria or Specific Requirement: Per Title 2, Part 200, Subpart E, ?200.403- Factors affecting allowability of costs, except where otherwise authorized by statute, costs must meet the following general criteria in order to be allowable under Federal awards: (e) Be determined in accordance with generally accepted accounting principles (GAAP), except, for state and local governments and Indian tribes only, as otherwise provided for in this part. Identified Condition: At West Los Angeles College, we noted that 2 out of 25 expenditures sampled were recorded in the incorrect period, for a total of $146,328. The expenditures were related to subrecipient payments that were incurred in fiscal year 2021 but were incorrectly recorded in fiscal year 2022. Causes and Effect: Per inquiry with the District, the cost is still within the program?s period of performance. The grant period is from July 15, 2019 to June 30, 2024. For the year ended June 30, 2021, the program team did not have a monitoring control in place to ensure expenses were recorded in the correct period. As a result, some expenses incurred near the end of the fiscal year are reported in the incorrect period. Questioned Costs: None. Recommendation: We recommend that the District implement a monitoring control that would identify expenditures incurred near the end of the fiscal year and ensure that they are recorded in the proper period. Views of Responsible Officials and Planned Corrective Actions: The Accounting Office will require all program personnel to complete a checklist of all expenditures incurred close to the end of the fiscal year in order to identify any expenditures that need to be accrued. Personnel responsible for implementation: Nyame-Tease Prempeh Position of responsible personnel: Assistant Director of Accounting Date of Implementation: July 1, 2023
Finding FA 2022 003: Special Tests and Provision: Gramm Leach Bliley Act Student Information Security Perform Regular Backup Restoration Tests, Improve Server and Network Security, Perform Timely Access Revocation and System Access Review, Strengthen Password Controls ? Optimize Account Lockout Configuration in SAP Database, and Establish and Document Approval of IT Policies and Procedures Federal Program Information Assistance Listing Number: ALN 84.007, 84.033, 84.063, 84.264, 93.364 Federal Program Name: Student Financial Assistance Cluster Federal Agency: U.S. Department of Education Passed Through Entity: N/A Federal Award Number: Various Federal Award Year: July 1, 2021, to June 30, 2022 Compliance Requirement: Special Tests and Provisions ? Gramm Leach Bliley Act ? Student Information Security Criteria or Specific Requirement: Per GLB Act Safeguards Rule, Title 16 CFR Part 314, institutions are required to develop, implement, and maintain a comprehensive information security plan that is written and describes their program to protect sensitive information. In addition to developing their own safeguards, institutions covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard sensitive information in their care. As part of its plan, the institution must: a) Designate an employee or employees to coordinate its information security program. b) Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of student information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromises of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of operations, including: ? Employee training and management; ? Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and ? Detecting, preventing and responding to attacks, intrusions, or other systems failures c) Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures. d) Oversee service providers, by: ? Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the student information at issue; and ? Requiring your service providers by contact to implement and maintain such safeguards. e) Evaluate and adjust your information security program in light of the results of the testing and monitoring required by paragraph (c) of this section; any material changes to your operations or business arrangements; or any other circumstances that you know or have reason to know may have a material impact on your information security program. Also, per sections 501 and 505 (b)(2) of the GLB Act, institutions are required to comply with standards set forth for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of student information. This part applies to all sensitive information in the institution?s possession, regardless of whether such information pertains to individuals with whom the institution has a student relationship or pertains to the students of other financial institutions that have provided such information to the institution. The objectives of section 501(b) of the Act, and of this part, are to: (1) Ensure the security and confidentiality of student information; (2) Protect against any anticipated threats or hazards to the security or integrity of such information; and (3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student. Identified Conditions: A. Perform regular backup restoration tests The District performed a comprehensive Tabletop Disaster Recovery (DR) exercises for both SAP and SIS during the audit period. As part of the exercise, the DR Team simulated a scenario, fully supported with recovery considerations, steps, results, recovery challenges, and key recommendations to improve moving forward ? the exercise was also reviewed and approved by Vice Chancellor and Chief Information Officer. However, a key activity which is the actual backup restoration testing was not performed as part of the tabletop exercise or at any point during the audit period. B. Improve server and network security (Repeat Finding) Server and network security can be further improved. While the District has taken steps on securing systems, we noted the following: i. The latest SAP server vulnerability reports showed one (1) critical and one (1) high vulnerability which remains outstanding since its last scan on September 24, 2022. Based on the vulnerability scan policy, a reasonable effort shall be made to remediate high and critical vulnerabilities within 30 calendar days of discovery. The longer the vulnerability issues remain unaddressed, the higher the security risks that the District faces. ii. We noted that a critical security update for SIS Database Server released on August 9, 2022, was installed on October 16, 2022. Based on the District?s policy, patches designated as "Critical" by the manufacturer must be installed as soon as feasible without introducing instability or impacting service availability of production systems, and no later than thirty days after release. (Repeat finding) iii. We noted that the firewall rules included telnet which can lead to potential sniffing or eavesdropping attacks as the privileged credentials are sent in the network in clear text. This was subsequently removed by IT as of November 2022. C. Perform timely access revocation and system access review (Repeat Finding) Based on test of controls to verify that access of terminated employees are timely removed in Active Directory (AD), SAP, and SIS, we noted that out of the 30 terminated employees selected for testing: i. One (1) user was active in AD ii. Two (2) users were still active in SAP iii. 16 users were still active in SIS Moreover, while a privileged user access review is performed for AD, there is no review performed to check the validity of regular users in AD, and the validity and appropriateness of users in SAP and SIS. The purpose of properly establishing periodic user access review, coupled with limiting and monitoring administrative access within the system, is to ensure management?s understanding of the overall systems operation, its internal workflow requirements, and the segregation of duties within the systems that is required so that employees are not granted excessive, incompatible system access levels and workflow capabilities. D. Strengthen password controls ? optimize account lockout configuration in SAP Database Inspection of password configuration for SAP Database revealed that account lockout duration and threshold are set to unlimited. Based on the District?s password standard, account lockout duration and threshold should be set at 15 minutes and 10 invalid logon attempts, respectively. E. Establish and document approval of IT policies and procedures (Repeat finding) Inspection of IT-related policies and procedures showed the following documentations committed in the prior year, but are still in development as of November 2022: ? Risk Acceptance Process ? Portable Media Restriction Cause and Effect: A. Perform regular backup restoration tests Lack of proper restoration testing may hinder the District to recover its data completely and accurately. B. Improve server and network security Vulnerabilities in the systems may be exploited leading to malicious or unauthorized activities that could impact system and data integrity, or disclosure of confidential or sensitive information. C. Perform timely access revocation and system access review The risk of unauthorized access and security incidents or violations within the systems may occur. Furthermore, unauthorized or inappropriate access in the system increases the risk that unauthorized activities, including viewing and/or disclosure of confidential information, and fraudulent activities may be performed and not be detected and corrected on time. D. Strengthen password controls ? optimize account lockout configuration in SAP Database Inadequate security and password settings may lead to unauthorized access to the relevant IT environment that may result in the processing of unauthorized transactions or viewing of confidential information. E. Establish and document approval of IT policies and procedures With policies and procedures not yet fully reviewed, approved and implemented, the District may face the risk of obsolete operational procedures within the IT function which may result in processes and controls not being consistently performed across teams within the critical IT processes of the organization. As a result, tasks that must be performed regularly to ensure the proper utility of IT resources, protection and confidentiality of data, and system management measures may not be performed. Recommendation: A. Perform regular backup restoration tests Together with the DR tabletop exercises, we recommend that backup restoration tests should be performed at least once per year. Detailed testing schedules should be drafted based on DRP specifications and required restoration of the critical systems. Documentation of such tests should be maintained for full management awareness and approval. B. Improve server and network security To significantly improve security, we recommend that the District should revisit and strictly enforce appropriate and adequate vulnerability and patch management processes and controls. Standard protection measures might not provide ample security due to the rising cases of malware attacks. Proper patch management and updating operating systems of servers is necessary to combat various forms of cyber-attacks. C. Perform timely access revocation and system access review 1. We recommend that Management revoke the access of terminated employees and review the activities performed by those accounts after their termination date to ensure the validity and appropriateness of activities/transactions performed by these accounts, if any. 2. Concurrently, Management should improve the account termination procedures to ensure that access of terminated employees is timely revoked. 3. We also recommend that regular access review is performed and documented (for both regular and privilege users) to ensure that only valid and appropriate users remain in the system. The review may include, but are not limited to the following: a. Document management control over completeness and accuracy of the reports used in the review b. Define designated functions/roles to perform the review c. Monitor timeliness of the performance of the review and execution of corrective actions as a result of the review D. Strengthen password controls ? optimize account lockout configuration in SAP Database To further improve the security of SAP Database, we recommend for the District to align the current password configuration of SAP Database with the District?s password standards. E. Establish and document approval of IT policies and procedures Management should ensure that IT policies and procedures have been adequately developed and approved for the proper guidance and execution of IT functions. Committing the policies and procedures to writing would ensure a higher level of operational compliance and would provide grounds for the District?s action if operational procedures do not meet their objectives. A management review of all policies and procedures should be performed, at least, on an annual basis to ensure the capture of new changes and deletions of processes and technologies. Views of Responsible Officials and Planned Corrective Actions: A. Perform regular backup restoration tests i. The District is planning to complete a backup restoration by the end of Q1 2023. B. Improve server and network security i. The District has completed reviewing the changes needed to address the identified critical vulnerabilities. The vulnerability patch will be applied by the end of the 2022 calendar year. ii. The District completed the high vulnerability patch on November 10, 2022. iii. The District completed the critical patch updates outside of the identified 30 calendar day window due to minimizing substantial business impact. The patching periods fell under the critical business time period. Verbal approval was provided but the District will strictly follow procedure to obtain written authorization from the VC/CIO for delaying the patching. C. Perform timely access revocation and system access review i. The District has undergone a comprehensive discovery of our current environments and scoped out opportunities to optimize the deprovisioning synchronization. This scope has been incorporated into a public solicitation which completed early Fall 2022. Currently, the District awaits board authorization on issuing a professional services contract to begin the effort. The target is to initialize a project in January to automate deprovisioning synchronization of employees across the multiple EPR systems. Meanwhile, regular access reviews of SAP and SIS will be a separate process that will be regularly conducted. The target completion is early Q2 2023. D. Strengthen password controls ? optimize account lockout configuration in SAP Database i. The SAP Database accounts identified are system accounts that are not used for any type of interactive login. The password policy has been applied to interactive login accounts only thus these accounts were not included. The District is currently exploring the feasibility of applying these policies to the system accounts without impact to downstream automated processes. E. Establish and document approval of IT policies and procedures i. The LACCD Office of Information Technology Information Security Team has completed the initial draft of the Operational Protocol for Portable Media, which is currently under review. The OIT anticipates implementation will be completed by March 31, 2023. ii. An Operational Protocol for Risk Acceptance of SIS Permissions requires finalizing a formal Role-Based Access Control (RBAC) model for SIS. This process was delayed due to leadership changes in the Office of Educational Programs and Institutional Effectiveness (EPIE), the main process stakeholder, that occurred during the audit year. The OIT anticipates that the RBAC will be finalized and a Risk Acceptance Process for SIS permissions will be finalized and implemented by June 30, 2023. Personnel responsible for implementation: Carmen V. Lidz Position of responsible personnel: Vice Chancellor & Chief Information Officer
Finding FA 2022 003: Special Tests and Provision: Gramm Leach Bliley Act Student Information Security Perform Regular Backup Restoration Tests, Improve Server and Network Security, Perform Timely Access Revocation and System Access Review, Strengthen Password Controls ? Optimize Account Lockout Configuration in SAP Database, and Establish and Document Approval of IT Policies and Procedures Federal Program Information Assistance Listing Number: ALN 84.007, 84.033, 84.063, 84.264, 93.364 Federal Program Name: Student Financial Assistance Cluster Federal Agency: U.S. Department of Education Passed Through Entity: N/A Federal Award Number: Various Federal Award Year: July 1, 2021, to June 30, 2022 Compliance Requirement: Special Tests and Provisions ? Gramm Leach Bliley Act ? Student Information Security Criteria or Specific Requirement: Per GLB Act Safeguards Rule, Title 16 CFR Part 314, institutions are required to develop, implement, and maintain a comprehensive information security plan that is written and describes their program to protect sensitive information. In addition to developing their own safeguards, institutions covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard sensitive information in their care. As part of its plan, the institution must: a) Designate an employee or employees to coordinate its information security program. b) Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of student information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromises of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of operations, including: ? Employee training and management; ? Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and ? Detecting, preventing and responding to attacks, intrusions, or other systems failures c) Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures. d) Oversee service providers, by: ? Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the student information at issue; and ? Requiring your service providers by contact to implement and maintain such safeguards. e) Evaluate and adjust your information security program in light of the results of the testing and monitoring required by paragraph (c) of this section; any material changes to your operations or business arrangements; or any other circumstances that you know or have reason to know may have a material impact on your information security program. Also, per sections 501 and 505 (b)(2) of the GLB Act, institutions are required to comply with standards set forth for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of student information. This part applies to all sensitive information in the institution?s possession, regardless of whether such information pertains to individuals with whom the institution has a student relationship or pertains to the students of other financial institutions that have provided such information to the institution. The objectives of section 501(b) of the Act, and of this part, are to: (1) Ensure the security and confidentiality of student information; (2) Protect against any anticipated threats or hazards to the security or integrity of such information; and (3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student. Identified Conditions: A. Perform regular backup restoration tests The District performed a comprehensive Tabletop Disaster Recovery (DR) exercises for both SAP and SIS during the audit period. As part of the exercise, the DR Team simulated a scenario, fully supported with recovery considerations, steps, results, recovery challenges, and key recommendations to improve moving forward ? the exercise was also reviewed and approved by Vice Chancellor and Chief Information Officer. However, a key activity which is the actual backup restoration testing was not performed as part of the tabletop exercise or at any point during the audit period. B. Improve server and network security (Repeat Finding) Server and network security can be further improved. While the District has taken steps on securing systems, we noted the following: i. The latest SAP server vulnerability reports showed one (1) critical and one (1) high vulnerability which remains outstanding since its last scan on September 24, 2022. Based on the vulnerability scan policy, a reasonable effort shall be made to remediate high and critical vulnerabilities within 30 calendar days of discovery. The longer the vulnerability issues remain unaddressed, the higher the security risks that the District faces. ii. We noted that a critical security update for SIS Database Server released on August 9, 2022, was installed on October 16, 2022. Based on the District?s policy, patches designated as "Critical" by the manufacturer must be installed as soon as feasible without introducing instability or impacting service availability of production systems, and no later than thirty days after release. (Repeat finding) iii. We noted that the firewall rules included telnet which can lead to potential sniffing or eavesdropping attacks as the privileged credentials are sent in the network in clear text. This was subsequently removed by IT as of November 2022. C. Perform timely access revocation and system access review (Repeat Finding) Based on test of controls to verify that access of terminated employees are timely removed in Active Directory (AD), SAP, and SIS, we noted that out of the 30 terminated employees selected for testing: i. One (1) user was active in AD ii. Two (2) users were still active in SAP iii. 16 users were still active in SIS Moreover, while a privileged user access review is performed for AD, there is no review performed to check the validity of regular users in AD, and the validity and appropriateness of users in SAP and SIS. The purpose of properly establishing periodic user access review, coupled with limiting and monitoring administrative access within the system, is to ensure management?s understanding of the overall systems operation, its internal workflow requirements, and the segregation of duties within the systems that is required so that employees are not granted excessive, incompatible system access levels and workflow capabilities. D. Strengthen password controls ? optimize account lockout configuration in SAP Database Inspection of password configuration for SAP Database revealed that account lockout duration and threshold are set to unlimited. Based on the District?s password standard, account lockout duration and threshold should be set at 15 minutes and 10 invalid logon attempts, respectively. E. Establish and document approval of IT policies and procedures (Repeat finding) Inspection of IT-related policies and procedures showed the following documentations committed in the prior year, but are still in development as of November 2022: ? Risk Acceptance Process ? Portable Media Restriction Cause and Effect: A. Perform regular backup restoration tests Lack of proper restoration testing may hinder the District to recover its data completely and accurately. B. Improve server and network security Vulnerabilities in the systems may be exploited leading to malicious or unauthorized activities that could impact system and data integrity, or disclosure of confidential or sensitive information. C. Perform timely access revocation and system access review The risk of unauthorized access and security incidents or violations within the systems may occur. Furthermore, unauthorized or inappropriate access in the system increases the risk that unauthorized activities, including viewing and/or disclosure of confidential information, and fraudulent activities may be performed and not be detected and corrected on time. D. Strengthen password controls ? optimize account lockout configuration in SAP Database Inadequate security and password settings may lead to unauthorized access to the relevant IT environment that may result in the processing of unauthorized transactions or viewing of confidential information. E. Establish and document approval of IT policies and procedures With policies and procedures not yet fully reviewed, approved and implemented, the District may face the risk of obsolete operational procedures within the IT function which may result in processes and controls not being consistently performed across teams within the critical IT processes of the organization. As a result, tasks that must be performed regularly to ensure the proper utility of IT resources, protection and confidentiality of data, and system management measures may not be performed. Recommendation: A. Perform regular backup restoration tests Together with the DR tabletop exercises, we recommend that backup restoration tests should be performed at least once per year. Detailed testing schedules should be drafted based on DRP specifications and required restoration of the critical systems. Documentation of such tests should be maintained for full management awareness and approval. B. Improve server and network security To significantly improve security, we recommend that the District should revisit and strictly enforce appropriate and adequate vulnerability and patch management processes and controls. Standard protection measures might not provide ample security due to the rising cases of malware attacks. Proper patch management and updating operating systems of servers is necessary to combat various forms of cyber-attacks. C. Perform timely access revocation and system access review 1. We recommend that Management revoke the access of terminated employees and review the activities performed by those accounts after their termination date to ensure the validity and appropriateness of activities/transactions performed by these accounts, if any. 2. Concurrently, Management should improve the account termination procedures to ensure that access of terminated employees is timely revoked. 3. We also recommend that regular access review is performed and documented (for both regular and privilege users) to ensure that only valid and appropriate users remain in the system. The review may include, but are not limited to the following: a. Document management control over completeness and accuracy of the reports used in the review b. Define designated functions/roles to perform the review c. Monitor timeliness of the performance of the review and execution of corrective actions as a result of the review D. Strengthen password controls ? optimize account lockout configuration in SAP Database To further improve the security of SAP Database, we recommend for the District to align the current password configuration of SAP Database with the District?s password standards. E. Establish and document approval of IT policies and procedures Management should ensure that IT policies and procedures have been adequately developed and approved for the proper guidance and execution of IT functions. Committing the policies and procedures to writing would ensure a higher level of operational compliance and would provide grounds for the District?s action if operational procedures do not meet their objectives. A management review of all policies and procedures should be performed, at least, on an annual basis to ensure the capture of new changes and deletions of processes and technologies. Views of Responsible Officials and Planned Corrective Actions: A. Perform regular backup restoration tests i. The District is planning to complete a backup restoration by the end of Q1 2023. B. Improve server and network security i. The District has completed reviewing the changes needed to address the identified critical vulnerabilities. The vulnerability patch will be applied by the end of the 2022 calendar year. ii. The District completed the high vulnerability patch on November 10, 2022. iii. The District completed the critical patch updates outside of the identified 30 calendar day window due to minimizing substantial business impact. The patching periods fell under the critical business time period. Verbal approval was provided but the District will strictly follow procedure to obtain written authorization from the VC/CIO for delaying the patching. C. Perform timely access revocation and system access review i. The District has undergone a comprehensive discovery of our current environments and scoped out opportunities to optimize the deprovisioning synchronization. This scope has been incorporated into a public solicitation which completed early Fall 2022. Currently, the District awaits board authorization on issuing a professional services contract to begin the effort. The target is to initialize a project in January to automate deprovisioning synchronization of employees across the multiple EPR systems. Meanwhile, regular access reviews of SAP and SIS will be a separate process that will be regularly conducted. The target completion is early Q2 2023. D. Strengthen password controls ? optimize account lockout configuration in SAP Database i. The SAP Database accounts identified are system accounts that are not used for any type of interactive login. The password policy has been applied to interactive login accounts only thus these accounts were not included. The District is currently exploring the feasibility of applying these policies to the system accounts without impact to downstream automated processes. E. Establish and document approval of IT policies and procedures i. The LACCD Office of Information Technology Information Security Team has completed the initial draft of the Operational Protocol for Portable Media, which is currently under review. The OIT anticipates implementation will be completed by March 31, 2023. ii. An Operational Protocol for Risk Acceptance of SIS Permissions requires finalizing a formal Role-Based Access Control (RBAC) model for SIS. This process was delayed due to leadership changes in the Office of Educational Programs and Institutional Effectiveness (EPIE), the main process stakeholder, that occurred during the audit year. The OIT anticipates that the RBAC will be finalized and a Risk Acceptance Process for SIS permissions will be finalized and implemented by June 30, 2023. Personnel responsible for implementation: Carmen V. Lidz Position of responsible personnel: Vice Chancellor & Chief Information Officer
Finding FA 2022 003: Special Tests and Provision: Gramm Leach Bliley Act Student Information Security Perform Regular Backup Restoration Tests, Improve Server and Network Security, Perform Timely Access Revocation and System Access Review, Strengthen Password Controls ? Optimize Account Lockout Configuration in SAP Database, and Establish and Document Approval of IT Policies and Procedures Federal Program Information Assistance Listing Number: ALN 84.007, 84.033, 84.063, 84.264, 93.364 Federal Program Name: Student Financial Assistance Cluster Federal Agency: U.S. Department of Education Passed Through Entity: N/A Federal Award Number: Various Federal Award Year: July 1, 2021, to June 30, 2022 Compliance Requirement: Special Tests and Provisions ? Gramm Leach Bliley Act ? Student Information Security Criteria or Specific Requirement: Per GLB Act Safeguards Rule, Title 16 CFR Part 314, institutions are required to develop, implement, and maintain a comprehensive information security plan that is written and describes their program to protect sensitive information. In addition to developing their own safeguards, institutions covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard sensitive information in their care. As part of its plan, the institution must: a) Designate an employee or employees to coordinate its information security program. b) Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of student information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromises of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of operations, including: ? Employee training and management; ? Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and ? Detecting, preventing and responding to attacks, intrusions, or other systems failures c) Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures. d) Oversee service providers, by: ? Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the student information at issue; and ? Requiring your service providers by contact to implement and maintain such safeguards. e) Evaluate and adjust your information security program in light of the results of the testing and monitoring required by paragraph (c) of this section; any material changes to your operations or business arrangements; or any other circumstances that you know or have reason to know may have a material impact on your information security program. Also, per sections 501 and 505 (b)(2) of the GLB Act, institutions are required to comply with standards set forth for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of student information. This part applies to all sensitive information in the institution?s possession, regardless of whether such information pertains to individuals with whom the institution has a student relationship or pertains to the students of other financial institutions that have provided such information to the institution. The objectives of section 501(b) of the Act, and of this part, are to: (1) Ensure the security and confidentiality of student information; (2) Protect against any anticipated threats or hazards to the security or integrity of such information; and (3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student. Identified Conditions: A. Perform regular backup restoration tests The District performed a comprehensive Tabletop Disaster Recovery (DR) exercises for both SAP and SIS during the audit period. As part of the exercise, the DR Team simulated a scenario, fully supported with recovery considerations, steps, results, recovery challenges, and key recommendations to improve moving forward ? the exercise was also reviewed and approved by Vice Chancellor and Chief Information Officer. However, a key activity which is the actual backup restoration testing was not performed as part of the tabletop exercise or at any point during the audit period. B. Improve server and network security (Repeat Finding) Server and network security can be further improved. While the District has taken steps on securing systems, we noted the following: i. The latest SAP server vulnerability reports showed one (1) critical and one (1) high vulnerability which remains outstanding since its last scan on September 24, 2022. Based on the vulnerability scan policy, a reasonable effort shall be made to remediate high and critical vulnerabilities within 30 calendar days of discovery. The longer the vulnerability issues remain unaddressed, the higher the security risks that the District faces. ii. We noted that a critical security update for SIS Database Server released on August 9, 2022, was installed on October 16, 2022. Based on the District?s policy, patches designated as "Critical" by the manufacturer must be installed as soon as feasible without introducing instability or impacting service availability of production systems, and no later than thirty days after release. (Repeat finding) iii. We noted that the firewall rules included telnet which can lead to potential sniffing or eavesdropping attacks as the privileged credentials are sent in the network in clear text. This was subsequently removed by IT as of November 2022. C. Perform timely access revocation and system access review (Repeat Finding) Based on test of controls to verify that access of terminated employees are timely removed in Active Directory (AD), SAP, and SIS, we noted that out of the 30 terminated employees selected for testing: i. One (1) user was active in AD ii. Two (2) users were still active in SAP iii. 16 users were still active in SIS Moreover, while a privileged user access review is performed for AD, there is no review performed to check the validity of regular users in AD, and the validity and appropriateness of users in SAP and SIS. The purpose of properly establishing periodic user access review, coupled with limiting and monitoring administrative access within the system, is to ensure management?s understanding of the overall systems operation, its internal workflow requirements, and the segregation of duties within the systems that is required so that employees are not granted excessive, incompatible system access levels and workflow capabilities. D. Strengthen password controls ? optimize account lockout configuration in SAP Database Inspection of password configuration for SAP Database revealed that account lockout duration and threshold are set to unlimited. Based on the District?s password standard, account lockout duration and threshold should be set at 15 minutes and 10 invalid logon attempts, respectively. E. Establish and document approval of IT policies and procedures (Repeat finding) Inspection of IT-related policies and procedures showed the following documentations committed in the prior year, but are still in development as of November 2022: ? Risk Acceptance Process ? Portable Media Restriction Cause and Effect: A. Perform regular backup restoration tests Lack of proper restoration testing may hinder the District to recover its data completely and accurately. B. Improve server and network security Vulnerabilities in the systems may be exploited leading to malicious or unauthorized activities that could impact system and data integrity, or disclosure of confidential or sensitive information. C. Perform timely access revocation and system access review The risk of unauthorized access and security incidents or violations within the systems may occur. Furthermore, unauthorized or inappropriate access in the system increases the risk that unauthorized activities, including viewing and/or disclosure of confidential information, and fraudulent activities may be performed and not be detected and corrected on time. D. Strengthen password controls ? optimize account lockout configuration in SAP Database Inadequate security and password settings may lead to unauthorized access to the relevant IT environment that may result in the processing of unauthorized transactions or viewing of confidential information. E. Establish and document approval of IT policies and procedures With policies and procedures not yet fully reviewed, approved and implemented, the District may face the risk of obsolete operational procedures within the IT function which may result in processes and controls not being consistently performed across teams within the critical IT processes of the organization. As a result, tasks that must be performed regularly to ensure the proper utility of IT resources, protection and confidentiality of data, and system management measures may not be performed. Recommendation: A. Perform regular backup restoration tests Together with the DR tabletop exercises, we recommend that backup restoration tests should be performed at least once per year. Detailed testing schedules should be drafted based on DRP specifications and required restoration of the critical systems. Documentation of such tests should be maintained for full management awareness and approval. B. Improve server and network security To significantly improve security, we recommend that the District should revisit and strictly enforce appropriate and adequate vulnerability and patch management processes and controls. Standard protection measures might not provide ample security due to the rising cases of malware attacks. Proper patch management and updating operating systems of servers is necessary to combat various forms of cyber-attacks. C. Perform timely access revocation and system access review 1. We recommend that Management revoke the access of terminated employees and review the activities performed by those accounts after their termination date to ensure the validity and appropriateness of activities/transactions performed by these accounts, if any. 2. Concurrently, Management should improve the account termination procedures to ensure that access of terminated employees is timely revoked. 3. We also recommend that regular access review is performed and documented (for both regular and privilege users) to ensure that only valid and appropriate users remain in the system. The review may include, but are not limited to the following: a. Document management control over completeness and accuracy of the reports used in the review b. Define designated functions/roles to perform the review c. Monitor timeliness of the performance of the review and execution of corrective actions as a result of the review D. Strengthen password controls ? optimize account lockout configuration in SAP Database To further improve the security of SAP Database, we recommend for the District to align the current password configuration of SAP Database with the District?s password standards. E. Establish and document approval of IT policies and procedures Management should ensure that IT policies and procedures have been adequately developed and approved for the proper guidance and execution of IT functions. Committing the policies and procedures to writing would ensure a higher level of operational compliance and would provide grounds for the District?s action if operational procedures do not meet their objectives. A management review of all policies and procedures should be performed, at least, on an annual basis to ensure the capture of new changes and deletions of processes and technologies. Views of Responsible Officials and Planned Corrective Actions: A. Perform regular backup restoration tests i. The District is planning to complete a backup restoration by the end of Q1 2023. B. Improve server and network security i. The District has completed reviewing the changes needed to address the identified critical vulnerabilities. The vulnerability patch will be applied by the end of the 2022 calendar year. ii. The District completed the high vulnerability patch on November 10, 2022. iii. The District completed the critical patch updates outside of the identified 30 calendar day window due to minimizing substantial business impact. The patching periods fell under the critical business time period. Verbal approval was provided but the District will strictly follow procedure to obtain written authorization from the VC/CIO for delaying the patching. C. Perform timely access revocation and system access review i. The District has undergone a comprehensive discovery of our current environments and scoped out opportunities to optimize the deprovisioning synchronization. This scope has been incorporated into a public solicitation which completed early Fall 2022. Currently, the District awaits board authorization on issuing a professional services contract to begin the effort. The target is to initialize a project in January to automate deprovisioning synchronization of employees across the multiple EPR systems. Meanwhile, regular access reviews of SAP and SIS will be a separate process that will be regularly conducted. The target completion is early Q2 2023. D. Strengthen password controls ? optimize account lockout configuration in SAP Database i. The SAP Database accounts identified are system accounts that are not used for any type of interactive login. The password policy has been applied to interactive login accounts only thus these accounts were not included. The District is currently exploring the feasibility of applying these policies to the system accounts without impact to downstream automated processes. E. Establish and document approval of IT policies and procedures i. The LACCD Office of Information Technology Information Security Team has completed the initial draft of the Operational Protocol for Portable Media, which is currently under review. The OIT anticipates implementation will be completed by March 31, 2023. ii. An Operational Protocol for Risk Acceptance of SIS Permissions requires finalizing a formal Role-Based Access Control (RBAC) model for SIS. This process was delayed due to leadership changes in the Office of Educational Programs and Institutional Effectiveness (EPIE), the main process stakeholder, that occurred during the audit year. The OIT anticipates that the RBAC will be finalized and a Risk Acceptance Process for SIS permissions will be finalized and implemented by June 30, 2023. Personnel responsible for implementation: Carmen V. Lidz Position of responsible personnel: Vice Chancellor & Chief Information Officer
Finding FA 2022-001: Eligibility: Incorrect Federal Pell Grant Amounts Awarded (Repeat Finding) Federal Program Information Assistance Listing Number: ALN 84.063 Federal Program Name: Student Financial Assistance Cluster: Federal Pell Grant Program Federal Agency: U.S. Department of Education Passed Through Entity: N/A Federal Award Number: P063P200033 Federal Award Year: July 1, 2021, to June 30, 2022 Campus: Los Angeles City College Compliance Requirement: Eligibility Criteria or Specific Requirement: Per 34 Code of Federal Regulations (CFR) 690.62 Calculation of a Federal Pell Grant, the amount of a student?s Pell Grant for an academic year is based upon the payment and disbursement schedules published by the Secretary for each award year. The Uniform Guidance Compliance Supplement states that the Department of Education provides institutions Payment and Disbursement Schedules for determining Pell awards each year. The Payment or Disbursement Schedule provides the maximum annual amount a student would receive for a full academic year for a given enrollment status, Expected Family Contribution (EFC), and Cost of Attendance (COA). The Payment Schedule is used to determine the annual award for full-time, three-quarter time, half-time, and less-than-half-time students. 2 CFR section 200.303 requires that non-Federal entities receiving Federal awards establish and maintain internal control over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal awards. Identified Condition: Of the 15 students selected for eligibility testwork at Los Angeles City College, we noted that 1 student had an incorrectly calculated Federal Pell grant award, which resulted in an understatement of the disbursement to the student by $419. The student was eligible to receive $419 yet received none in Summer 2020. Causes and Effect: One overpayment was identified during the audit period due to a class withdrawn after Pell disbursement. In addition, the underpayment identified related to the summer term is due to manual processing. The summer term is unique because it requires District staff to manually review Pell awards from two aid years to ensure the student receives the highest award. The process is labor intensive and complex. Incorrect awards can result in institutional liability. Questioned Costs: See schedule of findings and Questioned Costs The District has a known net understatement of Pell grant award disbursements of $419. The projected total net understatement of the Pell grant award disbursements is $117,592 as follows: See schedule of findings and Questioned Costs This is computed by dividing the error found in the samples per term (Summer term ? net underpayment ($419) and Fall/Spring terms ? $0) over the total Pell awards disbursed in the sample size per term (Summer term - $26,361 and Fall/Spring terms - $545,632) multiplied by the total Pell awards disbursed for the identified colleges per term (Summer term - $7,398,149 and Fall/Spring terms - $103,509,698). The computation is made on a per-term basis on a campus level and not on a district-wide level. Recommendation: We recommend that the District make the necessary system modifications to the PeopleSoft Student Information System (SIS) to ensure student awards are properly calculated. This will help ensure that Federal Pell grants are properly awarded to students who meet the eligibility requirements. Views of Responsible Officials and Planned Corrective Actions: The District has already developed an automated summer Pell solution. The solution has been tested by the field and Central Financial Aid Unit (CFAU) and will be implemented Summer 2023. Personnel responsible for implementation: Steve Giorgi Position of responsible personnel: CFAU Financial Aid Manager Expected date of Implementation: Summer 2023
Finding FA 2022-002: Special Tests and Provision: Return of Title IV Funds: Incorrect Calculation of Return of Title IV Funds, Untimely Notification of Grant Overpayment to Students and Secretary, and Distance Education Courses ? Lack of Formal Process to Determine Accuracy of Student Withdrawal Date (Repeat Finding) Federal Program Information Federal Catalog Number: ALN 84.063 and 84.268 Federal Program Name: Student Financial Assistance Cluster: Federal Pell Grant Program Federal Direct Student Loans Federal Agency: U.S. Department of Education Passed Through Entity: N/A Federal Award Number: P063P210033, P063P215263, P063P210034, P063P210658, P063P210035, P063P215261, P063P215260, P063P210036, P063P215262, P268K220033, P268K225263, P268K220034, P268K220658, P268K220035, P268K225261, P268K225260, P268K220036, P268K225262 Federal Award Year: July 1, 2021, to June 30, 2022 Campuses: Los Angeles City College (Repeat Finding) East Los Angeles College Los Angeles Harbor College (Repeat Finding) Los Angeles Mission College Los Angeles Pierce College (Repeat Finding) Los Angeles Southwest College (Repeat Finding) Los Angeles Trade Technical College (Repeat Finding) Los Angeles Valley College (Repeat Finding) West Los Angeles College (Repeat Finding) Compliance Requirement: Special Tests and Provisions ? Return of Title IV Funds Criteria or Specific Requirement: Per 34 Code of Federal Regulations 668.22 Treatments of Title IV Funds. A. When a recipient of Title IV grant or loan assistance withdraws from an institution during a payment period or period of enrollment in which the recipient began attendance, the institution must determine the amount of title IV grant or loan assistance that the student earned as of the student's withdrawal date in accordance with paragraph (e) of 34 Code of Federal Regulations 668.22. Per the Unform Guidance Compliance Supplement: - If an institution is required to take attendance, the withdrawal date is the last date of academic attendance, as determined by the institution from its attendance records. - If an institution is not required to take attendance, the withdrawal date is (1) the date, as determined by the institution, that the student began the withdrawal process prescribed by the institution; (2) the date, as determined by the institution, that the student otherwise provided official notification to the institution, in writing or orally, of his or her intent to withdraw; (3) if the student ceases attendance without providing official notification to the institution of his or her withdrawal, the midpoint of the payment period or, if applicable, the period of enrollment; (4) if the institution determines that a student did not begin the withdrawal process or otherwise notify the institution of the intent to withdraw due to illness, accident, grievous personal loss or other circumstances beyond the student?s control, the date the institution determines is related to that circumstance; (5) if a student does not return from an approved leave of absence, the date that the institution determines the student began the leave of absence; or (6) if the student takes an unapproved leave of absence, the date that the student began the leave of absence. Notwithstanding the above, an institution that is not required to take attendance may use as the withdrawal date, the last date of attendance at an academically related activity as documented by the institution (34 CFR668.22(c) and (l)). Title IV funds may be expended only towards the education of the students who can be proven to have been in attendance at the institution. In a distance education context, documenting that a student has logged into an online distance education platform or system is not sufficient, by itself, to demonstrate attendance by the student. To avoid returning all funds for a student that did not begin attendance, an institution must be able to document ?attendance at any class.? To qualify as a last date of attendance for Return of Title IV purposes, an institution must demonstrate that a student participated in class or was otherwise engaged in an academically related activity, such as by contributing to an online discussion or initiating contact with a faculty member to ask a course-related question. The Uniform Guidance Compliance Supplement requires auditors to identify a sample of students who received Title IV assistance who withdrew, dropped out, or never began attendance during the audit period. Auditors are to review the return of Title IV funds determinations/calculations for conformity with Title IV requirements. B. Within 30 days of the date of the institution?s determination that the student withdrew, an institution must send a notice to any student who owes a title IV, HEA grant overpayment as a result of the student?s withdrawal from the institution in order to recover the overpayment in accordance with paragraph (h)(4)(i) of this section. An institution must refer to the Secretary, in accordance with procedures required by the Secretary, an overpayment of Title IV, HEA grant funds owed by a student as a result of the student?s withdrawal from the institution if? (A) The student does not repay the overpayment in full to the institution, or enter a repayment agreement with the institution or the Secretary in accordance with paragraph (h)(4)(i) of this section within the earlier of 45 days from the date the institution sends a notification to the student of the overpayment or 45 days from the date the institution was required to notify the student of the overpayment; C. For an institution that is not required to take attendance, an institution must determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the (1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew. D. The institution must disburse directly to a student any amount of a post-withdrawal disbursement of grant funds that is not credited to the student's account. The institution must make the disbursement as soon as possible, but no later than 45 days after the date of the institution's determination that the student withdrew, as defined in paragraph (l)(3) of this section. E. Title IV funds may be expended only towards the education of the students who can be proven to have been in attendance at the institution. In a distance education context, documenting that a student has logged into an online distance education platform or system is not sufficient, by itself, to demonstrate attendance by the student. To avoid returning all funds for a student that did not begin attendance, an institution must be able to document ?attendance at any class.? To qualify as a last date of attendance for Return of Title IV purposes, an institution must demonstrate that a student participated in class or was otherwise engaged in an academically related activity, such as by contributing to an online discussion or initiating contact with a faculty member to ask a course-related question. Per 668.173 Refund reserve standards. A. In accordance with procedures established by the Secretary or FFEL Program lender, an institution returns unearned title IV, HEA program funds timely if? 1) The institution deposits or transfers the funds into the bank account it maintains under ?668.163 no later than 45 days after the date it determines that the student withdrew; 2) The institution initiates an electronic funds transfer (EFT) no later than 45 days after the date it determines that the student withdrew; 3) The institution initiates an electronic transaction, no later than 45 days after the date it determines that the student withdrew, that informs an FFEL lender to adjust the borrower?s loan account for the amount returned; or 4) The institution issues a check no later than 45 days after the date it determines that the student withdrew. An institution does not satisfy this requirement if? i. The institution?s records show that the check was issued more than 45 days after the date the institution determined that the student withdrew; or ii. The date on the canceled check shows that the bank used by the Secretary or FFEL Program lender endorsed that check more than 60 days after the date the institution determined that the student withdrew. Identified Condition: Summary No. Identified Condition Campus A. B. Incorrect Calculation of Return of Title IV Funds Untimely Notification of Grant Overpayment to Students and Secretary West Los Angeles College Los Angeles Southwest College Los Angeles Trade Technical College C. Distance Education Courses - Lack of Formal Process to Determine Accuracy of Student Withdrawal Date Los Angeles City College East Los Angeles College Los Angeles Harbor College Los Angeles Mission College Los Angeles Pierce College Los Angeles Southwest College Los Angeles Trade Technical College Los Angeles Valley College West Los Angeles College Description A. Incorrect Calculation of Return of Title IV Funds West Los Angeles College We noted 1 of 15 students selected for return of Title IV funds testwork from the population of students who had withdrawn, dropped out, or never began attendance that had an incorrectly determined withdrawal date in Summer 2022, the effect of which decreased the amount due from school by $681. B. Untimely Notification of Grant Overpayment to Students and Secretary Los Angeles Southwest College We noted that 2 of 15 students selected for compliance testwork were notified beyond 30 days from the date of the institution?s determination that the student withdrew and owed overpayments as a result of the students? withdrawal. The required notification was submitted to both students 11 days after the institution?s determination date. Los Angeles Trade Technical College We noted that 1 of 15 students selected for compliance testwork was never provided with a Post Withdrawal Disbursement notification. Consequently, no disbursement was made to the student. C. Distance Education Courses - Lack of Formal Process to Determine Accuracy of Student Withdrawal Date For distance education (DE) courses, we noted that the withdrawal date used in the calculation of return to Title IV funds is the actual date the student initiated the withdrawal from the course in the system. The District does not currently have a formal process in place to monitor a student?s active participation in an online class and engagement in academic activities related to a DE course in order to determine the reasonableness and accuracy of the student?s withdrawal date in the system. Causes and Effect: A. Incorrect Calculation of Return of Title IV Funds The incorrect calculation of Return of Title IV (R2T4) funds was caused by human error. Staff failed to create the R2T4 worksheet timely, which could result in disciplinary action taken by the U.S. Department of Education. B. Untimely Notification of Grant Overpayment to Students and Secretary Untimely notification of grant overpayment to students and secretary was caused by human error. FA Technicians failed to send overpayment notifications timely, which may result in untimely return of unearned Title IV funds. Untimely notifications and untimely result of Title IV aid can result in institutional liability and disciplinary action taken by the U.S. Department of Education C. Distance Education Courses - Lack of Formal Process to Determine Accuracy of Student Withdrawal Date The calculation of return to Title IV funds is a complex manual process. An incorrect calculation can result in institutional liability and/or disciplinary action taken by the U.S. Department of Education. Questioned Costs: A. Incorrect Calculation of Return of Title IV Funds See schedule of findings and Questioned Costs The District has a known net overstatement of the amount due from the student of $108 and known net understatement of the amount due from District of ($457). The projected total net understatement of amounts due from both the student and District is $2,358 as follows: See schedule of findings and Questioned Costs This is computed by dividing the errors found in samples per term (Summer term ? net understatement $350 and Fall/Spring terms ? net understatement $0 over the total Pell awards disbursed in the sample size per term (Summer term - $31,869 and Fall/Spring terms - $83,972) multiplied by the total Pell awards disbursed for the identified colleges per term (Summer term - $214,918 and Fall/Spring terms - $3,097,004). The computation is made on a per-term basis on a campus level and not on a district-wide level. The District has a known net overstatement of the post-withdrawal disbursement by $6. Not all students accept post-withdrawal disbursements. As such, questioned cost is not extrapolated. B. Untimely Notification of Grant Overpayment to Students and Secretary Refer to item A. above. C. Distance Education Courses ? Lack of Formal Process to Determine Accuracy of Student Withdrawal Date None. Recommendation: We recommend that the District implement additional controls at the course instructor level to effectively monitor student participation and engagement in academic activities related to DE courses in order for the course instructor to determine the reasonableness and accuracy of a student?s withdrawal date listed in the system. This will help ensure that the withdrawal date used in the calculation of return of title IV funds is accurate. Additionally, we recommend that the District evaluate and improve its existing process and control procedures related to the return of Title IV funds, including notification and return due date requirements. This will help ensure 1) that the returns of Title IV funds are accurately calculated and 2) compliance with the notification and return due date requirements, in accordance with the Uniform Guidance and the Code of Federal Regulation. . Views of Responsible Officials and Planned Corrective Actions: A. Incorrect Calculation of Return of Title IV Funds The student in question has an unusual circumstance because the college canceled the last enrolled class. The student was correctly identified as a withdrawal through an external student information system (SIS) query designed to identify students with unusual circumstances not currently identified by the R2T4 program. Unfortunately, the R2T4 worksheet was not manually added to the SIS due to an inadvertent oversight. We believe this is an isolated incident, but in order to automate the manual process, CFAU requested the Office of Information Technology to incorporate the external query logic into the R2T4 program. The worksheet has been manually added. Note that the internal controls have been substantially strengthened which has reduced the number of students impacted year-over-year. B. Untimely Notification of Grant Overpayment to Students and Secretary The college inadvertently failed to report the student overpayment to NSDLS timely. Due to SIS communication limitations with this last batch for the summer 2022 term, the District was unable to send the notification through SIS and had to send the R2T4 OP notification outside of SIS manually resulting in the late notification. C. Distance Education Courses ? Lack of Formal Process to Determine Accuracy of Student Withdrawal Date With regards to student withdrawal dates as it relates to DE courses, the District will provide communications to all faculty throughout the semester instructing them to assess individual student participation in the class and to exclude students from the class if prior to exclusion deadlines, or drop students if exclusion deadlines have passed. The communications will refer to the Academic Senate guidelines on regular and substantive interaction and use of authentic assessments to ensure that active participation is being effectively evaluated. Communications will be times around core deadlines for enrollment and financial aid processes. The DE Coordinators will be informed of the new standard to supplement the existing required and optional trainings currently provided to teaching faculty. This process will be implemented in Fall 2022. Personnel responsible for implementation: Steve Giorgi Position of responsible personnel: CFAU Financial Aid Manager Expected Date of Implementation: Fall 2022
Finding FA 2022 003: Special Tests and Provision: Gramm Leach Bliley Act Student Information Security Perform Regular Backup Restoration Tests, Improve Server and Network Security, Perform Timely Access Revocation and System Access Review, Strengthen Password Controls ? Optimize Account Lockout Configuration in SAP Database, and Establish and Document Approval of IT Policies and Procedures Federal Program Information Assistance Listing Number: ALN 84.007, 84.033, 84.063, 84.264, 93.364 Federal Program Name: Student Financial Assistance Cluster Federal Agency: U.S. Department of Education Passed Through Entity: N/A Federal Award Number: Various Federal Award Year: July 1, 2021, to June 30, 2022 Compliance Requirement: Special Tests and Provisions ? Gramm Leach Bliley Act ? Student Information Security Criteria or Specific Requirement: Per GLB Act Safeguards Rule, Title 16 CFR Part 314, institutions are required to develop, implement, and maintain a comprehensive information security plan that is written and describes their program to protect sensitive information. In addition to developing their own safeguards, institutions covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard sensitive information in their care. As part of its plan, the institution must: a) Designate an employee or employees to coordinate its information security program. b) Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of student information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromises of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of operations, including: ? Employee training and management; ? Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and ? Detecting, preventing and responding to attacks, intrusions, or other systems failures c) Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures. d) Oversee service providers, by: ? Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the student information at issue; and ? Requiring your service providers by contact to implement and maintain such safeguards. e) Evaluate and adjust your information security program in light of the results of the testing and monitoring required by paragraph (c) of this section; any material changes to your operations or business arrangements; or any other circumstances that you know or have reason to know may have a material impact on your information security program. Also, per sections 501 and 505 (b)(2) of the GLB Act, institutions are required to comply with standards set forth for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of student information. This part applies to all sensitive information in the institution?s possession, regardless of whether such information pertains to individuals with whom the institution has a student relationship or pertains to the students of other financial institutions that have provided such information to the institution. The objectives of section 501(b) of the Act, and of this part, are to: (1) Ensure the security and confidentiality of student information; (2) Protect against any anticipated threats or hazards to the security or integrity of such information; and (3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student. Identified Conditions: A. Perform regular backup restoration tests The District performed a comprehensive Tabletop Disaster Recovery (DR) exercises for both SAP and SIS during the audit period. As part of the exercise, the DR Team simulated a scenario, fully supported with recovery considerations, steps, results, recovery challenges, and key recommendations to improve moving forward ? the exercise was also reviewed and approved by Vice Chancellor and Chief Information Officer. However, a key activity which is the actual backup restoration testing was not performed as part of the tabletop exercise or at any point during the audit period. B. Improve server and network security (Repeat Finding) Server and network security can be further improved. While the District has taken steps on securing systems, we noted the following: i. The latest SAP server vulnerability reports showed one (1) critical and one (1) high vulnerability which remains outstanding since its last scan on September 24, 2022. Based on the vulnerability scan policy, a reasonable effort shall be made to remediate high and critical vulnerabilities within 30 calendar days of discovery. The longer the vulnerability issues remain unaddressed, the higher the security risks that the District faces. ii. We noted that a critical security update for SIS Database Server released on August 9, 2022, was installed on October 16, 2022. Based on the District?s policy, patches designated as "Critical" by the manufacturer must be installed as soon as feasible without introducing instability or impacting service availability of production systems, and no later than thirty days after release. (Repeat finding) iii. We noted that the firewall rules included telnet which can lead to potential sniffing or eavesdropping attacks as the privileged credentials are sent in the network in clear text. This was subsequently removed by IT as of November 2022. C. Perform timely access revocation and system access review (Repeat Finding) Based on test of controls to verify that access of terminated employees are timely removed in Active Directory (AD), SAP, and SIS, we noted that out of the 30 terminated employees selected for testing: i. One (1) user was active in AD ii. Two (2) users were still active in SAP iii. 16 users were still active in SIS Moreover, while a privileged user access review is performed for AD, there is no review performed to check the validity of regular users in AD, and the validity and appropriateness of users in SAP and SIS. The purpose of properly establishing periodic user access review, coupled with limiting and monitoring administrative access within the system, is to ensure management?s understanding of the overall systems operation, its internal workflow requirements, and the segregation of duties within the systems that is required so that employees are not granted excessive, incompatible system access levels and workflow capabilities. D. Strengthen password controls ? optimize account lockout configuration in SAP Database Inspection of password configuration for SAP Database revealed that account lockout duration and threshold are set to unlimited. Based on the District?s password standard, account lockout duration and threshold should be set at 15 minutes and 10 invalid logon attempts, respectively. E. Establish and document approval of IT policies and procedures (Repeat finding) Inspection of IT-related policies and procedures showed the following documentations committed in the prior year, but are still in development as of November 2022: ? Risk Acceptance Process ? Portable Media Restriction Cause and Effect: A. Perform regular backup restoration tests Lack of proper restoration testing may hinder the District to recover its data completely and accurately. B. Improve server and network security Vulnerabilities in the systems may be exploited leading to malicious or unauthorized activities that could impact system and data integrity, or disclosure of confidential or sensitive information. C. Perform timely access revocation and system access review The risk of unauthorized access and security incidents or violations within the systems may occur. Furthermore, unauthorized or inappropriate access in the system increases the risk that unauthorized activities, including viewing and/or disclosure of confidential information, and fraudulent activities may be performed and not be detected and corrected on time. D. Strengthen password controls ? optimize account lockout configuration in SAP Database Inadequate security and password settings may lead to unauthorized access to the relevant IT environment that may result in the processing of unauthorized transactions or viewing of confidential information. E. Establish and document approval of IT policies and procedures With policies and procedures not yet fully reviewed, approved and implemented, the District may face the risk of obsolete operational procedures within the IT function which may result in processes and controls not being consistently performed across teams within the critical IT processes of the organization. As a result, tasks that must be performed regularly to ensure the proper utility of IT resources, protection and confidentiality of data, and system management measures may not be performed. Recommendation: A. Perform regular backup restoration tests Together with the DR tabletop exercises, we recommend that backup restoration tests should be performed at least once per year. Detailed testing schedules should be drafted based on DRP specifications and required restoration of the critical systems. Documentation of such tests should be maintained for full management awareness and approval. B. Improve server and network security To significantly improve security, we recommend that the District should revisit and strictly enforce appropriate and adequate vulnerability and patch management processes and controls. Standard protection measures might not provide ample security due to the rising cases of malware attacks. Proper patch management and updating operating systems of servers is necessary to combat various forms of cyber-attacks. C. Perform timely access revocation and system access review 1. We recommend that Management revoke the access of terminated employees and review the activities performed by those accounts after their termination date to ensure the validity and appropriateness of activities/transactions performed by these accounts, if any. 2. Concurrently, Management should improve the account termination procedures to ensure that access of terminated employees is timely revoked. 3. We also recommend that regular access review is performed and documented (for both regular and privilege users) to ensure that only valid and appropriate users remain in the system. The review may include, but are not limited to the following: a. Document management control over completeness and accuracy of the reports used in the review b. Define designated functions/roles to perform the review c. Monitor timeliness of the performance of the review and execution of corrective actions as a result of the review D. Strengthen password controls ? optimize account lockout configuration in SAP Database To further improve the security of SAP Database, we recommend for the District to align the current password configuration of SAP Database with the District?s password standards. E. Establish and document approval of IT policies and procedures Management should ensure that IT policies and procedures have been adequately developed and approved for the proper guidance and execution of IT functions. Committing the policies and procedures to writing would ensure a higher level of operational compliance and would provide grounds for the District?s action if operational procedures do not meet their objectives. A management review of all policies and procedures should be performed, at least, on an annual basis to ensure the capture of new changes and deletions of processes and technologies. Views of Responsible Officials and Planned Corrective Actions: A. Perform regular backup restoration tests i. The District is planning to complete a backup restoration by the end of Q1 2023. B. Improve server and network security i. The District has completed reviewing the changes needed to address the identified critical vulnerabilities. The vulnerability patch will be applied by the end of the 2022 calendar year. ii. The District completed the high vulnerability patch on November 10, 2022. iii. The District completed the critical patch updates outside of the identified 30 calendar day window due to minimizing substantial business impact. The patching periods fell under the critical business time period. Verbal approval was provided but the District will strictly follow procedure to obtain written authorization from the VC/CIO for delaying the patching. C. Perform timely access revocation and system access review i. The District has undergone a comprehensive discovery of our current environments and scoped out opportunities to optimize the deprovisioning synchronization. This scope has been incorporated into a public solicitation which completed early Fall 2022. Currently, the District awaits board authorization on issuing a professional services contract to begin the effort. The target is to initialize a project in January to automate deprovisioning synchronization of employees across the multiple EPR systems. Meanwhile, regular access reviews of SAP and SIS will be a separate process that will be regularly conducted. The target completion is early Q2 2023. D. Strengthen password controls ? optimize account lockout configuration in SAP Database i. The SAP Database accounts identified are system accounts that are not used for any type of interactive login. The password policy has been applied to interactive login accounts only thus these accounts were not included. The District is currently exploring the feasibility of applying these policies to the system accounts without impact to downstream automated processes. E. Establish and document approval of IT policies and procedures i. The LACCD Office of Information Technology Information Security Team has completed the initial draft of the Operational Protocol for Portable Media, which is currently under review. The OIT anticipates implementation will be completed by March 31, 2023. ii. An Operational Protocol for Risk Acceptance of SIS Permissions requires finalizing a formal Role-Based Access Control (RBAC) model for SIS. This process was delayed due to leadership changes in the Office of Educational Programs and Institutional Effectiveness (EPIE), the main process stakeholder, that occurred during the audit year. The OIT anticipates that the RBAC will be finalized and a Risk Acceptance Process for SIS permissions will be finalized and implemented by June 30, 2023. Personnel responsible for implementation: Carmen V. Lidz Position of responsible personnel: Vice Chancellor & Chief Information Officer
Finding FA 2022-002: Special Tests and Provision: Return of Title IV Funds: Incorrect Calculation of Return of Title IV Funds, Untimely Notification of Grant Overpayment to Students and Secretary, and Distance Education Courses ? Lack of Formal Process to Determine Accuracy of Student Withdrawal Date (Repeat Finding) Federal Program Information Federal Catalog Number: ALN 84.063 and 84.268 Federal Program Name: Student Financial Assistance Cluster: Federal Pell Grant Program Federal Direct Student Loans Federal Agency: U.S. Department of Education Passed Through Entity: N/A Federal Award Number: P063P210033, P063P215263, P063P210034, P063P210658, P063P210035, P063P215261, P063P215260, P063P210036, P063P215262, P268K220033, P268K225263, P268K220034, P268K220658, P268K220035, P268K225261, P268K225260, P268K220036, P268K225262 Federal Award Year: July 1, 2021, to June 30, 2022 Campuses: Los Angeles City College (Repeat Finding) East Los Angeles College Los Angeles Harbor College (Repeat Finding) Los Angeles Mission College Los Angeles Pierce College (Repeat Finding) Los Angeles Southwest College (Repeat Finding) Los Angeles Trade Technical College (Repeat Finding) Los Angeles Valley College (Repeat Finding) West Los Angeles College (Repeat Finding) Compliance Requirement: Special Tests and Provisions ? Return of Title IV Funds Criteria or Specific Requirement: Per 34 Code of Federal Regulations 668.22 Treatments of Title IV Funds. A. When a recipient of Title IV grant or loan assistance withdraws from an institution during a payment period or period of enrollment in which the recipient began attendance, the institution must determine the amount of title IV grant or loan assistance that the student earned as of the student's withdrawal date in accordance with paragraph (e) of 34 Code of Federal Regulations 668.22. Per the Unform Guidance Compliance Supplement: - If an institution is required to take attendance, the withdrawal date is the last date of academic attendance, as determined by the institution from its attendance records. - If an institution is not required to take attendance, the withdrawal date is (1) the date, as determined by the institution, that the student began the withdrawal process prescribed by the institution; (2) the date, as determined by the institution, that the student otherwise provided official notification to the institution, in writing or orally, of his or her intent to withdraw; (3) if the student ceases attendance without providing official notification to the institution of his or her withdrawal, the midpoint of the payment period or, if applicable, the period of enrollment; (4) if the institution determines that a student did not begin the withdrawal process or otherwise notify the institution of the intent to withdraw due to illness, accident, grievous personal loss or other circumstances beyond the student?s control, the date the institution determines is related to that circumstance; (5) if a student does not return from an approved leave of absence, the date that the institution determines the student began the leave of absence; or (6) if the student takes an unapproved leave of absence, the date that the student began the leave of absence. Notwithstanding the above, an institution that is not required to take attendance may use as the withdrawal date, the last date of attendance at an academically related activity as documented by the institution (34 CFR668.22(c) and (l)). Title IV funds may be expended only towards the education of the students who can be proven to have been in attendance at the institution. In a distance education context, documenting that a student has logged into an online distance education platform or system is not sufficient, by itself, to demonstrate attendance by the student. To avoid returning all funds for a student that did not begin attendance, an institution must be able to document ?attendance at any class.? To qualify as a last date of attendance for Return of Title IV purposes, an institution must demonstrate that a student participated in class or was otherwise engaged in an academically related activity, such as by contributing to an online discussion or initiating contact with a faculty member to ask a course-related question. The Uniform Guidance Compliance Supplement requires auditors to identify a sample of students who received Title IV assistance who withdrew, dropped out, or never began attendance during the audit period. Auditors are to review the return of Title IV funds determinations/calculations for conformity with Title IV requirements. B. Within 30 days of the date of the institution?s determination that the student withdrew, an institution must send a notice to any student who owes a title IV, HEA grant overpayment as a result of the student?s withdrawal from the institution in order to recover the overpayment in accordance with paragraph (h)(4)(i) of this section. An institution must refer to the Secretary, in accordance with procedures required by the Secretary, an overpayment of Title IV, HEA grant funds owed by a student as a result of the student?s withdrawal from the institution if? (A) The student does not repay the overpayment in full to the institution, or enter a repayment agreement with the institution or the Secretary in accordance with paragraph (h)(4)(i) of this section within the earlier of 45 days from the date the institution sends a notification to the student of the overpayment or 45 days from the date the institution was required to notify the student of the overpayment; C. For an institution that is not required to take attendance, an institution must determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the (1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew. D. The institution must disburse directly to a student any amount of a post-withdrawal disbursement of grant funds that is not credited to the student's account. The institution must make the disbursement as soon as possible, but no later than 45 days after the date of the institution's determination that the student withdrew, as defined in paragraph (l)(3) of this section. E. Title IV funds may be expended only towards the education of the students who can be proven to have been in attendance at the institution. In a distance education context, documenting that a student has logged into an online distance education platform or system is not sufficient, by itself, to demonstrate attendance by the student. To avoid returning all funds for a student that did not begin attendance, an institution must be able to document ?attendance at any class.? To qualify as a last date of attendance for Return of Title IV purposes, an institution must demonstrate that a student participated in class or was otherwise engaged in an academically related activity, such as by contributing to an online discussion or initiating contact with a faculty member to ask a course-related question. Per 668.173 Refund reserve standards. A. In accordance with procedures established by the Secretary or FFEL Program lender, an institution returns unearned title IV, HEA program funds timely if? 1) The institution deposits or transfers the funds into the bank account it maintains under ?668.163 no later than 45 days after the date it determines that the student withdrew; 2) The institution initiates an electronic funds transfer (EFT) no later than 45 days after the date it determines that the student withdrew; 3) The institution initiates an electronic transaction, no later than 45 days after the date it determines that the student withdrew, that informs an FFEL lender to adjust the borrower?s loan account for the amount returned; or 4) The institution issues a check no later than 45 days after the date it determines that the student withdrew. An institution does not satisfy this requirement if? i. The institution?s records show that the check was issued more than 45 days after the date the institution determined that the student withdrew; or ii. The date on the canceled check shows that the bank used by the Secretary or FFEL Program lender endorsed that check more than 60 days after the date the institution determined that the student withdrew. Identified Condition: Summary No. Identified Condition Campus A. B. Incorrect Calculation of Return of Title IV Funds Untimely Notification of Grant Overpayment to Students and Secretary West Los Angeles College Los Angeles Southwest College Los Angeles Trade Technical College C. Distance Education Courses - Lack of Formal Process to Determine Accuracy of Student Withdrawal Date Los Angeles City College East Los Angeles College Los Angeles Harbor College Los Angeles Mission College Los Angeles Pierce College Los Angeles Southwest College Los Angeles Trade Technical College Los Angeles Valley College West Los Angeles College Description A. Incorrect Calculation of Return of Title IV Funds West Los Angeles College We noted 1 of 15 students selected for return of Title IV funds testwork from the population of students who had withdrawn, dropped out, or never began attendance that had an incorrectly determined withdrawal date in Summer 2022, the effect of which decreased the amount due from school by $681. B. Untimely Notification of Grant Overpayment to Students and Secretary Los Angeles Southwest College We noted that 2 of 15 students selected for compliance testwork were notified beyond 30 days from the date of the institution?s determination that the student withdrew and owed overpayments as a result of the students? withdrawal. The required notification was submitted to both students 11 days after the institution?s determination date. Los Angeles Trade Technical College We noted that 1 of 15 students selected for compliance testwork was never provided with a Post Withdrawal Disbursement notification. Consequently, no disbursement was made to the student. C. Distance Education Courses - Lack of Formal Process to Determine Accuracy of Student Withdrawal Date For distance education (DE) courses, we noted that the withdrawal date used in the calculation of return to Title IV funds is the actual date the student initiated the withdrawal from the course in the system. The District does not currently have a formal process in place to monitor a student?s active participation in an online class and engagement in academic activities related to a DE course in order to determine the reasonableness and accuracy of the student?s withdrawal date in the system. Causes and Effect: A. Incorrect Calculation of Return of Title IV Funds The incorrect calculation of Return of Title IV (R2T4) funds was caused by human error. Staff failed to create the R2T4 worksheet timely, which could result in disciplinary action taken by the U.S. Department of Education. B. Untimely Notification of Grant Overpayment to Students and Secretary Untimely notification of grant overpayment to students and secretary was caused by human error. FA Technicians failed to send overpayment notifications timely, which may result in untimely return of unearned Title IV funds. Untimely notifications and untimely result of Title IV aid can result in institutional liability and disciplinary action taken by the U.S. Department of Education C. Distance Education Courses - Lack of Formal Process to Determine Accuracy of Student Withdrawal Date The calculation of return to Title IV funds is a complex manual process. An incorrect calculation can result in institutional liability and/or disciplinary action taken by the U.S. Department of Education. Questioned Costs: A. Incorrect Calculation of Return of Title IV Funds See schedule of findings and Questioned Costs The District has a known net overstatement of the amount due from the student of $108 and known net understatement of the amount due from District of ($457). The projected total net understatement of amounts due from both the student and District is $2,358 as follows: See schedule of findings and Questioned Costs This is computed by dividing the errors found in samples per term (Summer term ? net understatement $350 and Fall/Spring terms ? net understatement $0 over the total Pell awards disbursed in the sample size per term (Summer term - $31,869 and Fall/Spring terms - $83,972) multiplied by the total Pell awards disbursed for the identified colleges per term (Summer term - $214,918 and Fall/Spring terms - $3,097,004). The computation is made on a per-term basis on a campus level and not on a district-wide level. The District has a known net overstatement of the post-withdrawal disbursement by $6. Not all students accept post-withdrawal disbursements. As such, questioned cost is not extrapolated. B. Untimely Notification of Grant Overpayment to Students and Secretary Refer to item A. above. C. Distance Education Courses ? Lack of Formal Process to Determine Accuracy of Student Withdrawal Date None. Recommendation: We recommend that the District implement additional controls at the course instructor level to effectively monitor student participation and engagement in academic activities related to DE courses in order for the course instructor to determine the reasonableness and accuracy of a student?s withdrawal date listed in the system. This will help ensure that the withdrawal date used in the calculation of return of title IV funds is accurate. Additionally, we recommend that the District evaluate and improve its existing process and control procedures related to the return of Title IV funds, including notification and return due date requirements. This will help ensure 1) that the returns of Title IV funds are accurately calculated and 2) compliance with the notification and return due date requirements, in accordance with the Uniform Guidance and the Code of Federal Regulation. . Views of Responsible Officials and Planned Corrective Actions: A. Incorrect Calculation of Return of Title IV Funds The student in question has an unusual circumstance because the college canceled the last enrolled class. The student was correctly identified as a withdrawal through an external student information system (SIS) query designed to identify students with unusual circumstances not currently identified by the R2T4 program. Unfortunately, the R2T4 worksheet was not manually added to the SIS due to an inadvertent oversight. We believe this is an isolated incident, but in order to automate the manual process, CFAU requested the Office of Information Technology to incorporate the external query logic into the R2T4 program. The worksheet has been manually added. Note that the internal controls have been substantially strengthened which has reduced the number of students impacted year-over-year. B. Untimely Notification of Grant Overpayment to Students and Secretary The college inadvertently failed to report the student overpayment to NSDLS timely. Due to SIS communication limitations with this last batch for the summer 2022 term, the District was unable to send the notification through SIS and had to send the R2T4 OP notification outside of SIS manually resulting in the late notification. C. Distance Education Courses ? Lack of Formal Process to Determine Accuracy of Student Withdrawal Date With regards to student withdrawal dates as it relates to DE courses, the District will provide communications to all faculty throughout the semester instructing them to assess individual student participation in the class and to exclude students from the class if prior to exclusion deadlines, or drop students if exclusion deadlines have passed. The communications will refer to the Academic Senate guidelines on regular and substantive interaction and use of authentic assessments to ensure that active participation is being effectively evaluated. Communications will be times around core deadlines for enrollment and financial aid processes. The DE Coordinators will be informed of the new standard to supplement the existing required and optional trainings currently provided to teaching faculty. This process will be implemented in Fall 2022. Personnel responsible for implementation: Steve Giorgi Position of responsible personnel: CFAU Financial Aid Manager Expected Date of Implementation: Fall 2022
Finding FA 2022 003: Special Tests and Provision: Gramm Leach Bliley Act Student Information Security Perform Regular Backup Restoration Tests, Improve Server and Network Security, Perform Timely Access Revocation and System Access Review, Strengthen Password Controls ? Optimize Account Lockout Configuration in SAP Database, and Establish and Document Approval of IT Policies and Procedures Federal Program Information Assistance Listing Number: ALN 84.007, 84.033, 84.063, 84.264, 93.364 Federal Program Name: Student Financial Assistance Cluster Federal Agency: U.S. Department of Education Passed Through Entity: N/A Federal Award Number: Various Federal Award Year: July 1, 2021, to June 30, 2022 Compliance Requirement: Special Tests and Provisions ? Gramm Leach Bliley Act ? Student Information Security Criteria or Specific Requirement: Per GLB Act Safeguards Rule, Title 16 CFR Part 314, institutions are required to develop, implement, and maintain a comprehensive information security plan that is written and describes their program to protect sensitive information. In addition to developing their own safeguards, institutions covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard sensitive information in their care. As part of its plan, the institution must: a) Designate an employee or employees to coordinate its information security program. b) Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of student information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromises of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of operations, including: ? Employee training and management; ? Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and ? Detecting, preventing and responding to attacks, intrusions, or other systems failures c) Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures. d) Oversee service providers, by: ? Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the student information at issue; and ? Requiring your service providers by contact to implement and maintain such safeguards. e) Evaluate and adjust your information security program in light of the results of the testing and monitoring required by paragraph (c) of this section; any material changes to your operations or business arrangements; or any other circumstances that you know or have reason to know may have a material impact on your information security program. Also, per sections 501 and 505 (b)(2) of the GLB Act, institutions are required to comply with standards set forth for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of student information. This part applies to all sensitive information in the institution?s possession, regardless of whether such information pertains to individuals with whom the institution has a student relationship or pertains to the students of other financial institutions that have provided such information to the institution. The objectives of section 501(b) of the Act, and of this part, are to: (1) Ensure the security and confidentiality of student information; (2) Protect against any anticipated threats or hazards to the security or integrity of such information; and (3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student. Identified Conditions: A. Perform regular backup restoration tests The District performed a comprehensive Tabletop Disaster Recovery (DR) exercises for both SAP and SIS during the audit period. As part of the exercise, the DR Team simulated a scenario, fully supported with recovery considerations, steps, results, recovery challenges, and key recommendations to improve moving forward ? the exercise was also reviewed and approved by Vice Chancellor and Chief Information Officer. However, a key activity which is the actual backup restoration testing was not performed as part of the tabletop exercise or at any point during the audit period. B. Improve server and network security (Repeat Finding) Server and network security can be further improved. While the District has taken steps on securing systems, we noted the following: i. The latest SAP server vulnerability reports showed one (1) critical and one (1) high vulnerability which remains outstanding since its last scan on September 24, 2022. Based on the vulnerability scan policy, a reasonable effort shall be made to remediate high and critical vulnerabilities within 30 calendar days of discovery. The longer the vulnerability issues remain unaddressed, the higher the security risks that the District faces. ii. We noted that a critical security update for SIS Database Server released on August 9, 2022, was installed on October 16, 2022. Based on the District?s policy, patches designated as "Critical" by the manufacturer must be installed as soon as feasible without introducing instability or impacting service availability of production systems, and no later than thirty days after release. (Repeat finding) iii. We noted that the firewall rules included telnet which can lead to potential sniffing or eavesdropping attacks as the privileged credentials are sent in the network in clear text. This was subsequently removed by IT as of November 2022. C. Perform timely access revocation and system access review (Repeat Finding) Based on test of controls to verify that access of terminated employees are timely removed in Active Directory (AD), SAP, and SIS, we noted that out of the 30 terminated employees selected for testing: i. One (1) user was active in AD ii. Two (2) users were still active in SAP iii. 16 users were still active in SIS Moreover, while a privileged user access review is performed for AD, there is no review performed to check the validity of regular users in AD, and the validity and appropriateness of users in SAP and SIS. The purpose of properly establishing periodic user access review, coupled with limiting and monitoring administrative access within the system, is to ensure management?s understanding of the overall systems operation, its internal workflow requirements, and the segregation of duties within the systems that is required so that employees are not granted excessive, incompatible system access levels and workflow capabilities. D. Strengthen password controls ? optimize account lockout configuration in SAP Database Inspection of password configuration for SAP Database revealed that account lockout duration and threshold are set to unlimited. Based on the District?s password standard, account lockout duration and threshold should be set at 15 minutes and 10 invalid logon attempts, respectively. E. Establish and document approval of IT policies and procedures (Repeat finding) Inspection of IT-related policies and procedures showed the following documentations committed in the prior year, but are still in development as of November 2022: ? Risk Acceptance Process ? Portable Media Restriction Cause and Effect: A. Perform regular backup restoration tests Lack of proper restoration testing may hinder the District to recover its data completely and accurately. B. Improve server and network security Vulnerabilities in the systems may be exploited leading to malicious or unauthorized activities that could impact system and data integrity, or disclosure of confidential or sensitive information. C. Perform timely access revocation and system access review The risk of unauthorized access and security incidents or violations within the systems may occur. Furthermore, unauthorized or inappropriate access in the system increases the risk that unauthorized activities, including viewing and/or disclosure of confidential information, and fraudulent activities may be performed and not be detected and corrected on time. D. Strengthen password controls ? optimize account lockout configuration in SAP Database Inadequate security and password settings may lead to unauthorized access to the relevant IT environment that may result in the processing of unauthorized transactions or viewing of confidential information. E. Establish and document approval of IT policies and procedures With policies and procedures not yet fully reviewed, approved and implemented, the District may face the risk of obsolete operational procedures within the IT function which may result in processes and controls not being consistently performed across teams within the critical IT processes of the organization. As a result, tasks that must be performed regularly to ensure the proper utility of IT resources, protection and confidentiality of data, and system management measures may not be performed. Recommendation: A. Perform regular backup restoration tests Together with the DR tabletop exercises, we recommend that backup restoration tests should be performed at least once per year. Detailed testing schedules should be drafted based on DRP specifications and required restoration of the critical systems. Documentation of such tests should be maintained for full management awareness and approval. B. Improve server and network security To significantly improve security, we recommend that the District should revisit and strictly enforce appropriate and adequate vulnerability and patch management processes and controls. Standard protection measures might not provide ample security due to the rising cases of malware attacks. Proper patch management and updating operating systems of servers is necessary to combat various forms of cyber-attacks. C. Perform timely access revocation and system access review 1. We recommend that Management revoke the access of terminated employees and review the activities performed by those accounts after their termination date to ensure the validity and appropriateness of activities/transactions performed by these accounts, if any. 2. Concurrently, Management should improve the account termination procedures to ensure that access of terminated employees is timely revoked. 3. We also recommend that regular access review is performed and documented (for both regular and privilege users) to ensure that only valid and appropriate users remain in the system. The review may include, but are not limited to the following: a. Document management control over completeness and accuracy of the reports used in the review b. Define designated functions/roles to perform the review c. Monitor timeliness of the performance of the review and execution of corrective actions as a result of the review D. Strengthen password controls ? optimize account lockout configuration in SAP Database To further improve the security of SAP Database, we recommend for the District to align the current password configuration of SAP Database with the District?s password standards. E. Establish and document approval of IT policies and procedures Management should ensure that IT policies and procedures have been adequately developed and approved for the proper guidance and execution of IT functions. Committing the policies and procedures to writing would ensure a higher level of operational compliance and would provide grounds for the District?s action if operational procedures do not meet their objectives. A management review of all policies and procedures should be performed, at least, on an annual basis to ensure the capture of new changes and deletions of processes and technologies. Views of Responsible Officials and Planned Corrective Actions: A. Perform regular backup restoration tests i. The District is planning to complete a backup restoration by the end of Q1 2023. B. Improve server and network security i. The District has completed reviewing the changes needed to address the identified critical vulnerabilities. The vulnerability patch will be applied by the end of the 2022 calendar year. ii. The District completed the high vulnerability patch on November 10, 2022. iii. The District completed the critical patch updates outside of the identified 30 calendar day window due to minimizing substantial business impact. The patching periods fell under the critical business time period. Verbal approval was provided but the District will strictly follow procedure to obtain written authorization from the VC/CIO for delaying the patching. C. Perform timely access revocation and system access review i. The District has undergone a comprehensive discovery of our current environments and scoped out opportunities to optimize the deprovisioning synchronization. This scope has been incorporated into a public solicitation which completed early Fall 2022. Currently, the District awaits board authorization on issuing a professional services contract to begin the effort. The target is to initialize a project in January to automate deprovisioning synchronization of employees across the multiple EPR systems. Meanwhile, regular access reviews of SAP and SIS will be a separate process that will be regularly conducted. The target completion is early Q2 2023. D. Strengthen password controls ? optimize account lockout configuration in SAP Database i. The SAP Database accounts identified are system accounts that are not used for any type of interactive login. The password policy has been applied to interactive login accounts only thus these accounts were not included. The District is currently exploring the feasibility of applying these policies to the system accounts without impact to downstream automated processes. E. Establish and document approval of IT policies and procedures i. The LACCD Office of Information Technology Information Security Team has completed the initial draft of the Operational Protocol for Portable Media, which is currently under review. The OIT anticipates implementation will be completed by March 31, 2023. ii. An Operational Protocol for Risk Acceptance of SIS Permissions requires finalizing a formal Role-Based Access Control (RBAC) model for SIS. This process was delayed due to leadership changes in the Office of Educational Programs and Institutional Effectiveness (EPIE), the main process stakeholder, that occurred during the audit year. The OIT anticipates that the RBAC will be finalized and a Risk Acceptance Process for SIS permissions will be finalized and implemented by June 30, 2023. Personnel responsible for implementation: Carmen V. Lidz Position of responsible personnel: Vice Chancellor & Chief Information Officer
Finding FA 2022-004: Activities Allowed or Unallowed and Allowable Costs / Cost Principles: Expenditures Recorded In Incorrect Period Federal Program Information Federal Catalog Number: ALN 17.268 Federal Program Name: H-1B Job Training Grant Federal Agency: U.S. Department of Labor Passed Through Entity: N/A Federal Award Number: HG-33046-19-60-A-6 Federal Award Year: July 1, 2021 to June 30, 2022 Campus: West Los Angeles College Compliance Requirement: Activities Allowed or Unallowed and Allowable Costs / Cost Principles Criteria or Specific Requirement: Per Title 2, Part 200, Subpart E, ?200.403- Factors affecting allowability of costs, except where otherwise authorized by statute, costs must meet the following general criteria in order to be allowable under Federal awards: (e) Be determined in accordance with generally accepted accounting principles (GAAP), except, for state and local governments and Indian tribes only, as otherwise provided for in this part. Identified Condition: At West Los Angeles College, we noted that 2 out of 25 expenditures sampled were recorded in the incorrect period, for a total of $146,328. The expenditures were related to subrecipient payments that were incurred in fiscal year 2021 but were incorrectly recorded in fiscal year 2022. Causes and Effect: Per inquiry with the District, the cost is still within the program?s period of performance. The grant period is from July 15, 2019 to June 30, 2024. For the year ended June 30, 2021, the program team did not have a monitoring control in place to ensure expenses were recorded in the correct period. As a result, some expenses incurred near the end of the fiscal year are reported in the incorrect period. Questioned Costs: None. Recommendation: We recommend that the District implement a monitoring control that would identify expenditures incurred near the end of the fiscal year and ensure that they are recorded in the proper period. Views of Responsible Officials and Planned Corrective Actions: The Accounting Office will require all program personnel to complete a checklist of all expenditures incurred close to the end of the fiscal year in order to identify any expenditures that need to be accrued. Personnel responsible for implementation: Nyame-Tease Prempeh Position of responsible personnel: Assistant Director of Accounting Date of Implementation: July 1, 2023
Finding FA 2022 003: Special Tests and Provision: Gramm Leach Bliley Act Student Information Security Perform Regular Backup Restoration Tests, Improve Server and Network Security, Perform Timely Access Revocation and System Access Review, Strengthen Password Controls ? Optimize Account Lockout Configuration in SAP Database, and Establish and Document Approval of IT Policies and Procedures Federal Program Information Assistance Listing Number: ALN 84.007, 84.033, 84.063, 84.264, 93.364 Federal Program Name: Student Financial Assistance Cluster Federal Agency: U.S. Department of Education Passed Through Entity: N/A Federal Award Number: Various Federal Award Year: July 1, 2021, to June 30, 2022 Compliance Requirement: Special Tests and Provisions ? Gramm Leach Bliley Act ? Student Information Security Criteria or Specific Requirement: Per GLB Act Safeguards Rule, Title 16 CFR Part 314, institutions are required to develop, implement, and maintain a comprehensive information security plan that is written and describes their program to protect sensitive information. In addition to developing their own safeguards, institutions covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard sensitive information in their care. As part of its plan, the institution must: a) Designate an employee or employees to coordinate its information security program. b) Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of student information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromises of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of operations, including: ? Employee training and management; ? Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and ? Detecting, preventing and responding to attacks, intrusions, or other systems failures c) Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures. d) Oversee service providers, by: ? Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the student information at issue; and ? Requiring your service providers by contact to implement and maintain such safeguards. e) Evaluate and adjust your information security program in light of the results of the testing and monitoring required by paragraph (c) of this section; any material changes to your operations or business arrangements; or any other circumstances that you know or have reason to know may have a material impact on your information security program. Also, per sections 501 and 505 (b)(2) of the GLB Act, institutions are required to comply with standards set forth for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of student information. This part applies to all sensitive information in the institution?s possession, regardless of whether such information pertains to individuals with whom the institution has a student relationship or pertains to the students of other financial institutions that have provided such information to the institution. The objectives of section 501(b) of the Act, and of this part, are to: (1) Ensure the security and confidentiality of student information; (2) Protect against any anticipated threats or hazards to the security or integrity of such information; and (3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student. Identified Conditions: A. Perform regular backup restoration tests The District performed a comprehensive Tabletop Disaster Recovery (DR) exercises for both SAP and SIS during the audit period. As part of the exercise, the DR Team simulated a scenario, fully supported with recovery considerations, steps, results, recovery challenges, and key recommendations to improve moving forward ? the exercise was also reviewed and approved by Vice Chancellor and Chief Information Officer. However, a key activity which is the actual backup restoration testing was not performed as part of the tabletop exercise or at any point during the audit period. B. Improve server and network security (Repeat Finding) Server and network security can be further improved. While the District has taken steps on securing systems, we noted the following: i. The latest SAP server vulnerability reports showed one (1) critical and one (1) high vulnerability which remains outstanding since its last scan on September 24, 2022. Based on the vulnerability scan policy, a reasonable effort shall be made to remediate high and critical vulnerabilities within 30 calendar days of discovery. The longer the vulnerability issues remain unaddressed, the higher the security risks that the District faces. ii. We noted that a critical security update for SIS Database Server released on August 9, 2022, was installed on October 16, 2022. Based on the District?s policy, patches designated as "Critical" by the manufacturer must be installed as soon as feasible without introducing instability or impacting service availability of production systems, and no later than thirty days after release. (Repeat finding) iii. We noted that the firewall rules included telnet which can lead to potential sniffing or eavesdropping attacks as the privileged credentials are sent in the network in clear text. This was subsequently removed by IT as of November 2022. C. Perform timely access revocation and system access review (Repeat Finding) Based on test of controls to verify that access of terminated employees are timely removed in Active Directory (AD), SAP, and SIS, we noted that out of the 30 terminated employees selected for testing: i. One (1) user was active in AD ii. Two (2) users were still active in SAP iii. 16 users were still active in SIS Moreover, while a privileged user access review is performed for AD, there is no review performed to check the validity of regular users in AD, and the validity and appropriateness of users in SAP and SIS. The purpose of properly establishing periodic user access review, coupled with limiting and monitoring administrative access within the system, is to ensure management?s understanding of the overall systems operation, its internal workflow requirements, and the segregation of duties within the systems that is required so that employees are not granted excessive, incompatible system access levels and workflow capabilities. D. Strengthen password controls ? optimize account lockout configuration in SAP Database Inspection of password configuration for SAP Database revealed that account lockout duration and threshold are set to unlimited. Based on the District?s password standard, account lockout duration and threshold should be set at 15 minutes and 10 invalid logon attempts, respectively. E. Establish and document approval of IT policies and procedures (Repeat finding) Inspection of IT-related policies and procedures showed the following documentations committed in the prior year, but are still in development as of November 2022: ? Risk Acceptance Process ? Portable Media Restriction Cause and Effect: A. Perform regular backup restoration tests Lack of proper restoration testing may hinder the District to recover its data completely and accurately. B. Improve server and network security Vulnerabilities in the systems may be exploited leading to malicious or unauthorized activities that could impact system and data integrity, or disclosure of confidential or sensitive information. C. Perform timely access revocation and system access review The risk of unauthorized access and security incidents or violations within the systems may occur. Furthermore, unauthorized or inappropriate access in the system increases the risk that unauthorized activities, including viewing and/or disclosure of confidential information, and fraudulent activities may be performed and not be detected and corrected on time. D. Strengthen password controls ? optimize account lockout configuration in SAP Database Inadequate security and password settings may lead to unauthorized access to the relevant IT environment that may result in the processing of unauthorized transactions or viewing of confidential information. E. Establish and document approval of IT policies and procedures With policies and procedures not yet fully reviewed, approved and implemented, the District may face the risk of obsolete operational procedures within the IT function which may result in processes and controls not being consistently performed across teams within the critical IT processes of the organization. As a result, tasks that must be performed regularly to ensure the proper utility of IT resources, protection and confidentiality of data, and system management measures may not be performed. Recommendation: A. Perform regular backup restoration tests Together with the DR tabletop exercises, we recommend that backup restoration tests should be performed at least once per year. Detailed testing schedules should be drafted based on DRP specifications and required restoration of the critical systems. Documentation of such tests should be maintained for full management awareness and approval. B. Improve server and network security To significantly improve security, we recommend that the District should revisit and strictly enforce appropriate and adequate vulnerability and patch management processes and controls. Standard protection measures might not provide ample security due to the rising cases of malware attacks. Proper patch management and updating operating systems of servers is necessary to combat various forms of cyber-attacks. C. Perform timely access revocation and system access review 1. We recommend that Management revoke the access of terminated employees and review the activities performed by those accounts after their termination date to ensure the validity and appropriateness of activities/transactions performed by these accounts, if any. 2. Concurrently, Management should improve the account termination procedures to ensure that access of terminated employees is timely revoked. 3. We also recommend that regular access review is performed and documented (for both regular and privilege users) to ensure that only valid and appropriate users remain in the system. The review may include, but are not limited to the following: a. Document management control over completeness and accuracy of the reports used in the review b. Define designated functions/roles to perform the review c. Monitor timeliness of the performance of the review and execution of corrective actions as a result of the review D. Strengthen password controls ? optimize account lockout configuration in SAP Database To further improve the security of SAP Database, we recommend for the District to align the current password configuration of SAP Database with the District?s password standards. E. Establish and document approval of IT policies and procedures Management should ensure that IT policies and procedures have been adequately developed and approved for the proper guidance and execution of IT functions. Committing the policies and procedures to writing would ensure a higher level of operational compliance and would provide grounds for the District?s action if operational procedures do not meet their objectives. A management review of all policies and procedures should be performed, at least, on an annual basis to ensure the capture of new changes and deletions of processes and technologies. Views of Responsible Officials and Planned Corrective Actions: A. Perform regular backup restoration tests i. The District is planning to complete a backup restoration by the end of Q1 2023. B. Improve server and network security i. The District has completed reviewing the changes needed to address the identified critical vulnerabilities. The vulnerability patch will be applied by the end of the 2022 calendar year. ii. The District completed the high vulnerability patch on November 10, 2022. iii. The District completed the critical patch updates outside of the identified 30 calendar day window due to minimizing substantial business impact. The patching periods fell under the critical business time period. Verbal approval was provided but the District will strictly follow procedure to obtain written authorization from the VC/CIO for delaying the patching. C. Perform timely access revocation and system access review i. The District has undergone a comprehensive discovery of our current environments and scoped out opportunities to optimize the deprovisioning synchronization. This scope has been incorporated into a public solicitation which completed early Fall 2022. Currently, the District awaits board authorization on issuing a professional services contract to begin the effort. The target is to initialize a project in January to automate deprovisioning synchronization of employees across the multiple EPR systems. Meanwhile, regular access reviews of SAP and SIS will be a separate process that will be regularly conducted. The target completion is early Q2 2023. D. Strengthen password controls ? optimize account lockout configuration in SAP Database i. The SAP Database accounts identified are system accounts that are not used for any type of interactive login. The password policy has been applied to interactive login accounts only thus these accounts were not included. The District is currently exploring the feasibility of applying these policies to the system accounts without impact to downstream automated processes. E. Establish and document approval of IT policies and procedures i. The LACCD Office of Information Technology Information Security Team has completed the initial draft of the Operational Protocol for Portable Media, which is currently under review. The OIT anticipates implementation will be completed by March 31, 2023. ii. An Operational Protocol for Risk Acceptance of SIS Permissions requires finalizing a formal Role-Based Access Control (RBAC) model for SIS. This process was delayed due to leadership changes in the Office of Educational Programs and Institutional Effectiveness (EPIE), the main process stakeholder, that occurred during the audit year. The OIT anticipates that the RBAC will be finalized and a Risk Acceptance Process for SIS permissions will be finalized and implemented by June 30, 2023. Personnel responsible for implementation: Carmen V. Lidz Position of responsible personnel: Vice Chancellor & Chief Information Officer