A. Formally Establish and Document Risk Acceptance Process
Requirements for risk assessments and risk acceptance processes to comply with GLBA were
expanded in June of 2023. The District engaged a third-party consultant to conduct a GLBA-compliant
risk assessment and advise on recommended changes to the District’s Written Information Security
Plan (WISP) to comply with the new requirements. The findings and recommendations were presented
to the District in October of 2023 and are currently under review. The District will initiate a project to
formalize risk acceptance by December 31st, 2023, and implement the risk acceptance process by
June 30, 2024.
B. Perform Regular Backup Restoration Tests
The District has engaged with a third party to build a testing environment to physically test restoration
of the SIS environment. Initiation of the project is pending processing of the Purchase Order. The
District anticipates completion of the restoration by December 31st, 2023.
With respect to SAP, the District is currently engaged in an effort to migrate the SAP database to
HANA. When this project is complete, the same test environment will be capable of performing physical
recovery tests for SAP. The HANA migration is estimated to be completed on February 28th, 2024.
C. Perform Timely Access Revocation and Regular Access Reviews
With respect to the District’s Single Sign-On (ADFS or SSO) environments, the District engaged
professional services consultants to address this item by automating the disablement of employee
accounts based upon the termination of assignment. The work is currently underway. The target
completion of the process is December 15, 2023. With respect to the SAP environment, the District has
engaged with a vendor to implement Multifactor Authentication (MFA) in the SAP environment. Work
will begin upon processing the Purchase Order. Once both efforts are complete, disabling employee
accounts in SSO, SIS and SAP will be performed automatically based upon the termination of
assignments according to criteria established by Human Resources.
With respect to access reviews of SIS and SAP, the District is currently researching the export of user
audit logs to the District’s analysis environment to enable regular reviews. The new target to perform
regular access reviews for SAP and SIS is the end of Q1 2024.
With respect to physical access reviews, the District Information Security Team will perform an annual
review of relevant operational protocols for data center access with the appropriate internal teams and
perform an audit of data access at a minimum of once per year. The first annual protocol review will be
completed by December 1st, 2023. The first annual audit will commence no later than March 1st, 2024.
D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards
To prevent recurrence, the LACCD Information Security Team will coordinate an annual review of
Administrative Protocol 3723A: Information Security Evaluation of Third-Party Providers with District
Financial Aid, Procurement and Educational Programming and Institutional Effectiveness (EPIE)
leadership teams to help assure future relevant contracts are provided to the Information Security
Team prior to renewal to allow for timely security review.
E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS
The District is currently researching the export of user audit logs to the District’s analysis environment
to enable regular reviews. The new target to perform regular access reviews for SAP and SIS is the
end of Q1 2024.
F. Implement Data Encryption for Devices Storing Customer Data
The District engaged a third-party consultant to perform a comprehensive review of PeopleSoft security
controls, including the implementation of encryption of financial aid data within PeopleSoft. The results
are pending. Based upon those recommendations, the District will work with encryption providers to
develop and implement field-level encryption of financial aid data in SIS as appropriate.
With respect to end-user devices storing sensitive data, the District recently adopted workstation
hardening requirements that include whole-disk encryption for desktop and laptop computers used by
personnel who routinely access sensitive information, including financial aid data. The District will
implement the standards on workstations used by employees in financial aid and institutional research
by June 30, 2024. Once this is complete, additional workstations will be encrypted in order of potential
risk.
G. Strictly Implement Processes and Controls for Direct Changes in the SAP Production Environment
Requests for direct changes in SAP production will be tracked as help desk requests so that an
auditable trail documents the purpose and completion of each production change. Additionally, direct
production change requests will be reviewed and approved following the LACCD Change Control
process. Minor updates that do not fall within the change control guidelines will require managerial
approval within the help desk system.
Personnel Responsible for Implementation: Carmen V. Lidz
Position of Responsible Personnel: Vice Chancellor & Chief Information Officer