Finding 607216 (2022-003)

Significant Deficiency; Repeat Finding
Requirement: N (Special Tests and Provisions)
Questioned Costs: -
Year: 2022
Accepted: 2023-03-30

AI Summary

  • Core Issue: The District is not fully compliant with the Gramm-Leach-Bliley Act regarding student information security, particularly in backup testing and server security.
  • Impacted Requirements: Key requirements include performing regular backup restoration tests, timely installation of critical security updates, and ensuring robust server and network security.
  • Recommended Follow-Up: Implement regular backup restoration tests, address outstanding vulnerabilities promptly, and enhance access revocation processes to strengthen overall security measures.

Finding Text

Finding FA 2022-003: Special Tests and Provisions - Gramm-Leach-Bliley Act Student Information Security: Perform Regular Backup Restoration Tests, Improve Server and Network Security, Perform Timely Access Revocation and System Access Review, Strengthen Password Controls (Optimize Account Lockout Configuration in SAP Database), and Establish and Document Approval of IT Policies and Procedures

Federal Program Information
Assistance Listing Number: ALN 84.007, 84.033, 84.063, 84.264, 93.364
Federal Program Name: Student Financial Assistance Cluster
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: Various
Federal Award Year: July 1, 2021, to June 30, 2022
Compliance Requirement: Special Tests and Provisions - Gramm-Leach-Bliley Act - Student Information Security

Criteria or Specific Requirement:
Per the GLB Act Safeguards Rule, 16 CFR Part 314, institutions are required to develop, implement, and maintain a comprehensive, written information security plan that describes their program to protect sensitive information. In addition to developing their own safeguards, institutions covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard sensitive information in their care. As part of its plan, the institution must:

a) Designate an employee or employees to coordinate its information security program.
b) Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of student information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of operations, including:
   - Employee training and management;
   - Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
   - Detecting, preventing and responding to attacks, intrusions, or other systems failures.
c) Design and implement information safeguards to control the risks identified through the risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures.
d) Oversee service providers, by:
   - Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the student information at issue; and
   - Requiring service providers, by contract, to implement and maintain such safeguards.
e) Evaluate and adjust the information security program in light of the results of the testing and monitoring required by paragraph (c) of this section; any material changes to operations or business arrangements; or any other circumstances that the institution knows or has reason to know may have a material impact on its information security program.

Also, per sections 501 and 505(b)(2) of the GLB Act, institutions are required to comply with the standards set forth for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of student information. This part applies to all sensitive information in the institution's possession, regardless of whether such information pertains to individuals with whom the institution has a student relationship or to the students of other financial institutions that have provided such information to the institution.
The objectives of section 501(b) of the Act, and of this part, are to: (1) ensure the security and confidentiality of student information; (2) protect against any anticipated threats or hazards to the security or integrity of such information; and (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student.

Identified Conditions:

A. Perform regular backup restoration tests
The District performed comprehensive tabletop Disaster Recovery (DR) exercises for both SAP and SIS during the audit period. As part of the exercise, the DR team simulated a scenario, fully supported with recovery considerations, steps, results, recovery challenges, and key recommendations for improvement; the exercise was also reviewed and approved by the Vice Chancellor and Chief Information Officer. However, a key activity, the actual backup restoration test, was not performed as part of the tabletop exercise or at any point during the audit period. A tabletop walk-through validates the plan on paper; only restoring real backup media and checking the restored data proves that the backups are complete, readable, and current.

B. Improve server and network security (Repeat Finding)
Server and network security can be further improved. While the District has taken steps to secure its systems, we noted the following:
i. The latest SAP server vulnerability reports showed one (1) critical and one (1) high vulnerability that remained outstanding as of the last scan on September 24, 2022. Under the vulnerability scan policy, a reasonable effort shall be made to remediate high and critical vulnerabilities within 30 calendar days of discovery. The longer a vulnerability remains unaddressed, the higher the security risk the District faces.
ii. A critical security update for the SIS Database Server released on August 9, 2022, was installed on October 16, 2022. Under the District's policy, patches designated as "Critical" by the manufacturer must be installed as soon as feasible without introducing instability or impacting service availability of production systems, and no later than thirty days after release. (Repeat finding)
iii. The firewall rules permitted telnet, which exposes the District to sniffing or eavesdropping attacks because telnet sends privileged credentials over the network in clear text. The rule was subsequently removed by IT as of November 2022.

C. Perform timely access revocation and system access review (Repeat Finding)
Based on tests of controls to verify that the access of terminated employees is removed in a timely manner from Active Directory (AD), SAP, and SIS, we noted that, of the 30 terminated employees selected for testing:
i. One (1) user was still active in AD;
ii. Two (2) users were still active in SAP;
iii. Sixteen (16) users were still active in SIS.
Moreover, while a privileged user access review is performed for AD, no review is performed to check the validity of regular users in AD, or the validity and appropriateness of users in SAP and SIS. The purpose of a properly established periodic user access review, coupled with limiting and monitoring administrative access within the system, is to ensure management's understanding of the overall systems operation, its internal workflow requirements, and the segregation of duties within the systems required so that employees are not granted excessive or incompatible system access levels and workflow capabilities.

D. Strengthen password controls: optimize account lockout configuration in SAP Database
Inspection of the password configuration for the SAP Database revealed that the account lockout duration and threshold are set to unlimited. Under the District's password standard, the account lockout duration and threshold should be set to 15 minutes and 10 invalid logon attempts, respectively.

E. Establish and document approval of IT policies and procedures (Repeat Finding)
Inspection of IT-related policies and procedures showed that the following documents, committed to in the prior year, were still in development as of November 2022:
   - Risk Acceptance Process
   - Portable Media Restriction

Cause and Effect:

A. Perform regular backup restoration tests
Without proper restoration testing, the District may be unable to recover its data completely and accurately when it needs to.

B. Improve server and network security
Unremediated vulnerabilities may be exploited, leading to malicious or unauthorized activity that could compromise system and data integrity or disclose confidential or sensitive information.

C. Perform timely access revocation and system access review
Accounts that remain active after termination create a risk of unauthorized access and of security incidents or violations within the systems. Furthermore, unauthorized or inappropriate access increases the risk that unauthorized activities, including viewing and/or disclosure of confidential information and fraudulent transactions, may be performed and not be detected and corrected on time.

D. Strengthen password controls: optimize account lockout configuration in SAP Database
Without a lockout threshold, an attacker can attempt passwords against the SAP Database without limit. Inadequate security and password settings may lead to unauthorized access to the IT environment, which may result in the processing of unauthorized transactions or the viewing of confidential information.

E. Establish and document approval of IT policies and procedures
With policies and procedures not yet fully reviewed, approved and implemented, the District faces the risk of obsolete operational procedures within the IT function, which may result in processes and controls not being performed consistently across teams within the organization's critical IT processes. As a result, tasks that must be performed regularly to ensure the proper use of IT resources, the protection and confidentiality of data, and system management measures may not be performed.
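Condition A draws the line between a tabletop walk-through and an actual restoration test. The script below is an added illustration of what the latter should check and is not the District's tooling: it takes a backup of a constructed sample data set together with a SHA-256 manifest, restores the archive into a throwaway directory (never over production), verifies every restored file against the manifest, and shows how a single flipped byte or a truncated archive is caught. The sample files, the tar format, and the corruption offsets are assumptions made for the example; a real test would point at the District's own SAP and SIS backup artefacts and their manifest.

```python
"""Backup restoration test: restore an archive into a scratch directory,
then verify every restored file against the checksum manifest recorded
when the backup was taken. Added example, not the District's tooling."""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path, PurePosixPath

# Constructed stand-in for a production data set (assumption: a real test
# points at the actual SAP/SIS backup artefacts and their manifest).
SAMPLE_FILES = {
    "sis/students.csv": b"id,name,ssn_last4\n1001,Ada,1234\n1002,Grace,5678\n",
    "sis/config.ini": b"[db]\nhost=sisdb.example.invalid\n",
    "sap/export.json": b'{"vendors": [{"id": 7, "name": "Acme"}]}',
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_backup(files: dict[str, bytes]) -> tuple[bytes, dict[str, str]]:
    """Write an uncompressed tar archive plus a SHA-256 manifest of its contents.
    The manifest is what later makes a restore verifiable, not merely 'it extracted'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue(), {name: sha256(data) for name, data in files.items()}


def _is_safe(member: tarfile.TarInfo) -> bool:
    """Restore only regular files with a relative path and no '..' components,
    so a tampered archive cannot write outside the scratch directory."""
    parts = PurePosixPath(member.name).parts
    return member.isfile() and not member.name.startswith("/") and ".." not in parts


def restore_and_verify(backup: bytes, manifest: dict[str, str]) -> dict:
    """Restore into a temporary directory and compare each restored file with the
    manifest. An archive that cannot be read is itself a failed restoration test."""
    result = {"ok": False, "restored": 0, "mismatched": [], "missing": [],
              "unexpected": [], "error": None}
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        try:
            with tarfile.open(fileobj=io.BytesIO(backup), mode="r") as tar:
                for member in tar.getmembers():
                    if not _is_safe(member):
                        continue
                    target = root / member.name
                    target.parent.mkdir(parents=True, exist_ok=True)
                    target.write_bytes(tar.extractfile(member).read())
        except Exception as exc:  # tarfile, zlib or OS errors all mean the backup is unusable
            result["error"] = f"archive unreadable: {exc}"
            return result
        # Hash what is actually on disk after the restore, not the archive bytes.
        restored = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
        for name, expected in manifest.items():
            if name not in restored:
                result["missing"].append(name)
            elif sha256(restored[name].read_bytes()) != expected:
                result["mismatched"].append(name)
            else:
                result["restored"] += 1
        result["unexpected"] = sorted(set(restored) - set(manifest))
    result["ok"] = not (result["missing"] or result["mismatched"] or result["unexpected"])
    return result


def corrupt(backup: bytes, offset: int) -> bytes:
    """Flip one byte to simulate silent media corruption inside a file's content."""
    return backup[:offset] + bytes([backup[offset] ^ 0xFF]) + backup[offset + 1:]


if __name__ == "__main__":
    archive, manifest = take_backup(SAMPLE_FILES)
    print("clean restore:", restore_and_verify(archive, manifest))
    # The first 512 bytes of a tar are the header of the first member (here
    # sap/export.json); byte 517 lies in its content, so the archive still
    # parses but the restored file no longer matches the manifest.
    print("corrupted restore:", restore_and_verify(corrupt(archive, 517), manifest))
    print("truncated restore:", restore_and_verify(archive[:1500], manifest))
```

The point of the manifest comparison is that a restore which "succeeds" at the file-system level can still hand back stale or damaged data; the tabletop exercise alone cannot surface that, and the documented result of this kind of run is what the recommendation asks management to retain.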
Recommendation:

A. Perform regular backup restoration tests
Together with the DR tabletop exercises, we recommend that backup restoration tests be performed at least once per year. Detailed testing schedules should be drafted based on DRP specifications and the required restoration of the critical systems. Documentation of such tests should be maintained for full management awareness and approval.

B. Improve server and network security
To significantly improve security, we recommend that the District revisit and strictly enforce appropriate and adequate vulnerability and patch management processes and controls, including the 30-day remediation and patching windows already set by its own policies. Standard protection measures alone may not provide adequate security given the rising number of malware attacks; timely patch management and updating of server operating systems are necessary to counter the various forms of cyber-attack.

C. Perform timely access revocation and system access review
1. We recommend that Management revoke the access of terminated employees and review the activities performed by those accounts after their termination date to ensure the validity and appropriateness of any activities or transactions performed by these accounts.
2. Concurrently, Management should improve the account termination procedures to ensure that the access of terminated employees is revoked in a timely manner.
3. We also recommend that a regular access review be performed and documented (for both regular and privileged users) to ensure that only valid and appropriate users remain in the system. The review may include, but is not limited to, the following:
   a. Document management control over the completeness and accuracy of the reports used in the review;
   b. Define designated functions/roles to perform the review;
   c. Monitor the timeliness of the review and the execution of corrective actions resulting from it.

D. Strengthen password controls: optimize account lockout configuration in SAP Database
To further improve the security of the SAP Database, we recommend that the District align the current password configuration of the SAP Database with the District's password standards.

E. Establish and document approval of IT policies and procedures
Management should ensure that IT policies and procedures have been adequately developed and approved for the proper guidance and execution of IT functions. Committing the policies and procedures to writing would ensure a higher level of operational compliance and would provide grounds for the District's action if operational procedures do not meet their objectives. A management review of all policies and procedures should be performed at least annually to capture new changes and the deletion of processes and technologies.

Views of Responsible Officials and Planned Corrective Actions:

A. Perform regular backup restoration tests
i. The District is planning to complete a backup restoration by the end of Q1 2023.

B. Improve server and network security
i. The District has completed reviewing the changes needed to address the identified critical vulnerabilities. The vulnerability patch will be applied by the end of the 2022 calendar year.
ii. The District completed the high vulnerability patch on November 10, 2022.
iii. The District completed the critical patch updates outside of the identified 30 calendar day window in order to minimize substantial business impact. The patching periods fell within the critical business time period. Verbal approval was provided, but the District will strictly follow procedure to obtain written authorization from the VC/CIO for delaying the patching.

C. Perform timely access revocation and system access review
i. The District has undergone a comprehensive discovery of our current environments and scoped out opportunities to optimize the deprovisioning synchronization. This scope has been incorporated into a public solicitation which was completed in early Fall 2022. Currently, the District awaits board authorization on issuing a professional services contract to begin the effort. The target is to initialize a project in January to automate deprovisioning synchronization of employees across the multiple ERP systems. Meanwhile, regular access reviews of SAP and SIS will be a separate process that will be regularly conducted. The target completion is early Q2 2023.

D. Strengthen password controls: optimize account lockout configuration in SAP Database
i. The SAP Database accounts identified are system accounts that are not used for any type of interactive login. The password policy has been applied to interactive login accounts only; thus these accounts were not included. The District is currently exploring the feasibility of applying these policies to the system accounts without impact to downstream automated processes.

E. Establish and document approval of IT policies and procedures
i. The LACCD Office of Information Technology Information Security Team has completed the initial draft of the Operational Protocol for Portable Media, which is currently under review. The OIT anticipates implementation will be completed by March 31, 2023.
ii. An Operational Protocol for Risk Acceptance of SIS Permissions requires finalizing a formal Role-Based Access Control (RBAC) model for SIS. This process was delayed due to leadership changes in the Office of Educational Programs and Institutional Effectiveness (EPIE), the main process stakeholder, that occurred during the audit year. The OIT anticipates that the RBAC will be finalized and a Risk Acceptance Process for SIS permissions will be finalized and implemented by June 30, 2023.

Personnel responsible for implementation: Carmen V. Lidz
Position of responsible personnel: Vice Chancellor & Chief Information Officer
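Condition C and Recommendation C.1-C.3 describe two controls: revoking access promptly after termination, and periodically confirming that every remaining account belongs to a valid user. The script below is an added example of the reconciliation behind both controls, not the District's tooling and not the automated deprovisioning synchronization the District plans to procure. It joins a constructed HR termination feed against constructed account exports from AD, SAP and SIS, reports enabled accounts whose owner was terminated more than a one-day grace period ago (the one-day revocation window is an assumption), flags those that logged on after the termination date (the activity Recommendation C.1 asks management to review), and separately lists enabled accounts that map to neither a current nor a former employee, which a periodic access review must attribute to an owner or remove.

```python
"""Reconcile HR terminations against account exports from AD, SAP and SIS.
Added example with constructed data; not the District's tooling."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Assumption: access must be disabled within one day of the termination date.
REVOCATION_SLA_DAYS = 1


@dataclass(frozen=True)
class Account:
    system: str            # "AD", "SAP" or "SIS"
    employee_id: str       # HR identifier the account is mapped to ("" if unmapped)
    username: str
    enabled: bool
    last_logon: Optional[date]


@dataclass(frozen=True)
class Finding:
    system: str
    username: str
    employee_id: str
    days_since_termination: int
    used_after_termination: bool


# Constructed HR feed: employee id -> termination date.
TERMINATIONS: Dict[str, date] = {
    "E1001": date(2022, 7, 15),
    "E1002": date(2022, 8, 1),
    "E1003": date(2022, 9, 30),
    "E1004": date(2022, 10, 3),
    "E1005": date(2022, 11, 14),
}
# Constructed roster of employees HR currently lists as active.
HR_ACTIVE: Set[str] = {"E2000"}

# Constructed account exports, one row per account per system.
ACCOUNTS: List[Account] = [
    Account("AD",  "E1001", "jdoe",      False, date(2022, 7, 14)),
    Account("AD",  "E1002", "asmith",    True,  date(2022, 8, 20)),   # enabled and used after termination
    Account("AD",  "E1005", "tnguyen",   True,  date(2022, 11, 14)),  # terminated yesterday: inside the SLA window
    Account("SAP", "E1001", "JDOE",      False, None),
    Account("SAP", "E1002", "ASMITH",    True,  date(2022, 7, 30)),   # enabled but dormant since termination
    Account("SAP", "",      "svc_batch", True,  date(2022, 11, 10)),  # no owner on record at all
    Account("SIS", "E1001", "jdoe",      True,  date(2022, 7, 1)),
    Account("SIS", "E1002", "asmith",    True,  date(2022, 9, 5)),    # enabled and used after termination
    Account("SIS", "E1003", "bwong",     True,  None),
    Account("SIS", "E1004", "cruiz",     False, date(2022, 10, 3)),   # properly disabled
    Account("SIS", "E2000", "active1",   True,  date(2022, 11, 1)),   # current employee
]


def find_stale_access(terminations: Dict[str, date], accounts: List[Account],
                      as_of: date) -> List[Finding]:
    """Enabled accounts whose owner was terminated longer ago than the SLA allows.
    A post-termination logon is recorded separately because it needs activity review,
    not just revocation."""
    findings = []
    for acct in accounts:
        term = terminations.get(acct.employee_id)
        if term is None or not acct.enabled:
            continue
        overdue = (as_of - term).days
        if overdue <= REVOCATION_SLA_DAYS:
            continue  # still inside the revocation window; not yet a finding
        used_after = acct.last_logon is not None and acct.last_logon > term
        findings.append(Finding(acct.system, acct.username, acct.employee_id, overdue, used_after))
    return findings


def find_orphans(active_ids: Set[str], terminations: Dict[str, date],
                 accounts: List[Account]) -> List[Account]:
    """Enabled accounts that map to neither a current nor a former employee.
    The periodic access review has to assign these an owner or disable them."""
    return [a for a in accounts
            if a.enabled and a.employee_id not in active_ids and a.employee_id not in terminations]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Per-system count of terminated users still enabled, the figure the audit reports."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.system] = counts.get(f.system, 0) + 1
    return counts


if __name__ == "__main__":
    as_of = date(2022, 11, 15)
    stale = find_stale_access(TERMINATIONS, ACCOUNTS, as_of)
    print("terminated users still enabled, by system:", summarize(stale))
    for f in sorted(stale, key=lambda f: (f.system, f.username)):
        flag = " ACTIVITY REVIEW NEEDED" if f.used_after_termination else ""
        print(f"  {f.system:<3} {f.username:<10} {f.employee_id} {f.days_since_termination:>4} days{flag}")
    print("enabled accounts with no owner on record:",
          [(a.system, a.username) for a in find_orphans(HR_ACTIVE, TERMINATIONS, ACCOUNTS)])
```

Run against real exports, the first report is the list to revoke and the activity-review queue for C.1; the orphan list is the input to the C.3 review of regular users in AD, SAP and SIS that the audit notes is not currently performed. The mapping from account to HR identifier is the weak point in practice: accounts that cannot be joined to HR at all (such as the constructed service account above) are exactly the ones a synchronization job will never disable, so the review has to handle them explicitly.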

Categories

Subrecipient Monitoring Special Tests & Provisions

Other Findings in this Audit

  • 30773 2022-003
    Significant Deficiency Repeat
  • 30774 2022-003
    Significant Deficiency Repeat
  • 30775 2022-001
    Significant Deficiency Repeat
  • 30776 2022-002
    Significant Deficiency Repeat
  • 30777 2022-003
    Significant Deficiency Repeat
  • 30778 2022-002
    Significant Deficiency Repeat
  • 30779 2022-003
    Significant Deficiency Repeat
  • 30780 2022-004
    Significant Deficiency
  • 30781 2022-003
    Significant Deficiency Repeat
  • 607215 2022-003
    Significant Deficiency Repeat
  • 607217 2022-001
    Significant Deficiency Repeat
  • 607218 2022-002
    Significant Deficiency Repeat
  • 607219 2022-003
    Significant Deficiency Repeat
  • 607220 2022-002
    Significant Deficiency Repeat
  • 607221 2022-003
    Significant Deficiency Repeat
  • 607222 2022-004
    Significant Deficiency
  • 607223 2022-003
    Significant Deficiency Repeat

Programs in Audit

ALN Program Name Expenditures
84.063 Federal Pell Grant Program $113.43M
84.268 Federal Direct Student Loans $12.24M
84.007 Federal Supplemental Educational Opportunity Grants $6.24M
84.425 Education Stabilization Fund $5.75M
84.048 Career and Technical Education -- Basic Grants to States $4.51M
17.268 H-1b Job Training Grants $3.06M
84.002 Adult Education - Basic Grants to States $2.95M
84.047 Trio_upward Bound $2.28M
84.042 Trio_student Support Services $2.04M
84.038 Federal Perkins Loan Program $1.62M
84.033 Federal Work-Study Program $1.42M
93.558 Temporary Assistance for Needy Families $1.02M
93.596 Child Care Mandatory and Matching Funds of the Child Care and Development Fund $923,893
93.575 Child Care and Development Block Grant $881,529
84.044 Trio_talent Search $650,502
93.658 Foster Care_title IV-E $384,305
84.335 Child Care Access Means Parents in School $348,953
10.561 State Administrative Matching Grants for the Supplemental Nutrition Assistance Program $309,443
84.066 Trio_educational Opportunity Centers $287,505
84.126 Rehabilitation Services_vocational Rehabilitation Grants to States $212,464
10.558 Child and Adult Care Food Program $196,497
94.006 Americorps $164,574
84.334 Gaining Early Awareness and Readiness for Undergraduate Programs $139,677
17.258 Wia Adult Program $80,000
93.364 Nursing Student Loans $63,092
47.076 Education and Human Resources $61,984
43.008 Education $37,785
17.285 Apprenticeship USA Grants $29,454
20.215 Highway Training and Education $10,290
84.031 Higher Education_institutional Aid $9,443
47.050 Geosciences $9,269
84.220 Centers for International Business Education $7,886
93.859 Biomedical Research and Research Training $6,340
93.310 Trans-Nih Research Support $3,274
17.278 Wia Dislocated Worker Formula Grants $647