"We observed no purposeful strategy to minimize current identified threats to the continuous operation of the institution, such as a comprehensive risk assessment or regular threat assessments," auditors said. The audit said that lack of planning represented a "high risk" for the institution.
In written responses to the audit, the college agreed with some of the criticism and disagreed with other aspects related to cyber and threat risks. A spokeswoman for the college based in New Britain declined to offer additional comment.
As Connecticut's only public online college, Charter Oak offers associate through master's level degrees to approximately 2,000 students a year. The institution's information technology group, which is the focus of the audit, oversees the college's technological needs.
ABSENCE OF PLANNING
Auditors noted the college mitigates much of its risk by leveraging cloud environments. But, the audit pointed out, a variety of on-campus equipment is still at risk from threats.
"The absence of robust risk assessment activities prevents Charter Oak State College from promptly identifying threats to its critical systems and inhibits the college's ability to respond to an event with sufficient and appropriate corrective action," the audit said. "There appears to be a lack of management oversight. Charter Oak State College information technology staff do not appear to be aware of the risk exposure associated with ineffective or absent administrative-level controls."
The finding had not been issued in prior audits.
In response, the college disagreed with the finding, saying its IT department developed the "organization's structure and internal controls" into a "digestible technology heat map. The document serves as a basis for where resources should be focused in the future."
The college added: "The expectation of performing risk assessments and focusing on key control activities is additionally stated in the evaluation and goals set annually between supervisors and employees within the applicable department. Although the technology heat map along with employee evaluations are considered confidential, the audit team has full access to evaluate the materials. While employee turnover and fulfilling student needs have slowed progress on addressing the action items within the heat map, the College feels it is incorrect to conclude that there is no purposeful strategy."
In rebuttal comments, auditors said: "We reviewed the heat map referenced in the college's response and concluded that it does not address our condition. While use of employee evaluations and goals is helpful for individual performance, it does not comprehensively address the risks to IT operations."
POLICY DEFICIENCIES
Auditors said the National Institute of Standards and Technology recommends robust procedural and policy documentation for aspects of the college's operations. The audit found the college lacked "high-level policy documents to govern a variety of procedures," including personnel security, risk assessment, contingency planning and maintenance.
"Information technology policies provide the foundation for the roles and responsibilities of information technology staff, as well as compliance for all Charter Oak State College employees," auditors said. "Missing or inadequate policies increase the risk of inadequate procedures (electronic or human), undermining efforts to ensure appropriate confidentiality, integrity, and data availability. The absence of policy level documents negatively affects the design and effectiveness of internal controls."
The finding had not been previously reported.
In response, the college agreed with the finding. "Charter Oak State is in communication with the [Connecticut State College and University's] Information Security Office, who are locating the staffing and funding to remedy the condition," the college said.
DISASTER PLAN INADEQUATE
Auditors also said that while the college provided evidence of a disaster recovery plan for third-party providers of critical software, the plan is out of date and has not been approved by current information technology leadership.
"A properly designed disaster recovery plan helps to enable rapid restoration of operations without irreparable damage to agency assets," auditors said. "The absence of these controls may prevent Charter Oak State College, an online-only institution, from promptly recovering from an event that compromises data integrity and availability."
Auditors said the issue appeared to be due to a "lack of management oversight" and noted the finding had not been previously reported.
In response, the college agreed with the finding.
"During the audit period it was planned to decommission two of the College's physical buildings to relocate and consolidate the College into a single new location," the college said. "As a result, disaster recovery plans were not updated while design and construction were underway. The College successfully relocated in fiscal year 2024 and is updating its disaster recovery plan accordingly with several milestones already achieved."
©2024 Journal Inquirer, Manchester, Conn. Distributed by Tribune Content Agency, LLC.