Robert W. Jenkins, CHAIR
Vacant, VICE CHAIR
David D. Teuscher, MD, SECRETARY OF THE BOARD
Christina Delgado, STUDENT REPRESENTATIVE
Dora G. Alcala, S. Javaid Anwar, Ambassador Sada Cumber, Fred Farias III, Janelle Shepard, John T. Steen Jr.
Raymund A. Paredes, COMMISSIONER OF HIGHER EDUCATION
512 427-6101   Fax 512 427-6127
Web site: http://www.thecb.state.tx.us
TEXAS HIGHER EDUCATION COORDINATING BOARD
P.O. Box 12788, Austin, Texas 78711
March 9, 2016

Dr. Jeremy P. McMillen, President
Grayson College
6101 Grayson Drive (Hwy 691)
Denison, Texas 75020

RE: A Compliance Desk Review of Formula Funding at Grayson College

Dear Dr. McMillen:

I am attaching the final report of A Compliance Desk Review of Formula Funding at Grayson College, Report No. THECB-CM-FF-16-001.

This Compliance Monitoring review report will be presented to the THECB Committee on Agency Operations, a standing committee of the THECB Board, on April 27, 2016.

If you have any questions or comments, please let me know.

Sincerely,

Mark A. Poehl, CPA, CIA, CISA, CFE
Director, Internal Audit and Compliance
A Compliance Desk Review of Formula Funding at Grayson College, Report No. THECB-CM-FF-16-001
March 2016
EXECUTIVE SUMMARY

Processes were insufficient to ensure that data used for formula funding decision-making, such as student enrollment information, is accurate and reliable and that access is limited to those who have legitimate educational interests.

Therefore, our original review objectives, including a determination of the accuracy of contact hours reported by Grayson College, were unable to be met. A follow-up audit will be performed to evaluate Grayson College's information security controls as a basis for a future base period assessment of the accuracy of contact hours reported for formula funding purposes.

Review Scope, Objective and Methodology

Our review included an examination of information security controls over enrollment data reported and certified by Grayson College.

Our work included procedures to verify:
• Controls over access to data in the student information system were adequate.

Due to weak information security controls, we were unable to verify:
• Contact hours/enrollment met reporting requirements; and
• Contact hours were eligible for formula funding.

The review methodology included objectively reviewing and analyzing various forms of documentation of controls necessary to achieve the objectives of the review.
Background

Fifty public community college districts receive state appropriations based on their student enrollment data. These institutions are governed by locally elected boards that have the authority to levy property taxes in their districts. The state appropriations the colleges receive are used to fund administrative and instructional (education and general) services for post-secondary academic and vocational/technical education.

State financing of higher education programs for public community colleges is provided from the State's General Revenue Fund. The THECB and the Comptroller of Public Accounts distribute these appropriations to colleges based on allocations and performance measures. Each college submits enrollment reports (CBM Reports) to the THECB to document the number of contact hours taught by the college in each semester. The formula for state funding involves multiplying the base period contact hours submitted by colleges by the applicable funding rates.
Detailed Observation, Recommendation and Management's Response

1. Improve information technology processes and controls over security access to the student information system to ensure compliance with 34 CFR § 99.31 (FERPA) and to follow the best practices in Texas Administrative Code §§ 202.70 - 202.76.

Information technology controls over security access to the student information system require improvement. Although Grayson College has some policies and procedures in place to limit access to information systems, the policies and procedures do not provide reasonable assurance that Grayson College is in compliance with FERPA (34 CFR § 99.31) and with the information security best practices in TAC Chapter 202. Information security weaknesses over student information included:

A. The existing Poise/Jenzabar student information system does not provide enough granularity in access limitations to provide reasonable control of user access. The user access controls are limited to just 11 different security profiles. This creates overly broad access. For example, all 27 users that have access to the registration module (REG) have the same read and write access to registration data. Many of these users would only require read access, or modify access limited to certain registration screens.

B. Active user names for 294 users could not be associated with current employee names. Grayson College confirmed that at least 34 of these active usernames should have been removed. Only active employees should have active usernames. A current list of active users should be maintained and reviewed against a current list of employees on a periodic basis to confirm appropriate access.

C. Generic user names for 232 users were identified and could not be associated with any one individual. Grayson College confirmed that at least 33 of these needed to be removed. Generic usernames should not be used, so that activity associated with a particular user name can be tracked back to one individual.
D. Nine users were identified with overly broad access to multiple student information system modules based on the users' job function. For example, three users have access to eight or more of the eleven student information system modules, six users have access to both the financial aid module (AID) and the registration module (REG), and five users have access to both the registration module (REG) and the student business records module (SBR). Security access profiles and individual user access should be reviewed periodically. Individual user access should be based on job position and only allow access as necessary.

FERPA (34 CFR § 99.31(a)(1)(ii)) requires that "An educational agency or institution must use reasonable methods to ensure that school officials obtain access to only those education records in which they have legitimate educational interests." In addition, as a best practice, TAC § 202.71(b)(8) requires developing and recommending policies and establishing procedures and practices necessary to ensure the security of information and information resources against unauthorized or accidental modification, destruction, or disclosure.
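The periodic review that items B, C and D call for, written as a reconciliation of a student information system user list against the HR employee list. This is an added example, not code from the report or from Grayson College; the module codes other than REG, AID and SBR, the generic-name pattern, the review thresholds and every sample account are constructed assumptions.

```python
"""Periodic access review of a student information system (SIS) user list.

Added example implementing the three checks described in observation items
B, C and D: active user names that match no current employee, generic user
names that cannot be tied to one individual, and module access broader than
one job function warrants. All data below is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# REG, AID and SBR are the module codes named in the report; the other eight
# codes are placeholders to reach the eleven modules the report mentions.
MODULES = {"REG", "AID", "SBR", "ADM", "HR", "FIN", "LIB", "HOUS", "ALUM", "SCHED", "ADV"}

# Module pairs the report singles out as overly broad when held by one account.
TOXIC_COMBINATIONS = {frozenset({"AID", "REG"}), frozenset({"REG", "SBR"})}
MAX_MODULES_BEFORE_REVIEW = 8  # item D: eight or more of the eleven modules

# Assumed naming heuristic for shared accounts (item C); tune to local practice.
GENERIC_PATTERN = re.compile(r"^(admin|test|temp|guest|frontdesk|registrar|lab)\d*$", re.I)


@dataclass
class SisUser:
    username: str
    modules: set[str]
    employee_id: str | None = None  # None when the account has no HR link


@dataclass
class Employee:
    employee_id: str
    active: bool


@dataclass
class ReviewFindings:
    orphaned: list[str] = field(default_factory=list)       # item B
    generic: list[str] = field(default_factory=list)        # item C
    broad_access: dict[str, list[str]] = field(default_factory=dict)  # item D


def review_access(users: list[SisUser], employees: list[Employee]) -> ReviewFindings:
    """Reconcile SIS accounts against HR and flag the three weakness classes."""
    active_ids = {e.employee_id for e in employees if e.active}
    findings = ReviewFindings()
    for u in users:
        # Item C: a shared or unlinked account cannot be traced to one person.
        if u.employee_id is None or GENERIC_PATTERN.match(u.username):
            findings.generic.append(u.username)
        # Item B: linked to an id HR does not list as an active employee.
        elif u.employee_id not in active_ids:
            findings.orphaned.append(u.username)
        # Item D: module combinations broader than a single job function.
        reasons = [
            "+".join(sorted(combo)) for combo in TOXIC_COMBINATIONS if combo <= u.modules
        ]
        if len(u.modules) >= MAX_MODULES_BEFORE_REVIEW:
            reasons.append(f"{len(u.modules)} of {len(MODULES)} modules")
        if reasons:
            findings.broad_access[u.username] = sorted(reasons)
    return findings


# Constructed sample data: four HR records (one terminated) and six SIS accounts.
EMPLOYEES = [
    Employee("E100", True),
    Employee("E101", True),
    Employee("E102", False),  # terminated, account should have been removed
    Employee("E103", True),
]
USERS = [
    SisUser("jdoe", {"REG"}, "E100"),                     # clean
    SisUser("asmith", {"AID", "REG"}, "E101"),            # AID+REG combination
    SisUser("bwhite", {"SBR"}, "E102"),                   # terminated employee
    SisUser("frontdesk2", {"REG", "SBR"}, None),          # generic, REG+SBR
    SisUser("cjones", {"REG", "AID", "SBR", "ADM", "HR", "FIN", "LIB", "HOUS", "ALUM"}, "E103"),
    SisUser("tlee", {"ADM"}, "E999"),                     # id unknown to HR
]

if __name__ == "__main__":
    result = review_access(USERS, EMPLOYEES)
    print("Orphaned accounts (B):", result.orphaned)
    print("Generic accounts (C): ", result.generic)
    for name, why in result.broad_access.items():
        print(f"Broad access (D): {name}: {', '.join(why)}")
```

Each finding maps to one report item, so the output can be filed as the evidence that the periodic review in items B and D actually ran.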
Recommendation

Enhance security controls over student information to provide reasonable assurance that the user access permission controls are improved to comply with 34 CFR § 99.31 (FERPA) and align with the best practices of TAC §§ 202.70 - 202.76, to better protect registration information and other student data from unauthorized use.

Management Response

It is our belief that the Enterprise Resource Planning (ERP) system in use at the time of our visit was insufficient to address the concerns expressed in your audit. I am pleased to report that Grayson College ceased using the POISE Enterprise Resource Planning (ERP) system on February 15, 2016. We have migrated our student information to CAMS Enterprise, our new ERP. During this transition, Grayson College has also migrated our network sign-on authentication system to Microsoft Active Directory. Further, our human resources system has been upgraded to Microsoft GP. The combination of these systems allows for more control over our systems than was possible in our previous system. We believe that this migration, coupled with the judicious execution of smart procedures, will address all of the concerns that emerged in the technology audit.

Specific examples are listed as items A-D in the report. We respectfully provide a response to each of those below.

A. System does not provide enough granularity in access limitations to provide reasonable control of user access.
Response: The new ERP (CAMS Enterprise) provides considerably more granular control and gives us the opportunity to add different levels of security. We have a record on file of the access rights given to all users. These rights were assigned by the supervisors and approved by another layer of administration. The Poise/Jenzabar student information system is no longer in use.

B. Active user names' association with current employees.

Response: The previous list of active users in POISE no longer exists, and the college has created a new list of active employees with appropriate rights. Going forward, no active employee will be given any rights until we have a record of those rights on file with administrative approval. Rights management is much easier within our new ERP (CAMS Enterprise). Further, the implementation of Microsoft Active Directory provides another layer of access control and has been implemented. A periodic review of the current list of active users against current employees will be conducted to ensure the processes are working effectively.

C. Generic user names.

Response: Grayson College has discontinued the use of generic user names. The systems administrator has been instructed to never assign generic user names. A sample review of user names will take place annually to assure this practice.

D. Overly broad access.

Response: Grayson College has implemented individual user access based on job position, only allowing employees access to the modules within the CAMS Enterprise system that are tied to their job. The systems administrator has been instructed not to assign rights to multiple modules unless necessary and approved by administration. We will conduct a sample annual review to verify this practice.
PERFORMED BY: Mr. Paul Maeyaert, JD, MBA, Compliance Specialist

cc:
THECB Board Members
Commissioner's Office: Dr. Raymund A. Paredes, Commissioner of Higher Education; Ms. Linda Battles, Deputy Commissioner for Agency Operations and Communication/COO; Dr. David Gardner, Deputy Commissioner for Academic Planning and Policy; Mr. William Franz, General Counsel
Strategic Planning and Funding: Dr. Julie Eklund, Assistant Commissioner, Strategic Planning and Funding
Grayson College: Mr. Ronnie Cole, Chair, Board of Trustees; Ms. Christy Klemiuk, Director of Admissions and Registrar; Mr. Gary Paikowski, Vice President of Informational Technology
Texas Association of Community Colleges: Mr. Jacob Fraire, President and CEO
STATUTORY DISTRIBUTION REQUIREMENT: State Auditor's Office, Internal Audit Coordinator
Sunset Advisory Commission: Mr. Ken Levine, Director
A Compliance Desk Review of Formula Funding at Grayson College Report No THECB CM-FF-16-001
March 2016
EXECUTIVE SUMMARY
Processes were insufficient to ensure that data used for formula funding decision-making such as student enrollment information is accurate reliable and access is limited to those who have legitimate educational interests
Therefore our original review objectives including a determination of the accuracy of contact hours reported by Grayson College were unable to be met A follow up audit will be performed to evaluate Grayson Colleges information security controls as a basis for future base period assessment of the accuracy of contact hours reported for formula funding purposes
Review Scope Objective and Methodology
Our review included an examination of information security controls over enrollment data reported and certified by Grayson College
Our work included procedures to verify
bull Controls over access to data in the student information system were adequate
Due to weak information security controls we were unable to verify
bull Contact hoursenrollment met reporting requirements and bull Contact hours were eligible for formula funding
The review methodology included objectively reviewing and analyzing various forms of documentation of controls necessary to achieve the objectives of the review
Background
Fifty Public community college districts receive state appropriations based on their student enrollment data These institutions are governed by locally elected boards that have the authority to levy property taxes in their districts The state appropriations the colleges receive are used to fund administrative and instructional (education and general) services for post-secondary academic and vocationaltechnical education
State financing of higher education programs for public community colleges is provided from the States General Revenue Fund The THECB and the Comptroller of Public Accounts distributes these appropriations to colleges
A Compliance Desk Review of Formula Funding at Grayson College Report No THECB CM-FF-16-001
March 2016
based on allocations and performance measures Each college submits enrollment reports (CBM Reports) to the THECB to document the number of contact hours taught by the college in each semester The formula for state funding involves multiplying the base period contact hours submitted by colleges by the applicable funding rates
A Compliance Desk Review of Formula Funding at Grayson College Report No THECB CM-FF-16-001
March 2016
Detailed Observation Recommendation and Managements Response
1 Improve information technology processes and controls over security access to the student information system to ensure compliance with 34 sectCFR 9931 (FERPA) and to follow the best practices in Texas Administrative Code sectsect 20270 - 20276 Information technology controls over security access to the student information system require improvement
Information technology controls over security access to the student information system require improvement Although Grayson College has some policies and procedures in place to limit access to information systems the policies and procedures do not provide reasonable assurance that Grayson College is in compliance with FERPA (34 CFR sect 9931) and with the information security best practices in TAC Chapter 202 Information security weaknesses over student information included
A The existing PoiseJenzabar student information system does not provide enough granularity in access limitations to provide reasonable control of user access The user access controls are limited to just 11 different security profiles This creates overly broad access For example all 27 users that have access to the registration module (REG) have the same read and write access to registration data Many of these users would only require read access or modify access limited to certain registration screens
B Active user names for 294 users could not be associated with current employee names Grayson College confirmed that at least 34 of these active usernames should have been removed Only active employees should have active usernames A current list of active users should be maintained and reviewed against a current list of employees on a periodic basis to confirm appropriate access
C Generic user names for 232 users were identified and could not be associated with any one individual Grayson College confirmed that at least 33 of these needed to be removed Generic usernames should not be used so that activity associated with a particular user name can be tracked back to one individual
D Nine users were identified with overly broad access to multiple student information systems modules based on the users job function For example three users have access to eight or more of the eleven student information system modules six users have access to both the financial
A Compliance Desk Review of Formula Funding at Grayson College Report No THECB CM-FF-16-001
March 2016
aid module (AID) and the registration module (REG) and five users have access to both the registration module (REG) and the student business records module (SBR) Security access profiles and individual user access should be reviewed periodically Individual user access should be based on job position and only allow access as necessary
FERPA (34CFR sect 9931(a)(1)(ii)) requires that An educational agency or institution must use reasonable methods to ensure that school officials obtain access to only those education records in which they have a legitimate educational interests In addition as a best practice TAC sect 20271 (b)(8) requires developing and recommending policies and establishing procedures and practices necessary to ensure the security of information and information resources against unauthorized or accidental modification destruction or disclosure
Recommendation
Enhance security controls over student information to provide reasonable assurance that the user access permission controls are improved to comply with 34 CFR sect 9931 (FERPA) and align with the best practices of TAC sectsect 202 70 - 202 76 to better protect registration information and other student data from unauthorized use
Management Response
It is our belief that the Enterprise Resource Planning (ERP) system in use at the time of our visit was insufficient to address the concerns expressed in your audit I am pleased to report that Grayson College ceased using the POISE Enterprise Resource Planning (ERP) system on February 15 2016 We have migrated our student information to CAMS Enterprise our new ERP During this transition Grayson College has also migrated our network sign-on authentication system to Microsoft Active Directory Further our human resources system has been upgraded to Microsoft GP The combination of these systems allows for more control over our systems than was possible in our previous system We believe that this migration coupled with the judicious execution of smart procedures will address all of the concerns that emerged in the technology audit
Specific examples are listed as items A-D in the report We respectfully provide a response to each of those below
A System does not provide enough granularity in access limitations to provide reasonable control of user access
A Compliance Desk Review of Formula Funding at Grayson College Report No THECB CM-FF-16-001
March 2016
Response The new ERP (CAMS Enterprise) provides considerably more granular control and gives us the opportunity to add different levels of security We have a record on file of the access rights given to all users These rights were assigned by the supervisors and approved by another layer of administration The PoiseJenzabar student information system is no longer in use
B Active user names association with current employees
Response The previous list of active users in POISE no longer exists and the college has created a new list of active employees with appropriate rights Going forward no active employee will be given any rights until we have record of those rights on file with administrative approval Rights management is much easier within our new ERP (CAMS Enterprise) Further the implementation of Microsoft Active Directory provides another layer of access control and has been implemented A periodic review of the current list ofactive users against current employees will be conducted to ensure the processes are working effectively
C Generic user names
Response Grayson College has discontinued the use of generic user names The systems administrator has been instructed to never assign generic user names A sample review of user names will take place annually to assure this practice
D Overly broad access
Response Grayson College has implemented individual user access based on job position only allowing employees access to the modules within the CAMS Enterprise system that are tied to their job The systems administrator has been instructed not to assign rights to multiple modules unless necessary and approved by administration We will conduct a sample annual review to verify this practice
A Compliance Desk Review of Formula Funding at Grayson College Report No THECB CM-FF-16-001
March 2016
PERFORMED BY Mr Paul Maeyaert JD MBA Compliance Specialist
cc
THECB Board Members
Commissioners Office Dr Raymund A Paredes Commissioner of Higher Education Ms Linda Battles Deputy Commissioner for Agency Operations and
CommunicationCOO Dr David Gardner Deputy Commissioner for Academic Planning and Policy Mr William Franz General Counsel
Strategic Planning and Funding Dr Julie Eklund Assistant Commissioner Strategic Planning and Funding
Grayson College Mr Ronnie Cole Chair Board of Trustees Ms Christy Klemiuk Director of Admissions and Registrar Mr Gary Paikowski Vice President of Informational Technology
Texas Association of Community Colleges Mr Jacob Fraire President and CEO
STATUTORY DISTRIBUTION REQUIREMENT State Auditors Office Internal Audit Coordinator
Sunset Advisory Commission Mr Ken Levine Director
A Compliance Desk Review of Formula Funding at Grayson College Report No THECB CM-FF-16-001
March 2016
based on allocations and performance measures Each college submits enrollment reports (CBM Reports) to the THECB to document the number of contact hours taught by the college in each semester The formula for state funding involves multiplying the base period contact hours submitted by colleges by the applicable funding rates
A Compliance Desk Review of Formula Funding at Grayson College Report No THECB CM-FF-16-001
March 2016
Detailed Observation Recommendation and Managements Response
1 Improve information technology processes and controls over security access to the student information system to ensure compliance with 34 sectCFR 9931 (FERPA) and to follow the best practices in Texas Administrative Code sectsect 20270 - 20276 Information technology controls over security access to the student information system require improvement
Information technology controls over security access to the student information system require improvement Although Grayson College has some policies and procedures in place to limit access to information systems the policies and procedures do not provide reasonable assurance that Grayson College is in compliance with FERPA (34 CFR sect 9931) and with the information security best practices in TAC Chapter 202 Information security weaknesses over student information included
A The existing PoiseJenzabar student information system does not provide enough granularity in access limitations to provide reasonable control of user access The user access controls are limited to just 11 different security profiles This creates overly broad access For example all 27 users that have access to the registration module (REG) have the same read and write access to registration data Many of these users would only require read access or modify access limited to certain registration screens
B Active user names for 294 users could not be associated with current employee names Grayson College confirmed that at least 34 of these active usernames should have been removed Only active employees should have active usernames A current list of active users should be maintained and reviewed against a current list of employees on a periodic basis to confirm appropriate access
C Generic user names for 232 users were identified and could not be associated with any one individual Grayson College confirmed that at least 33 of these needed to be removed Generic usernames should not be used so that activity associated with a particular user name can be tracked back to one individual
D Nine users were identified with overly broad access to multiple student information systems modules based on the users job function For example three users have access to eight or more of the eleven student information system modules six users have access to both the financial
A Compliance Desk Review of Formula Funding at Grayson College Report No THECB CM-FF-16-001
March 2016
aid module (AID) and the registration module (REG) and five users have access to both the registration module (REG) and the student business records module (SBR) Security access profiles and individual user access should be reviewed periodically Individual user access should be based on job position and only allow access as necessary
FERPA (34CFR sect 9931(a)(1)(ii)) requires that An educational agency or institution must use reasonable methods to ensure that school officials obtain access to only those education records in which they have a legitimate educational interests In addition as a best practice TAC sect 20271 (b)(8) requires developing and recommending policies and establishing procedures and practices necessary to ensure the security of information and information resources against unauthorized or accidental modification destruction or disclosure
Recommendation
Enhance security controls over student information to provide reasonable assurance that the user access permission controls are improved to comply with 34 CFR sect 9931 (FERPA) and align with the best practices of TAC sectsect 202 70 - 202 76 to better protect registration information and other student data from unauthorized use
Management Response
It is our belief that the Enterprise Resource Planning (ERP) system in use at the time of our visit was insufficient to address the concerns expressed in your audit I am pleased to report that Grayson College ceased using the POISE Enterprise Resource Planning (ERP) system on February 15 2016 We have migrated our student information to CAMS Enterprise our new ERP During this transition Grayson College has also migrated our network sign-on authentication system to Microsoft Active Directory Further our human resources system has been upgraded to Microsoft GP The combination of these systems allows for more control over our systems than was possible in our previous system We believe that this migration coupled with the judicious execution of smart procedures will address all of the concerns that emerged in the technology audit
Specific examples are listed as items A-D in the report We respectfully provide a response to each of those below
A System does not provide enough granularity in access limitations to provide reasonable control of user access
A Compliance Desk Review of Formula Funding at Grayson College Report No THECB CM-FF-16-001
March 2016
Response The new ERP (CAMS Enterprise) provides considerably more granular control and gives us the opportunity to add different levels of security We have a record on file of the access rights given to all users These rights were assigned by the supervisors and approved by another layer of administration The PoiseJenzabar student information system is no longer in use
B Active user names association with current employees
Response The previous list of active users in POISE no longer exists and the college has created a new list of active employees with appropriate rights Going forward no active employee will be given any rights until we have record of those rights on file with administrative approval Rights management is much easier within our new ERP (CAMS Enterprise) Further the implementation of Microsoft Active Directory provides another layer of access control and has been implemented A periodic review of the current list ofactive users against current employees will be conducted to ensure the processes are working effectively
C Generic user names
Response Grayson College has discontinued the use of generic user names The systems administrator has been instructed to never assign generic user names A sample review of user names will take place annually to assure this practice
D Overly broad access
Response Grayson College has implemented individual user access based on job position only allowing employees access to the modules within the CAMS Enterprise system that are tied to their job The systems administrator has been instructed not to assign rights to multiple modules unless necessary and approved by administration We will conduct a sample annual review to verify this practice
A Compliance Desk Review of Formula Funding at Grayson College Report No THECB CM-FF-16-001
March 2016
PERFORMED BY Mr Paul Maeyaert JD MBA Compliance Specialist
cc
THECB Board Members
Commissioners Office Dr Raymund A Paredes Commissioner of Higher Education Ms Linda Battles Deputy Commissioner for Agency Operations and
CommunicationCOO Dr David Gardner Deputy Commissioner for Academic Planning and Policy Mr William Franz General Counsel
Strategic Planning and Funding Dr Julie Eklund Assistant Commissioner Strategic Planning and Funding
Grayson College Mr Ronnie Cole Chair Board of Trustees Ms Christy Klemiuk Director of Admissions and Registrar Mr Gary Paikowski Vice President of Informational Technology
Texas Association of Community Colleges Mr Jacob Fraire President and CEO
STATUTORY DISTRIBUTION REQUIREMENT State Auditors Office Internal Audit Coordinator
Sunset Advisory Commission Mr Ken Levine Director
A Compliance Desk Review of Formula Funding at Grayson College Report No THECB CM-FF-16-001
March 2016
Detailed Observation Recommendation and Managements Response
1 Improve information technology processes and controls over security access to the student information system to ensure compliance with 34 sectCFR 9931 (FERPA) and to follow the best practices in Texas Administrative Code sectsect 20270 - 20276 Information technology controls over security access to the student information system require improvement
Information technology controls over security access to the student information system require improvement Although Grayson College has some policies and procedures in place to limit access to information systems the policies and procedures do not provide reasonable assurance that Grayson College is in compliance with FERPA (34 CFR sect 9931) and with the information security best practices in TAC Chapter 202 Information security weaknesses over student information included
A The existing PoiseJenzabar student information system does not provide enough granularity in access limitations to provide reasonable control of user access The user access controls are limited to just 11 different security profiles This creates overly broad access For example all 27 users that have access to the registration module (REG) have the same read and write access to registration data Many of these users would only require read access or modify access limited to certain registration screens
B Active user names for 294 users could not be associated with current employee names Grayson College confirmed that at least 34 of these active usernames should have been removed Only active employees should have active usernames A current list of active users should be maintained and reviewed against a current list of employees on a periodic basis to confirm appropriate access
C Generic user names for 232 users were identified and could not be associated with any one individual Grayson College confirmed that at least 33 of these needed to be removed Generic usernames should not be used so that activity associated with a particular user name can be tracked back to one individual
D Nine users were identified with overly broad access to multiple student information systems modules based on the users job function For example three users have access to eight or more of the eleven student information system modules six users have access to both the financial
A Compliance Desk Review of Formula Funding at Grayson College Report No THECB CM-FF-16-001
March 2016
aid module (AID) and the registration module (REG) and five users have access to both the registration module (REG) and the student business records module (SBR) Security access profiles and individual user access should be reviewed periodically Individual user access should be based on job position and only allow access as necessary
FERPA (34 CFR § 99.31(a)(1)(ii)) requires that "An educational agency or institution must use reasonable methods to ensure that school officials obtain access to only those education records in which they have legitimate educational interests." In addition, as a best practice, TAC § 202.71(b)(8) requires developing and recommending policies and establishing procedures and practices necessary to ensure the security of information and information resources against unauthorized or accidental modification, destruction, or disclosure.
Recommendation
Enhance security controls over student information to provide reasonable assurance that the user access permission controls are improved to comply with 34 CFR § 99.31 (FERPA) and align with the best practices of TAC §§ 202.70-202.76, to better protect registration information and other student data from unauthorized use.
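One way to operationalise the periodic reviews that findings B through D call for, as an added example that is not part of the report and not Grayson College's code: reconcile an SIS account export against HR's active-employee list, flag generic account names, and flag the module combinations and breadth the report treats as overly broad. REG, AID and SBR are the module codes named in the report; every other module code, username, employee id and the generic-name pattern are constructed.

```python
"""Periodic user-access review modelled on findings B, C and D of the desk review.
Added example, not code from the report or from Grayson College. REG, AID and SBR are
the module codes the report names; all other codes, usernames, ids and the
generic-name pattern are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Finding D: module pairs the report flags, and the breadth it calls overly broad.
TOXIC_PAIRS = [frozenset({"AID", "REG"}), frozenset({"REG", "SBR"})]
BROAD_ACCESS_THRESHOLD = 8  # "eight or more of the eleven" modules
# Finding C: shared or role-named accounts no one person owns (assumed naming convention).
GENERIC_NAME = re.compile(r"^(admin|test|temp|guest|regdesk|frontdesk)\d*$", re.IGNORECASE)

@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]  # None when the SIS account is not linked to an HR record
    modules: frozenset

def review_access(accounts, active_employee_ids) -> dict:
    """Reconcile SIS accounts against HR; return sorted usernames per finding."""
    findings = {"generic": [], "orphaned": [], "toxic_combination": [], "overly_broad": []}
    for acct in accounts:
        if GENERIC_NAME.match(acct.username):
            findings["generic"].append(acct.username)  # finding C
        elif acct.employee_id not in active_employee_ids:
            findings["orphaned"].append(acct.username)  # finding B (None falls here too)
        if any(pair <= acct.modules for pair in TOXIC_PAIRS):
            findings["toxic_combination"].append(acct.username)  # finding D
        if len(acct.modules) >= BROAD_ACCESS_THRESHOLD:
            findings["overly_broad"].append(acct.username)  # finding D
    return {k: sorted(v) for k, v in findings.items()}

# Constructed sample: an SIS account export and HR's list of active employee ids.
ALL_MODULES = frozenset({"REG", "AID", "SBR", "ADM", "ADV", "FIN", "HR", "PAY", "RPT", "HOU", "LIB"})
SAMPLE_ACCOUNTS = [
    Account("jsmith", "E100", frozenset({"REG"})),            # clean
    Account("mjones", "E200", frozenset({"REG", "AID"})),     # toxic pair
    Account("kbrown", "E300", frozenset({"SBR"})),            # E300 no longer employed
    Account("regdesk2", None, frozenset({"REG"})),            # generic shared account
    Account("dwhite", "E400", ALL_MODULES - {"LIB", "HOU"}),  # 9 of 11 modules, REG+SBR
]
ACTIVE_EMPLOYEES = {"E100", "E200", "E400"}

if __name__ == "__main__":
    for category, users in review_access(SAMPLE_ACCOUNTS, ACTIVE_EMPLOYEES).items():
        print(f"{category:18} {', '.join(users) or '-'}")
```

Run against a real export, the four lists are the evidence a reviewer compares with HR's roster and with the approved access record each period.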
Management Response
It is our belief that the Enterprise Resource Planning (ERP) system in use at the time of our visit was insufficient to address the concerns expressed in your audit. I am pleased to report that Grayson College ceased using the POISE Enterprise Resource Planning (ERP) system on February 15, 2016. We have migrated our student information to CAMS Enterprise, our new ERP. During this transition, Grayson College has also migrated our network sign-on authentication system to Microsoft Active Directory. Further, our human resources system has been upgraded to Microsoft GP. The combination of these systems allows for more control over our systems than was possible in our previous system. We believe that this migration, coupled with the judicious execution of smart procedures, will address all of the concerns that emerged in the technology audit.
Specific examples are listed as items A-D in the report. We respectfully provide a response to each of those below.
A. System does not provide enough granularity in access limitations to provide reasonable control of user access
Response: The new ERP (CAMS Enterprise) provides considerably more granular control and gives us the opportunity to add different levels of security. We have a record on file of the access rights given to all users. These rights were assigned by the supervisors and approved by another layer of administration. The POISE/Jenzabar student information system is no longer in use.
B. Active user names association with current employees
Response: The previous list of active users in POISE no longer exists, and the college has created a new list of active employees with appropriate rights. Going forward, no active employee will be given any rights until we have a record of those rights on file with administrative approval. Rights management is much easier within our new ERP (CAMS Enterprise). Further, the implementation of Microsoft Active Directory provides another layer of access control and has been implemented. A periodic review of the current list of active users against current employees will be conducted to ensure the processes are working effectively.
C. Generic user names
Response: Grayson College has discontinued the use of generic user names. The systems administrator has been instructed to never assign generic user names. A sample review of user names will take place annually to assure this practice.
D. Overly broad access
Response: Grayson College has implemented individual user access based on job position, only allowing employees access to the modules within the CAMS Enterprise system that are tied to their job. The systems administrator has been instructed not to assign rights to multiple modules unless necessary and approved by administration. We will conduct a sample annual review to verify this practice.
PERFORMED BY: Mr. Paul Maeyaert, JD, MBA, Compliance Specialist
cc:
THECB Board Members
Commissioner's Office: Dr. Raymund A. Paredes, Commissioner of Higher Education; Ms. Linda Battles, Deputy Commissioner for Agency Operations and Communication/COO; Dr. David Gardner, Deputy Commissioner for Academic Planning and Policy; Mr. William Franz, General Counsel
Strategic Planning and Funding: Dr. Julie Eklund, Assistant Commissioner, Strategic Planning and Funding
Grayson College: Mr. Ronnie Cole, Chair, Board of Trustees; Ms. Christy Klemiuk, Director of Admissions and Registrar; Mr. Gary Paikowski, Vice President of Informational Technology
Texas Association of Community Colleges: Mr. Jacob Fraire, President and CEO
STATUTORY DISTRIBUTION REQUIREMENT: State Auditor's Office, Internal Audit Coordinator
Sunset Advisory Commission: Mr. Ken Levine, Director