Charter Oak College lacks adequate cyber attacks and disaster planning

The State Capitol on Tuesday, April 23, 2024.

The State Capitol on Tuesday, April 23, 2024.

Lau Guzmán / Hearst Connecticut Media

Charter Oak State College, which offers online higher education for residents, has failed to adequately plan for cyberattacks, natural disasters and environmental threats, a recent state audit found.

“We did not observe a targeted strategy to minimize currently identified threats to the continued operation of the institution, such as a comprehensive risk assessment or regular threat assessments,” auditors said. The audit found that a lack of planning posed a “high risk” to the institution.

In written responses to the audit, the council agreed with some of the criticism and disagreed with other aspects related to cyber and threat risks. A spokeswoman for the college in New Britain declined to comment further.

Article continues below this ad

As the only public online university in Connecticut, Charter Oak offers approximately 2,000 students a graduate or graduate degree each year. The institution’s information technology group, which is the focus of the audit, oversees the college’s technology needs.

Lack of planning

Auditors noted that the college mitigates much of its risk by using cloud environments. But, the audit found, a variety of equipment on campus remains at risk from threats.

Article continues below this ad

The audit found that a “well-developed security plan for critical information systems is an important control that supports the college’s overall risk management. The purpose of this document is to reduce the likelihood and severity of incidents that could damage or destroy IT assets and their data, including internal and external threats, natural threats, environmental threats and cyber threats.

“The lack of robust risk assessment activities prevents Charter Oak State College from promptly identifying threats to its critical systems and hinders the college’s ability to respond to an event with sufficient and appropriate corrective action,” the audit said. “There appears to be a lack of management oversight. Charter Oak State College’s information technology staff appears unaware of the risks associated with ineffective or missing administrative-level controls.

The finding had not emerged in previous audits.

In response, the council disagreed with the finding, saying the IT department had developed the “organizational structure and internal controls” into a “digestible technology heat map.” The document serves as a basis for where resources should be focused in the future.”

Article continues below this ad

The council added: “The expectation of conducting risk assessments and focusing on key control activities is additionally stated in the evaluation and in the objectives established annually between supervisors and employees within the relevant department. Although the technology heatmap and employee reviews are considered confidential, the audit team has full access to review the materials. While staff turnover and meeting student needs have slowed progress in addressing the action items within the heat map, the Board believes it is incorrect to conclude that there is no targeted strategy.”

In rebuttal comments, auditors said: “We have reviewed the heat map referenced in the council’s response and concluded that it does not address our condition. While the use of employee evaluations and objectives is useful for individual performance, it does not fully address risks to IT operations.”

Policy shortcomings

Auditors said the National Institute of Standards and Technology recommends robust procedural and policy documentation for aspects of the college’s operations. The audit found that the college did not have ‘high-level policy documents to govern a variety of procedures’ including staff security, risk assessment, emergency planning and maintenance.

Article continues below this ad

“The information technology policy provides the foundation for the roles and responsibilities of information technology personnel, as well as compliance for all Charter Oak State College employees,” auditors said. “Missing or inadequate policies increase the risk of inadequate procedures (electronic or human), undermining efforts to ensure appropriate confidentiality, integrity and availability of data. The lack of documents at policy level has a negative impact on the design and effectiveness of internal controls.”

The finding had not been previously reported.

In response, the council agreed with the finding. “Charter Oak State is in contact with the (Connecticut State College and University) Information Security Office, which is seeking staff and funding to address the condition,” the college said.

The contingency plan is inadequate

Auditors also said that while the council has provided evidence of a disaster recovery plan for third-party providers of critical software, the plan is outdated and has not been approved by current information technology leaders.

Article continues below this ad

“A well-designed disaster recovery plan helps enable rapid recovery of operations without irreparable damage to agency assets,” auditors said. “The lack of these controls could prevent Charter Oak State College, an online-only institution, from quickly recovering from an event that compromises data integrity and availability.”

Auditors said the problem appeared to be due to a “lack of management oversight” and noted the finding had not previously been reported.

In response, the council agreed with the finding.

Article continues below this ad

“During the audit period, the intention was to dismantle two of the college’s physical buildings and relocate the college to a single new location,” the college said. “As a result, disaster recovery plans were not updated while design and construction were underway. The College successfully relocated in fiscal year 2024 and is updating its disaster recovery plan accordingly, with several milestones already achieved.”

Back To Top