REPORT DIGEST

STATE UNIVERSITIES RETIREMENT SYSTEM
COMPLIANCE EXAMINATION
FOR THE YEAR ENDED JUNE 30, 2021

Release Date: March 10, 2022

FINDINGS THIS AUDIT: 2

CATEGORY      NEW   REPEAT   TOTAL
Category 1      0        0       0
Category 2      2        0       2
Category 3      0        0       0
TOTAL           2        0       2

FINDINGS LAST AUDIT: 1

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers our compliance examination of the State Universities Retirement System (System) for the year ended June 30, 2021. A separate Financial Audit as of and for the year ended June 30, 2021, was previously released on December 22, 2021.

SYNOPSIS

• (21-1) The System had not implemented formal internal controls related to cybersecurity programs, practices, and control of confidential information.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

Lack of Cybersecurity Programs and Practices

The State Universities Retirement System (System) had not implemented formal internal controls related to cybersecurity programs, practices, and control of confidential information.

It is the mission of the System to “secure and deliver retirement benefits promised” to its members. As a result, the System maintains large volumes of confidential information, including retiree names, addresses, health information, Social Security numbers, bank account numbers, etc.

The Illinois State Auditing Act (30 ILCS 5/3-24) requires the Auditor General to review State agencies and their cybersecurity programs and practices.

During our examination of the System’s cybersecurity program, practices, and control of confidential information, we noted the System had not:

• Developed a configuration management policy, system development standards, and onboarding procedures for contractors.
• Developed policies and procedures for reviewing and monitoring security implementation and violations.
• Periodically reviewed its policies and procedures to ensure they depicted the current security environment. The last review was conducted in 2017.
• Developed a project management framework to ensure new applications were adequately developed and implemented in accordance with management’s expectations.
• Developed a risk management methodology, conducted a comprehensive risk assessment, or implemented risk-reducing internal controls.
• Required employees to acknowledge receipt of changes to the System’s policies.
• Developed a data classification methodology and classified its data to identify and ensure adequate protection of information.
• Required contractors to complete cybersecurity training.
• Conducted a review of individuals with physical access to the System’s offices.
• Implemented tools to actively monitor security events over all of their applications.

Although the System had developed a change management policy, it did not address control over emergency changes, approval to move changes to the production environment, and proper segregation of duties. (Finding 1, pages 8-11)

We recommended the System:

• Develop policies regarding configuration management, system development, and onboarding for contractors.
• Develop policies and procedures for reviewing and monitoring security implementation and violations.
• At least annually review its policies and procedures to ensure they depict the current security environment.
• Develop a project management framework to ensure new applications are adequately developed and implemented.
• Develop a risk management methodology, conduct a comprehensive risk assessment, and implement risk-reducing internal controls.
• Require employees to acknowledge receipt of changes to the System’s policies.
• Develop a data classification methodology and classify its data to identify and ensure adequate protection of information.
• Require contractors to complete cybersecurity training.
• Conduct a review of individuals with physical access to the System’s offices.
• Implement tools to actively monitor security events over all of their applications.

Additionally, we recommended the System update its change management policy to include controls related to:

• Emergency changes,
• Approvals to move changes to the production environment, and
• Proper segregation of duties.

System officials disagreed with the statement “The State Universities Retirement System had not implemented formal internal controls related to cybersecurity programs, practices and control of confidential information.” SURS maintains a highly secure computer environment that safeguards confidential and personal information from attacks and unauthorized disclosure, but it recognizes that formal policies and procedures need to be documented to show how this is being done. SURS hired an Information Security Manager at the beginning of fiscal year 2022 to assist with formalizing and developing new policies and procedures and strengthening controls around information security.

In addition to the new position, SURS began a formal Policy Program Management Project to organize current policies and procedures and to develop a standardized process for drafting, reviewing, and approving current and new policies. Although this project is still ongoing, once completed it will include a full repository of all SURS policies (including a Policy on Policies) and a process to ensure that the review and approval of each new policy and subsequent policy modification is documented. SURS is also developing a formal process to be used when employees are required to sign an acknowledgement that they have reviewed and are aware of the policies that are applicable to them.

The Configuration and Change Management policies have been updated to reflect the recommendations above. The System Development Lifecycle policy documentation will be reviewed and updated. Procedures already exist in the SURS service desk for onboarding contractors. SURS will review these procedures and update them if necessary.

SURS already has solutions in place for monitoring security events and automated response solutions, and already subscribes to third-party solutions to assist with 24 x 7 monitoring and remediation of critical events. SURS recognizes the importance of centralizing events from all applications and systems into a central solution to provide visibility and response automation and will investigate commercial solutions available. Once these tools have been identified and implemented, new policies and procedures will be developed to reflect the current policies and procedures in place.

The Project Management Office is new to SURS and is still being developed. SURS concurs with the recommendation that there is a need to implement a project management framework to ensure new applications are adequately developed and implemented.

SURS performs an annual formal risk assessment of its information and technology systems to identify current and future risk, and to identify and implement controls that mitigate that risk. With the onboarding of the Security Manager, SURS will address the need to formalize the policies and procedures in the area of Risk Management that are already in place.

During fiscal year 2020, SURS contracted with a third-party vendor to assist with a data classification methodology, which has been implemented. A policy was also developed through this process; however, it has not yet been formally approved and adopted. This policy will be formally approved as part of the Policy Program Management Project.

SURS currently offers cybersecurity training to all contract workers and to all vendors who have access to our network as part of the Pension Administration System Project; however, SURS does not currently mandate that the contract workers complete cybersecurity training. SURS will work with contract workers, contractors, and vendors that have access to the SURS system to ensure that they have completed cybersecurity awareness training on at least an annual basis. Regarding new contracts moving forward, it should be noted that absent a specific law that requires these contractors and vendors to complete cybersecurity awareness training on an annual basis as a condition precedent of doing business with SURS, we may not be able to obtain these recommended contract terms.

SURS conducts periodic reviews of building access to sensitive areas but does not currently perform an annual review of all facility access. SURS will create procedures to perform this review.

In an Accountant’s Comment, we noted that cybersecurity programs and practices entail more than ensuring the entity’s environment is secure. A cybersecurity program also requires formally documented and adequately detailed policies, procedures, training, and monitoring for security events. As documented above, the System had not formally developed or implemented such controls. Further, a cybersecurity program necessitates the completion of a comprehensive risk assessment, which includes identifying the applications and confidential data in order to map the controls that safeguard the integrity, security, and availability of the applications and data. The System had not conducted such an assessment.

OTHER FINDING

The remaining finding pertains to a Lack of Formal Controls over the Review of Internal Controls for Service Providers.

We will review the Agency’s progress towards the implementation of our recommendations in our next State compliance examination.

AUDITOR’S OPINION

The auditors stated the financial statements of the System as of and for the year ended June 30, 2021, are fairly stated in all material respects.

ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of the System for the year ended June 30, 2021, as required by the Illinois State Auditing Act. The accountants stated the System complied, in all material respects, with the requirements described in the report.

This compliance examination was conducted by BKD, LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:TLK