REPORT DIGEST STATE UNIVERSITIES CIVIL SERVICE SYSTEM COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2021 Release Date: November 3, 2022 FINDINGS THIS AUDIT: 1 CATEGORY: NEW -- REPEAT – TOTAL Category 1: 0 -- 0 -- 0 Category 2: 1 -- 0 -- 1 Category 3: 0 -- 0 -- 0 TOTAL: 1 -- 0 -- 1 FINDINGS LAST AUDIT: 0 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov SYNOPSIS • (21-01) The State Universities Civil Service System had not implemented adequate internal controls related to cybersecurity programs, practices, and control of confidential information. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS WEAKNESSES IN CYBERSECURITY PROGRAMS AND PRACTICES The State Universities Civil Service System (System) had not implemented adequate internal controls related to cybersecurity programs, practices, and control of confidential information. The System is provided authority through legislative statute and is empowered through the University Civil Service Merit Board to develop, maintain, and administer a comprehensive and efficient program of human resource administration for the higher education community, specifically related to the employment and employment relationship with their auxiliary and support staff positions. To assist the System in meeting their statutory requirements, the System maintains several applications which contain confidential and/or personal information. The Illinois State Auditing Act (30 ILCS 5/3-2.4) requires the Auditor General to review State agencies and their cybersecurity programs and practices. During our examination of the System’s cybersecurity program, practices, and control of confidential information, we noted the System had not: • Developed a risk management methodology, conducted a comprehensive risk assessment, or implemented risk reducing internal controls. • Established incident response procedures, including procedures for reviewing and monitoring security violations and establishing corrective action plans for addressing incidents identified. • Developed a data classification methodology for classifying their data based on risk and had not classified its data. • Required employees to acknowledge receipt of security related policies and procedures. (Finding 2021-001, pages 9-10) We recommended the System: • Develop a risk management methodology, conduct a comprehensive risk assessment, and implement risk reducing internal controls based on the risk assessment performed; • Establish incident response procedures, including procedures for reviewing and monitoring for security violations and establishing corrective action plans for addressing incidents identified; • Develop a data classification methodology for classifying their data based on risk, and classify their data once the methodology had been established; and, • Require employees to acknowledge receipt of security related policies and procedures. The System concurred with the finding and will develop the recommendation of the Auditor. ACCOUNTANT’S OPINION The accountants conducted a State compliance examination of the System for the two years ended June 30, 2021, as required by the Illinois State Auditing Act. The accountants stated the System complied, in all material respects, with the requirements described in the report. This State compliance examination was conducted by the Office of the Auditor General’s staff. JANE CLARK Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:JC