The Board of Visitors’ Audit, Compliance and Risk Committee convened Friday to discuss audits of various processes and issues relating to the University. The open session was kept brief while the closed session took up the remainder of the allotted time, part of which was used to discuss the University’s plans to implement enhanced protections against cybersecurity attacks.
In the closed session, cybersecurity risks related to the University’s networks took up most of the focus. Because public discourse about the University’s cybersecurity weaknesses could expose vulnerabilities to hackers, discussion of these risks remained closed in accordance with the exemptions present in the Virginia Freedom of Information Act. The state of Virginia allows for discussions on cybersecurity risks and proprietary business information in such closed sessions to protect the University’s interests.
Chair and Board Member Thomas A. Depasquale commenced proceedings during the meeting with an agenda overview. He asked that the Committee direct their attention to written reports containing information from the University’s Records and Information Management Office.
In the written report, the Audit Department and Records and Information Management reports summarized University audit work performed from Nov. 16, 2023, to Jan. 31, 2024. In one of the reports, Mandiant, a cybersecurity consulting company that has worked with the University since the 2015 cyberattack on its IT systems, evaluated U.Va. Health’s ability to respond to ransomware attacks.
This assessment was outlined by Mandiant’s Purple Team Assessment evaluations, which test an organization's ability to counter cyber threats by simulating industry-specific scenarios. Three out of seven recommendations by Mandiant met objectives regarding the strategies employed to effectively mitigate risk. Records and Information Management at the University implemented corrective action plans for two out of the four recommendations that were partially met.
The University has faced several cybersecurity threats recently, with the latest coming in the form of misleading email scams to students. The enhancement plans discussed in the closed session, alongside the recommendations set by Mandiant, address proactive measures to fortify the University’s cyber defense.
Additionally, oversight checks were conducted for child daycare services at the University. Issues relating to building safety and security were labeled as top priorities, underlining a critical area for improvement identified by the report.
Other topics covered in the report included a safety and security follow-up, Workday expense reimbursements, hazardous materials handling and a HIPAA security risk follow-up. The Safety & Security program follow-up examined workplace violence coordination and fire safety consolidation, while the 2023 Workday expense reimbursements audit focused on enhancing editing and approving employee accounts.
The hazardous materials handling audit addressed coal lifecycle management at the University heating plant, and the HIPAA security risk assessment follow-up aimed to strengthen password standards for the University.
Looking forward, The Institute of Internal Auditors, which offers audit and security services, has announced updates for its auditing framework known as the Global Internal Audit Standards. These new standards could change how the committee assesses its operational process. Additionally, a two-year risk-based internal audit plan is planned for review and approval in the next meeting.
The Audit, Compliance and Risk Committee is scheduled to reconvene during the next Board of Visitors meeting in June June.
Read More
Virginia Attorney General Speaks On Free Speech And Criminal Justice Reform
By Vyshnavi Tatta | YesterdayMiyares said pursuing repeat criminal offenders is a more crucial step in reducing crime, saying that studies show a small percentage of criminals commit a majority of crimes.
Student Council passes summer budget, bill supporting allergy policy reform
By Arshiya Pant | YesterdayThe biggest expenditure categories outlined in the summer 2024 budget were CIO Consultant funds and Support and Access Services, respectively receiving $67,000 and $65,950.
New Vice President of Research Lori McMahon aims to work towards U.Va.’s 2030 plan
By Caroline Hagood | YesterdayMcMahon said she was drawn to the University after reading the University's 2030 plan and that she was inspired by the vision of President Jim Ryan and other University leaders.
