City University of New York

Employee Access to the Student Information Management System at Selected Campuses

The City University of New York (CUNY) consists of eleven senior colleges, six community colleges, and several other specialized and professional schools. The majority of CUNY campuses use the Student Information Management System (SIMS) to track students’ personal information, account balances, course selections, grades and loan information.

We visited four campuses and identified significant weaknesses in their controls over access to SIMS. Because of these weaknesses, unauthorized users could have access to SIMS; and some authorized users might have inappropriate access to certain types or levels of SIMS information. For example, we found that 60 former employees at the four campuses still had access to SIMS after they left CUNY, and 35 of the 55 employees we interviewed had never changed their SIMS password. We also determined that 21 of these 55 employees had the ability to change grades, adjust student account balances, or override controls preventing students with outstanding balances from registering for classes, even though these employees did not need such capabilities. We recommended that a number of actions be taken to strengthen the campuses’ controls over access to SIMS.

A copy of this report may be requested through the OSC Communications Office by email or by calling 518-474-4015.