Purpose

To determine whether the City University of New York (CUNY) adequately controls access to the CUNY Fully Integrated Resources and Services Tool system (CUNYfirst) and whether CUNY adequately measured if users’ needs were met. The audit covers the period January 1, 2013 through October 23, 2015.

Background

CUNYfirst, which replaced CUNY’s Financial Management, Human Capital Management, and Campus Solutions applications, is an Enterprise Resource Program. The objective of CUNYfirst was to replace CUNY’s legacy systems with an integrated and flexible state-of-the-art solution. During its early phases, CUNYfirst implementation was expected to be complete by 2012. By October 29, 2015, 20 campuses had at least part of the system implemented, and at that time, the projected date for project completion was October 2016. As of September 30, 2015, CUNY reported the cost to develop and implement CUNYfirst was $249.75 million.

CUNYfirst, like many large computer systems, uses role-based access. Roles are created for the various functions at CUNY, such as the Admissions Office or Registrar. These roles give individuals permission to perform certain operations that are assigned to these functions. For example, in the Admissions Office one of the roles would be to allow staff to update academic test data for a student. Students and staff are assigned particular roles, and thereby acquire the rights to access certain CUNYfirst applications.

As of April 23, 2015, CUNY reported CUNYfirst had approximately 1.27 million accounts (1.15 million students and 123,000 employees). The student accounts include both former and current students. The employee category includes faculty, administrative, and student employees whether active, inactive, or retired.

Key Findings

We concluded that CUNY’s processes and controls did not adequately restrict CUNYfirst users’ access to ensure that individuals only had appropriate roles assigned. For example, we determined that:

• CUNY’s Central Office (CUNY Central) granted 60 roles to Application Security Liaisons, or ASLs (information technology personnel who grant access to CUNYfirst at the campuses) without adequate justification. The business needs for the ASLs to have the roles in question were unclear. In addition, there were 27 roles that were removed from employees who had left CUNY, but not until 3 to 32 months after their departure.
• A student had access to CUNYfirst Financial and Supply Chain Management (FSCM) module, a business application that students normally cannot access. Such access requires an approved access form; however, no form was on file for this student. The student, who was not an employee of the campus and had no business need for FSCM, could access FSCM data and accessed the FSCM application on three occasions. We also examined 244 employees’ accounts, all of which required approved access forms. We identified 170 employees who had 990 unauthorized roles, including 83 that were designated by CUNY as “sensitive.” For example, certain users’ roles allowed them to change personal information for any student, and this role was not restricted to the campus where the ASL worked.
• Multiple individuals appeared to have roles for which they had no business purpose. For example, 22 employees outside of financial aid could apply for student loans for individuals other than themselves. CUNY officials stated that while it may appear that these functions (such as applying for a loan) could be executed, they most likely could not. However, they provided no basis to support their statement. Also, a student employee had unauthorized grade change capability. For the period January through May 2015, this student employee changed grades 127 times for other students, but did not change her own grades.
• In 37 of 49 sampled cases, a user delegated a function to another person, but did not indicate an end date for the delegation. Without specifying an end date, the individual with delegated rights retains access indefinitely, increasing the risk of improper use.

Also, CUNY performed a survey of CUNYfirst users and potential users in November 2012 that did not include any students. Since then, another 11 campuses have implemented CUNYfirst; however, no survey or other process to obtain feedback from the users has been performed.

Our audit also identified certain findings and made a corresponding recommendation pertaining to the data integrity of particular CUNYfirst functions. We presented these findings and recommendation in detail to CUNY officials during the course of the audit’s fieldwork. However, to help preserve security over these functions, we did not detail the findings and recommendation in this report.

Key Recommendations

• Require CUNY Central and the campuses to prepare and maintain documentation of all approvals of roles that are assigned or removed in CUNYfirst.
• Require CUNY Central, in addition to the attestations, to actively monitor all user access within CUNYfirst.
• Periodically review and adjust the user access roles in the system to meet the actual needs of the individuals identified in our audit and system-wide.
• Create a policy requiring a formal end and/or review date for all role delegations in CUNYfirst.
• Periodically survey users from all CUNYfirst user groups to measure whether their needs are being met.

Other Related Audits/Reports of Interest

City University of New York - York College: Time and Attendance Practices for Public Safety Staff (2013-S-65)
CUNY SPS: Controls Over Bank Accounts (2014-S-78)