The Cavalier Daily
Serving the University Community Since 1890

Board of Visitors’ Audit, Compliance and Risk Committee holds closed meeting to discuss cybersecurity risks

Audits discussed in previous open session meetings, including U.Va. Health’s cyber defenses and community health, were addressed in written reports

<p>Because public discourse about the University’s cybersecurity weaknesses could expose vulnerabilities to hackers, discussion of specific risks remained closed in accordance with the exemptions present in the Virginia Freedom of Information Act.&nbsp;</p>

Because public discourse about the University’s cybersecurity weaknesses could expose vulnerabilities to hackers, discussion of specific risks remained closed in accordance with the exemptions present in the Virginia Freedom of Information Act. 

The Board of Visitors’ Audit, Compliance and Risk Committee convened Friday to discuss audits of various processes and issues relating to the University. The open session was kept brief while the closed session took up the remainder of the allotted time, part of which was used to discuss the University’s plans to implement enhanced protections against cybersecurity attacks.

In the closed session, cybersecurity risks related to the University’s networks took up most of the focus. Because public discourse about the University’s cybersecurity weaknesses could expose vulnerabilities to hackers, discussion of these risks remained closed in accordance with the exemptions present in the Virginia Freedom of Information Act. The state of Virginia allows for discussions on cybersecurity risks and proprietary business information in such closed sessions to protect the University’s interests.

Chair and Board Member Thomas A. Depasquale commenced proceedings during the meeting with an agenda overview. He asked that the Committee direct their attention to written reports containing information from the University’s Records and Information Management Office. 

In the written report, the Audit Department and Records and Information Management reports summarized University audit work performed from Nov. 16, 2023, to Jan. 31, 2024. In one of the reports, Mandiant, a cybersecurity consulting company that has worked with the University since the 2015 cyberattack on its IT systems, evaluated U.Va. Health’s ability to respond to ransomware attacks. 

This assessment was outlined by Mandiant’s Purple Team Assessment evaluations, which test an organization's ability to counter cyber threats by simulating industry-specific scenarios. Three out of seven recommendations by Mandiant met objectives regarding the strategies employed to effectively mitigate risk. Records and Information Management at the University implemented corrective action plans for two out of the four recommendations that were partially met.

The University has faced several cybersecurity threats recently, with the latest coming in the form of misleading email scams to students. The enhancement plans discussed in the closed session, alongside the recommendations set by Mandiant, address proactive measures to fortify the University’s cyber defense.

Additionally, oversight checks were conducted for child daycare services at the University. Issues relating to building safety and security were labeled as top priorities, underlining a critical area for improvement identified by the report. 

Other topics covered in the report included a safety and security follow-up, Workday expense reimbursements, hazardous materials handling and a HIPAA security risk follow-up. The Safety & Security program follow-up examined workplace violence coordination and fire safety consolidation, while the 2023 Workday expense reimbursements audit focused on enhancing editing and approving employee accounts. 

The hazardous materials handling audit addressed coal lifecycle management at the University heating plant, and the HIPAA security risk assessment follow-up aimed to strengthen password standards for the University. 

Looking forward, The Institute of Internal Auditors, which offers audit and security services, has announced updates for its auditing framework known as the Global Internal Audit Standards. These new standards could change how the committee assesses its operational process. Additionally, a two-year risk-based internal audit plan is planned for review and approval in the next meeting.

The Audit, Compliance and Risk Committee is scheduled to reconvene during the next Board of Visitors meeting in June June.

Local Savings

Comments

Latest Video

Latest Podcast

With Election Day looming overhead, students are faced with questions about how and why this election, and their vote, matters. Ella Nelsen and Blake Boudreaux, presidents of University Democrats and College Republicans, respectively, and fourth-year College students, delve into the changes that student advocacy and political involvement are facing this election season.