The Board of Visitors’ Audit, Compliance and Risk Committee convened Friday to discuss audits of various processes and issues relating to the University. The open session was kept brief while the closed session took up the remainder of the allotted time, part of which was used to discuss the University’s plans to implement enhanced protections against cybersecurity attacks.
In the closed session, cybersecurity risks related to the University’s networks took up most of the focus. Because public discourse about the University’s cybersecurity weaknesses could expose vulnerabilities to hackers, discussion of these risks remained closed in accordance with the exemptions present in the Virginia Freedom of Information Act. The state of Virginia allows for discussions on cybersecurity risks and proprietary business information in such closed sessions to protect the University’s interests.
Chair and Board Member Thomas A. Depasquale commenced proceedings during the meeting with an agenda overview. He asked that the Committee direct their attention to written reports containing information from the University’s Records and Information Management Office.
The written reports from the Audit Department and Records and Information Management summarized University audit work performed from Nov. 16, 2023, to Jan. 31, 2024. In one of the reports, Mandiant, a cybersecurity consulting company that has worked with the University since the 2015 cyberattack on its IT systems, evaluated U.Va. Health’s ability to respond to ransomware attacks.
This assessment was outlined by Mandiant’s Purple Team Assessment evaluations, which test an organization's ability to counter cyber threats by simulating industry-specific scenarios. Three out of seven recommendations by Mandiant met objectives regarding the strategies employed to effectively mitigate risk. Records and Information Management at the University implemented corrective action plans for two out of the four recommendations that were partially met.
The University has faced several cybersecurity threats recently, with the latest coming in the form of misleading email scams to students. The enhancement plans discussed in the closed session, alongside the recommendations set by Mandiant, address proactive measures to fortify the University’s cyber defense.
Additionally, oversight checks were conducted for child daycare services at the University. Issues relating to building safety and security were labeled as top priorities, underlining a critical area for improvement identified by the report.
Other topics covered in the report included a safety and security follow-up, Workday expense reimbursements, hazardous materials handling and a HIPAA security risk follow-up. The Safety & Security program follow-up examined workplace violence coordination and fire safety consolidation, while the 2023 Workday expense reimbursements audit focused on enhancing editing and approving employee accounts.
The hazardous materials handling audit addressed coal lifecycle management at the University heating plant, and the HIPAA security risk assessment follow-up aimed to strengthen password standards for the University.
Looking forward, The Institute of Internal Auditors, which offers audit and security services, has announced updates for its auditing framework known as the Global Internal Audit Standards. These new standards could change how the committee assesses its operational process. Additionally, a two-year risk-based internal audit plan is planned for review and approval in the next meeting.
The Audit, Compliance and Risk Committee is scheduled to reconvene during the next Board of Visitors meeting in June.