Summary
| Report Number: | 01-013 |
| Report Title: | COLLEGIS Contract & Selected Information Sys Functions - Valencia Community College - Information Technology Review |
| Report Period: | FTP 07/26/1999 thru 06/22/2000 |
| Release Date: | 10/10/2000 |
On June 17, 1998, Valencia Community College outsourced the management and operation of its information technology functions to COLLEGIS, Inc., which staffs the College's Office of Information Technology. The contract, as amended, provides for the College to pay COLLEGIS $14,916,000 for the period of June 18, 1998, through June 17, 2003, with optional extensions that, if exercised, could increase the total contract cost to $18,550,900.
Our review of the COLLEGIS contract and selected information systems functions of the College disclosed deficiencies in the College’s management of the contract and in selected computer general controls. These deficiencies, along with related recommendations, are summarized in the following paragraphs.
Finding No. 1:
The College contracted for the provision of information technology (IT) services with COLLEGIS without having a long-range information resource technology plan and without soliciting proposals from other vendors.
The College, with COLLEGIS’ assistance, was in the process of developing a Strategic Technology Plan that, as of June 22, 2000, was still in draft status. Notwithstanding a provision of State Board of Education Rules that exempted the College from the three-bid requirement, we believe the significant financial and administrative impact of the COLLEGIS contract should have prompted the College to solicit additional proposals from other vendors providing similar services. A lack of documentation of the contract negotiations with COLLEGIS precluded us from determining whether the negotiations were conducted in the College’s best interests.
The College should ensure that IT purchases are made in accordance with an approved long-range information resource technology plan and that proposals are solicited before the College enters into arrangements similar to the COLLEGIS contract.
Finding No. 2:
The College has not enforced a contract provision with regard to COLLEGIS implementing the Oracle financial services and human resources/payroll systems. As a result, the College has incurred $233,833.50 in additional costs for Oracle consultants.
The contract with COLLEGIS provides that COLLEGIS shall, among other things, develop a detailed implementation project plan and provide various technology services described in the contract and accompanying exhibits. A detailed implementation project plan that would have specified any additional consulting services costs to be paid by the College was not developed. COLLEGIS billed the College and was reimbursed a total of $233,833.50, in excess of the contract cost, for two Oracle consultants that COLLEGIS hired to assist in the project. These services should have been provided by COLLEGIS, at no additional charge, as part of the scope of services described in the COLLEGIS contract.
The College should seek reimbursement from COLLEGIS for the payments made for the Oracle consultants. The College should also require COLLEGIS to provide technically proficient staff capable of providing the expertise necessary to accomplish the scope of services specified under the contract.
Finding No. 3:
The College’s draft Strategic Technology Plan for 2000-2004 does not include estimated costs and timelines to ensure feasibility and performance of the strategic objectives set forth in the plan.
Since September 1998, an external technology strategic planning consultant engaged by COLLEGIS has led the development of a Strategic Technology Plan for 2000-2004. As of June 22, 2000, the draft plan had not been approved by the Board.
The College should include dollar amounts and time frames in its strategic technology plans so that subordinate short-range operational plans and budgets can be developed to accomplish the long-range goals and objectives of the College.
Finding No. 4:
The College has not performed certain provisions for which it is responsible in its contract with COLLEGIS. Additionally, the College is not adequately monitoring COLLEGIS' performance under the contract.
The contract with COLLEGIS places certain responsibilities on COLLEGIS and other responsibilities on the College. We found compliance deficiencies on the part of both COLLEGIS and the College.
Generally, the College has not, as provided in the contract, formally established various plans, policies, procedures, and standards to guide COLLEGIS in performing its duties. Additionally, as of February 29, 2000, annual outcome measurements to use in monitoring COLLEGIS service delivery had not been distributed to the governance committee.
The College should develop and formally adopt the above-mentioned criteria and performance measures to guide and monitor COLLEGIS’ contract performance.
Finding No. 5:
The College’s information resources disaster recovery draft plan lacks key provisions, including a formal agreement with the back-up site and disaster recovery planning for the current client/server environment.
In the College’s contract with COLLEGIS, the vendor is required to ensure that backup and disaster recovery processes have been implemented and tested. The draft plan being developed by COLLEGIS is targeted for completion by the end of calendar year 2000. The plan addresses the mainframe computing environment, but not the client/server environment in which the new financial services and human resources/payroll systems operate.
No formal agreement exists with Northeast Regional Data Center, the back-up site identified in the draft plan. Disaster recovery planning for the current human resources/payroll, financial services, and student applications has not been documented or tested at the alternate site.
The College should continue to develop its disaster recovery plan and address the aforementioned provisions. The College should also test the plan at least annually.
Finding No. 6:
The College has not established formal policies and procedures governing application systems development and maintenance. Controls over the program change process need strengthening.
Contractually required information technology policies and procedures have not been finalized by COLLEGIS. The College continues to operate without formal standards governing application change control for either its mainframe systems or purchased client/server systems.
Current program change practices need improvement in the areas of documenting testing, user acceptance, and supervisory review of changes; monitoring the progress of program changes; and moving changes into the production environment. The College should complete its systems development and maintenance standards and distribute them to appropriate personnel.
Finding No. 7:
Deficiencies were noted in the College’s information technology access controls.
Access control deficiencies that need addressing by the College include:
- Access policies and procedures are not current with respect to the College's new client/server computing environment and do not address some significant security matters.
- Internet usage policies need to be developed.
- The College needs a security awareness program that emphasizes the importance of information security.
- Computer programmers and operators have inappropriate access capabilities.
- Access capabilities of former employees were not, in some instances, revoked in a timely manner.
Finding No. 8:
The College has not established appropriate access control procedures regarding passwords.
We noted the following password control deficiencies, many of which were attributed by the College to limitations in its mainframe security systems:
- Mainframe users are not forced to change their password after their initial sign-on to the system or when a security administrator has reset their password.
- Except in the ICCF security system, mainframe users were not periodically forced to change their password.
- A password verification program is not used to limit the recycling of user passwords or the use of easily compromised passwords.
- Passwords are not encrypted in the CICS mainframe security tables and can be viewed or printed in plain text by security administrators and contracted system programmers.
The College should research the feasibility of implementing a mainframe security system capable of establishing the security parameters listed above. The College should also determine if its client/server environment has features that can be used to correct the exposures listed above.
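The four password controls listed in this finding (forced change after initial sign-on or an administrator reset, periodic expiry, a verification step that rejects recycled and easily guessed passwords, and storage of passwords in a form that administrators cannot read back) can be expressed as a small account model. The following is an added illustration written for this summary, not code from the report, from COLLEGIS, or from the College's mainframe security systems; the 90-day maximum age, five-entry history depth, eight-character minimum, and the short list of weak passwords are constructed parameters, and salted PBKDF2 stands in for whatever hashing a real security product would use.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy parameters (assumptions for this example, not the College's values).
MAX_PASSWORD_AGE = timedelta(days=90)   # periodic forced change
HISTORY_DEPTH = 5                        # number of previous passwords that may not be recycled
MIN_LENGTH = 8
# Constructed sample of easily compromised passwords; a real deployment loads a larger dictionary.
WEAK_PASSWORDS = {"password", "welcome1", "changeme", "college1", "valencia"}


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; only the salt and digest are stored, never the plain text."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    last_changed: datetime
    must_change: bool = True                      # set at creation and on administrator reset
    history: list = field(default_factory=list)   # (salt, digest) pairs of retired passwords


def create_account(user_id, initial_password, now):
    salt, digest = hash_password(initial_password)
    return Account(user_id, salt, digest, now, must_change=True)


def admin_reset(account, temporary_password, now):
    """Administrator reset: the temporary password must be replaced at next sign-on."""
    account.history.append((account.salt, account.digest))
    account.history = account.history[-HISTORY_DEPTH:]
    account.salt, account.digest = hash_password(temporary_password)
    account.last_changed = now
    account.must_change = True


def check_new_password(account, candidate):
    """Password verification program: return the reasons a candidate is rejected (empty = accepted)."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("too short")
    if candidate.lower() in WEAK_PASSWORDS or candidate.lower() == account.user_id.lower():
        reasons.append("easily compromised")
    # Compare against the current password and the retained history using each entry's own salt.
    for salt, digest in [(account.salt, account.digest)] + account.history[-HISTORY_DEPTH:]:
        _, candidate_digest = hash_password(candidate, salt)
        if hmac.compare_digest(candidate_digest, digest):
            reasons.append("reused")
            break
    return reasons


def change_password(account, candidate, now):
    reasons = check_new_password(account, candidate)
    if reasons:
        return reasons
    account.history.append((account.salt, account.digest))
    account.history = account.history[-HISTORY_DEPTH:]
    account.salt, account.digest = hash_password(candidate)
    account.last_changed = now
    account.must_change = False
    return []


def sign_on(account, password, now):
    """Return 'denied', 'change_required' (initial/reset/expired password) or 'ok'."""
    _, digest = hash_password(password, account.salt)
    if not hmac.compare_digest(digest, account.digest):
        return "denied"
    if account.must_change or now - account.last_changed > MAX_PASSWORD_AGE:
        return "change_required"
    return "ok"


if __name__ == "__main__":
    now = datetime(2000, 6, 22)
    acct = create_account("jdoe", "Temp#2000", now)
    print(sign_on(acct, "Temp#2000", now))          # initial password: change_required
    print(check_new_password(acct, "password"))     # rejected as easily compromised
    print(change_password(acct, "Orange&Blue42", now), sign_on(acct, "Orange&Blue42", now))
```

The point of the model is that each deficiency in the finding maps to one enforced rule, so a security administrator can demonstrate compliance by exercising the rules rather than by inspection of a table that, in the College's CICS environment, still held passwords in plain text.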
Finding No. 9:
The College does not routinely use audit trails and logs to aid in the review and investigation of unauthorized access attempts to the College’s information resources.
The College has not established procedures for security administrators and College administrators to regularly monitor system security. The mainframe security systems are limited in their recording and reporting of certain security events, limiting the ability of security administrators to monitor system activity for violations.
The College should regularly review access violation reports to timely detect unauthorized attempts to access computer programs and/or data. The College should also consider procuring a security product that could provide the reporting capability not currently available. Additionally, the College should review Oracle alerts as a potential source of information to the College.
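The routine review this finding recommends can be automated over whatever violation report the security system produces. The script below is an added example for this summary, not a tool from the report, from COLLEGIS, or from the College; the log line format, the sample entries, the set of revoked user ids, and the threshold of three failures in five minutes are all constructed. It flags the two conditions the report raises elsewhere: repeated unauthorized access attempts, and any activity on accounts belonging to former employees whose access should have been revoked (Finding No. 7).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-violation log in a hypothetical format:
# <date> <time> <event> user=<id> term=<terminal> resource=<name>
SAMPLE_LOG = """\
2000-06-20 08:01:12 SIGNON_FAIL user=jsmith term=T101 resource=CICS
2000-06-20 08:01:40 SIGNON_FAIL user=jsmith term=T101 resource=CICS
2000-06-20 08:02:05 SIGNON_FAIL user=jsmith term=T101 resource=CICS
2000-06-20 08:02:33 SIGNON_FAIL user=jsmith term=T101 resource=CICS
2000-06-20 08:03:10 SIGNON_OK user=jsmith term=T101 resource=CICS
2000-06-20 09:15:00 SIGNON_OK user=mlee term=T220 resource=CICS
2000-06-20 22:47:51 SIGNON_FAIL user=rgone term=T305 resource=CICS
2000-06-20 22:48:20 SIGNON_FAIL user=rgone term=T305 resource=CICS
2000-06-20 10:30:00 ACCESS_DENIED user=mlee term=T220 resource=PAYROLL.MASTER
2000-06-20 10:31:00 ACCESS_DENIED user=mlee term=T220 resource=PAYROLL.MASTER
2000-06-20 10:32:00 ACCESS_DENIED user=mlee term=T220 resource=PAYROLL.MASTER
"""

# Constructed: ids of former employees whose access should already be revoked.
REVOKED_USERS = {"rgone"}
FAIL_THRESHOLD = 3               # failures of one kind by one user ...
WINDOW = timedelta(minutes=5)    # ... within this sliding window raise an alert
VIOLATION_EVENTS = {"SIGNON_FAIL", "ACCESS_DENIED"}


def parse_line(line):
    """Split one log line into a dict with a datetime, the event name and the key=value fields."""
    parts = line.split()
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    fields = dict(p.split("=", 1) for p in parts[3:])
    return {"ts": ts, "event": parts[2], **fields}


def review_log(text):
    """Return alerts in time order; each alert is a dict with kind, user, term and ts."""
    events = sorted((parse_line(l) for l in text.splitlines() if l.strip()), key=lambda e: e["ts"])
    alerts = []
    recent = defaultdict(list)   # (user, event) -> timestamps of failures inside the window
    already_alerted = set()
    for e in events:
        key = (e["user"], e["event"])
        if e["event"] in VIOLATION_EVENTS:
            window = recent[key]
            window.append(e["ts"])
            # Drop failures that fell out of the sliding window.
            while window and e["ts"] - window[0] > WINDOW:
                window.pop(0)
            if len(window) >= FAIL_THRESHOLD and key not in already_alerted:
                already_alerted.add(key)
                alerts.append({"kind": "repeated_" + e["event"].lower(),
                               "user": e["user"], "term": e["term"], "ts": e["ts"]})
        # Any event at all on a revoked account is worth a look, successful or not.
        if e["user"] in REVOKED_USERS:
            alerts.append({"kind": "revoked_account_activity",
                           "user": e["user"], "term": e["term"], "ts": e["ts"]})
    return alerts


def summarize(alerts):
    """Count alerts by kind for the daily review report."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["kind"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = review_log(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["kind"], a["user"], a["term"])
    print(summarize(found))
```

The same structure applies to Oracle alert output or to a security product's violation report once a `parse_line` for that format is written; the review logic and the thresholds do not depend on the source.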
Prior Audit Findings
Findings this Audit: 9
Findings Prior Audit: 6
Repeat Findings: 3 (Nos. 5-7)
For those functions within the scope of this audit, the College has corrected the deficiencies noted in audit report No. 13398, except as noted in this report.
Pursuant to Section 11.45(7)(d), Florida Statutes, the President provided a written response to the audit findings and recommendations included in this report. In his response, the President disagreed with some of our audit findings. The President's complete response is shown as Appendix B in the detailed report.