UNIVERSITY OF VIRGINIA BOARD OF VISITORS. Meeting of the Audit, Compliance, and Risk Committee

Transcription

1 UNIVERSITY OF VIRGINIA BOARD OF VISITORS Meeting of the Audit, Compliance, and Risk Committee March 1, 2018

2

3 AUDIT, COMPLIANCE, AND RISK COMMITTEE Thursday, March 1, :45 11:30 a.m. Upper West Oval Room, The Rotunda Committee Members: Babur B. Lateef, M.D., Chair Robert M. Blue Mark T. Bowles L. D. Britt, M.D. Frank M. Conner III, Ex-officio Margaret F. Riley Adelaide Wilcox King, Faculty Consulting Member AGENDA PAGE I. REMARKS BY THE COMMITTEE CHAIR (Dr. Lateef) 1 II. III. IV. COMMITTEE DISCUSSION Office of Audit and Compliance Report: NIST Compliance: Protecting Controlled Unclassified 2 Information (CUI) in Non-Federal Information Systems (Mr. Gary Nimax to introduce Ms. Virginia Evans and Mr. Melur Ramasubramanian; Ms. Evans and Mr. Ramasubramian to report) WRITTEN REPORTS A. Enterprise Risk Management - University Key Risks 3 B. Office of Audit and Compliance Status Report 4 CLOSED SESSION Consultation with University Counsel regarding legal compliance matters requiring the provision of legal advice by counsel as provided for in Section (A) (8) of the Code of Virginia.

4

5 UNIVERSITY OF VIRGINIA BOARD OF VISITORS AGENDA ITEM SUMMARY BOARD MEETING: March 1, 2018 COMMITTEE: AGENDA ITEM: ACTION REQUIRED: Audit, Compliance, and Risk I. Remarks by the Committee Chair None BACKGROUND: Dr. Babur Lateef, the Committee Chair, will open the meeting and provide an overview of the agenda. 1

6 UNIVERSITY OF VIRGINIA BOARD OF VISITORS AGENDA ITEM SUMMARY BOARD MEETING: March 1, 2018 COMMITTEE: AGENDA ITEM: ACTION REQUIRED: Audit, Compliance, and Risk II. NIST Compliance: Protecting Controlled Unclassified Information (CUI) in Non-Federal Information Systems None BACKGROUND: NIST is a cybersecurity control framework intended for government contractors and other organizations, including research universities, that might handle Controlled Unclassified Information (CUI) as part of their operations. In December 2015, the Department of Defense (DoD) published an addendum to DFARS ( ) specifying as the cybersecurity framework government contractors must implement if they handle CUI. This addendum set a deadline for all parties with contracts falling under these regulations to implement the controls of for those contracts prior to Dec. 31, After that, noncompliant parties will be at risk of losing their contracts. Given the relatively new requirement for many organizations to prove compliance from 2018 onward, the controls of NIST have become a very important measure for research compliance programs. DISCUSSION: Mr. Melur (Ram) Ramasubramanian, Vice President of Research, and Ms. Virginia Evans, Chief Information Officer, will brief the Committee on the cybersecurity requirements, how they apply to UVA, and the steps being taken to ensure compliance with NIST

7 UNIVERSITY OF VIRGINIA BOARD OF VISITORS AGENDA ITEM SUMMARY BOARD MEETING: March 1, 2018 COMMITTEE: AGENDA ITEM: ACTION REQUIRED: Audit, Compliance, and Risk III.A. Enterprise Risk Management University Key Risks None BACKGROUND: The University s Enterprise Risk Management (ERM) program is designed to identify and manage key enterprise level risks and opportunities that could either prevent or enable the University in meeting its strategic objectives and mission. Mr. Jim Matteo, Associate Vice President and Treasurer, prepared a report on the updated ERM risk lists for the Academic Division and Health System. The University follows an annual ERM cycle that begins each August with the review of University goals and objectives. Key risks and opportunities are identified in the fall and narrowed down into key risk and opportunity lists for the University s Academic Division and Health System. For each key risk, a risk lead (i.e., the person who manages the risk on a daily basis) develops a risk management plan. Each risk management plan is reviewed and approved by an executive owner (i.e., an executive who has responsibility to see that the risk is being managed). The risk management plans are reviewed and updated on at least a semi-annually. The University presents updated key risk lists to the BOV at its March meeting and presents an annual report of the ERM program to the BOV at its June meeting. The University recently completed an update of its key risk lists. The only change to the risk lists from last year is the addition of one risk to the Health System s key risk list related to industry consolidation. Mr. Matteo is putting a process in place to identify and pursue opportunities arising out of the ERM process as well as efforts underway to strengthen risk mitigation plans. An overview of the phases of the ERM annual cycle as well as the updated risk lists are available in the Appendix to the Audit, Compliance, and Risk Committee s presentation deck. 3

8 UNIVERSITY OF VIRGINIA BOARD OF VISITORS AGENDA ITEM SUMMARY BOARD MEETING: March 1, 2018 COMMITTEE: AGENDA ITEM: ACTION REQUIRED: Audit, Compliance, and Risk III.B. Office of Audit and Compliance Status Report None Office of Audit and Compliance Department Status Report: FY18 Year to Date UVA s Audit and Institutional Compliance Program functions were combined in September 2017 to achieve increased alignment and improve oversight of institutional compliance risks and issues. Benefits of the new structure to date: Integration has brought efficiencies through real time communication, consultation, and coordination between Audit and Institutional Compliance We are teaming to consider procurement and adoption of a common IT system for housing audit and compliance controls and assessments o Avoids duplication of effort and proliferation of systems o Harmonization of audit and compliance terminology, risk ratings, and cadence of risk assessments means less confusion for our stakeholders ( what s the difference between audit and compliance? ) and a lower tax on their time, people, and processes Seat at the table for high priority compliance issues (e.g. NIST Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) Vision and Benefits of Office of Audit and Compliance--Future State Function We will elevate the performance of a combined Office of Audit and Compliance to deliver data-driven, institutional level controls assurance and risk monitoring services. Organizationally positioned in the Office of the President, with direct reporting to the BOV, the Office of Audit and Compliance is uniquely positioned to address pan-university risks and controls. We expand on unit-level assurance and compliance activities, providing objective and transparent reporting to the BOV and UVA leadership. 4

9 An updated charter for the Office of Audit and Compliance, further detailing roles and responsibilities, will be presented to the Audit, Compliance, and Risk Committee s review and approval at the June 2018 meeting. IIA Standard 2500: Monitoring Progress The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management. ACTION PLAN COMPLETION STATUS BY PRIORITY RATING Closed Open Past Due Not Yet Due PRIORITY PRIORITY LEGACY (UNRATED) 2 Details of Open Past Due Action Plans: Audit Archives and Special Collections Archives and Special Collections Past Due Action Item Electronic Security Harrison Small: Procure a new security system for Harrison Small building and implement installation plan (Due 1/1/18) Electronic Security Ivy Stacks: Secure access through CBORD Access Control System and provide training on inventory management and materials at Ivy Stacks (Due 1/1/18) Priority Rating P1 P1 Action Plan Owner Guy Mengel, Director Library Facilities and Security Guy Mengel, Director Library Facilities and Security 5

10 Audit Archives and Special Collections Archives and Special Collections Archives and Special Collections Past Due Action Item Environmental Conditions: Work with UVA Facilities Management to explore procedures to reduce corrosion in fire suppression system (Due 9/1/17) Security Cameras: Develop plans and cost estimates related to security camera issues noted (in Processing Room) (Due 9/1/17) Security Cameras: Address length of time camera video footage is maintained as part of new security system upgrade (1/1/18) Priority Rating P2 P2 P2 Action Plan Owner Guy Mengel, Director Library Facilities and Security Guy Mengel, Director Library Facilities and Security Guy Mengel, Director Library Facilities and Security Audit Work Completed or In Flight as of March 2018 Board of Visitors Meeting: Status Completed Completed Completed Completed Completed Subject Undergraduate Safety in Labs, Shops, and Studios Safety and Security Review Foundation Relationship Assessment Strategic Investment Fund Process Opportunities Research Compliance: Institutional Base Salaries Executive Travel and Expenses UVA Division Academic Pan- University Pan- University Pan- University Pan- University Pan- University Project Type Integrated Assurance Liaison to 3 rd party consultant Agreed Upon Procedures Memo to BOV SIF Administrative Committee Audit Audit 6

11 Status Subject UVA Division Project Type Medical Center Incident Response Health Readiness (Ransomware) System Assessment Medical Device Procurement and Health Current State Security System Assessment Construction Contract Audits: University Hospital Expansion Health Project System Audit (co-sourced) Participation on Charge Capture: Health cross functional Surgery System lean initiative Cash Receipts and Health Refunds System Audit Distributed IT Systems Management Academic Audit Travel and Expense Management Academic Audit Ufirst (HR Consultation on test Transformation and plans and project Workday Pan- status prior to Implementation) University 7/1/18 go live Planned Athletics Business Office Academic Health Planned Epic System Access System Institutional Compliance Update Transition audit (co-sourced) Audit Below is the mid-year status of the institutional compliance goals identified by Gary Nimax, Assistant Vice President for Compliance, for fiscal year Compliance Goals - Fiscal Year Review and update the university s Code of Ethics for approval by the Board of Visitors. Completed best practices review of peer codes of ethics to consider ways in which to improve the university s Code of Ethics. Drafted edited version of Code for review and comment by the university s Compliance Network. Updated Code to be shared with the Board of Visitors for review and approval. 7

12 2. Complete the onboarding of the medical center s new Compliance and Privacy Officer, Regina Verde, including the operational changes necessary since that role was converted from an academic division position to a medical center position. Regina Verde completed her first year in the role, bringing a renewed philosophy and fresh ideas to the department. Operational changes implemented and functioning. 3. Review improvements to be made regarding the university s compliance with digital accessibility, background check policies, and UFirst project compliance requirements. Digital accessibility executive committee met on February 13, 2018 to review status and discuss the position that has been posted to search for a full-time project manager. New background policy is being finalized, with new policy to be posted shortly. Continued to review UFirst compliance, including a discussion of related compliance concerns and a demonstration of the new learning management system with the Compliance Network. 4. Use the results of the compliance risk assessment conducted in partnership with Audit Department and General Counsel to confirm the strength of the university s compliance efforts. This assessment evaluated which compliance areas present the greatest risks, based on the consequences of non-compliance (legal, operational, and reputational), levels of effort necessary to address regulatory changes, regulatory scrutiny, and crossfunctional coordination. Began a joint review of risk assessment rankings to update scores and add new compliance requirements, starting with medical center compliance requirements. 5. Expand marketing and use of the university s anonymous helpline in order to more effectively monitor compliance reporting. Obtained additional software licenses and training for staff to implement the necessary changes. Contracted with a firm to add a web intake form to accept online reports. 8