The University of Texas of the Permian Basin
Institutional Compliance Program Quarterly Report
For the Quarter Ended February 28, 2007

Section I – Organizational Matters

A quarterly meeting of the Institutional Compliance Committee was held on February 15, 2007. The next meeting is scheduled for May 7, 2007.

There were no changes in membership on the Institutional Compliance Committee during the quarter and there were no changes in the Compliance staff.

Section II – Risk Assessment, Monitoring Activities and Specialized Training (Performed by Responsible Party)

High-Risk Area #1: Information Security
Responsible Party: Keith Yarbrough, Director of Information Resources

Key “A” risk(s) identified:
Unauthorized information disclosure through password access obtained by deceiving user
Inadequate protection of confidential information including Social Security Numbers
Lack of training on information security

Key Monitoring Activities:
Monitoring of all network traffic to centralized servers with the Nitro IPS/IDS appliance. Some unauthorized software within the UTPB local area network was detected and remediated through removal of the software. UTPB has recently purchased additional capabilities in this area. In addition to monitoring network traffic at additional sensor points, the expanded Nitro system will also provide essential log correlation capabilities across multiple network devices. Temporal correlation between multiple network devices (routers, firewalls, intrusion detection systems, etc.) is essential in understanding a dynamic network environment.
Nitro IDS/IPS appliance is blocking selected traffic signatures and vulnerabilities. The blocking is done by the appliance vendor according to identified threats.
Review of logon / logon attempt logs for Student Information System (SIS) server on a daily basis. Monitoring revealed several attempts to penetrate the system from outside the local area network.
Consequently, access to this system from the outside has been restricted at the firewall. Logon attempt monitoring for this system continues on a routine basis.

Specialized Training:
An online training program is being developed for users who require access to our systems. The first course will be for users requiring access to the SIS. Potential users will be required to complete the online course and pass a quiz before the user will be given an account on that system. Implementation is expected during the fiscal year. One section of this training has been incorporated into the faculty training module for the CampusConnect Faculty Access System.

High-Risk Area #2: Research
Responsible Party: J. Tillapaugh, Assistant Vice President for Graduate Studies and Sponsored Research

Key “A” risk(s) identified:
Inadequate training about Federal reporting requirements
Noncompliance with new Federal reporting requirements such as Time and Effort
Inappropriate use of animal and human subjects, research subjects and materials

Key Monitoring Activities:
A Time and Effort Policy to be included in the UTPB Handbook of Operating Procedures was presented to the Institutional Compliance Committee on November 30, 2006. The policy is currently open for comments. The Compliance Committee approved the policy at its meeting on February 15, 2007. Monitoring plan activities are being prepared based on the new policy.

Specialized Training:
The Time and Effort Reporting training program provided by UT System is being customized to the policy that is currently under consideration. We are continuing our present PI training process which will be revised for consistency with the new Time and Effort Policy. No training was conducted during the second quarter of FY 2007.
Risk assessments for the remaining “top” risks will be completed during the third quarter of this fiscal year. Monitoring and reporting procedures will be established at that time.

High-Risk Area #3: Animal and Human Subjects Research
Responsible Party: J. Tillapaugh, Assistant Vice President for Graduate Studies and Sponsored Research

Key “A” risk(s) identified:
Inadequate training about Federal reporting requirements
Inappropriate use of animal and human subjects, research subjects and materials

Key Monitoring Activities:
The human subject research review and approval system continues to function well, with 129 protocols submitted in the first two quarters of FY 2007. Four were not completed through the approval process, and forty-four were revised for compliance and final approval.
Institutional Animal Care and Use has received important attention in the first two quarters, with the development of revisions in policies and procedures as called for by the USDA’s Standards and UT System recommendations for compliance. The new statements proposed by the Institutional Animal Care and Use Committee received internal approvals. The revised policies and application forms have been posted to two web sites at UTPB, administrative forms and the Graduate Studies home page. Monitoring plan activities will be prepared based on the new policies during the third quarter of FY 2007.

Specialized Training:
Investigators must certify that they have received training on the posted federal guidelines and regulations in order to present a protocol for review and approval. No additional training was required or conducted during the first and second quarters of FY 2007.

High Risk Area #4: Learning Environment, retention and graduation rates.
Responsible Party: Dr. Susan Lara, Vice President for Student Services

Key “A” risks identified:
Failure to provide a learning environment for success
Failure to meet student expectations
Failure to meet established measures of retention and
Failure to meet established standards for graduation rates.

Key Monitoring Activities:
Enrollment management plan that was prepared and distributed in May 2006 has been reviewed and progress has been noted and discussed in Student Services Directors Meetings and in Enrollment Management Committee Meetings
Students on academic probation are being tracked and given additional activities to help them succeed.
Managing Academia for Personal Success (MAPS) program in place for early referrals
Monitoring of freshmen through the freshmen seminar coordinator.

Specialized Training:
All Student Services personnel have been trained on enrollment management and have been asked to ensure their areas are in compliance
Student Services student workers have been given additional training for customer relations and helpfulness
Staff have attended conferences in their fields to gain more information that will help them to assist students

High Risk Area #5: Recruitment
Responsible Party: Dr. Susan Lara, Vice President for Student Services

Key “A” risks identified:
Failure to recruit and attract students

Key Monitoring Activities:
Established a weekly meeting with director of admissions to review his office’s actions and effectiveness.
Asked for weekly admissions reports and conducted discussions with administrative council, Student Services directors, Enrollment Management Committee and Director of Admissions
Developing new recruiting plan
Met with admissions staff to review their progress

Specialized Training:
Admissions counselors have been sent to meetings for training
An admissions retreat has been held to train admissions staff and to provide guidance.

High Risk Area #6: Unsafe student behavior [including drug and alcohol use]
Responsible Party: Dr. Susan Lara, Vice President for Student Services

Key “A” risks identified:
Students may use drugs and alcohol
Students may practice unsafe sex and other behaviors
Students may be at risk for violent attacks and/or domestic violence

Specialized Training:
Provided seminars and activities for drug and alcohol awareness
Provided “Street Smart” campaign before spring break
Provided awareness of alcohol risks through “green beans” campaign
Provided training for handling rapes and attacks
Provided awareness of AIDS, safe sex and use of contraceptives

High Risk Area #7: Inadequate financial information to establish current position and close out prior year; Bad financial rating status; Failure to achieve budget assumptions
Responsible Party: Dr. Chris Forrest, Vice President for Business Affairs

Key “A” Risks Identified:
Inadequate financial information to establish current position and close out prior year
Bad financial rating status
Failure to achieve budget assumptions

Key Monitoring Activities:
The risk of having inadequate financial information to close the prior year and failure to achieve budget assumptions was partially assessed through the Deloitte & Touche financial audit for UTPB and through a newly developed variance analysis format

Section III – Monitoring and Assurance Activities (Performed by Compliance Office)

High-Risk Area #1: Information Security
Assessment of Control Structure: Opportunity for Enhancement
Assurance Activities Conducted: The following assurance activities are planned with respect to Information Security:
1) Confidentiality of Social Security Numbers—progress on implementation of BPM 66
2) Confidentiality and integrity of Digital Research Data—progress on implementation of BPM 75
3) TAC 202—compliance with DIR Rules and Regulations regarding IT Security

High-Risk Area #2: Research
Assessment of Control Structure: Opportunity for Enhancement
Assurance activity to be conducted:
1) Audit of Time and Effort Reporting—progress on implementation of BPM 76

High-Risk Area #3: Animal and Human Subjects Research
Assessment of Control Structure: Opportunity for Enhancement

High Risk Area #4: Learning Environment, retention and graduation rates
Assessment of Control Structure: Opportunity for Enhancement

High Risk Area #5: Recruitment
Assessment of Control Structure: Opportunity for Enhancement

High Risk Area #6: Unsafe student behavior [including drug and alcohol use]
Assessment of Control Structure: Opportunity for Enhancement

High Risk Area #7: Inadequate financial information to establish current position and close out prior year; Bad financial rating status; Failure to achieve budget assumptions
Assessment of Control Structure: Opportunity for Enhancement

Overall, monitoring activities have not taken place during the second quarter of FY 2007. Upon development of monitoring plans in each of the high risk areas, monitoring and assurance activities will be developed and performed. At that time significant findings will be reported and assessment of the control structure will be reported.

Section IV – General Compliance Training Activities

Seven modules of training are delivered through the Training Post for all continuing faculty and staff. Five additional topics are required for new faculty and staff. Required training was expected to be completed by December 31, 2006. For FY 2007, a total of 2,392 modules are currently assigned. 93.1% were completed by February 15, 2007. Follow up is continuing.

Section V – Action Plan Activities

The following Action Plan items were implemented during the quarter just ended:
The Committee reviewed compliance assurance reports certified by staff and issued reminders where appropriate to ensure total compliance with the System-wide compliance initiative.
A campus-wide compliance awareness survey was conducted. A comparison of results with previous annual surveys was prepared.
The information on the Compliance webpage was reviewed and updates are being prepared.
Five new compliance issues were received by the Assistant Compliance Officer during the quarter. One was investigated and closed. The remaining issues are still under investigation. In addition, review was completed on one issue carried over from the previous year and two from the previous quarter, and the issues were closed.

Completion of the following Action Plan items scheduled for first and second quarters FY 2007 was delayed until subsequent quarters due to required audits, an IRS audit and special projects that demanded the attention of the Assistant Compliance Officer:
Training for Responsible Parties on preparation of monitoring plans for high risks.
Implementation of Compliance Committee receipt and review of monitoring plans and quarterly reports for the top risks identified in the Tier One Risk Management process.

The revised Standards of Conduct received final approval. A distribution notice will be sent in April 2007 and the revised standards will be posted to the UTPB website.

The Committee will take the revised Compliance Manual to Administrative Council for review in May 2007. After comments are received, the revision will go to Executive staff for final approval.