Board of Visitors

Operations, Audit and Risk Committee Meeting February 4, 2022

The Operations, Audit and Risk Committee met on Friday, February 4, 2022 at 10:00 a.m. in the Jefferson Room of the David Student Union with Chair Terri McKnight presiding.

Present from the Committee

• Mrs. Terri M. McKnight, CPA, Chair
• The Honorable Gabriel A. Morgan, Sr.
• Dr. Ella Ward

Present from the University

• Ms. Jana Adamitis (Faculty Senate)
• Mrs. Ashleigh Andrews, Assistant Vice President for Finance and Planning
• Mrs. Faith Belote, Director of University Audit
• Mrs. Wendy Corrice, Information Security Officer
• Mr. Andrew Crawford, Chief Information Officer
• Mrs. Stephanie Hautz, Director of Human Resources
• Mrs. Sarah Herzog, Director of Budget and Planning
• Mrs. Jennifer Latour, Vice President for Finance and Planning/Chief Financial Officer
• Ms. Christine Ledford, Vice President for Administration and Auxiliary Services
• Mrs. Tammy Sommer, Director of Emergency Management
• Mrs. Adelia Thompson, Chief of Staff
• Mrs. Rhonda Wissinger, Executive Assistant

Public in attendance

• None

Chair McKnight called the meeting to order and welcomed everyone in attendance.

Approval of Minutes from the June 11, 2021 and September 24, 2021 Operations, Audit and Risk Committee Meetings

Chair McKnight asked if everyone had a chance to review the minutes from the June 11, 2021, and September 24, 2021 Operations, Audit and Risk Committee meetings and reminded everyone that we did not have a quorum at the June 11, 2021 meeting so we were unable to approve the minutes at that time. Chair McKnight asked if there were any edits needed for the minutes. No edits were needed, and a motion was put forth by Mr. Bill Ermatinger, seconded by Dr. Ella Ward with all in favor.

Chair McKnight introduced Mrs. Jennifer Latour, Vice President for Finance and Planning/CFO to provide her report. Mrs. Latour stated we would hear an Update from Information Technology Services followed by an Overview of the Office of Emergency Management. Mrs. Latour introduced Mr. Andrew Crawford, Chief Information Officer to provide the update on Information Technology Services:

Information Technology Services Update

Mr. Crawford explained that Information Technology, back in the fall of 2021, had an attack on one of the systems in the Physics, Computer Science and Engineering (PSCE) Department. This attack occurred on a server that runs independently. There was a weak password and it allowed someone to be able to access the account. The IT department worked to restore the system from back up and the issue was resolved. They are currently working with Internal Audit to initiate a review of PCSE and their systems. This particular system was a legacy system and the information on this system was non-sensitive. Also, there was a change in staffing and a new systems person started and this attack happened during this transition. Mrs. Latour reported that the new person in this position now attends all IT meetings and has a dual reporting role.

Chair McKnight asked if anything can be done to implement passwords being safer since we are changing them on a regular basis. Mr. Crawford stated that we are implementing two factor authentication and that all remote access will be protected with VPN access. Once the Internal Audit is complete it will give more detailed information on how this happened to help us prevent it from re-occurring in the future.

Mrs. Wendy Corrice, Information Security Officer, reported that they have been sending fake “phishing emails” to staff to help train them on what to look for when receiving “spam” or inappropriate emails coming into the university. She reported about half of staff are clicking on these emails and we hope to get this number down.

Mr. Crawford also reported that the university has been using Virtru, which encrypts emails to and from the email user to protect files that are sensitive in nature.

Overview of the Office of Emergency Management

Mrs. Tammy Sommer, Director of Emergency Management, gave an overview of the Office of Emergency Management explaining that there is a three step process to emergency management:

• Agency Assessment - conduct hazard and risk assessments
• Develop Plans - to address the hazards and risks
• Train, Exercise and Operate - prepare students, faculty and staff to recognize and respond

The Emergency Management Plans include the Crisis and Emergency Management Plan which is reviewed and updated yearly along with training and exercises for staff and is readopted by the Board of Visitors every four years. The Continuity of Operations Plan is also reviewed and updated yearly along with training exercises for staff. The State Managed Shelter Plan is a plan where the Commonwealth utilizes Christopher Newport University as a public shelter, holding up to 2,000 people, in the event of an emergency within the state (such as a hurricane). The Family Assistance Center Plan is held at the Yoder Barn in the event an emergency happens on campus and families need a place to go to find out if their family members are safe. Emergency Management training includes a yearly statewide tornado drill, active shooter training, building evacuation and building monitor training. There will be a discussion based exercise on February 24th to exercise the University’s annual training for the Emergency Management plans.

In addition to these items, Mrs. Sommer has most recently led the COVID Response Team to conduct community tracing, testing, vaccination clinics, and stays current on the COVID infection rates in the area.

Report from the University Internal Auditor

Mrs. Faith Belote, Director of University Audit, reported that the new IT Auditor, David Ralph, started on January 3. The Internal Audit department is now fully staffed. The Disaster Recovery audit fieldwork has begun. The IT Consultant offered to have Mr. Ralph participate in all of the IT audit meetings. The IT Consultant expects to complete the field work by the end of February. Then Mrs. Belote will incorporate the findings and recommendations into our audit report template. It is anticipated that this will be presented at the April meeting.

The Lab Safety audit is going well, and the final report should also be ready for the April meeting.

Mrs. Belote reported that the NCAA audit has nine points complete and nine points open, targeted for completion by March 15, with a system implementation by July 1. On January 17, Athletics self-reported secondary violations to the NCAA. These were clerical and administrative issues were discovered during the audit, requiring further review. A six-month gap period in which a long-term employee left and a new employee began accounted for the clerical and administrative issues. The NCAA thought these were secondary in nature, and we are waiting on a follow-up report from them. The Director of Athletics has strengthened these processes.

In the spring Mrs. Belote and her team will be working on the Maxient audit, Student Accounts audit, and Faculty Recruitment and Succession Plan audit. She is working on a What to Expect When Being Audited orientation presentation to offer departments before their audits begin.

Resolution 2: Amendment to the Audit Committee Charter

Mrs. Belote presented Resolution 2: Amendment to the Audit Committee Charter to the committee and reported that as recommended by the Operations, Audit and Risk Committee, the Audit Committee Charter should be enhanced to include the Committee’s responsibility to receive periodic reports on university management of operational, compliance, strategic and reputational risks, including Information Technology and Security, Human Resources, Title IX and Equal Opportunity, Emergency Management and Agency Risk Management and Internal Control Standards (ARMICS). A motion was put forth by Dr. Ella Ward, seconded by Mr. William Ermatinger with all in favor. This resolution was moved to the full board for approval.

There being no further discussion, the meeting was adjourned at 10:52 a.m.