The objective of this IT performance audit will be to assess CCCS’s information security program for compliance with statutory requirements under C.R.S. 24-37.5-404.5, “Institutions of higher education – information security plans.” The audit will evaluate whether CCCS has designed and implemented, and is effectively operating, an information security program that provides adequate protection for the communication and information resources supporting its operations and assets, in accordance with Colorado statutes and other state regulations; CCCS’s adopted policies, standards, procedures, or guidelines; and other industry-leading practices or standards, as applicable.

This audit will include an evaluation of CCCS’s oversight of and coordination with the various community colleges within the State’s community college system to determine whether CCCS is operating in compliance with C.R.S. 24-37.5-404.5. Specifically, this will include procedures to test the design, implementation, and operating effectiveness, as applicable, of CCCS’s information security controls and determine whether CCCS, in coordination with CDHE, has effectively developed its information security program to include:

a. Periodic assessments of the risk and magnitude of the harm that could result from a security incident;

b. A process for providing adequate information security for the communication and information resources of the System;

c. Information security awareness training to inform the employees, administrators, and users at the System about the information security risks and the responsibility of employees, administrators, and users to comply with the System’s information security program and the policies, standards, and procedures designed to reduce the security risks;

d. Periodic testing and evaluation of the effectiveness of information security for the System, which shall be performed not less than annually;