"Failing to physically secure sensitive IT areas increases risk to business operations," auditors said in the report.
Other findings criticized the university for not maintaining sufficient maintenance logs, having an incomplete emergency response plan and not providing documentation on how employees were trained on contingency plans. The scope of the audit included, but was not necessarily limited to, the university data center's general controls as of October 2023, the report said.
Ryan Quigley, the university's chief of staff to the president, said the college is making improvements to correct a variety of issues.
"Many of the findings outlined in this audit occurred prior to President Karim Ismaili's tenure," Quigley said when contacted for comment on the audit. "Since taking office on July 31, 2024, President Ismaili has made strengthening campus operations and security a priority. We take these findings seriously and have already implemented corrective actions, with additional improvements underway. Ensuring the security and integrity of our systems is critical to supporting our campus community."
ECSU is one of four higher education institutions that make up the Connecticut State University component of the Connecticut State Colleges and Universities System. The information technology group at ECSU supports and oversees the technological needs of the university, including networking and communication, computers and labs, and the school's data center.
ACCESS IS NOT CONTROLLED
The access procedures for the university's data centers did not include an appropriate approval process for granting access to IT areas, auditors said.
"Individuals with no functional necessity could be granted access to sensitive IT areas, increasing risk of unintended modification or damage to physical IT resources stored in sensitive IT areas," auditors said. "Lack of sufficient procedures appears to be due to a lack of management oversight."
The findings had not been reported in previous audits.
"Eastern Connecticut State University should update its procedures to ensure that access to sensitive information technology areas is restricted to those who require access to perform their job duties and regular access reviews," auditors said.
In its response, the university agreed with the findings and said it has "successfully implemented a new electronic door access system to enhance physical security and oversight.
"This system provides the granular control and reporting capabilities necessary to restrict access to sensitive IT areas based on job function," ECSU said.
The college added that "to ensure these controls remain effective, ECSU has established a formal review protocol requiring access lists to be audited at least three times per year (once per academic semester) by the CIO or designee. The review process ensures that permissions are kept current and that any unauthorized or obsolete access is promptly revoked."
UNSECURED IT AREA
After a walkthrough of ECSU's data center, auditors reported the university did not secure a sensitive IT area.
"Physical locks and card readers should protect sensitive IT areas from unauthorized access," auditors said. "Failing to physically secure sensitive IT areas increases risk to business operations."
Auditors said, "ECSU management indicated that a vendor performing authorized work circumvented controls over the limited access area."
The findings had not been reported in previous audits of the university and its systems.
"Eastern Connecticut State University should ensure established controls over information technology physical security are operating as intended and are not circumvented without compensating controls in place," auditors said.
In written responses included with the audit, ECSU agreed with the findings.
"ECSU took immediate corrective action to address this concern," the university said, referring to criticism that it failed to secure an IT area.
"The vendor was notified of the requirement to follow proper data center and network closet security protocols, specifically identifying breach of physical security that occurred by propping open doors and leaving them unattended. Going forward, all new vendors who have access to secure areas are notified of our protocols," the university said.
DID NOT PROVIDE RESPONSE PLAN
The National Institute of Standards and Technology recommends developing an incident response plan to mitigate the impact of an attack, correct vulnerabilities and secure the overall organization in a coordinated manner, auditors said.
"The university could not provide complete incident response documentation for its or its third-party service provider's activities," auditors said. "We requested documentation of the university's incident response activities, such as a high-level plan or third-party assurance of their incident response vendor."
Auditors added, "Deficiencies in an incident response plan can increase risk of interruptions to business operations. Furthermore, without reviewing a vendor's SOC report, an entity could be accepting more risk that the vendor lacks adequate and sufficient internal controls."
The cause "appears to be a lack of management oversight," auditors said.
The findings had not been reported in previous audits.
"Eastern Connecticut State University should ensure it has complete incident response documentation," auditors said.
In its response, the college agreed with the findings.
"An incident response plan was created in June 2024," the college said. "We are reviewing the 2024 plan to further mature and expand our IR documentation. We are targeting October 2026 to complete the review process."
LACK OF PLANNING
The university was unable to provide documentation showing it trained IT employees on contingency planning.
"Lack of training increases the time required to recover from an incident and return to stable operation when an organization must activate a contingency plan," the audit said. "The condition appears to be due to lack of management oversight."
The findings had not been reported in previous audits.
"Eastern Connecticut State University should ensure appropriate personnel are trained on all aspects of contingency and disaster recovery," auditors said. "The university should ensure that training materials are readily available to authorized personnel in the event of a contingency plan activation."
In its response, the college agreed with the findings.
ECSU has "significantly expanded our disaster recovery (DR) training program," the university said. "Throughout 2025 and early 2026, key personnel participated in multiple tabletop exercises, including sessions led by ECSU Public Safety on May 5 and Oct. 10, 2025, and an exercise on March 19, 2025, held by Central Connecticut State University."
The college added, "University leadership reviewed our campus-wide emergency action plan on Feb. 4, 2026. Starting in the fall, Technology Services will be conducting internal tabletop exercises each semester specifically targeted toward testing our revised IR plan and recovery procedures."
LACK OF MAINTENANCE LOGS
Auditors noted the university could not provide appropriate IT equipment maintenance logs upon request and did not keep current fire suppression system maintenance logs.
"We requested all relevant physical maintenance logs, which might include systems such as power, climate control and fire suppression," auditors said. "The university only provided the fire suppression system maintenance log."
Auditors added, "When an agency lacks maintenance logs, there is less assurance that it performed regular maintenance on critical IT infrastructure and devices. There is also less accountability that the university's IT employees conducted required maintenance."
The issue "appears to be due to lack of management oversight," auditors said.
The findings had not been reported in previous audits.
"Eastern Connecticut State University should strengthen internal controls by logging and reviewing its information technology maintenance activities," auditors said.
In its response, the college agreed with the findings.
"We agree with the recommendation to strengthen internal controls over information technology maintenance logging and reviews," the agency said. "While facilities was made aware of this finding at the time, leadership in Facilities and Technology Services has changed since then. The CIO and the assistant VP for facilities will meet regarding this finding and reaffirm the need for proper logging and the protocols to be followed. This meeting will happen before the end of the spring 2026 semester."
© 2026 The Middletown Press, Conn. Distributed by Tribune Content Agency, LLC.