Audit Services
The Damage
- 5 separate systems breached
- 173,000 social security numbers compromised
- 367,000 personal files exposed (some for over 13 months)
The Reaction
- 33 reports by alumni about possible identity theft
- 8,000 calls to information hotline set up to field concerns
- 800 e-mails and complaint letters received
- 34,000 hits on university's data security web site
The Cost
- $77,000 spent to notify students and alumni of breach
- $750,000 in 21-day emergency response expenses for hardware and consulting
- $4 million allotted by Board of Trustees to secure systems
- 2 IT administrators fired
- 1 CIO resigned
Source: The Chronicle of Higher Education, September 2006
Mission
To provide independent and objective assurance and consulting services designed to add value and improve the University's operations, and to help the University accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.
Organization
- Board of Trustees
- Board of Trustees Audit Committee
- President, UofL (James Ramsey)
Annual Process
- Meet with President, VPs, Deans
- Solicit suggestions for the audit plan
- What do our peers audit?
- Results of prior audits
- How would it read in the paper?
- Experience
Compliance - Regulatory
Information Technology
- PeopleSoft Implementations
- Information Security (Network, Wireless, Desktop, Application)
- Departmental Information Systems
- System and Data Backup Procedures
- Compliance with Regulations
Financial/Operational
- Student Retention/Graduation Rates
- Budgetary
- Advancement
- Health Science Center Clinics/Departments
- Procurement/Construction Processes
Audit Plan 2006/2007
Audit Names
- Construction Contracts
- IT Department
- Athletics
- Capital Construction Funding
- Sponsored Program Accounting
- Equine Management
- Expense/Cost Transfers
- Ophthalmology
- Psychology
- Brown Cancer Center
- Family and Community Medicine Clinics
- PeopleSoft Application
- Procurement Card Application
- University Reports
- Computer Account Management System
- Firewalls
- Institutional Compliance
- PeopleSoft Consulting
- Requested Audits
Audit Process
Planning
Audit Process
Fieldwork
Audit Process
Report
- Summary of Work Performed
- Issues
- Action Plans
- Implementation Dates
- Issued to Audit Client, Directors, Deans, VPs, Provost and President
Audit Process
Follow-up
- Twice Yearly
- Status of Open Issues
- Issued to VPs, Provost and President
- Overview of Audit Activities
- Summary of Audit Reports Issued
What Is IT Audit?
Definition
An examination of the controls within an entity's information technology infrastructure
Purpose
To review and evaluate an organization's information technology availability, confidentiality and integrity
- Availability: Is the technology accessible at all times when required?
- Confidentiality: Is information disclosed only to authorized users?
- Integrity: Is the information provided by the technology complete, accurate, timely and reliable?
Types of IT Audits
Verify that systems and applications are appropriate to the entity's needs, process efficiently and are adequately controlled to ensure valid, reliable, timely and secure input, processing and output. Example: Procurement Card Application Audit
Verify that processing facilities are appropriately controlled to ensure timely, accurate and secure processing of systems and applications under normal and potentially disruptive conditions. Example: Data Center Security Audit
Types of IT Audits
Verify that systems and applications are developed and maintained in accordance with established policies and procedures. Example: IT Application Change Control Audit
IT Management
Verify that management has established an effective organization structure and has implemented procedures to ensure a controlled and efficient environment for information processing. Example: IT Operations Center Audit
Types of IT Audits
Telecommunications/Networks
Verify that controls are in place to ensure that the entity's networks are properly managed and secured. Includes wireless access, web access and firewalls. Example: Wireless Network Audit
Security
Verify that systems, applications and data are properly secured against unauthorized access, disclosure and modification. May also include physical security assessments. Example: Workstation Security Audit
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- Sarbanes-Oxley Act (SOX)
- Payment Card Industry Data Security Standard (PCI DSS)
- PeopleSoft Grants Application
- Network Security
- Payroll Interfaces
- Computer Account Management System
- PeopleSoft Payroll Application
- University Firewall System
Recent IT Audits
- Assessed management and administration of selected departmental e-mail systems
- Evaluated security, back-up and disaster recovery
- Recommended that formal policies be established for systems operated outside of the enterprise framework:
  - Request/approval process
  - Security standards (logical and physical)
  - System backup standards
  - Disaster recovery planning
Recent IT Audits
- Evaluated security administration for PeopleSoft financial management, student administration and human resources applications
- Tested selected security tables and user accesses
- Recommended that policies and procedures be improved:
  - Process for modifying and monitoring access for transferred and terminated employees
  - Standardization of the access request and approval process
  - Strengthened management of user accounts and access capabilities
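The three recommendations above (terminated and transferred employees, a standard approval process, tighter account management) are the checks an auditor runs when testing a security table. The script below is an added example, not part of the original slides and not PeopleSoft's own tooling: it reconciles a constructed application account export against a constructed HR roster and reports enabled accounts whose owner has left, has moved to another department while keeping the old role, has no HR record at all, or has not had access re-approved within the review period. The record layouts, identifiers and dates are assumptions.

```python
"""Access review: reconcile an application's user accounts against the HR roster.

Added example (not the audit office's or PeopleSoft's code). The roster, the
account export and their column names are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    status: str          # "active" or "terminated"
    department: str      # current department
    status_date: date    # date of the last hire/transfer/termination event


@dataclass(frozen=True)
class AccountRecord:
    user_id: str
    role: str
    role_department: str  # department the role grants access for
    enabled: bool
    last_reviewed: date   # last time a manager re-approved this access


# Constructed HR roster (assumed export layout).
HR_ROSTER = [
    HrRecord("u100", "active", "FIN", date(2006, 1, 15)),
    HrRecord("u200", "terminated", "FIN", date(2006, 8, 1)),
    HrRecord("u300", "active", "HR", date(2006, 6, 1)),    # transferred FIN -> HR
    HrRecord("u400", "active", "FIN", date(2005, 9, 1)),
]

# Constructed application security table (assumed export layout).
APP_ACCOUNTS = [
    AccountRecord("u100", "AP_CLERK", "FIN", True, date(2006, 7, 1)),
    AccountRecord("u200", "AP_CLERK", "FIN", True, date(2006, 3, 1)),
    AccountRecord("u300", "GL_POSTER", "FIN", True, date(2006, 8, 1)),
    AccountRecord("u400", "AP_CLERK", "FIN", False, date(2006, 8, 1)),
    AccountRecord("u999", "SYSADMIN", "IT", True, date(2006, 8, 1)),
]

# Date the review is run "as of" (constructed).
AS_OF = date(2006, 9, 15)


def review_access(roster, accounts, as_of, max_review_age_days=180):
    """Return (user_id, issue, detail) tuples for every enabled account that
    fails a check. Disabled accounts are skipped; one account may raise more
    than one issue."""
    hr = {r.user_id: r for r in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        rec = hr.get(acct.user_id)
        if rec is None:
            # No HR record: shared, vendor or never-deprovisioned identifier.
            findings.append((acct.user_id, "orphan-account",
                             f"role {acct.role} with no matching HR record"))
            continue
        if rec.status == "terminated":
            days = (as_of - rec.status_date).days
            findings.append((acct.user_id, "terminated-still-enabled",
                             f"terminated {rec.status_date}, still enabled {days} days later"))
        elif rec.department != acct.role_department:
            findings.append((acct.user_id, "transfer-stale-role",
                             f"now in {rec.department}, still holds {acct.role} for {acct.role_department}"))
        if (as_of - acct.last_reviewed).days > max_review_age_days:
            findings.append((acct.user_id, "review-overdue",
                             f"last re-approved {acct.last_reviewed}"))
    return findings


def summarize(findings):
    """Count findings per issue type, for the report's summary of issues."""
    counts = {}
    for _, issue, _ in findings:
        counts[issue] = counts.get(issue, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(HR_ROSTER, APP_ACCOUNTS, AS_OF)
    for user, issue, detail in results:
        print(f"{user:6} {issue:26} {detail}")
    print(summarize(results))
```

In practice the two exports would be pulled on the same day, because a roster older than the security table produces false "orphan" findings for new hires; the 180-day review window is a parameter, since the slides give no period.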
Recent IT Audits
Wireless Networks
- Assessed the extent of wireless network deployment (both authorized and unauthorized)
- Evaluated the security of the wireless network connectivity process
- Scanned wireless network access points on Belknap and HSC campuses:
  - Detect and identify wireless networks
  - Test for channels and Service Set Identifiers (SSIDs)
  - Test for rogue access points and clients
  - Test for wireless network encryption
Recent IT Audits
Wireless Networks
Tools Used
- Kismet: wireless scanner and network sniffer for Linux
- NetStumbler: wireless scanner for Windows
- DeLorme Street Atlas with GPS: used with NetStumbler to visualize the locations of access points
- SuperScan: network TCP and UDP port scanner
- Ethereal: packet sniffer
Recent IT Audits
Wireless Networks
Scanning Results
Recent IT Audits
Wireless Networks
Key Findings
- Unauthorized Wireless Access Points
- No Detection Process
- Lack of Consistent Encryption
- Inadequate Wireless Policy
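The scanning steps listed earlier (identify networks, check SSIDs, find rogue access points, check encryption) and the first three key findings come down to comparing what a site survey sees against what the network group has approved. The script below is an added example, not part of the original slides and not Kismet's or NetStumbler's own export format: it parses a constructed, simplified comma-separated survey export, flags access points that are not in the authorized inventory (including ones broadcasting the campus SSID or no SSID), flags open or WEP-only networks, and measures how consistently the authorized access points use the accepted encryption. The BSSIDs, SSIDs, inventory and column layout are assumptions.

```python
"""Triage of a wireless site-survey export against the authorized AP inventory.

Added example (not the audit office's code, and not a real Kismet/NetStumbler
log format). SCAN_EXPORT is a constructed, simplified export; the inventory and
policy sets are constructed sample values.
"""

# Constructed survey export. Columns: bssid,ssid,channel,encryption,signal_dbm
SCAN_EXPORT = """\
# bssid,ssid,channel,encryption,signal_dbm
00:11:22:33:44:01,ULWireless,6,WPA,-52
00:11:22:33:44:02,ULWireless,11,WPA,-60
00:11:22:33:44:03,ULWireless,1,None,-58
aa:bb:cc:dd:ee:01,linksys,6,None,-70
aa:bb:cc:dd:ee:02,ULWireless,6,WEP,-65
aa:bb:cc:dd:ee:03,,11,WPA,-80
"""

# Constructed inventory of access points approved by the network group.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}
CAMPUS_SSIDS = {"ULWireless"}          # SSIDs only authorized APs may broadcast
ACCEPTED_ENCRYPTION = {"WPA", "WPA2"}  # policy: anything else is non-compliant


def parse_scan(text):
    """Parse the export into one dict per access point; comments and blank
    lines are skipped, BSSIDs are lower-cased and encryption upper-cased."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, channel, enc, signal = [f.strip() for f in line.split(",")]
        records.append({
            "bssid": bssid.lower(),
            "ssid": ssid,                 # empty string: SSID not broadcast
            "channel": int(channel),
            "encryption": enc.upper(),    # "NONE", "WEP", "WPA", "WPA2"
            "signal_dbm": int(signal),
        })
    return records


def classify(records, authorized, campus_ssids, accepted_enc):
    """Map each problem AP's BSSID to a sorted list of issue tags; APs with
    no issues are omitted."""
    issues = {}
    for r in records:
        tags = []
        if r["bssid"] not in authorized:
            tags.append("rogue")
            if r["ssid"] in campus_ssids:
                # Unapproved AP advertising the campus network name.
                tags.append("rogue-using-campus-ssid")
        if r["encryption"] in ("", "NONE"):
            tags.append("unencrypted")
        elif r["encryption"] not in accepted_enc:
            tags.append("weak-encryption")
        if r["ssid"] == "":
            tags.append("hidden-ssid")
        if tags:
            issues[r["bssid"]] = sorted(tags)
    return issues


def encryption_consistency(records, authorized, accepted_enc):
    """(compliant, total) for the authorized APs seen in the survey; a gap
    between the two numbers is the 'lack of consistent encryption' finding."""
    seen = [r for r in records if r["bssid"] in authorized]
    compliant = sum(1 for r in seen if r["encryption"] in accepted_enc)
    return compliant, len(seen)


def count_issues(issues):
    """Number of access points carrying each tag, for the findings summary."""
    counts = {}
    for tags in issues.values():
        for t in tags:
            counts[t] = counts.get(t, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_scan(SCAN_EXPORT)
    found = classify(recs, AUTHORIZED_BSSIDS, CAMPUS_SSIDS, ACCEPTED_ENCRYPTION)
    for bssid, tags in found.items():
        print(bssid, ", ".join(tags))
    print("authorized APs with accepted encryption:",
          encryption_consistency(recs, AUTHORIZED_BSSIDS, ACCEPTED_ENCRYPTION))
    print(count_issues(found))
```

Running this comparison on a schedule, rather than once during the audit, is what turns the "no detection process" finding into a control: the inventory is the baseline, and anything the survey adds to it is a change someone has to approve or remove.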
Professional Organizations
Institute of Internal Auditors (IIA)
- International Standards for the Practice of Internal Auditing
- Certified Internal Auditor (CIA)
- Louisville Chapter
- www.theiia.org
Professional Organizations
ISACA
- Kentuckiana Chapter
- www.isaca.org
QUESTIONS?