
Audit Services


Security Breaches in Higher Ed


Ohio University - 2006

The Damage
5 separate systems breached
173,000 social security numbers compromised
367,000 personal files exposed (some for over 13 months)

The Reaction
33 reports by alumni about possible identity theft
8,000 calls to information hotline set up to field concerns
800 e-mails and complaint letters received
34,000 hits on the university's data security web site

The Cost
$77,000 spent to notify students and alumni of the breach
$750,000 in 21-day emergency response expenses for hardware and consulting
$4 million allotted by the Board of Trustees to secure systems
2 IT administrators fired
1 CIO resigned

Source: The Chronicle of Higher Education, September 2006


Mission

To provide independent and objective assurance and consulting services designed to add value and improve the University's operations;
and to help the University accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.

Organization
Board of Trustees
Board of Trustees Audit Committee
President, UofL: James Ramsey
University Provost: Shirley Willinganz
Vice President, Finance: Mike Curtin
Director, Audit Services: Dave Barker
Associate Director: Cheri Jones
Senior IS Auditor: Barry Scott
Senior Auditor: Jeanne Kennedy
Senior Auditor: Patty Durbin
Auditor 1: Will Metcalf


Risk Assessment Process


Annual process
Meet with President, VPs, Deans
Solicit suggestions for the audit plan
What do our peers audit?
Results of prior audits
How would it read in the paper?
Experience


Risk Assessment Criteria


Internal Control Structure
Complexity of Activity
Dollar Volume/Materiality
Public Exposure/External Influences
Changes in Procedures/Personnel


Key Risk Categories

Compliance - Regulatory

Research Grants & Contracts
Human Subjects
Medicare/Medicaid Billing
NCAA


Key Risk Categories

Information Technology

PeopleSoft Implementations
Information Security (Network, Wireless, Desktop, Application)
Departmental Information Systems
System and Data Backup Procedures
Compliance with Regulations


Key Risk Categories

Financial/Operational

Student Retention/Graduation Rates
Budgetary
Advancement
Health Science Center Clinics/Departments
Procurement/Construction Processes

Audit Plan 2006/2007

Construction Contracts
IT Department
Athletics
Capital Construction Funding
Sponsored Program Accounting
Equine Management
Expense/Cost Transfers
Ophthalmology
Psychology
Brown Cancer Center
Family and Community Medicine Clinics
PeopleSoft Application
Procurement Card Application
University Reports
Computer Account Management System
Firewalls
Institutional Compliance
PeopleSoft Consulting
Requested Audits


Audit Process

Planning

Budget
Risk Assessment
Scope and Objectives
Engagement Memorandum


Audit Process

Fieldwork

Policies and Procedures
Sampling
Testing
Assessment
Exceptions
Closing


Audit Process

Report

Summary of Work Performed
Issues
Action Plans
Implementation Dates
Issued to Audit Client, Directors, Deans, VPs, Provost and President


Audit Process

Follow-up

Twice yearly: status of open issues, issued to VPs, Provost and President
Annual report to Audit Committee: overview of audit activities and summary of audit reports issued



What Is IT Audit ?

Definition
An examination of the controls within an entity's information technology infrastructure

Purpose
To review and evaluate an organization's information technology availability, confidentiality and integrity

Availability: Is the technology accessible at all times when required?
Confidentiality: Is information disclosed only to authorized users?
Integrity: Is the information provided by the technology complete, accurate, timely and reliable?

Types of IT Audits

Systems and Applications

Verify that systems and applications are appropriate to the entity's needs, process efficiently and are adequately controlled to ensure valid, reliable, timely and secure input, processing and output. Example: Procurement Card Application Audit

Information Processing Facilities

Verify that processing facilities are appropriately controlled to ensure timely, accurate and secure processing of systems and application under normal and potentially disruptive conditions. Example: Data Center Security Audit


Types of IT Audits

Systems Development/Change Control

Verify that systems and applications are developed and maintained in accordance with established policies and procedures. Example: IT Application Change Control Audit

IT Management

Verify that management has established an effective organization structure and has implemented procedures to ensure a controlled and efficient environment for information processing. Example: IT Operations Center Audit

Types of IT Audits

Telecommunications/Networks

Verify that controls are in place to ensure that the entity's networks are properly managed and secured. Includes wireless access, web access and firewalls. Example: Wireless Network Audit

Security

Verify that systems, applications and data are properly secured against unauthorized access, disclosure and modification. May also include physical security assessments. Example: Workstation Security Audit

Regulations and Legislation


Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (GLBA)
Sarbanes-Oxley Act (SOX)
Payment Card Industry Data Security Standard (PCI DSS)


Top IT Risk Areas at U of L

2006-2007 Audit Risk Assessment


PeopleSoft Grants Application
Network Security
Payroll Interfaces
Computer Account Management System
PeopleSoft Payroll Application
University Firewall System


Recent IT Audits

Departmental E-mail Systems

Assessed management and administration of selected departmental e-mail systems
Evaluated security, back-up and disaster recovery
Recommended that formal policies be established for systems operated outside the enterprise framework:
Request/approval process
Security standards, logical and physical
System backup standards
Disaster recovery planning


Recent IT Audits

PeopleSoft Application Security

Evaluated security administration for the PeopleSoft financial management, student administration and human resources applications
Tested selected security tables and user accesses
Recommended that policies and procedures be improved:
Process for modifying and monitoring access for transferred and terminated employees
Standardization of the access request and approval process
Strengthened management of user accounts and access capabilities
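The tests behind the recommendations above (terminated and transferred employees still holding access, accounts with no owner, accounts nobody uses) are the kind an IS auditor scripts once and re-runs each cycle. The following is an added example written for this page; it is not code from the audit presentation or from PeopleSoft. It runs those tests over constructed HR and security-table rows. The column names are simplified and are an assumption, not the product's own schema, and every employee, account and role below is invented.

```python
"""Access-review tests over an ERP security table and the HR feed.

Added example; not from the audit presentation or from PeopleSoft.
It implements the checks the PeopleSoft Application Security audit
describes (terminated and transferred employees, orphaned and dormant
accounts) over constructed sample rows. Column names are simplified and
are an assumption, not the product's own schema.
"""
from datetime import date, timedelta

# Constructed HR feed: emplid -> (status, current department, effective date)
HR = {
    "E100": ("ACTIVE", "FIN", date(2005, 1, 10)),
    "E101": ("TERMINATED", "FIN", date(2006, 8, 31)),  # left at end of August
    "E102": ("ACTIVE", "HR", date(2006, 9, 1)),        # transferred FIN -> HR
    "E103": ("ACTIVE", "STU", date(2004, 6, 1)),
}

# Constructed application security rows: oprid -> account attributes
ACCOUNTS = {
    "jdoe":    {"emplid": "E100", "locked": False, "roles": {"AP_CLERK"},
                "last_signon": date(2006, 10, 1)},
    "tsmith":  {"emplid": "E101", "locked": False, "roles": {"GL_POSTER"},
                "last_signon": date(2006, 9, 14)},     # signed on after leaving
    "rlee":    {"emplid": "E102", "locked": False, "roles": {"AP_CLERK", "HR_BENEFITS"},
                "last_signon": date(2006, 10, 2)},     # kept the old FIN role
    "mwang":   {"emplid": "E103", "locked": False, "roles": {"STU_REG"},
                "last_signon": date(2005, 11, 2)},     # unused for almost a year
    "vendor1": {"emplid": None, "locked": False, "roles": {"SYSADM"},
                "last_signon": date(2006, 10, 3)},     # no HR record behind it
}

# Constructed mapping of each role to the department that owns it
ROLE_OWNER = {"AP_CLERK": "FIN", "GL_POSTER": "FIN", "HR_BENEFITS": "HR",
              "STU_REG": "STU", "SYSADM": "IT"}

AS_OF = date(2006, 10, 15)          # date the review is run
DORMANT_AFTER = timedelta(days=90)  # unlocked but unused this long is an exception


def review(accounts, hr, role_owner, as_of):
    """Return (oprid, issue) pairs, one per exception found, in oprid order."""
    issues = []
    for oprid, acct in sorted(accounts.items()):
        rec = hr.get(acct["emplid"])
        if rec is None:
            # Nothing in HR owns this account: orphan, shared or vendor login.
            issues.append((oprid, "no HR record behind account"))
            continue
        status, dept, effective = rec
        if status == "TERMINATED":
            if not acct["locked"]:
                issues.append((oprid, "terminated employee, account still unlocked"))
            if acct["last_signon"] > effective:
                issues.append((oprid, "sign-on recorded after termination date"))
            continue
        # Transferred employee: a role owned by a department other than the
        # one HR now lists is a leftover from the previous job.
        for role in sorted(acct["roles"]):
            owner = role_owner.get(role)
            if owner != dept:
                issues.append((oprid, f"role {role} belongs to {owner}, employee now in {dept}"))
        if not acct["locked"] and as_of - acct["last_signon"] > DORMANT_AFTER:
            issues.append((oprid, "unlocked account dormant beyond policy"))
    return issues


def run_review():
    """Run the review over the constructed sample data."""
    return review(ACCOUNTS, HR, ROLE_OWNER, AS_OF)


if __name__ == "__main__":
    for oprid, issue in run_review():
        print(f"{oprid:8} {issue}")
```

The termination test deliberately reports two separate exceptions (account still open, and a sign-on after the leave date), because the second one is the evidence that the control gap was actually exploited rather than merely present; the transfer test depends on the role-to-department mapping being maintained, which is itself one of the things the audit recommended strengthening.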

Recent IT Audits

Wireless Networks

Assessed the extent of wireless network deployment (both authorized and unauthorized)
Evaluated the security of the wireless network connectivity process
Scanned wireless network access points on the Belknap and HSC campuses:
Detect and identify wireless networks
Test for channels and Service Set Identifiers (SSIDs)
Test for rogue access points and clients
Test for wireless network encryption

Recent IT Audits

Wireless Networks: Tools Used

Kismet: wireless scanner and network sniffer for Linux
NetStumbler: wireless scanner for Windows
DeLorme Street Atlas with GPS: used with NetStumbler to map the locations of access points
SuperScan: network TCP and UDP port scanner
Ethereal: packet sniffer


Recent IT Audits

Wireless Networks: Scanning Results

40 access points detected on Belknap campus: 15 authorized, 20 unauthorized, 5 of undetermined origin
40 access points detected on HSC campus: 4 authorized, 36 of undetermined origin


Recent IT Audits

Wireless Networks Belknap Campus


Recent IT Audits

Wireless Networks: Key Findings

Unauthorized Wireless Access Points
No Detection Process
Lack of Consistent Encryption
Inadequate Wireless Policy
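The scanning steps, the results table and the first three findings above are all one piece of logic: take what Kismet or NetStumbler saw, decide for each access point whether IT deployed it, whether it is on campus wiring anyway, or whether it cannot be told from radio evidence alone, and flag weak or missing encryption. The following is an added example written for this page, not code from the audit presentation or from either scanner; it shows that triage as a repeatable detection process, which is what the "No Detection Process" finding asks for. The scan records, inventory, SSIDs and MAC addresses are constructed; the scanner's actual log format is not parsed here, and the assumption that a rogue AP's wired side can be matched back to its radio MAC (from the AP's web interface or its vendor OUI, after a SuperScan-style sweep of campus subnets) is stated in the code.

```python
"""Rogue access point triage from wireless survey records.

Added example, not part of the original audit presentation and not
Kismet or NetStumbler code. Sorts each detected AP into the three buckets
the audit reported (authorized, unauthorized, undetermined origin) and
records the encryption exceptions. All data below is constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    bssid: str        # radio MAC as reported by the scanner
    ssid: str         # broadcast network name ("" if hidden)
    channel: int
    encryption: str   # "OPEN", "WEP", "WPA" or "WPA2" as the scanner labels it
    campus: str       # where the scanning team was when it saw the AP


# Constructed inventory of APs deployed by central IT, keyed by BSSID
# (assumption: such an inventory exists and is current).
AUTHORIZED_INVENTORY = {
    "00:11:22:aa:00:01": "Belknap",
    "00:11:22:aa:00:02": "Belknap",
    "00:11:22:aa:00:03": "HSC",
}

# Constructed result of a wired-side port sweep of campus subnets: BSSIDs
# whose Ethernet side answered on university IP space, i.e. the AP is
# plugged into campus wiring. Assumption: the sweep result can be mapped
# back to the radio MAC (AP web interface, or vendor OUI plus adjacent MAC).
SEEN_ON_CAMPUS_WIRING = {
    "00:11:22:aa:00:01", "00:11:22:aa:00:02", "00:11:22:aa:00:03",
    "00:1c:10:dd:00:10", "00:1c:10:dd:00:11",   # consumer APs in offices
}

CAMPUS_SSIDS = {"ulsecure", "ulvisitor"}   # assumed institutional SSIDs
STRONG_ENCRYPTION = {"WPA", "WPA2"}        # WEP is treated as no encryption

# Constructed survey log, one record per detected AP
SCAN = [
    AccessPoint("00:11:22:aa:00:01", "ulsecure", 1, "WPA2", "Belknap"),
    AccessPoint("00:11:22:aa:00:02", "ulsecure", 6, "WEP", "Belknap"),    # inconsistent
    AccessPoint("00:1c:10:dd:00:10", "linksys", 6, "OPEN", "Belknap"),    # rogue, open
    AccessPoint("00:1c:10:dd:00:11", "ulsecure", 11, "OPEN", "Belknap"),  # rogue, spoofs SSID
    AccessPoint("00:0f:66:ee:00:20", "NETGEAR", 11, "WEP", "Belknap"),    # neighbour?
    AccessPoint("00:11:22:aa:00:03", "ulsecure", 1, "WPA2", "HSC"),
    AccessPoint("00:0f:66:ee:00:21", "", 3, "OPEN", "HSC"),               # hidden SSID
]


def classify(ap):
    """Return 'authorized', 'unauthorized' or 'undetermined' for one AP."""
    if ap.bssid in AUTHORIZED_INVENTORY:
        return "authorized"
    if ap.bssid in SEEN_ON_CAMPUS_WIRING:
        return "unauthorized"   # on our wiring, not in our inventory
    return "undetermined"       # radio evidence alone cannot place it


def findings(scan):
    """Per-AP exceptions a reviewer would carry into the report."""
    notes = []
    for ap in scan:
        status = classify(ap)
        if status == "authorized" and ap.encryption not in STRONG_ENCRYPTION:
            notes.append((ap.bssid, "authorized AP without strong encryption"))
        if status == "unauthorized" and ap.encryption not in STRONG_ENCRYPTION:
            notes.append((ap.bssid, "rogue AP bridges campus wiring to open/WEP radio"))
        if status != "authorized" and ap.ssid.lower() in CAMPUS_SSIDS:
            notes.append((ap.bssid, "campus SSID broadcast by non-inventory AP"))
    return notes


def summarize(scan):
    """Counts per campus in the form the audit slide reported."""
    counts = {}
    for ap in scan:
        counts.setdefault(ap.campus, Counter())[classify(ap)] += 1
    return {campus: dict(c) for campus, c in counts.items()}


if __name__ == "__main__":
    for campus, c in summarize(SCAN).items():
        print(campus, c)
    for bssid, note in findings(SCAN):
        print(bssid, note)
```

The "undetermined" bucket is deliberately large in practice, as the HSC result on the previous slide shows: without the wired-side evidence an AP seen from a sidewalk could belong to the building across the street, so the script never promotes a radio-only sighting to "unauthorized". An AP broadcasting a campus SSID from outside the inventory is flagged regardless of bucket, since that is the evil-twin case a user cannot distinguish from the real network.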


Professional Organizations

Institute of Internal Auditors (IIA)
International Standards for the Practice of Internal Auditing
Certified Internal Auditor (CIA): successful completion of exam, two years internal audit experience
Student membership available
Louisville Chapter
www.theiia.org


Professional Organizations

Information Systems Audit and Control Association (ISACA)
IS Auditing Standards
Certified Information Systems Auditor (CISA): successful completion of exam, five years IT audit experience
Student membership available
Kentuckiana Chapter
www.isaca.org


QUESTIONS?
