ITSS 2015 Auditing Your General Computing Environment Bruce Tong MCTP, CISA, PMP, ITIL-RCP Sr. Auditor (IT) Ohio University Internal Audit

Posted on 17-Jan-2016


Page 1

ITSS 2015

Auditing Your General Computing Environment

Bruce Tong MCTP, CISA, PMP, ITIL-RCP, Sr. Auditor (IT)

Ohio University Internal Audit

Page 2

NIST Framework

• OIT Selected the NIST Framework
  • Free, Comprehensive, Required for some Federal Grants
• Approach: Identify a service, choose controls that apply
  • NIST 800-53 is a very large catalog of controls
• View: Your general computing environment is an IT service that you provide to your college/department/office/team
• Thus, Internal Audit uses NIST 800-53 to identify controls to evaluate as part of your general computing environment

Page 3

Your General Computing Environment

• Workstations
• Laptops
• Tablets
• Shared Storage
• Networking Equipment*
• Software
• Kiosks & Lab Computers
• Phones
• Copiers
• Scanners
• USB Devices
• Removable Media
• Projectors
• Web Site

* OIT’s stuff is out of scope.

Page 4

Auditing – Trust But Verify

• Auditor Required to Collect Evidence
  • Less stringent than legal evidence
  • Less stringent than peer-reviewed academic research
  • Enough to draw a reasonable conclusion
  • Generally more than an interview
• Please don’t be offended by requests.

Page 5

B0: Questionnaire

• Discovery of Preliminary Information
  • What laws, grants, contracts apply?
  • What policies and procedures exist?
    • Policy ~= Standard or requirement
    • Procedures ~= Steps to accomplish something (such as meet policy)
    • Formal (written) vs. Informal (verbal)
  • Who is responsible for what?
  • Are there any outsourced IT services?

Page 6

B1: Policies and Procedures

• Review Policies
  • Do they cover everything important?
  • Are they too informal?
• Review and Test Procedures
  • Are they being followed?

Page 7

B2: IT Procurement

• Review Purchases
  • Does everything look reasonable?
  • Are there outsourced services?
  • Are the Procurement Office’s processes being followed?
  • Are they buying tablets?
  • Are they buying Dropbox? (Or other alternatives to Box)
  • Are they buying printers, toner, or ink cartridges?

Page 8

B3: Wireless Access Points

• Wireless Access Points
  • Has OIT found any rogue wireless access points?
  • Can I find any rogue wireless access points?
  • If so, can I get into them?
  • If so, what can I find?

Page 9

B4: Web Site

• Review Departmental Web Sites
  • Manual Review
    • Where is the site hosted?
    • Are there any dynamic pages?
    • Are there any protected pages? (Require Authentication)
    • Are there any web applications?
    • Can I safely turn Identity Finder loose?
  • Identity Finder Scan for Sensitive Data

Page 10

B5: Information Security Training

• Review Training Records
  • Do employees who work with sensitive data get periodic refresher training?
• Plug: “Securing the Human” from the Information Security Office

Page 11

B6: Active Directory Access Control

• Review Active Directory Groups
  • Do the groups contain current employees?
  • If somebody isn’t a current employee, who are they?
  • Did any of the current employees change roles?
  • If so, do they still need access?
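One way to turn the B6 questions into a repeatable test, as an added example that is not part of the slides: reconcile an exported Active Directory group membership against an HR roster of current employees, flagging members who are not on the roster, members HR no longer lists as active, and members whose title has changed since access was granted. The group export, the roster and the `RoleAtGrant` field are constructed sample data (AD does not record a role at grant time; it is assumed to come from the access-request record); in practice the membership would come from `Get-ADGroupMember` and the roster from an HR export.

```powershell
# Added example: reconcile an AD group's members with the HR roster (B6).
# Sample data is constructed; replace with Get-ADGroupMember output and an HR export.
$GroupMembers = @(
    [pscustomobject]@{ Group = 'FIN-SharedDrive-RW'; SamAccountName = 'jdoe';       RoleAtGrant = 'Accountant' }
    [pscustomobject]@{ Group = 'FIN-SharedDrive-RW'; SamAccountName = 'asmith';     RoleAtGrant = 'Accountant' }
    [pscustomobject]@{ Group = 'FIN-SharedDrive-RW'; SamAccountName = 'svc-backup'; RoleAtGrant = 'Service account' }
    [pscustomobject]@{ Group = 'FIN-SharedDrive-RW'; SamAccountName = 'bjones';     RoleAtGrant = 'Clerk' }
)
$HrRoster = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   Status = 'Active';     Title = 'Accountant' }
    [pscustomobject]@{ SamAccountName = 'asmith'; Status = 'Active';     Title = 'Director of Admissions' }  # changed roles
    [pscustomobject]@{ SamAccountName = 'bjones'; Status = 'Terminated'; Title = 'Clerk' }
)

function Get-GroupMembershipFindings {
    param(
        [Parameter(Mandatory)] [object[]] $Members,
        [Parameter(Mandatory)] [object[]] $Roster
    )
    # Index the roster by account name so each member is a single lookup.
    $byAccount = @{}
    foreach ($r in $Roster) { $byAccount[$r.SamAccountName.ToLower()] = $r }

    foreach ($m in $Members) {
        $person = $byAccount[$m.SamAccountName.ToLower()]
        $finding = if (-not $person) {
            'Not on HR roster: who is this? (service account, contractor, stale account)'
        } elseif ($person.Status -ne 'Active') {
            "Not a current employee (HR status: $($person.Status)); remove access"
        } elseif ($person.Title -ne $m.RoleAtGrant) {
            "Changed roles ($($m.RoleAtGrant) -> $($person.Title)); confirm access is still needed"
        } else { $null }

        # Members who are current and unchanged produce no finding.
        if ($finding) {
            [pscustomobject]@{
                Group          = $m.Group
                SamAccountName = $m.SamAccountName
                Finding        = $finding
            }
        }
    }
}

Get-GroupMembershipFindings -Members $GroupMembers -Roster $HrRoster | Format-Table -AutoSize
```

With the sample data, jdoe produces no finding; asmith, svc-backup and bjones each produce one of the three finding types.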

Page 12

B7: Group Policy Objects (GPOs)

• Review Group Policy Objects
  • Do they assign Administrative access?
  • If so, who are the Administrators?
  • Do they disable firewalls?
  • Do they poke holes in firewalls?
  • Do they disable Windows updates?
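As an added example (not from the slides), one way to test three of the B7 questions is to look at the policy a sample workstation actually received rather than reading the GPOs: the Windows Firewall and Windows Update policy registry keys, and the resulting local Administrators membership. The registry paths are the standard Windows policy keys; the `$Sample` snapshot and the `CAMPUS`/`WORKSTATION` names are constructed, and the "poke holes in firewalls" question (firewall rules) is not covered here.

```powershell
# Added example: test the policy a workstation actually received, covering the B7 questions
# on local Administrators, disabled firewalls and disabled Windows updates. Registry paths
# are the standard Windows policy keys; the sample snapshot at the bottom is constructed.
$FirewallKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$UpdateKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-LivePolicySnapshot {
    # Read the effective policy from the local machine (Windows only).
    $snap = @{ FirewallEnabled = @{}; NoAutoUpdate = $null; LocalAdmins = @() }
    foreach ($fwProfile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $p = Get-ItemProperty -Path "$FirewallKey\$fwProfile" -Name EnableFirewall -ErrorAction SilentlyContinue
        if ($p) { $snap.FirewallEnabled[$fwProfile] = [bool]$p.EnableFirewall }
    }
    $au = Get-ItemProperty -Path $UpdateKey -Name NoAutoUpdate -ErrorAction SilentlyContinue
    if ($au) { $snap.NoAutoUpdate = [int]$au.NoAutoUpdate }
    $snap.LocalAdmins = @(Get-LocalGroupMember -Group Administrators | Select-Object -ExpandProperty Name)
    return $snap
}

function Test-PolicySnapshot {
    param([Parameter(Mandatory)] [hashtable] $Snapshot)
    $findings = @()
    foreach ($fwProfile in $Snapshot.FirewallEnabled.Keys) {
        if (-not $Snapshot.FirewallEnabled[$fwProfile]) {
            $findings += "Policy disables the Windows Firewall for the $fwProfile"
        }
    }
    if ($Snapshot.NoAutoUpdate -eq 1) {
        $findings += 'Policy sets NoAutoUpdate=1: automatic Windows updates are disabled'
    }
    # Every member beyond the built-in account and Domain Admins needs a name and a reason.
    $expected = @('Administrator', 'Domain Admins')
    foreach ($admin in $Snapshot.LocalAdmins) {
        if ($expected -notcontains ($admin -split '\\')[-1]) {
            $findings += "Unexpected local Administrator: $admin (who is this, and why?)"
        }
    }
    return $findings
}

# Constructed sample: a GPO turned off the domain-profile firewall and automatic updates,
# and added a departmental help-desk group to the local Administrators group.
$Sample = @{
    FirewallEnabled = @{ DomainProfile = $false; StandardProfile = $true }
    NoAutoUpdate    = 1
    LocalAdmins     = @('WORKSTATION\Administrator', 'CAMPUS\Domain Admins', 'CAMPUS\Dept-Helpdesk')
}
Test-PolicySnapshot -Snapshot $Sample
# On a real workstation: Test-PolicySnapshot -Snapshot (Get-LivePolicySnapshot)
```

The sample yields three findings: the DomainProfile firewall disabled, NoAutoUpdate=1, and CAMPUS\Dept-Helpdesk as an unexplained local Administrator.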

Page 13

B8: Inventory

• Perhaps the Most Important Test
  • You can’t protect it if you didn’t know about it.
• Review Departmental Inventories
  • Are they keeping an inventory?
  • If so, how up-to-date is it?
• Conduct a Physical Inventory
  • Find and identify every computing device.
  • Update Active Directory (when possible).

Page 14

B9: Physical Access Control

• Review Physical Access Controls
  • If a sign says a room should be locked, is it locked?
  • If a door has a special lock, why? And, is it locked?
  • Are there valuable things being left unattended and open to the public?
  • Are there alternative entrances that might not get locked at night?
  • Are there open safes?
  • Are there unsecured dangerous materials?
  • Should there be an access log? Is there an access log?
  • Should there be cameras? Are there cameras?

Page 15

B10: Sensitive Data Protection

• Review the Identity Finder Console
  • Is the client conducting scans?
• Review Shared Storage
  • Does Identity Finder detect anything?
• Review Workstations and Laptops?
  • Does Identity Finder find anything?
• Review Tablets? Someday.

Page 16

B11: Software Updates

• Review Software Updates
  • Is the SCCM client installed? If not, why not?
  • Is currently installed software up-to-date?
    • Adobe: Acrobat, Reader
    • Browsers: Chrome, Firefox
    • Java
    • Microsoft: Office, Silverlight
    • Sophos
  • Is the operating system supported? (Windows XP)
  • Is the operating system up-to-date?

Page 17

B11: Software Updates (cont.)

• Who is responsible for applying software updates?
  • OIT? Maybe.
    • Do you have an MOU or SLA that says so?
    • Does it reside in the data center?
    • Otherwise, OIT says “We’ll help if you call.”
    • OIT doesn’t want to “break” the business.
  • Users? Maybe.
    • RCM says “the business” is ultimately responsible for its purchases/services.
    • Most users aren’t adequately trained for, or committed to, the task.
• Internal Audit’s View
  • In the absence of some agreement, all employees with “Administrator” access are jointly responsible and the buck stops with their managers.

Page 18

B12: Software Licenses

• Review Software Licenses
  • Do you know what licenses you have?
    • Bobcat Depot purchases are in the SoftCash system.
    • Purchases made via PCard?
    • Boxes of packaged software lying around?
  • Are there licenses for all the software that is installed?
    • SCCM can tell what is installed.

Page 19

B13: Public Computers

• Review Lab Computers and Kiosks
  • Can you do “nasty” things anonymously?
  • If you can work with sensitive data, can you store it locally?
  • If so, is there sensitive data lying around?
  • Is the computer easily accessible?
  • If so, could I install a keystroke recorder?
  • Is administrator access restricted?
  • Are students storing homework on it? (academic dishonesty)
  • Are students storing music and movies on it? (DMCA)

Page 20

B14: Removable Media

• Review the Use of Removable Media (Discs, Tapes, External Drives, USB Sticks)
  • Are they being used as part of some business process?
    • Offsite backups
    • Transfer data to other departments
    • Transfer data to other institutions
  • Is sensitive data involved? Is it encrypted?

Page 21

B15: Departmental Firewall

• Review Departmental Firewalls
  • Are there any departmental firewalls?
  • If firewall not present, evaluate if there should be one.
  • If firewall present, review the firewall rules.

Page 22

B16: IT Service Level Agreements

• Review IT SLAs and MOUs
  • Are they current?
  • Are the terms being met?
  • Are the terms adequate?

Page 23

B17: Business Continuity Planning

• Review the Business Continuity Plan (BCP)
  • Is there a BCP on file with Risk Management & Safety?
  • If so, has the BCP checklist been completed annually?
• For Reference:
  • BCP = How will we keep “the business” going during a disaster.
    • Business = Admitting Students, Conducting Classes, etc.
  • Disaster Recovery (DR) = How will we restore IT services.
    • Workstations, Printers, Network, SIS, Blackboard, Workforce, Oracle FMS, Classroom computers, Shared Storage, etc.