7/28/2019 barkerppt743.ppt
http://slidepdf.com/reader/full/barkerppt743ppt 2/30
2
Security Breaches in Higher Ed
Ohio University - 2006
The Damage
  5 separate systems breached
  173,000 social security numbers compromised
  367,000 personal files exposed (some for over 13 months)
  33 reports by alumni about possible identity theft
The Reaction
  8,000 calls to information hotline set up to field concerns
  800 e-mails and complaint letters received
  34,000 hits on university’s data security web site
The Cost
  $77,000 spent to notify students and alumni of breach
  $750,000 in 21-day emergency response expenses for hardware and consulting
  $4 million allotted by Board of Trustees to secure systems
  2 IT administrators fired
  1 CIO resigned
Source: The Chronicle of Higher Education – September, 2006
Audit Services
Mission
To provide independent and objective assurance and consulting services designed to add value and improve the University’s operations; and to help the University accomplish its objectives by bringing a systematic, disciplined approach for evaluating and improving the effectiveness of risk management, control, and governance processes.
Organization
Board of Trustees
Audit Committee, Board of Trustees
President, UofL: James Ramsey
University Provost: Shirley Willinganz
Vice President, Finance: Mike Curtin
Director, Audit Services: Dave Barker
Associate Director: Cheri Jones
Senior IS Auditor: Barry Scott
Senior Auditor: Patty Durbin
Senior Auditor: Jeanne Kennedy
Auditor 1: Will Metcalf
Risk Assessment Process
Annual Process
Meet with President, VP’s, Deans
Solicit suggestions for the audit plan
What do our peers audit?
Results of prior audits
“How would it read in the paper?”
Experience
Risk Assessment Criteria
Internal Control Structure
Complexity of Activity
Dollar Volume/Materiality
Public Exposure/External Influences
Changes in Procedures/Personnel
Key Risk Categories
Compliance - Regulatory
Research Grants & Contracts
Human Subjects
Medicare/Medicaid Billing
NCAA
Key Risk Categories Information Technology
PeopleSoft Implementations
Information Security (Network, Wireless, Desktop, Application)
Departmental Information Systems
System and Data Backup Procedures
Compliance with Regulations
Key Risk Categories Financial/Operational
Student Retention/Graduation Rates
Budgetary
Advancement
Health Science Center
Clinics/Departments
Procurement/Construction Processes
Audit Plan 2006/2007
Construction Contracts
IT Department
Athletics Capital Construction Funding
Sponsored Program Accounting
Equine Management
Expense/Cost Transfers
Ophthalmology
Psychology
Brown Cancer Center
Family and Community Medicine Clinics
PeopleSoft Application
Procurement Card Application
University Reports
Computer Account Management System
Firewalls
Institutional Compliance
PeopleSoft Consulting
Requested Audits
Audit Process
Planning
Budget
Risk Assessment
Scope and Objectives
Engagement Memorandum
Audit Process
Fieldwork
  Policies and Procedures
  Sampling
  Testing
  Assessment
  Exceptions
  Closing
Audit Process
Report
Summary of Work Performed
Issues
Action Plans
Implementation Dates
Issued to Audit Client, Directors, Deans, VP’s, Provost and President
What Is IT Audit ?
Definition
An examination of the controls within an entity’s information technology infrastructure
Purpose
To review and evaluate an organization’s information technology availability, confidentiality and integrity
Availability – Is the technology accessible at all times when required?
Confidentiality – Is information disclosed only to authorized users?
Integrity – Is the information provided by the technology complete, accurate, timely and reliable?
Types of IT Audits
Systems and Applications
Verify that systems and applications are appropriate to the entity’s needs, process efficiently and are adequately controlled to ensure valid, reliable, timely and secure input, processing and output.
Example: Procurement Card Application Audit
Information Processing Facilities
Verify that processing facilities are appropriately controlled to ensure timely, accurate and secure processing of systems and applications under normal and potentially disruptive conditions.
Example: Data Center Security Audit
Types of IT Audits
Systems Development/Change Control
Verify that systems and applications are developed and maintained in accordance with established policies and procedures.
Example: IT Application Change Control Audit
IT Management
Verify that management has established an effective organization structure and has implemented procedures to ensure a controlled and efficient environment for information processing.
Example: IT Operations Center Audit
Regulations and Legislation
Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (GLBA)
Sarbanes-Oxley Act (SOX)
Payment Card Industry Data Security Standard (PCI DSS)
Top IT Risk Areas at U of L
2006-2007 Audit Risk Assessment
PeopleSoft Grants Application
Network Security
Payroll Interfaces
Computer Account Management System
PeopleSoft Payroll Application
University Firewall System
Recent IT Audits
Departmental E-mail Systems
Assessed management and administration of selected departmental e-mail systems
Evaluated security, back-up, disaster recovery
Recommended formal policies be established for systems operated outside of enterprise framework
  Request/approval process
  Security standards – logical and physical
  System backup standards
  Disaster recovery planning
Recent IT Audits
PeopleSoft Application Security
Evaluated security administration for PeopleSoft financial management, student administration and human resources applications
Tested selected security tables and user accesses
Recommended policies and procedures be improved
  Process for modifying and monitoring access for transferred and terminated employees
  Standardization of access request and approval process
  Strengthen management of user accounts and access capabilities
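The access review behind the recommendation above (transferred and terminated employees keeping access, accounts with no owner), as an added example that is not part of the original presentation or of PeopleSoft: it reconciles a constructed HR status extract against a constructed application account extract. Column names, role ownership, the 90-day dormancy window and the review date are all assumptions chosen for illustration.

```python
"""Reconcile application accounts against the HR roster (added example).

Constructed data, not U of L's PeopleSoft exports: an HR status extract and
an application account extract, both as CSV text with hypothetical column
names. The review flags the conditions the audit recommended a process for:
terminated employees whose accounts are still active, transferred employees
who kept roles owned by their old department, accounts with no HR owner,
and dormant accounts.
"""
import csv
import io
from datetime import date, timedelta

# Constructed HR extract: status A = active, T = terminated.
HR_CSV = """emplid,name,status,department,term_date
E001,Alice,A,Finance,
E002,Bob,T,Finance,2006-11-15
E003,Carol,A,Bursar,
E004,Dan,A,HR,
"""

# Constructed application account extract; roles are pipe-separated.
ACCOUNTS_CSV = """oprid,emplid,locked,roles,last_login
ALICE,E001,N,AP_CLERK,2007-01-10
BOB,E002,N,AP_CLERK|GL_POST,2007-01-05
CAROL,E003,N,AP_CLERK,2007-01-09
DAN,E004,N,HR_ADMIN,2006-08-01
SVCBATCH,,N,GL_POST,2007-01-10
"""

# Hypothetical role-to-department ownership, used to spot residual access after a transfer.
ROLE_OWNER = {"AP_CLERK": "Finance", "GL_POST": "Finance", "HR_ADMIN": "HR"}


def _parse_date(text):
    return date.fromisoformat(text) if text else None


def load_hr(text):
    """Map emplid -> HR record, with the termination date parsed."""
    hr = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["term_date"] = _parse_date(row["term_date"])
        hr[row["emplid"]] = row
    return hr


def load_accounts(text):
    """Parse the account extract into dicts with a role set and a parsed last login."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        row["roles"] = set(filter(None, row["roles"].split("|")))
        row["last_login"] = _parse_date(row["last_login"])
        row["locked"] = row["locked"].upper() == "Y"
        accounts.append(row)
    return accounts


def review_access(hr_text, accounts_text, review_date, dormant_days=90):
    """Return a sorted list of (finding, oprid) tuples for follow-up with the client."""
    hr = load_hr(hr_text)
    findings = set()
    for acct in load_accounts(accounts_text):
        oprid = acct["oprid"]
        person = hr.get(acct["emplid"]) if acct["emplid"] else None
        if person is None:
            # No HR owner: a service account or an orphan; either needs a named custodian.
            findings.add(("no_hr_owner", oprid))
            continue
        if person["status"] == "T" and not acct["locked"]:
            findings.add(("terminated_not_locked", oprid))
            if acct["last_login"] and person["term_date"] and acct["last_login"] > person["term_date"]:
                findings.add(("login_after_termination", oprid))
        if person["status"] == "A":
            for role in acct["roles"]:
                owner = ROLE_OWNER.get(role)
                if owner and owner != person["department"]:
                    # Role is owned by a department the employee no longer works in.
                    findings.add(("transfer_residual_access", oprid))
        if acct["last_login"] is None or review_date - acct["last_login"] > timedelta(days=dormant_days):
            findings.add(("dormant_account", oprid))
    return sorted(findings)


def demo_findings():
    """Run the review over the constructed extracts as of an assumed review date."""
    return review_access(HR_CSV, ACCOUNTS_CSV, date(2007, 1, 15))


if __name__ == "__main__":
    for finding, oprid in demo_findings():
        print(f"{finding:26} {oprid}")
```

Each finding maps to one of the recommended controls: the terminated and transferred cases are what a modify-on-change process would prevent, the owner-less account is what a standardized request and approval process would have recorded, and the dormant account is the routine user-account management the third bullet calls for.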
Recent IT Audits
Wireless Networks
Assessed the extent of wireless network deployment (both authorized and unauthorized)
Evaluated the security of the wireless network connectivity process
Scanned wireless network access points on Belknap and HSC campuses
  Detect and identify wireless networks
  Test for channels and Service Set Identifiers (SSID)
  Test for rogue access points and clients
  Test for wireless network encryption
Recent IT Audits
Wireless Networks
Tools Used
Kismet – wireless scanner and network sniffer for Linux
NetStumbler – wireless scanner for Windows
DeLorme Street Atlas with GPS – used with NetStumbler to visualize the location of access points
SuperScan – network TCP and UDP port scanner
Ethereal – packet sniffer (renamed Wireshark in 2006)
Recent IT Audits
Wireless Networks
Scanning Results
40 access points detected on Belknap campus
  15 authorized, 20 unauthorized, 5 undetermined origin
40 access points detected on HSC campus
  4 authorized, 36 undetermined origin
Recent IT Audits
Wireless Networks
Key Findings
Unauthorized Wireless Access Points
No Detection Process
Lack of Consistent Encryption
Inadequate Wireless Policy
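The detection process the key findings say was missing, tying together the scan steps (SSIDs, channels, rogue access points, encryption) and the authorized/unauthorized/undetermined counts on the preceding slides, as an added example that is not part of the original presentation: a scan export is compared against the network group's AP inventory. The flat CSV layout is a hypothetical simplification, not Kismet's or NetStumbler's native output; the official SSID, the inventory and the -75 dBm "on campus" signal threshold are assumptions chosen for illustration.

```python
"""Classify scanned access points against an AP inventory (added example).

Constructed data, not output from the audit's Kismet or NetStumbler runs. An
access point whose BSSID is in the inventory is authorized. One that is not
inventoried is unauthorized when it broadcasts the official SSID (an
impersonation) or is heard strongly enough to be on campus; a faint
uninventoried AP is recorded as undetermined origin, as the audit did.
"""
import csv
import io
from collections import Counter

OFFICIAL_SSIDS = {"campus-wlan"}        # assumed official SSID
STRONG_ENCRYPTION = {"WPA", "WPA2"}     # open or WEP networks are findings

# Constructed scan export: bssid, ssid, channel, encryption, strongest signal seen.
SCAN_CSV = """bssid,ssid,channel,encryption,signal_dbm
00:11:22:33:44:01,campus-wlan,6,WPA,-48
00:11:22:33:44:02,campus-wlan,11,WPA,-55
00:11:22:33:44:03,campus-wlan,1,WEP,-61
00:aa:bb:cc:dd:01,linksys,6,None,-42
00:aa:bb:cc:dd:02,campus-wlan,11,WEP,-50
00:aa:bb:cc:dd:03,default,1,None,-70
00:aa:bb:cc:dd:04,NETGEAR,6,WPA,-88
00:aa:bb:cc:dd:05,,11,WEP,-90
"""

# Constructed inventory of APs the network group deployed.
INVENTORY_CSV = """bssid,location
00:11:22:33:44:01,Building A
00:11:22:33:44:02,Building B
00:11:22:33:44:03,Building C
"""


def parse_scan(text):
    """Normalize BSSIDs to lower case, encryption to upper case, numbers to int."""
    aps = []
    for row in csv.DictReader(io.StringIO(text)):
        aps.append({
            "bssid": row["bssid"].lower(),
            "ssid": row["ssid"],
            "channel": int(row["channel"]),
            "encryption": row["encryption"].strip().upper() or "NONE",
            "signal_dbm": int(row["signal_dbm"]),
        })
    return aps


def load_inventory(text):
    return {row["bssid"].lower(): row["location"] for row in csv.DictReader(io.StringIO(text))}


def classify(ap, inventory, on_campus_dbm=-75):
    """authorized / unauthorized / undetermined, by the rule in the module docstring."""
    if ap["bssid"] in inventory:
        return "authorized"
    if ap["ssid"] in OFFICIAL_SSIDS or ap["signal_dbm"] >= on_campus_dbm:
        return "unauthorized"
    return "undetermined"


def audit(scan_text, inventory_text, on_campus_dbm=-75):
    """Return counts per status, channel usage, and (kind, bssid, detail) findings."""
    inventory = load_inventory(inventory_text)
    aps = parse_scan(scan_text)
    counts = Counter()
    findings = []
    for ap in aps:
        status = classify(ap, inventory, on_campus_dbm)
        counts[status] += 1
        if status == "unauthorized":
            findings.append(("rogue_ap", ap["bssid"], ap["ssid"]))
            if ap["ssid"] in OFFICIAL_SSIDS:
                # An uninventoried AP advertising the official SSID can harvest client credentials.
                findings.append(("ssid_impersonation", ap["bssid"], ap["ssid"]))
        if status != "undetermined" and ap["encryption"] not in STRONG_ENCRYPTION:
            # Covers both rogue APs and official APs left on WEP or open: inconsistent encryption.
            findings.append(("weak_encryption", ap["bssid"], ap["encryption"]))
    return {
        "counts": dict(counts),
        "channels": dict(Counter(ap["channel"] for ap in aps)),
        "findings": findings,
    }


def demo_report():
    return audit(SCAN_CSV, INVENTORY_CSV)


if __name__ == "__main__":
    report = demo_report()
    print("counts:", report["counts"])
    print("channels:", report["channels"])
    for finding in report["findings"]:
        print(*finding)
```

Run on a schedule rather than once, a diff of successive reports is the detection process the audit found absent: a BSSID that appears as unauthorized for the first time is the alert, and an inventoried AP that drops out of "WPA" is the encryption-policy exception.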
Professional Organizations
Institute of Internal Auditors (IIA)
International Standards for the Practice of Internal Auditing
Certified Internal Auditor (CIA)
  Successful Completion of Exam
  Two Years Internal Audit Experience
Louisville Chapter
Student Membership Available
www.theiia.org
Professional Organizations
Information Systems Audit and Control Association (ISACA)
IS Auditing Standards
Certified Information Systems Auditor (CISA)
  Successful Completion of Exam
  Five Years IT Audit Experience
Kentuckiana Chapter
Student Membership Available
www.isaca.org