Getting Ahead and Staying Ahead of the Auditors NetPeoples Meeting July 2009

Upload: sharyl-freeman

Post on 30-Dec-2015



Audit department’s responsibility

• Independent Score Keeper

• Catalyst for positive change

Audit wants to be a partner in your success

What do we fear most?

The Unknown

The Blair Witch Project

What are the trends in IT findings?

• Application Review

• Change Management

• Disaster Recovery

• Data Center/Physical Security

• Equipment Security

• Service Management

• Staffing

• PCI DSS

• IS Other

What are the emerging IT audit findings/concerns?

• Log management for servers

• Management of outsourced services – cloud technology

• Interdependence of systems and the impact on system availability

• Testing of recovery files

What tools are providing substantial leverage for improving our risk profile?

• Use and expansion of AD

• Consolidation and securing of the most important servers into central data centers

• SLAs

• System status page and continued work on better communication about system outages

Who’s helping you get ahead of us?

• Mike Balak

• Connie Buechele

• Brad Bostrom

• Ed Clark

• Ed Deegan

• Paul Dokas

• Ruth Dodson

• David Ernst

• John Grosen

• Jamey Hansen

• Mark Hove

• Jim Hugo

• Steve Levin

• Diane Kleinman

• Jim Nichols

• Scott Tisinger

• John Sonnack

• Lois Stark

• John Snider

• Steve Winckelman

Tools – Developed By IT collegiate directors and OIT

• Risk evaluation tool-template

• Disaster recovery preparation tool-template

• Securing private data tool-template

Tools – Being developed By IT collegiate directors and OIT

• Physical security assessment matrix

• Code change management tool-template

What does audit hear from the Board of Regents and senior management about technology?

1. Effective technology is a key lever for the University accomplishing its goal of becoming one of the top three public research institutions in the world

2. Technology is very expensive and we need to effectively manage those expenses

3. Management wants to shift the IT investment focus from administrative support to support of teaching and research

4. Management wants to leverage IT processes which do not provide a strategic advantage and put IT processes on the edge which are key to addressing education and research goals

What are some of the University IT actions of which I am most proud?

• Collaboration and leadership between collegiate IT directors and central IT

• IT staff sharing knowledge and skills from across the University to better manage risk (e.g. groups like NetPeoples)

• The University’s IT standards

• The self assessment and peer reviews performed on OIT

What’s the bottom line?

1. The work you do is really important to the University accomplishing its goals

2. The work you do often directly impacts the University risk profile/control environment.

Audit wants to partner with you for success

Questions? Feedback?