Oiac It Audit Wo Cartoons (55 slides)

Office of Internal Audit and Compliance: IT Auditing Overview. CIO Advisory Counsel Meeting, Spring 2011 - Savannah, Ga.

Uploaded by ecarrow, 18-Nov-2014

DESCRIPTION

Risk Management / Audit LifeCycle

TRANSCRIPT

Page 1: Oiac It Audit Wo Cartoons

Office of Internal Audit and Compliance

IT Auditing Overview

CIO Advisory Counsel Meeting, Spring 2011 - Savannah, Ga.

Page 2: Oiac It Audit Wo Cartoons

Session Guide

• Erwin (Chris) L. Carrow, IT Audit Director; M.Div., MSIS, CISSP, INFOSEC, CCAI, CCNP, CCSP, CQS, CCNA, LCP, LCI, OCM, MCSE, MCP+I, LSS Green Belt, etc. (Alphabet soup – who cares?!)
  Board of Regents, University System of Georgia, Office of Internal Audit and Compliance
  270 Washington Street S.W., Ste. 7087, Atlanta, GA 30334
  (404)657-9890 Office, (678)644-3526 Cell, (404)463-0699 Fax
  Email: [email protected], [email protected], [email protected]
  http://www.linkedin.com/in/thebishop
  Twitter: @ecarrow
  Skype: erwin.louis.carrow

Page 3: Oiac It Audit Wo Cartoons

Session Agenda (22 Slides – unless additional needs for clarity)

• Quick Overview – Audit Methodology (slides 1-15)
• Assessment Lifecycle & Applying Controls (slides 16-18)
• Overview & Summary (slides 19-22)
______________________________________________________________
• Terminology & Context of Security Implementation (slides 23-27)
  – Securing Business Functions
  – Governance
  – Business Function Characteristics
  – Vertical (B2S) and Horizontal (B2B) Relationship
• Risk Identification & Reconciliation (slides 28-34)
  – Business Impact Analysis
  – Risk Assessment Process
  – Risk Analysis Methodology
• Categories and Types (slides 35-37)
  – Risk – Enterprise Risk Management (BIA, RA, ERM)
  – Information, Information Systems, & Users
• Controls Framework (slides 38-44)
  – Types of Controls, Skill Sets, and Resources
  – Criteria: Maturity of Controls to Support Outcomes
  – Procedures: Operational Tasks to Implement and Support Controls (low-level)
• Example: Identity Management (COBIT, CMMI, & NIST) (slides 45-55)

Page 4: Oiac It Audit Wo Cartoons

Key Takeaways

Understand OIAC requirements and how the IT audit function applies its framework for assessing controls to compensate for high impact / high probability risks.

Provide a high-level overview of how the framework applies to institutional and agency audits / consulting.

Provide resources for review & dialogue.

Page 5: Oiac It Audit Wo Cartoons

Quick Overview – Audit Methodology

Page 6: Oiac It Audit Wo Cartoons

Why We Audit – Mission & Charter

• “Internal auditing provides independent and objective assurance and consulting services to the Board of Regents (Board), the Chancellor, and institution leadership in order to add value and improve operations. The internal audit activity helps the University System Office (USO) and USG institutions accomplish their objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, compliance, and internal control processes.”

– Internal Audit Charter approved by the Board of Regents (underline added)

Page 7: Oiac It Audit Wo Cartoons

Types of Audits – Federal, State, Campus, and Board of Regents

• Federal Auditors
  – Rely on work of state auditors
  – May focus on federal compliance (FISMA, FERPA, HIPAA, etc.), financial aid, and federal grants management
• State Auditors – Financial and Performance
  – Financial / Operational auditors – external auditors validating internal controls and the AFR
  – Performance auditors – external auditors focused on a specific system-wide process or policy issue
• Campus Auditors
  – Varies by campus
  – Generally focused on departmental reviews
  – Report to institution President and USO Chief Audit Officer
• Board of Regents Auditors
  – Shoot the gaps that other agencies do not address and engage with specific BOR or Legislative concerns

Page 8: Oiac It Audit Wo Cartoons

The Audits Selection Process: OIAC Risk Assessment & Planning Process

(The “Why Us Syndrome and What We Audit?”)

• OIAC’s Risk Assessment process
  – Quantitative Data: previous findings, financials, etc.
  – Qualitative Data: surveys, interviews, trends, etc.
  – Quarterly review and assessment versus annual approach, to be proactive
• Rolling Audit Plan
  – Designed to ensure coverage of institutions with high risk
  – Also designed to ensure OIAC coverage at all USG institutions at least once every 3-4 years
  – Specifies institution and broad categories in which to audit
  – May also incorporate consulting engagements and other special projects

Page 9: Oiac It Audit Wo Cartoons

Overall Engagement PlanSummary of Process

• Top Down methodology for the auditing assessment
  – Risk based: High Impact / High Probability – 32 different influencers
  – Business Goals to Standards and Practices
  – Business Function critical component identification
  – Leadership (administrator) to Technician or Staff member (end user)
  – Assess Requirements, Resources, and Processes

• The approach focused on key business functions and their associated Business Goals and Objectives as they relate to the assessed entities.

• Once identified and agreed upon for each business function, the key associated requirements, resources, and processes were identified and assessed to determine whether high or critical risk is being managed.

• Focus was upon Control Practices and Responsibility / Accountability associated with key activities, with CMMI level 3 as the expected criteria for High Risk Critical processes.

Page 10: Oiac It Audit Wo Cartoons

Methodology, Scope, & Criteria

• Standards for the Methodology
  – Institute of Internal Auditors (IIA - www.theiia.org)
  – Information Systems Audit & Control Association (ISACA - www.isaca.org)
• Scope of Application: Area of Emphasis (Entity or Process)
  – Usually focused on institution-wide processes, e.g., data classification, IT services, NOC, incident response / emergency planning, strategic planning, change management, etc.
• Determine what areas of High Risk or Critical Systems exist for the assessed entities at the institution
  – Risk Analysis (OIAC) & Preliminary Assessment with Institution
  – Prior Coordination / Business Impact Analysis / Risk Assessment – Information request list, based upon audited entities
  – Analysis of information provided from pre-audit phase
• Scope of Execution: Area of Emphasis (Entity or Process)
  – Business Functions (High Critical Risk)
    • Examples: IAM: Identity and Access Control Management & NETSEC: Perimeter & Network Security
  – Will incorporate recommended focus areas from institutional leadership
  – Scope can change during the course of an audit if warranted
• CMMI Criteria level 3: Process is Defined & Documented and periodically Evaluated

Page 11: Oiac It Audit Wo Cartoons

Those Involved in Areas Reviewed & Priority of Emphasis (# Personnel – # Meetings)

• Information Technology Department (High)
• Auxiliaries (Low)
• Academic Units (Limited)
• Administrative Units (Medium)

Page 12: Oiac It Audit Wo Cartoons

Summary for Plan of Action

During the engagement we …
• Gather Information / Evidence – related to implementation of controls to address High Impact / High Probability risk
  – Interviews with key personnel (Business Owner, Trustees, & Stewards)
  – Test and Validate Objectives
    • Information – Information systems
    • Direct observation & dialogue
• Document initial analysis (informal)
• Dialogue and gain Confirmation of Observations (validation)
• Dialogue and gain Common Understanding of Exceptions and Issues
• Identify Issues to Key Shareholders / Leadership and discuss Solutions
• Up until the final report is completed, dialogue will continue with the audited entity regarding issues (objections are welcome – it is your right!)

Page 13: Oiac It Audit Wo Cartoons

The Process We Follow – From Notification to Reporting

• 1st Phase: Pre-Campus Work (Preparatory Efforts)
  – Announcement / Notification Letter, sent to President upon rolling audit plan approval (specific 5-month period during which the audit will be conducted)
  – Preliminary Survey – Brief visit on campus, approx. 60 days prior to start of audit
  – Engagement Letter – Sent to President approx. 30 days prior to start of audit
  – Data Collection – Initial interviews, data requests, network scans may take place prior to arrival on campus – the more we get ahead of time, the less time we have to spend onsite
• 2nd Phase: On-Campus Fieldwork (Evidence Gathering Phase)
  – Initiated with Entrance Conference (“Line in the Sand”)
  – Scope of work may expand / contract
  – Campus POC kept informed on audit progress and issues (daily)
  – End of field work review: a meeting conducted at close of work summarizing initial results and implications
• 3rd Phase: Post-Campus Work (Documentation & Publication Phase)
  – Draft Report prepared and sent as discussion document
  – Exit Conference held either in person or via phone / video conference
  – Official Draft Report sent requiring response from institution
  – Institution’s response incorporated in report
  – Report published and distributed

Page 14: Oiac It Audit Wo Cartoons

Summary of Engagement Flow Timeframes

[Flow diagram; only its labels are recoverable. Stages in sequence, grouped 1-3 to match the three phases on the previous slide:
1. Rolling Risk Assessment & Notification (three times per year); Preliminary Survey onsite with Senior Leadership; Audit Letter with data request sent – preliminary assessment
2. Entrance meeting & field work; End of field work meeting w/ Key Shareholders
3. Discussion Draft Report Sent; Exit Conference w/ Key Leadership; Official Draft Sent; Draft with responses returned; Final Report with responses issued; Action items reviewed quarterly
Interval labels shown on the diagram: 60 Days, 30 Days, 4-6 Wks, 1 Wk, 1-2 Wks, 2 to 4 Wks, 30 Days, 1 Wk, 90 Days]

Page 15: Oiac It Audit Wo Cartoons

Assessment Results / Reporting

Page 16: Oiac It Audit Wo Cartoons

Assessment Lifecycle & Applying Controls

Page 17: Oiac It Audit Wo Cartoons

Assessment Life Cycle?

Page 18: Oiac It Audit Wo Cartoons

“Life Cycle” of Security & Process Provisioning

Page 19: Oiac It Audit Wo Cartoons

Overview & Summary

Page 20: Oiac It Audit Wo Cartoons

Putting it all together…

Page 21: Oiac It Audit Wo Cartoons

Thank You for Your Patience & Participation - Any Questions?

Understand OIAC requirements and how the IT audit function applies its framework for assessing controls to compensate for high impact / high probability risks.

Provide a high-level overview of how the framework applies to institutional and agency audits / consulting.

Provide resources for review & dialogue.

Page 22: Oiac It Audit Wo Cartoons

Helpful Resources

CIS Benchmarks - http://www.cisecurity.org/benchmarks.html
IIA - www.theiia.org
ISACA - www.isaca.org
ISC(2) - www.isc2.org
ISO - www.iso.org
ITGI - www.itgi.org
NIST - csrc.nist.gov
NSA - www.nsa.gov
IASE - iase.disa.mil
Web App Consortium - www.webappsec.org
EDUCAUSE - educause.edu/security
Univ. Austin Texas Sec. - security.utexas.edu
Univ. Cornell Sec. - www.cit.cornell.edu/security
Virginia Tech Sec. - security.vt.edu
Ga. Tech Info Sec. Center - www.gtisc.gatech.edu

Page 23: Oiac It Audit Wo Cartoons

Terminology & Context of the Audit Implementation

Page 24: Oiac It Audit Wo Cartoons

Securing Business Events

• It still comes down to … Business event Needs and Outcomes
  – Goals or Objectives – Vision, Mission, & Operations
  – Rules and Requirements
• Identifying critical business functions
  – Support Infrastructure: Finance and Accounting, Human Resources, Facilities, Services, other administrative functions or departments
  – Production Infrastructure: those folks who actually make the widgets (Instruction)!
• Identify the departments and who the key personnel are, e.g., Business owners, Trustees and Stewards
• Identify the vertical (B2S - dependent) and horizontal (B2B - interdependent) relationships that potentially introduce risk (IT Governance)
• Identify the systems that support business functions
• Categories and type of information and information systems
• Answer the question … “How are the people and systems integrated into the business process?”
• Answer the question … “What internal controls exist or need to be implemented to mitigate risk?”

Page 25: Oiac It Audit Wo Cartoons

Governance Interdependencies & Value Drivers

Control Objectives for Information and related Technology (COBIT®)

Page 26: Oiac It Audit Wo Cartoons

Control Objectives for Information and related Technology (COBIT®)

Business Functions and Characteristics

Page 27: Oiac It Audit Wo Cartoons

Governance: Business to Stewardship (B2S) versus Business to Business (B2B)

Page 28: Oiac It Audit Wo Cartoons

Risk Identification & Reconciliation

Page 29: Oiac It Audit Wo Cartoons

Audit Risk Life Cycle Variables

Page 30: Oiac It Audit Wo Cartoons

Standards of Application

• Industry Standards / Frameworks
  – COBIT 4.1 (Control Objectives for Information and related Technology)
  – NIST (National Institute of Standards and Technology)
  – ISO 17799/27001 (International Organization for Standardization)
  – ITIL (Information Technology Infrastructure Library)
• Compliance and Regulatory Requirements (FISMA, FERPA, HIPAA, PCI, SOX, SCADA, etc.)
• Board of Regents Standards
  – Board of Regents Policy
  – ITS Security Guidelines
  – Business Process Manual
• Institutions’ Local Policies and Procedures

NOT PERSONAL OPINION OR PREFERENCES!!!!!

Page 31: Oiac It Audit Wo Cartoons

Business Impact Analysis

Must understand …
• Business goals and requirements
• Internal and external relationships
• What resources are involved
• Who is in charge and what interdependencies exist
• Vision (Strategic), Mission (Tactical), Objectives (Operational) factors for success
• KPI’s – What are the Key Performance / Process Indicators?
• What distinctions and outcomes exist for each stage
• What is the scope of probability / impact (Beware “Chicken Little” effect)
• What expectations exist for each key shareholder

Source: Certified Information Systems Auditor (Study Guide), Cannon, Bergmann, & Pamplin

Page 32: Oiac It Audit Wo Cartoons

Assessing for Risk …

Risk assessment evaluates components of information, information system security and compliance as they relate to the business function.

Cycle: Assess, Mitigate / Monitor, Re-Assess
• Ongoing risk management program must be in place
• Business owner or key shareholder must own the process
• Establish a standard for considering and negotiating risk
• Annual (periodic) risk assessment deliverable with recommendations for corrective action
• Clearly define and document accepted risk – someone needs to sign off on the responsibility

Page 33: Oiac It Audit Wo Cartoons

Risk Mitigation

Once risks are identified, they must be mitigated via internal controls.

Internal Controls: a practice approved by management to mitigate risk or produce a desired outcome in a business process for implementing and enforcing information security and compliance.

• Design
• Document
• Implement – Document and retain artifacts. Test the controls prior to implementation to validate expectations
• Monitor results
• Re-test controls periodically

Page 34: Oiac It Audit Wo Cartoons

Re-Assess Risks

Risk Assessments are an on-going exercise:
• Track mitigation strategies – did they work?
• What “Framework(s)” are being applied?
• Is there an identifiable “Structure” in place, e.g., risk management program?
• Is the “Methodology” recognizable, e.g., documented and not arbitrary?
• Are you using tools to monitor, manage, and validate the associated processes?
• Test / re-test controls (design and effectiveness)
• Document test results, corrective actions, changes in business needs / requirements.

Source: Certified Information Systems Auditor (Study Guide), Cannon, Bergmann, & Pamplin

Page 35: Oiac It Audit Wo Cartoons

Categories and Types

Page 36: Oiac It Audit Wo Cartoons

Risk Categories and Types?

Determine how the categories of risk may or may not apply:

Risk Types
• Strategic: Affects the entity’s ability to achieve goals and objectives
• Compliance: Affects compliance with laws and regulations, safety and environmental issues, litigation, conflicts of interest, etc.
• Reputational: Affects reputation, public perception, political issues, etc.
• Financial: Affects loss of assets, technology, etc.
• Operational: Affects on-going management processes and procedures

Risk Management Process
• Agreed upon methodology to assess priorities (BIA, RA, ERM)
• Consistency and agreement in identification of risks
• Focus upon high probability / high impact risk
• Types and classification – Information, Systems, & People

Page 37: Oiac It Audit Wo Cartoons

Information & Information System Users (Internal & External) Categories and Types?

• What type of information, on which systems, is being accessed by which users?
  – Information: Public, administrative, sensitive, confidential
  – Internal users: Administrative, Managerial, Informational
  – External users: General Public or Specific Target group
• What level of access and authorization to the information is being provided to those types of users?
• Is the risk being managed with effective controls?
• People who use or interact with the Information include: Share Holders / Owners / Management; Employees & Business Partners; Service providers / Contractors / Customers / Clients; Regulators; etc.

Page 38: Oiac It Audit Wo Cartoons

Controls Framework

Page 39: Oiac It Audit Wo Cartoons

Control Objectives for Information and related Technology (COBIT)

• Developed by the ITGI (Current v4.1 / 5.0)
  – https://www.isaca.org/
• Value of IT, Risk, and Control
• Links IT service delivery to business requirements (already defined, right?)
• A lifecycle; constantly adapting, improving, re-adapting
• Four Responsibility Domains:
  – Plan and Organize (PO)
  – Acquire and Implement (AI)
  – Deliver and Support (DS)
  – Monitor and Evaluate (ME)
• Make a grocery list of needs and then go shopping

Page 40: Oiac It Audit Wo Cartoons

Audit Program Design

Page 41: Oiac It Audit Wo Cartoons

Audit Controls Definition

Audit Controls & Assessment
• Provides roadmap to auditor on which areas to focus audit steps (assess controls)
  – Preventive: controls to stop the problem from occurring
  – Detective: controls to find the problem
  – Corrective: controls to repair the problem after detection
  – Administrative: policies, standards, guidelines, & procedures
  – Technical: controls using hardware or software for processing & analysis
  – Physical: controls to implement barriers or deterrents
• Based upon industry standards, requirements, & practices
• Build list of high level objectives and outcomes to address risks associated with audited entity

Page 42: Oiac It Audit Wo Cartoons

Capability Maturity Model Integration (CMMI)

– Variants of the CMMI: CMM & ISO 15504
– Identifies WHERE you are at in the application of IT risk mitigation controls and HOW to get to the next level
– Levels of Application
  • Level 0: No Recognizable Process, though one is needed
  • Level 1: Process is Ad-hoc and performed by key individuals
  • Level 2: Process is Repeatable, but not controlled
  • Level 3: Process is Defined & Documented and periodically Evaluated
  • Level 4: Managed & Measurable; effective Internal Controls with Risk Management
  • Level 5: Optimized Enterprise-wide risk and control program

Page 43: Oiac It Audit Wo Cartoons

Engagement: Application of Standards

• Assessment Standards & Identification
  – Create assessment program (pre-engagement)
    • Identify risk & criteria
    • Identify audit resources, skill sets, & personnel
    • Develop information requirements for requests
  – Share expectations and objectives with institution
• Gather Information / Evidence
  – Assess Controls: Strengths / Weaknesses (during engagement) [validate assurance or identify vulnerabilities / exploitation]
  – Calculate Level of Control criteria being applied (CMMI)
• Analysis to Determine if Compliant with Standards
• Document Variances or Exceptions / Issues [potential issues]
• Report Per Charter Requirements (Ratings)

Page 44: Oiac It Audit Wo Cartoons

Controls Development & Implementation

Page 45: Oiac It Audit Wo Cartoons

Example: Controls Mapping

Framework for Information & System Security

Page 46: Oiac It Audit Wo Cartoons

IAM Example: Entity to be Assessed for Risk

• IAM: Identity and Access Control Management
  – Identity Management: the management of user credentials and the means by which users might log onto and use various systems or resources, e.g., the provisioning and de-provisioning of student, faculty, staff, and outside agency identities
  – Access Control: the mechanisms in place to permit or deny the use of a particular resource by a particular entity, e.g., technical or administrative controls to allow or deny access to file shares

Page 47: Oiac It Audit Wo Cartoons

Users Involved in Business Functions and Types of Information and Systems?

(Provisioning of High Risk or Critical Information)

Business Functional responsibility for assigning “Rights & Permissions” to various roles within the organization
• Business Owner: Responsible for the provisioning and delegation of the processes or functions and associated privileges, e.g., Payroll, Finance, HR, etc.
• Trustees: Responsible to maintain trust granted by the Business owner, e.g., “Worker Bees” in the associated departments that conduct day to day operations
• Stewards: Responsible to service and support the business function; typically provide a technical system or infrastructure to facilitate business needs, e.g., Information Technology Services, etc.
• Audience: What / Who is the intended use of the information?
• B2S versus B2B: Vertical and horizontal relationships (IT Governance)

Types of Information (classification) per organization or agency
• Unrestricted / Public: No consequence; typically general information
• Sensitive: typically references legal or externally imposed constraints that require this restriction
• Confidential: highest level of restriction; applies to the risk or harm that may result from disclosure or inappropriate use, e.g., FERPA, HIPAA, etc.

Types of Information Systems to support information exchange
• Infrastructure and architecture to support business driven events
• Classification and type (comparable to the information being managed)
• Supply Chain Management (SCM), Enterprise Resource Planning (ERP), Customer Resource Management (CRM), Business Intelligence (BI), basic communications, etc.

Determine scope of assessment and entities (people, application systems, & information) to be assessed

Page 48: Oiac It Audit Wo Cartoons

Example associated Key Process – Ecommerce e.g., One Card System

• COBIT high level framework for controls relating to the Ecommerce systems
  – Plan and Organize (PO) – Provides direction to solution delivery (AI) and service delivery (DS): PO1, PO4, PO5, PO6, PO8, PO9, PO10, and PO11
  – Acquire and Implement (AI) – Provides the solutions and passes them to be turned into services: AI5 and AI4
  – Deliver and Support (DS) – Receives the solutions and makes them usable for end users: DS1, DS5 and DS11
• Map the requirements to your preferred checklist, e.g. NIST or ISO
• Requirements for Ecommerce complement other Processes
  – Less work required for other system implementations
  – No duplication of effort if requirements are properly addressed
• Identity Management applies to many other process requirements, e.g., Applications, Operating Systems, and Databases

Page 49: Oiac It Audit Wo Cartoons

Example: Identity and Access Control Management (IAM)

COBIT 4.1 DS5.3 Identity Management
• Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms.
• Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities.
• Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person.
• Maintain user identities and access rights in a central repository.
• Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.

Page 50: Oiac It Audit Wo Cartoons

Example: Identity and Access Control Management (IAM)

Logical Didactic Approach - DS5.3 Identity Management (How it is Evaluated)

• Control over the IT process of “Ensure systems security” that satisfies the business requirement for IT of maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents
• By focusing on
  – defining IT security policies, plans and procedures, and monitoring, detecting, reporting and resolving security vulnerabilities and incidents
• Is achieved by
  – Understanding security requirements, vulnerabilities and threats
  – Managing user identities and authorizations in a standardized manner
  – Testing security regularly
• And is measured by
  – Number of incidents damaging the organization's reputation with the public
  – Number of systems where security requirements are not met
  – Number of violations in segregation of duties
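The DS5.3 control objectives on the previous slide and the "number of violations in segregation of duties" metric on this one can be turned into a repeatable audit test over an extract of access grants. The following is an added example, not part of the OIAC slides and not the office's audit program: it assumes a grant record layout (account, the person it is attributed to, HR job role, entitlement, who requested / approved / implemented it, and which repository it was found in) and a constructed role-to-entitlement matrix, system-owner register and security-administrator list that an auditor would obtain from the institution. Each check corresponds to one DS5.3 bullet; the sample grants are constructed so that one record fails each check.

```python
from collections import defaultdict
from dataclasses import dataclass


# Assumed record layout for one access grant (an assumption for this example,
# not the OIAC audit program's own format).
@dataclass(frozen=True)
class Grant:
    account: str          # login identity as it appears on the system
    person: str           # the individual the account is attributed to
    job_role: str         # documented job role from the HR system
    entitlement: str      # "<system>:<right>"
    requested_by: str     # DS5.3: should be the user's management
    approved_by: str      # DS5.3: should be the system owner
    implemented_by: str   # DS5.3: should be the security-responsible person
    source: str           # repository the grant was extracted from


# Assumed reference data obtained from the institution before fieldwork.
ROLE_ENTITLEMENTS = {                      # documented business need per role
    "payroll_clerk": {"hr_system:read", "payroll:submit"},
    "payroll_manager": {"hr_system:read", "payroll:approve"},
    "sysadmin": {"file_share:admin"},
}
SYSTEM_OWNERS = {"hr_system": "owner.hr", "payroll": "owner.fin", "file_share": "owner.its"}
SECURITY_ADMINS = {"sec.admin1", "sec.admin2"}
SOD_CONFLICTS = [frozenset({"payroll:submit", "payroll:approve"})]  # toxic combinations
CENTRAL_REPOSITORY = "central_iam"

# Constructed sample extract: a clean baseline plus one exception per DS5.3 point.
SAMPLE_GRANTS = [
    Grant("alice", "alice", "payroll_clerk", "payroll:submit", "mgr.fin", "owner.fin", "sec.admin1", "central_iam"),
    Grant("alice", "alice", "payroll_clerk", "hr_system:read", "mgr.fin", "owner.hr", "sec.admin1", "central_iam"),
    Grant("bob", "bob", "payroll_clerk", "payroll:submit", "mgr.fin", "owner.fin", "sec.admin2", "central_iam"),
    Grant("bob", "bob", "payroll_clerk", "payroll:approve", "mgr.fin", "owner.fin", "sec.admin2", "central_iam"),
    Grant("svc_reports", "carol", "sysadmin", "file_share:admin", "mgr.its", "owner.its", "sec.admin1", "central_iam"),
    Grant("svc_reports", "dave", "sysadmin", "file_share:admin", "dave", "owner.its", "dave", "local_server"),
    Grant("erin", "erin", "payroll_manager", "payroll:approve", "mgr.fin", "mgr.fin", "sec.admin2", "central_iam"),
]


def audit_grants(grants):
    """Return {check_name: [finding, ...]} containing only the checks that fail."""
    findings = defaultdict(list)
    persons_by_account = defaultdict(set)
    rights_by_person = defaultdict(set)
    for g in grants:
        persons_by_account[g.account].add(g.person)
        rights_by_person[g.person].add(g.entitlement)
        system = g.entitlement.split(":", 1)[0]
        # Rights must be in line with the documented business need of the job role
        if g.entitlement not in ROLE_ENTITLEMENTS.get(g.job_role, set()):
            findings["not_aligned_with_role"].append(
                f"{g.person}: {g.entitlement} is not documented for role {g.job_role}")
        # Requested by user management, approved by the system owner,
        # implemented by the security-responsible person
        if g.requested_by == g.person:
            findings["self_requested"].append(f"{g.person}: requested own {g.entitlement}")
        if g.approved_by != SYSTEM_OWNERS.get(system):
            findings["not_approved_by_owner"].append(
                f"{g.person}: {g.entitlement} approved by {g.approved_by}, owner is {SYSTEM_OWNERS.get(system)}")
        if g.implemented_by not in SECURITY_ADMINS:
            findings["not_implemented_by_security"].append(
                f"{g.person}: {g.entitlement} implemented by {g.implemented_by}")
        if g.implemented_by == g.person:
            findings["self_implemented"].append(f"{g.person}: implemented own {g.entitlement}")
        # Identities and rights must be maintained in the central repository
        if g.source != CENTRAL_REPOSITORY:
            findings["outside_central_repository"].append(
                f"{g.person}: {g.entitlement} found only in {g.source}")
    # Users must be uniquely identifiable: one account attributed to several people fails this
    for account, persons in persons_by_account.items():
        if len(persons) > 1:
            findings["not_uniquely_identifiable"].append(f"account {account} shared by {sorted(persons)}")
    # Toxic combinations held by a single person
    for person, rights in rights_by_person.items():
        for conflict in SOD_CONFLICTS:
            if conflict <= rights:
                findings["sod_conflict"].append(f"{person} holds {sorted(conflict)}")
    return dict(findings)


def sod_violation_count(findings):
    """The DS5 metric 'number of violations in segregation of duties': toxic
    combinations plus grants a person requested or implemented for themselves."""
    return sum(len(findings.get(k, [])) for k in ("sod_conflict", "self_requested", "self_implemented"))


if __name__ == "__main__":
    result = audit_grants(SAMPLE_GRANTS)
    for check, items in sorted(result.items()):
        print(f"{check} ({len(items)})")
        for item in items:
            print("  -", item)
    print("SoD violations:", sod_violation_count(result))
```

Each finding list is the documented variance for one DS5.3 bullet, which is what ends up in the exceptions discussed at the end-of-fieldwork meeting; the SoD count is the metric the slide names. In a real engagement the reference data comes from the institution's own role matrix and owner register, and the extract from its central IAM repository, with local server or application accounts pulled separately so the "outside central repository" check has something to compare against.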

Page 51: Oiac It Audit Wo Cartoons

How to Measure Success? Maturity Model – CMMI DS5 Snapshot (Criteria)

DS5 Ensure Systems Security - Management of the process of Ensure systems security that satisfies the business requirements for IT of maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents is:

0 Non-existent when The organization does not recognize the need for IT security. Responsibilities and accountabilities are not assigned … There is a complete lack of a recognizable system security administration process.

1 Initial/Ad Hoc when The organization recognizes the need for IT security. Awareness of the need for security depends primarily on the individual. IT security is addressed on a reactive basis. IT security is not measured. Detected IT security breaches invoke finger-pointing responses, … to IT security breaches are unpredictable.

2 Repeatable but Intuitive when Responsibilities and accountabilities for IT security are assigned to an IT security …, although the management authority ... Awareness of the need for security is fragmented and limited. Although security-relevant information …, it is not analyzed. IT security is seen primarily as the responsibility and domain of IT and the business does not see IT security as within its domain.

3 Defined when Security awareness exists and is promoted by management. IT security procedures are defined and aligned with IT security policy. Responsibilities for IT security are assigned and understood, but not consistently enforced. An IT security plan and security solutions exist as driven by risk analysis. Reporting on security does not contain a clear business focus. Ad hoc security testing (e.g., intrusion testing) is performed. Security training is available for IT and the business, but is only informally scheduled and managed.

4 Managed and Measurable when Responsibilities for IT security are clearly assigned, managed and enforced. IT security risk and impact analysis is consistently performed. Security policies and procedures are completed with specific security baselines. .... User identification, authentication and authorization are standardized. Security certification is pursued for staff members ... . Security testing is completed using standard and formalized processes, leading to improvements of security levels. …. IT security reporting is linked to business objectives. IT security training is conducted …. IT security training is planned and managed in a manner that responds to business needs and defined security risk profiles. Goals and metrics for security management have been defined but are not yet measured.

5 Optimized when IT security is a joint responsibility of business and IT management and is integrated with corporate security business objectives. IT security requirements are clearly defined, optimized and included in an approved security plan. Users and customers are increasingly accountable for defining security requirements, and security functions are integrated with applications at the design stage. Security incidents are promptly addressed with formalized incident response procedures supported by automated tools. Periodic security assessments are conducted to evaluate the effectiveness of the implementation of the security plan. Information on threats and vulnerabilities is systematically collected and analyzed. Adequate controls to mitigate risks are promptly communicated ….

Page 52: Oiac It Audit Wo Cartoons

COBIT 4.01 Standards to NIST Mapping – Integration with other Standards (Alignment of IT Controls to Mitigate Risk)

Page 53: Oiac It Audit Wo Cartoons

NIST 800-53, Revision 1 Standards: Terminology and Application

Page 54: Oiac It Audit Wo Cartoons

Audit Program Development Life-Cycle

Page 55: Oiac It Audit Wo Cartoons

COBIT Mappings

Others besides NIST are currently posted at www.isaca.org/downloads:
• Aligning COBIT, ITIL and ISO 17799 for Business Benefit
• COBIT® Mapping: Mapping of CMMI for Development
• COBIT® Mapping: Mapping of ISO/IEC 17799:2000
• COBIT® Mapping: Mapping of ISO/IEC 17799:2005
• COBIT® Mapping: Mapping of ITIL
• COBIT® Mapping: Mapping of PMBOK
• COBIT® Mapping: Mapping of PRINCE2
• COBIT® Mapping: Mapping of SEI’s CMM for Software
• COBIT® Mapping: Mapping of TOGAF 8.1
• COBIT® Mapping: Overview of International IT Guidance
