CIO IT Audit Survival TNS07


Published on

Presentation on IT audits presented at the 2007 Tennessee Summit on Administrative Computing.

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

CIO IT Audit Survival TNS07

  1. 1. A CIO’s Survival Guide for f an IT Audit A di Thomas Danford CIO, Tennessee Board of Regents C, ss o do gs
  2. 2. Background & Objectives … State Audit chose the TBR office as its “pilot” for developing IT Audit plans and procedures for Banner. Brief discussion of the various types of audits and how they relate to IT Audits. Share with the audience what’s investigated in an IT Audit and how it’s conducted. Relay some findings to date. Provide some guidance & suggestions for when your institution has its IT Audit.
  3. 3. Types of Audits Operational Audits examine the use of unit resources to evaluate whether those resources are b being used in the most d effective and efficient way. They include elements of the other audit types listed below. Financial A di examine accounting and reporting of financial Fi i l Audits i i d i f fi il transactions. Compliance Audits examine adherence to laws, regulations, policies and procedures. li i d d Internal Control Reviews focus on the components of major business activities such as payroll and benefits, and their physical security. security Information Technology (IT) Audits examine internal control environment of automated information processing systems and how people use those systems. systems
  4. 4. The IT Audit Evaluates … System(s) input, output, and processing controls input output Backup & media storage (off-site) (off- Disaster preparedness plan ( d if it has been Di d l (and i h b tested!) System(s) security Computer facilities p
  5. 5. How does the IT Audit Work? Kick- Kick-off Meeting to discuss g audit objectives with delivery of extensive questionnaires. Interview & investigative phase based upon responses to questionnaires. Exit interview with Q&A on any discovered weaknesses or findings. Published A di Report with P bli h d Audit R ih weaknesses and/or findings. Management response. g p
  6. 6. What Are Auditors Looking For? Reportable conditions – are matters that represent a significant deficiency in the d d design or operation of the internal control structure which could adversely affect the organization's ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements. Material Weaknesses – are significant deficiencies, or combination of significant deficiencies, that results in more than deficiencies a remote likelihood that a material control process could be obverted or bypassed. Findings – conditions that do adversely affect the institution and may include conditions dealing with irregularities, illegal acts, errors, inefficiency, waste, ineffectiveness, conflicts of interest, and for our purposes control weaknesses. pp
  7. 7. Interview & Investigation Areas Infrastructure Security & Control Application Security & Control Disaster Preparedness Plan Di P d Pl
  8. 8. INFRASTRUCTURE SECURITY & CONTROL: Relates to the d i of the campus network system and i l d the h design f h k d includes h backbones, routers, switches, wireless access points, access methods and protocols used. Of special interest are the filters p used. p & protective measures that govern (1) Internet open access (2) Intranet controlled access and (3) Secured Access. Particular areas of interest include: Physical security of computer center – Environmental controls, locks, cameras & authorizations to enter. Network configuration – Fil & firewall rule-sets and their change processes. N k fi i Filter fi ll rule- l d hi h ID and password rule-sets – Length, character requirements, aging, etc. rule- Operating System – File & directory permissions. Patch management – Remediation of known exploits. Segregation of duties of IT staff.
  9. 9. APPLICATION SECURITY & CONTROL: Relates to the design of the administrative system and includes additional server operating system issues as well as the DBMS and the application that sits on top of both. Heavily scrutinized are users, both functional and technical and their roles. Particular areas of interest include: Default users and their passwords Role based security – Especially as it is setup in the application itself and access to the native DBMS or OS. OS User accounts and password management – Procedures & signoff for account holders, length, character requirements, aging, etc. Software modification – Procedures and segregation of duties in their gg implementation. Patch management – Remediation of known exploits across multiple instances. Segregation of duties of IT and functional users. users
  10. 10. APPLICATION SECURITY & CONTROL (Top 5 Issues) (T I ) Improper account p pp provisioning with segregation of duties g gg Insufficient controls for change management A general lack of understanding around key system configurations Audit logs not being reviewed (or that review itself not being logged) Abnormal transactions not identified in a timely manner
  11. 11. DISASTER PREPAREDNESS PLAN: The state in which an institution is i i i i prepared f di d for disaster. P Preparedness i d involves a l plan for avoiding and recovering from a disaster with preservation and retrieval of records lost by an unexpected catastrophic occurrence. Particular areas of interest include: Backup of critical data – Including frequency, media, where and how far away. Printed plans – Kept off site by plan principles with contact lists. Recovery processes – Includes not only IT operations but facilities (hot & yp y p ( cold sites). Business continuity while IT functions are restored. Actual testing of the plan.
  12. 12. Banner Issues Discovered Di d As of 10/12/2007
  13. 13. Y10K Compliance Banner cannot handle the switch from the year 9999 to 10000
  14. 14. Tips to Make the Audit Go Smoothly Avoid making it an “adversarial” engagement adversarial Provide what’s asked of you Document & diagram D di
  15. 15. For Additional Information: Wikipedia has a g p good overview of IT auditing at: g Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), (ISACA) and the IT Governance Institute (ITGI) in 1992. Page/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981
  16. 16. Thank You Please share your comments, ideas, suggestions, questions . . . Thomas Danford 615-366- 615-366-4451