IT AUDIT
1. IT AUDIT
A Case of Group8_Health Care System
14 December 2016 1
Arun Kumar, Emenike Henry and Ibrahim Apena
2. Executive summary
Group8_Health Care is a medical centre that
provides medical aid to patients from
different parts of the world. The company was
established in 1999 with the objective of
saving lives at all possible cost. It currently
has 3,423 staff working in its head office,
situated in Lagos, and its branch in Abuja,
Nigeria. The use of sophisticated technology
for operations and the adoption of Information
and Communication Technology solutions
(the Electronic Protected Health Information
System, ePHIS) have given the organisation a
competitive edge while serving customers
effectively and efficiently.
3. Why IT Audit for Group8_Health Care (ePHIS)
• It is a fully automated medical organisation
• Assurance of information system security is required
• It is a possible target of attackers
4. What is IT audit
The process of collecting and evaluating evidence to determine
whether a company's system safeguards assets, maintains data integrity,
allows organisational goals to be achieved effectively and uses
resources efficiently.
5. Audit Scope
• Compliance with laws and
regulations
• Security (access control and
physical security)
• Organisational continuity
• Internal policies and procedures
• Worries and interests of
management
• Other identified risks
6. IT Audit
To ensure assets are safeguarded, and to ensure business
continuity and the achievement of organisational goals
effectively and efficiently. Considerations include:
• Data security (availability, non-repudiation, integrity,
confidentiality and consistency)
• Application system functionality
• People management
• Technology, IT infrastructure and facility management
7. Audit Process
• Planning
• Audit Activities and Testing
• Reporting
• Follow up
• Conclusion
9. Planning
NIST Cybersecurity Framework functions (the audit question vs. what the organisation actually does)
Identify
What should be protected? vs. What do they protect?
Protect
How should it be protected? vs. How do they protect it?
Detect
Are we under attack? vs. Are they under attack?
Respond
How should the impact be mitigated? vs. How do they
mitigate the impact?
Recover
How do we return to business as usual? vs.
How do they recover to business as usual?
Evidence-gathering methods:
Observation
Interview
Testing of specific documents, etc.
14. Documentation of findings and Reporting
The findings are documented in a report which includes:
1. An introduction to the report, audit objectives, scope and timing
2. Overall conclusion and summary of findings (the healthcare centre is security
conscious to an extent but needs to improve on the shortfalls mentioned in the
findings; more attention should be paid to the critical ones)
3. Statement on the regulations, standards and audit guidelines followed
(ISO/IEC 27002 for the audit)
4. Findings:
• Employees stay too long before going on leave (maximum stay without mandatory leave was 3 years)
• Most compliance standards are stated in IT documents but not fully complied with
• Little attention is paid to the sources from which information is downloaded over the network
• The remote network is vulnerable because employees connect to unnecessary websites through the secured
network
• There is no proper provision for reporting IT abnormalities
• Passwords are kept for too long without being changed
• Unclear IT contingency and disaster recovery plan; backup recovery time is not clearly defined
• No segregation of duties
• Improved control system
Findings are rated by risk level: High, Moderate, Low
Report model adapted from: http://www.slideshare.net/jkyriazoglou/published-audit-report-model-and-sample-2
15. Recommendations
• Access control
• Cryptography (availability,
confidentiality, integrity, non-
repudiation)
• Remote vulnerability scan
• Periodic change of passwords
• Monitoring of abnormal packet downloads
• Scrutiny of suppliers and partners
16. Recommendations Cont’d
Backup
• Backups and recovery
• Effectiveness of backups
Physical Control
• Door locks
• Security officer shifts
• Compulsory annual leave
• Installation of cameras
• Segregation of duties
Resource Management
• IT budget scrutiny
• Quality of IT infrastructure
• Asset maintenance
• Cost-benefit analysis
Compliance with Standards
• NIST and ISO standards for internal audit
17. Post Audit Activity (Follow Up)
Reviewing the findings and recommendations alongside previous findings
to determine whether appropriate actions have been implemented on a timely basis.