
2011-2012 IT Audit Summary

Bruce Patrou
Chief Information and Technology Officer
St. Johns County School District
Email: [email protected]

Rick Laneau
Data Center Manager, Information Services
School District of Hillsborough County
Email: [email protected]

User Account Mgt

Develop system to provision user accounts
Document your methods
Ensure your system handles account revocation
Link accounts to your Directory System (if able)

Project at St. Johns:
• Working to employ Microsoft FIM (for employees)
• Auto Provision accounts when new/changed in HR System
• Auto account rights revocation/lockout
• Groups and rights tied to role
• Accounts cross multiple systems
• Accounts tied to MS Active Directory
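The HR-driven provisioning and revocation loop described above, as an added example that is not the district's FIM configuration: a joiner/mover/leaver reconciliation that compares an HR feed against directory accounts and emits the create, enable, disable, group-change and orphan actions. The record layouts, the role-to-group map and the sample feed are constructed for the example.

```python
from dataclasses import dataclass, field
# Assumed role-to-group map; a real deployment derives this from the HR job code.
ROLE_GROUPS = {
    "teacher": {"Staff", "Gradebook-Users"},
    "payroll": {"Staff", "Finance-Confidential"},
}

@dataclass
class HRRecord:
    employee_id: str
    role: str
    active: bool

@dataclass
class DirAccount:
    employee_id: str
    enabled: bool
    groups: set = field(default_factory=set)

def reconcile(hr_feed, directory):
    # Returns the ordered actions that bring the directory in line with the HR feed.
    actions = []
    by_id = {a.employee_id: a for a in directory}
    for rec in hr_feed:
        acct = by_id.get(rec.employee_id)
        if not rec.active:
            if acct and acct.enabled:  # leaver: revoke access, keep the object for audit
                actions.append(("disable", rec.employee_id))
            continue
        if acct is None:  # joiner: new account, starts with no groups
            actions.append(("create", rec.employee_id))
        elif not acct.enabled:  # rehire: re-enable rather than create a duplicate
            actions.append(("enable", rec.employee_id))
        current = acct.groups if acct else set()
        wanted = ROLE_GROUPS.get(rec.role, set())
        for g in sorted(wanted - current):  # joiner/mover: grant the role's groups
            actions.append(("add_group", rec.employee_id, g))
        for g in sorted(current - wanted):  # mover: drop groups the new role lacks
            actions.append(("remove_group", rec.employee_id, g))
    known = {r.employee_id for r in hr_feed}
    for eid, acct in by_id.items():  # enabled accounts with no HR record are orphans
        if acct.enabled and eid not in known:
            actions.append(("orphan", eid))
    return actions
# Constructed sample: a joiner (1001), a mover (1002), a leaver (1003) and an orphan (9999).
SAMPLE_HR = [HRRecord("1001", "teacher", True), HRRecord("1002", "payroll", True),
             HRRecord("1003", "teacher", False)]
SAMPLE_DIRECTORY = [DirAccount("1002", True, {"Staff", "Gradebook-Users"}),
                    DirAccount("1003", True, {"Staff"}), DirAccount("9999", True, {"Staff"})]
```

Leavers are disabled rather than deleted so the object and its group history remain available to auditors; orphans are only flagged, since the decision to disable them belongs to the account approval procedure.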

User Access Rights

Limit Users to Role-based system rights
Review Users rights
• Document Results
• Make changes from findings
• Perform as often as practical
Document Account approval procedures
Avoid exceptions to your rules

Data Loss Prevention

School Districts handle lots of sensitive data
• Student Academic Records (many elements)
• Staff sensitive data (SSN, Medical, etc.)
Loss or unauthorized disclosure can be damaging
• Identify what is sensitive and where it's located
• Identify how it is accessed and via what systems
• Identify how to control its transmission
• Policies, Procedures
• Monitoring
• Encryption
• User Awareness and Training

Data Loss Prevention

Supported by multiple Documents:
• Employee Acceptable Use Policy
• Procedures for Handling Student Directory Information
• IT Procedures Handbook
• Procedures for handling and transmitting sensitive data
• Location and security of sensitive/critical data
• Data Inventory
• Data Backup
• Training and awareness

Disaster Recovery and Testing

• Identify critical processes
• Identify key staff to participate
• Cold or Hot remote site
• Annual testing
• Daily log file updates
• Dedicated connection preferred

User Authentication Security Settings

• Password length (minimum 8)
• Password complexity enabled
• Password history
• Password lockout after x number of attempts
• Password expiration (60 days)
• Document your settings
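The five settings above as enforceable checks, in an added example that is not from the presentation or any district system: the minimum length of 8 and the 60-day expiry follow the slide, while the history depth of 10, the lockout threshold of 5 and the three-of-four character-class complexity rule are assumed because the slide leaves them unspecified.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib, re

@dataclass
class PasswordPolicy:
    min_length: int = 8         # slide: minimum 8
    complexity: bool = True     # slide: complexity enabled
    history_depth: int = 10     # assumed; the slide gives no depth
    lockout_threshold: int = 5  # assumed value for the slide's "x"
    max_age_days: int = 60      # slide: expiration (60 days)

@dataclass
class Account:
    password_set: datetime
    history: list = field(default_factory=list)  # SHA-256 digests, oldest first
    failed_attempts: int = 0

def digest(pw):
    # Unsalted SHA-256 is enough for a demo history check; directories use salted hashes.
    return hashlib.sha256(pw.encode()).hexdigest()

def change_password(policy, account, candidate, now=None):
    # Returns the list of violations (empty = accepted). When a timestamp is given and
    # there are no violations, the change is applied: history and reset time are updated.
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too short")
    if policy.complexity:  # Windows-style rule: at least 3 of 4 character classes
        classes = sum(bool(re.search(p, candidate)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
        if classes < 3:
            problems.append("insufficient complexity")
    if digest(candidate) in account.history[-policy.history_depth:]:
        problems.append("reused password")
    if not problems and now is not None:
        account.history.append(digest(candidate))
        account.password_set = now
    return problems

def password_expired(policy, account, now):
    return now - account.password_set > timedelta(days=policy.max_age_days)

def record_login(policy, account, success):
    # A failure increments the counter; a success resets it unless already locked.
    locked = account.failed_attempts >= policy.lockout_threshold
    if not success:
        account.failed_attempts += 1
    elif not locked:
        account.failed_attempts = 0
    return account.failed_attempts >= policy.lockout_threshold
```

The PasswordPolicy instance doubles as the "document your settings" artifact: printing it records the exact values the directory is expected to enforce, so an auditor can compare them against the live domain policy.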

Incident Response Procedures

• Procedures for reporting the unauthorized release of sensitive Student or Staff data
• Include who will do what and when

IT Procedures Manual

• Mission/Goal
• Definitions
• Documentation Standards
• Org Chart (IT Dept) (include roles)
• Major Software Acquisition
• Project approval, selection and monitoring
• Operational Procedures
• Security Awareness Program
• Security and Access
• System Backups

Security Risk Assessment

• Security Risk Assessment Survey and Mitigation Plan (see template)
• External/Internal penetration assessment
• Helpful links to NIST and Florida AEIT:
  https://aeit.myflorida.com/sites/default/files/files/Security/2011FloridaITRiskAssessmentFinal.pdf
  NIST SP800-30 Revision 1 (Sept 2011 Draft)
  http://csrc.nist.gov/publications/PubsSPs.html

Security Awareness Program

• Publish SA notes for employees
• Publish notice of changes
• Provide training to staff on changes
• Security Training (log via PD system)
• Example

Questions