2011-2012 IT Audit Summary

Bruce Patrou, Chief Information and Technology Officer, St. Johns County School District. Email: [email protected]
Rick Laneau, Data Center Manager, Information Services, School District of Hillsborough County. Email: [email protected]
User Account Management
• Develop a system to provision user accounts
• Document your methods
• Ensure your system handles account revocation
• Link accounts to your Directory System (if able)
Project at St. Johns:
• Working to employ Microsoft FIM (for employees)
• Auto-provision accounts when new/changed in the HR system
• Auto account rights revocation/lockout
• Groups and rights tied to role
• Accounts cross multiple systems
• Accounts tied to MS Active Directory
User Access Rights
• Limit users to role-based system rights
• Review user rights
  • Document results
  • Make changes from findings
  • Perform as often as practical
• Document account approval procedures
• Avoid exceptions to your rules
Data Loss Prevention
School districts handle lots of sensitive data:
• Student academic records (many elements)
• Staff sensitive data (SSN, medical, etc.)
Loss or unauthorized disclosure can be damaging:
• Identify what is sensitive and where it's located
• Identify how it is accessed and via what systems
• Identify how to control its transmission
• Policies, procedures
• Monitoring
• Encryption
• User awareness and training
Data Loss Prevention (continued)
Supported by multiple documents:
• Employee Acceptable Use Policy
• Procedures for Handling Student Directory Information
• IT Procedures Handbook
• Procedures for handling and transmitting sensitive data
• Location and security of sensitive/critical data
• Data inventory
• Data backup
• Training and awareness
Disaster Recovery and Testing
• Identify critical processes
• Identify key staff to participate
• Cold or hot remote site
• Annual testing
• Daily log file updates
• Dedicated connection preferred
User Authentication Security Settings
• Password length (minimum 8)
• Password complexity enabled
• Password history
• Password lockout after x number of attempts
• Password expiration (60 days)
• Document your settings
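As an added example (not part of the presentation), the following Python script parses the [System Access] section of a policy file in the layout written by `secedit /export` and checks it against the settings on this slide, producing the documented findings an auditor would ask for. The export text is constructed, and because the slide gives no number for history size or lockout attempts, those two checks only require the setting to be enabled.

```python
import configparser
import io
# Constructed sample of a local security policy export in the INI-style
# layout written by `secedit /export`; a real file is UTF-16 encoded, so
# open it with encoding="utf-16". Values are deliberately weak in places.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 6
PasswordComplexity = 1
PasswordHistorySize = 0
LockoutBadCount = 0
"""
# Baseline from the slide: length >= 8, complexity on, history kept, lockout
# after a finite number of attempts, expiration within 60 days. The slide
# gives no number for history or lockout, so only "enabled" is required here.
MIN_LENGTH = 8
MAX_AGE_DAYS = 60

def parse_system_access(text):
    """Return the [System Access] keys of a secedit-style export as ints."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the export's key capitalisation
    cp.read_file(io.StringIO(text))
    return {k: int(v) for k, v in cp["System Access"].items()}

def audit_password_policy(settings):
    """Compare parsed settings with the baseline; return a list of findings."""
    findings = []
    if settings.get("MinimumPasswordLength", 0) < MIN_LENGTH:
        findings.append("MinimumPasswordLength below %d" % MIN_LENGTH)
    if settings.get("PasswordComplexity", 0) != 1:
        findings.append("PasswordComplexity not enabled")
    if settings.get("PasswordHistorySize", 0) < 1:
        findings.append("PasswordHistorySize is 0 (no history kept)")
    if settings.get("LockoutBadCount", 0) < 1:
        findings.append("LockoutBadCount is 0 (accounts never lock out)")
    age = settings.get("MaximumPasswordAge", -1)
    if age < 1 or age > MAX_AGE_DAYS:  # -1 means passwords never expire
        findings.append("MaximumPasswordAge not within %d days" % MAX_AGE_DAYS)
    return findings

if __name__ == "__main__":
    for f in audit_password_policy(parse_system_access(SAMPLE_EXPORT)):
        print("FINDING:", f)
```

Run against the sample it reports four findings (length, history, lockout, expiration); an export that meets every setting returns an empty list, which is the state to record when you document your settings.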
Incident Response Procedures
• Procedures for reporting the unauthorized release of sensitive student or staff data
• Include who will do what and when
IT Procedures Manual
• Mission/goal
• Definitions
• Documentation standards
• Org chart (IT dept, include roles)
• Major software acquisition
• Project approval, selection and monitoring
• Operational procedures
• Security awareness program
• Security and access
• System backups
Security Risk Assessment
• Security Risk Assessment Survey and Mitigation Plan (see template)
• External/internal penetration assessment
• Helpful links to NIST and Florida AEIT:
  https://aeit.myflorida.com/sites/default/files/files/Security/2011FloridaITRiskAssessmentFinal.pdf
  NIST SP800-30 Revision 1 (Sept 2011 Draft): http://csrc.nist.gov/publications/PubsSPs.html
Security Awareness Program
• Publish SA notes for employees
• Publish notice of changes
• Provide training to staff on changes
• Security training (log via PD system)
• Example