an audit a year, keeps you in the clear
TRANSCRIPT
-
8/18/2019 An Audit a Year, Keeps You in the Clear
1/24
AN AUDIT A YEAR WILL KEEP YOU IN THE CLEAR
IT Summit
November 4th, 2009
Presented by: IT Internal Audit Team
Leroy Amos
Sue Ann Lipinski
Suzanne Lopez
Janice Shelton
WHY WE'RE HERE…
• We're here to provide a broad range of audit services designed to help our organization meet its objectives. One of our key roles is to monitor risks and ensure that the controls in place are adequate to mitigate those risks.
• We can help you comply with legislation and federal regulations within your agency.
HOW WE CAN HELP YOU…
• We'll make an objective assessment of your operations, and share ideas for best practices.
• We'll provide counsel for improving controls, processes and procedures, performance, and risk management.
• We'll deliver competent consulting, assurance, and facilitation services.
AUDIT ENGAGEMENTS
Three Types of Audits:
1) Internal
• Client Request
• Mandatory
2) Self Assessment
3) Third Party (External)
• Agency must contact OISC prior to audit engagement
• OISC will coordinate with third-party auditors
WHAT WE AUDIT
• Networks
• Desktop Practices
• Servers
• Mobile Devices and Media
• Data Centers/Facilities
• Business and Technical Processes
• Application Controls
• Policy and Procedure Compliance
• Other
INFORMATION SECURITY AUDIT PHASES
Phases (shown as a cycle on the slide): Initiation & Planning, Fieldwork, Analysis, Reporting, Follow-up
Activities listed on the slide, in order:
• Risk Assessment • Research • Preliminary Review • Audit Objectives • Formal Agreement • Entrance Conference
• Interview • Inspection • Observation • Reperformance • Testing
• Confirmation • Verification • Reconciliation • Exit Conference
• Findings • Recommendations • Client Responses
• Draft Reports • Final Report • Schedule Client Corrective Action Report • Plan for Follow-up Engagement
• Confirm Corrective Action • Address Challenges • Repeat Phases (as necessary)
COMMON FINDINGS
AUDIT POLICY
• WVOT-PO1008 - Information Security Audit Program policy - issued: August 1, 2009
• http://www.technology.wv.gov/SiteCollectionDocuments/ISAP.pdf
CONFIDENTIALITY
• "All WVOT IT Auditors are bound by confidentiality standards and are required to sign the DOA Confidentiality Statement annually."
• "Information collected during an audit will only be used for official purposes. This includes the proper handling of sensitive or classified information or resources."
WVOT-PO1008, Information Security Audit Program.
CONFIDENTIALITY (COTI!"#)
• ?7elivery o' en&a&ement 'indin&s and
re#ommendations ill be limited to the .T*, the
.IS*, the #lient 7ire#tor, and other parties as
authori!ed)@
• ?The In'ormation Se#urity Audit Pro&ram ill
only release en&a&ement 'indin&s and
re#ommendations to additional entities under
the 'olloin& #ir#umstan#es: by re+uest 'rom the
audit #lient, 'or peer revie, and8or under ordero' subpoena)@
WVOT-PO1008, Information Security Audit Program)
TEAMMATE SOFTWARE
• What is it?
• System that maintains audit work papers, templates, reports, and other artifacts.
• Necessary to achieve IT audit accreditation.
• How will it benefit the client?
• Enable auditors to share information with the client in a secure manner.
• Facilitate the tracking of follow-up actions.
• Help auditors to identify common high risk findings.
• Maintain an electronic client audit history
AUDIT WEBSITE
• Soft Launch Date - October 26, 2009
• Content
• Explanation of the audit process
• Audit Types
• Audit Phases
• Auditor and Client Responsibilities
• FAQ
• Code of Professional Ethics/Confidentiality
• Audit team contact information
• http://www.technology.wv.gov/security/ITAudit/Pages/default.aspx
AUDIT PLAN
• SAS 70
• Account Management
• Data Center Audit
• End of Life Equipment Procedures
• Follow-
WHAT YOU CAN EXPECT…
• Clarity
• Courtesy
• Credibility
• Consistency
• Competency
• Comprehension
• Communication
WHAT THIS MEANS TO YOU…
• You have, at your fingertips:
• A coach
• An advocate
• A risk manager
• A controls expert
• An efficiency specialist
• A problem-solving partner
WHAT THIS MEANS TO YOU…
• A safety net
HOW YOU CAN HELP US…
• Controls are everybody's business. This means we all need to work together toward mutual accountability for internal control. If you are aware of a control that's not working, let's put our heads together and come up with a way to make it better.
SCHEDULING AN AUDIT
• On an ad-hoc basis
• Post incident
• As a risk assessment
• All client requested engagements must be scheduled three (3) to six (6) months in advance
RISK ASSESSMENT EXERCISE
• Access Controls - enforcement of specified authorization rules based on positive identification of users.
• Security of Assets - physical and logical controls to protect data and technology resources from unauthorized use, modification, or disclosure.
• Minimal Necessary and Limited Information Rule - collection, use, and disclosure of information should be limited to an entity's legal authority and purpose.
RISK ASSESSMENT EXERCISE
• Answer Questions
• Check Your Answers
• Determine Your Risk Level
RISK ASSESSMENT EXERCISE
• Question 1: A
• Question 2:
• Question 3: A or
• Question 4: C
• Question 5: C
• Question 6: A
• Question 7: C
• Each correct answer is worth 1 point
• Score of 5 or above is low risk
QUESTIONS?
AUDITOR CONTACT INFORMATION