An Audit a Year, Keeps You in the Clear

Upload: rohit-katare

Post on 06-Jul-2018


TRANSCRIPT

  • 8/18/2019 An Audit a Year, Keeps You in the Clear

    1/24

    AN AUDIT A YEAR WILL KEEP YOU IN THE CLEAR

    IT Summit

    November 4th, 2009

    Presented by: IT Internal Audit Team

    Leroy Amos

    Sue Ann Lipinski

    Suzanne Lopez

    Janice Shelton


    WHY WE’RE HERE…

    • We're here to provide a broad range of audit services designed to help our organization meet its objectives. One of our key roles is to monitor risks and ensure that the controls in place are adequate to mitigate those risks.

    • We can help you comply with legislation and federal regulations within your agency.


    HOW WE CAN HELP YOU…

    • We'll make an objective assessment of your operations, and share ideas for best practices.

    • We'll provide counsel for improving controls, processes and procedures, performance, and risk management.

    • We'll deliver competent consulting, assurance, and facilitation services.


    AUDIT ENGAGEMENTS

    Three Types of Audits:

    1) Internal

      • Client Request

      • Mandatory

    2) Self Assessment

    3) Third Party (External)

      • Agency must contact OISC prior to audit engagement

      • OISC will coordinate with third-party auditors


    WHAT WE AUDIT

    • Networks

    • Desktop Practices

    • Servers

    • Mobile Devices and Media

    • Data Centers/Facilities

    • Business and Technical Processes

    • Application Controls

    • Policy and Procedure Compliance

    • Other


    INFORMATION SECURITY AUDIT PHASES

    Initiation & Planning → Fieldwork → Analysis → Reporting → Follow-up

    • Risk Assessment • Research • Preliminary Review • Audit Objectives • Formal Agreement • Entrance Conference

    • Interview • Inspection • Observation • Reperformance • Testing

    • Confirmation • Verification • Reconciliation • Exit Conference

    • Findings • Recommendations • Client Responses

    • Draft Reports • Final Report • Schedule Client Corrective Action Report • Plan for Follow-up Engagement

    • Confirm Corrective Action • Address Challenges • Repeat Phases (as necessary)


    COMMON FINDINGS


    AUDIT POLICY

    • WVOT-PO1008 - Information Security Audit Program policy - issued: August 1, 2009

    • http://www.technology.wv.gov/SiteCollectionDocuments/ISAP.pdf


    CONFIDENTIALITY

    • "All WVOT IT Auditors are bound by confidentiality standards and are required to sign the DOA Confidentiality Statement annually."

    • "Information collected during an audit will only be used for official purposes. This includes the proper handling of sensitive or classified information or resources."

      WVOT-PO1008, Information Security Audit Program.


    CONFIDENTIALITY (CONTINUED)

    • "Delivery of engagement findings and recommendations will be limited to the CTO, the CISO, the client Director, and other parties as authorized."

    • "The Information Security Audit Program will only release engagement findings and recommendations to additional entities under the following circumstances: by request from the audit client, for peer review, and/or under order of subpoena."

      WVOT-PO1008, Information Security Audit Program.


    TEAMMATE SOFTWARE

    • What is it?

      • System that maintains audit work papers, templates, reports, and other artifacts.

      • Necessary to achieve IT audit accreditation.

    • How will it benefit the client?

      • Enable auditors to share information with the client in a secure manner.

      • Facilitate the tracking of follow-up actions.

      • Help auditors to identify common high risk findings.

      • Maintain an electronic client audit history.


    AUDIT WEBSITE

    • Soft Launch Date – October 26, 2009

    • Content

      • Explanation of the audit process

      • Audit Types

      • Audit Phases

      • Auditor and Client Responsibilities

      • FAQ

      • Code of Professional Ethics/Confidentiality

      • Audit team contact information

    • http://www.technology.wv.gov/security/ITAudit/Pages/default.aspx


    AUDIT PLAN

    • SAS 70

    • Account Management

    • Data Center Audit

    • End of Life Equipment Procedures

    • Follow-


    WHAT YOU CAN EXPECT…

    • Clarity

    • Courtesy

    • Credibility

    • Consistency

    • Competency

    • Comprehension

    • Communication


    WHAT THIS MEANS TO YOU…

    • You have, at your fingertips:

      • A coach

      • An advocate

      • A risk manager

      • A controls expert

      • An efficiency specialist

      • A problem-solving partner


    WHAT THIS MEANS TO YOU…

    A safety net


    HOW YOU CAN HELP US…

    • Controls are everybody's business. This means we all need to work together toward mutual accountability for internal control. If you are aware of a control that's not working, let's put our heads together and come up with a way to make it better.


    SCHEDULING AN AUDIT

    • On an ad-hoc basis

    • Post incident

    • As a risk assessment

    • All client requested engagements must be scheduled three (3) to six (6) months in advance


    RISK ASSESSMENT EXERCISE

    • Access Controls – enforcement of specified authorization rules based on positive identification of users.

    • Security of Assets – physical and logical controls to protect data and technology resources from unauthorized use, modification, or disclosure.

    • Minimal Necessary and Limited Information Rule – collection, use, and disclosure of information should be limited to an entity's legal authority and purpose.


    RISK ASSESSMENT EXERCISE

    • Answer Questions

    • Check Your Answers

    • Determine Your Risk Level


    RISK ASSESSMENT EXERCISE

    • Question 1: A

    • Question 2:

    • Question 3: A or

    • Question 4: C

    • Question 5: C

    • Question 6: A

    • Question 7: C

    • Each correct answer is worth 1 point

    • Score of 5 or above is low risk


    QUESTIONS?


    AUDITOR CONTACT

    INFORMATION