auditor of public accounts1 how safe is your state’s data? virginia’s common-sense approach to...
TRANSCRIPT
Auditor of Public Accounts 1
How Safe is Your State’s Data?
Virginia’s
Common-Sense
approach to
Assessing Security
Auditor of Public Accounts
2
Virginia’s Common-Sense Approach to Assessing Security
• Why did we choose to assess the Commonwealth of Virginia’s systems and data security?
• What was the timeframe from inception to completion?
• What approach did we use to gather the data?
• How did we evaluate the data?
Auditor of Public Accounts
3
Virginia’s Common-Sense Approach to Assessing Security
• How did we report the results?
• What were the lessons learned and what would we have done differently?
• What was the response to the report we issued?
Auditor of Public Accounts
4
Virginia’s IT Governance
• Virginia has had information technology security standards since 1990
• Creation of Virginia Information Technologies Agency (VITA) in 2003
• Commonwealth’s Chief Information Officer is responsible for information technology security
Auditor of Public Accounts
5
Virginia’s IT Governance
• VITA is responsible for information technology security audits, however they had not been doing them!– Funding issues– Efforts focused on Northrop Grumman public
private partnership for IT infrastructure
Auditor of Public Accounts
6
Why did we choose to assess the Commonwealth of Virginia’s systems and data security?
• Security Breaches• Virginia Organization• Jan. 10, 2005 – George Mason University (Fairfax, VA) Names, photos, and
Social Security numbers of 32,000 students and staff were compromised because of a hacker attack on the university’s main ID server.
• Public Organization• On May 22, 2006, the U.S. Department of Veterans Affairs issued a statement
that one of their analyst’s laptops was stolen containing 26.5 million names, social security numbers, dates of birth, and health records of active and retired veterans and spouses.
• Private Organization• Financial services company ING had a laptop stolen from the Washington
home of one of its employees on June 12, 2006 containing sensitive data, such as social security numbers, of 13,000 District of Columbia employees and retirees.
Auditor of Public Accounts
7
Why did we choose to assess the Commonwealth of Virginia’s systems and data security?
• Virginia General Assembly passed Senate Joint Resolution 51 (SJR51)
• Which basically said “APA you will assess the health of the security of the Commonwealth’s data.”
Auditor of Public Accounts
8
APA Audits
• We had been covering IT security related to our financial and performance audits for some time
• We had been issuing findings related to IT security in individual audit reports
• Interpretation of SJR 51 was that we would review security of all data (not just financial or data that resides in a database)
Auditor of Public Accounts
9
What was the timeframe from inception to completion?
• Senate Joint Resolution 51 passed by House on March 9, 2006
• Checklist developed July 18, 2006• Pilot study completed August 10, 2006• Final agency checklist received October 23,
2006• Report issued December 1, 2006
Auditor of Public Accounts
10
What approach did we use to gather the data?
• We developed a Checklist/Questionnaire based on four criteria:– Commonwealth of Virginia Security Standards– International Standards (ISO 17799)– Federal Government Standards
(FISCAM/NIST)– Private Sector Standards (CobiT)
Auditor of Public Accounts
11
Our ChecklistAn example from APA Auditor Core Checklist
• Has the agency completed and documented a Risk Assessment (RA) relating to its IT infrastructure?
• Is the RA reviewed at least annually to check compliance with the Commonwealth of Virginia security standard?
• Is the RA updated at least every three years?• Does the agency require all components of its
IT infrastructure to be rated in the RA?
Auditor of Public Accounts
12
What approach did we use to gather the data?
• Checklist/Questionnaire addressed four major areas:– Security Management Structure– Data protection, integrity, availability and
confidentiality– IT System Configuration and change
management– Monitoring and Logging
Auditor of Public Accounts
13
What approach did we use to gather the data?
• Checklist/Questionnaire was distributed to a select (pilot) group of nine state agencies and institutions:– Based on diversity in terms of number of staff
and size of budget (included both large and small agencies and higher education institutions)
Auditor of Public Accounts
14
What approach did we use to gather the data?
• A core group of Audit Directors and Senior Audit staff members were identified and trained on the checklist and how to interpret/evaluate results
• This included staff from non-IT related teams within the office
Auditor of Public Accounts
15
What approach did we use to gather the data?
• Approach was to test for the existence of IT policies and procedures
• IT related teams developed the checklist (identifying best practices)
• Do not need to be an IT expert to evaluate the existence of policies and procedures identified in the checklist
Auditor of Public Accounts
16
What approach did we use to gather the data?
• After the pilot group responded to the checklist:– Checklist/Questionnaire was revised to ensure
clarity– An APA audit staff member was assigned to
each agency– Mass distribution to all agencies/institutions
(104 agencies including judicial and legislative branch)
Auditor of Public Accounts
17
What approach did we use to gather the data?
• Agencies were given five business days to complete the checklist/questionnaire and supply supporting documentation
• Once the documentation was received by APA, two reviews were done one by the assigned auditor second by an a member of the Information
Systems Security Team
Auditor of Public Accounts
18
What approach did we use to gather the data?
• Once the initial review was completed – Agency was given two additional days to
respond to those questions where the APA determined the documentation to be inadequate
– Mandatory participation was assured by legislative order (SJR51)
Auditor of Public Accounts
19
What approach did we use to gather the data?
• Security was achieved by either hand delivery of the checklist to/from the agency
• Or, the APA provided a secure FTP site which could be used by the agencies to upload/download the checklist and supporting documentation
Auditor of Public Accounts
20
How did APA evaluate the data?
• Eleven topics were identified as key evaluation criteria
• Four of the eleven we titled the Big Four and included:– Business Impact Analysis
– Risk Assessment
– Business Continuity Plan
– Disaster Recovery Plan
Auditor of Public Accounts
21
How did APA evaluate the data?
The Questions that APA considered as Key Performance Indicators (KPIs)
1. Does the organizational structure include the assignment of an Information Security Officer (ISO)?
2. Does the agency have a Security Awareness Training program?
3. Has the agency completed and documented a Risk Assessment relating to its IT infrastructure?
4. Does the agency have a documented Business Impact Analysis?
Auditor of Public Accounts
22
How did APA evaluate the data?
The Questions that APA considered as Key Performance Indicators (KPIs)
1. Does the organizational structure include the assignment of an Information Security Officer (ISO)?
2. Does the agency have a Security Awareness Training program?
3. Has the agency completed and documented a Risk Assessment relating to its IT infrastructure?
4. Does the agency have a documented Business Impact Analysis?
Auditor of Public Accounts
23
How did APA evaluate the data?
The Questions that APA considered as Key Performance Indicators (KPIs)
1. Does the organizational structure include the assignment of an Information Security Officer (ISO)?
2. Does the agency have a Security Awareness Training program?
3. Has the agency completed and documented a Risk Assessment relating to its IT infrastructure?
4. Does the agency have a documented Business Impact Analysis?
Auditor of Public Accounts
24
How did APA evaluate the data?
The Questions that APA considered as Key Performance Indicators (KPIs)
1. Does the organizational structure include the assignment of an Information Security Officer (ISO)?
2. Does the agency have a Security Awareness Training program?
3. Has the agency completed and documented a Risk Assessment relating to its IT infrastructure?
4. Does the agency have a documented Business Impact Analysis?
Auditor of Public Accounts
25
How did APA evaluate the data?
• The Questions that APA considered as KPIs5. Does the agency have a documented Business
Continuity Plan? 6. Does the agency have a documented Disaster
Recovery Plan?7. Does the agency have policies and procedures for
approving logical access? 8. Are users required to be authenticated for access to
all systems and are exceptions approved by management and have risks of those exceptions been evaluated and accepted?
Auditor of Public Accounts
26
How did APA evaluate the data?
• The Questions that APA considered as KPIs5. Does the agency have a documented Business
Continuity Plan? 6. Does the agency have a documented Disaster
Recovery Plan?7. Does the agency have policies and procedures for
approving logical access? 8. Are users required to be authenticated for access to
all systems and are exceptions approved by management and have risks of those exceptions been evaluated and accepted?
Auditor of Public Accounts
27
How did APA evaluate the data?
• The Questions that APA considered as KPIs5. Does the agency have a documented Business
Continuity Plan? 6. Does the agency have a documented Disaster
Recovery Plan?7. Does the agency have policies and procedures for
approving logical access? 8. Are users required to be authenticated for access to
all systems and are exceptions approved by management and have risks of those exceptions been evaluated and accepted?
Auditor of Public Accounts
28
How did APA evaluate the data?
• The Questions that APA considered as KPIs5. Does the agency have a documented Business
Continuity Plan? 6. Does the agency have a documented Disaster
Recovery Plan?7. Does the agency have policies and procedures for
approving logical access? 8. Are users required to be authenticated for access
to all systems and are exceptions approved by management and have risks of those exceptions been evaluated and accepted?
Auditor of Public Accounts
29
How did APA evaluate the data?
• The Questions that APA considered as KPIs 9. Are there policies and procedures regarding
password controls?
10. Does all the critical and sensitive assets have the appropriate physical safe guards in place to protect against unauthorized access and is it documented who approves these controls?
11. Does the Agency monitor their systems, applications and databases?
Auditor of Public Accounts
30
How did APA evaluate the data?
• The Questions that APA considered as KPIs 9. Are there policies and procedures regarding password
controls?
10. Does all the critical and sensitive assets have the appropriate physical safe guards in place to protect against unauthorized access and is it documented who approves these controls?
11. Does the Agency monitor their systems, applications and databases?
Auditor of Public Accounts
31
How did APA evaluate the data?
• The Questions that APA considered as KPIs 9. Are there policies and procedures regarding password
controls?
10. Does all the critical and sensitive assets have the appropriate physical safe guards in place to protect against unauthorized access and is it documented who approves these controls?
11. Does the Agency monitor their systems, applications and databases?
Auditor of Public Accounts
32
How did APA evaluate the data?
• Final evaluation categories were:– Non-Existent (did not have any of the Big Four
checked as yes)– Inadequate (had at least one of the Big Four but
did not have all eleven checked as yes)– Adequate (had all eleven checked yes)
Auditor of Public Accounts
33
How did APA report the results?
• Formal report to the General Assembly and to the Governor
• Posted to the Auditor of Public Accounts website http://www.apa.virginia.gov/
• We structured the report to reflect history, current practices, best practices and recommendations
Auditor of Public Accounts
34
How did APA report the results?
• APA made four recommendations:1) VITA should develop a plan to communicate
infrastructure information and standards to agencies that it supports Provide assistance and expertise to agencies Assume responsibility for ensuring IT
infrastructure meets agencies’ needs and is secure
Auditor of Public Accounts
35
How did APA report the results?
• APA made four recommendations:2) The General Assembly may wish to consider
granting the Commonwealth’s Chief Information Officer authority over the judicial and legislative information security programs
Auditor of Public Accounts
36
How did APA report the results?
• APA made four recommendations:3) The CIO and Information Technology
Investment Board should consider supplementing the Commonwealth’s security standard with the additional processes (industry best practices) identified in this report
Auditor of Public Accounts
37
How did APA report the results?
• APA made four recommendations:4) The Commonwealth needs to adopt a strategy
to provide sufficient resources to develop a proper information security plan Need to utilize a central resource such as VITA to
assist small to medium sized agencies that do not have sufficient internal resources to develop a plan
Auditor of Public Accounts
38
How did APA report the results?
• Then of course we added in all of the graphics which showed how many were adequate (21), inadequate (66), and non-existent (17)
• We added the checklist in its entirety
• We added the Best Practice Comparisons
Auditor of Public Accounts
39
What were the lessons learned and what would we have done
differently?• Checklist questions should all be phrased so
that a positive answer is always “YES”• We focused on the existence of policies and
procedures, to follow up we would expand this to include implementation
• We learned that our approach “to not identify the critical questions in advance” was a crucial decision and the right one
Auditor of Public Accounts
40
How have we used the report?
• Using results as a baseline in audit planning
• Where adequate, we are incorporating tests to ensure policies and procedures have been implemented
• Where inadequate, we are following up on agencies efforts to address issues
• Currently performing follow-up review
Auditor of Public Accounts
41
What was the response to the report we issued?
• New Legislation
• New Executive Orders
• Improved Commonwealth Standards, Policies and Procedures
• Increased awareness
Auditor of Public Accounts
42
Va. report: Sensitive data put at riskAuditor says most state agencies have inadequate, porous security programsBY PETER BACQUE, TIMES-DISPATCH STAFF WRITER, Dec 13, 2006
• The majority of Virginia government agencies are doing an unacceptable job of protecting the huge amounts of sensitive information entrusted to them, according to a state report.
• Of 104 state agencies and institutions surveyed by the Auditor of Public Accounts, 80 percent had inadequate security programs, the report said.
Auditor of Public Accounts
43
Virginia Bill Would Require Notice When Personal Data Is Lost or Stolen
By Larry O'Dell January 16, 2007
• Two Virginia lawmakers said this week that they will introduce legislation requiring government agencies and businesses to notify Virginians if their personal information is lost or stolen.
• Brink also noted that an investigation by Virginia's Auditor of Public Accounts last year found that a majority of state agencies are doing an unacceptable job protecting citizens' private information.
Auditor of Public Accounts
44
Virginia Governor Signs Consumer Privacy, Security OrdersJan 09, 2007 News Release
• Governor Kaine signed Executive Order 43 (2007) directing Virginia's Secretary of Technology, Aneesh Chopra, to oversee efforts to examine state government data security policies and to ensure that they are enforced. The Executive Order follows a recent report from the Virginia Auditor of Public Accounts that concluded a majority of state government agencies in Virginia could do more to protect personal consumer information.
Auditor of Public Accounts
45
Contact Information
J Kenneth Magee (804) 225-3350 Ext [email protected]
Staci Henshaw (804) 225-3350 Ext [email protected]
If you want a copy of the checklist please leave me a business card and write CHECKLIST on the back of it.
Auditor of Public Accounts
46
LINKS
• National Institute of Standards and Technology http://www.nist.gov/
• Federal Information System Controls and Audit Manual http://www.gao.gov/
• CobiT http://www.isaca.org/
• ISO1779 http://www.ansi.org/
• Virginia Standards http://www.vita.virginia.gov/