INTRODUCTION
Office of State Auditor
Michael Burch, CPA, CISA, IS Audit Supervisor
Lisa Outlaw, IS Audit Supervisor
Michelle Wicker, IS Auditor, Team Leader
IIPS Fall Conference 2007

Summary of Community College Audits
2002/2003 audits and follow-ups
2006 and 2007 limited general controls
Fiscal year 2007 financial audit files

Community College Audits for 2008
Shift of focus from limited general controls to penetration and vulnerability assessments
Assistance to financial audits: financial audit file, Datatel Colleague access file
Random general controls if needed

IT GOVERNANCE
Every organization has some form of IT governance by default.
Good IT governance:
Ensures IT investments are optimized and aligned with business strategy
Delivers value within acceptable risk boundaries

IT GOVERNANCE
What is the definition of IT governance?
There is no standard definition!

IT GOVERNANCE
Evolved from "corporate governance," which defines the proper management of a business and compliance with regulatory requirements
Has gained prominence from recent events
IT governance applies the same principles to the organization's IT environment

IT GOVERNANCE
Specifies the decision rights and accountability framework that encourages and enforces desirable behavior in the use of IT by the organization
Is the strategic alignment of IT with the business' goals so that maximum value is achieved through the development and maintenance of effective IT controls and accountability, performance management, and risk management

IT GOVERNANCE
Involves management, processes, and resources
Aligns IT goals and objectives with those of the business as a whole
Its purpose is to ensure optimal and uninterrupted service delivery

IT GOVERNANCE: Methodologies
COBIT (Control Objectives for Information and related Technology)
ITIL (Information Technology Infrastructure Library)
ISO standards: ISO/IEC 17799 (renumbered ISO/IEC 27002 in July 2007) and ISO/IEC 27001

IT GOVERNANCE: Information System Security
Security is about managing risk
Risk management covers both opportunity and asset protection
Provides value through business enablement and asset protection

IT GOVERNANCE
IT GOVERNANCE IS ABOUT: control, accountability, responsibility, and authority
Who defines the rules, and who is responsible for compliance with and monitoring of the rules

IT GOVERNANCE: Often Confused with IT Management
IT governance: who makes the decisions; getting the right people involved in IT decisions; not leaving it to IT
IT management: making and implementing decisions consistent with the governance framework

IT GOVERNANCE: Four Objectives
IT VALUE AND ALIGNMENT
Creates the necessary structure and processes around IT to ensure that IT projects are aligned with business goals and objectives

IT GOVERNANCE: Four Objectives
RISK MANAGEMENT
IT risks are often the same as business risks for the organization; therefore managing IT risk is paramount for the organization as a whole

IT GOVERNANCE: Four Objectives
IT RISKS include:
Security risks arising from hackers and insiders
Denial of service attacks
Privacy risks from identity theft
Recovery from disasters
Resiliency of systems against outages and project failures

IT GOVERNANCE: Four Objectives
ACCOUNTABILITY
At the end of the day, governance is about accountability.
Current legislation holds senior management accountable for the integrity and credibility of financial systems and controls.
IT management is held accountable for the return on investment in IT as well as for the credibility of IT's controls.

IT GOVERNANCE FRAMEWORK
A formal methodology for establishing a corporate model for setting and delivering business strategy, measuring performance, managing risk, and establishing a corporate culture with ethical standards
To fit within the governance framework, IS security must be aligned to deliver on the business strategy

IT GOVERNANCE: Four Objectives
PERFORMANCE MEASUREMENT
Accountability requires score keeping to measure how well the organization is doing

IT GOVERNANCE: IS Security Policy
Must clearly define roles and responsibilities for security, including owners, custodians, and managers
Define the owners of business processes and data
Define acceptable parameters for IT operations
Define communications between owners and IT
Define monitoring for compliance

IT GOVERNANCE: IS Security Policy
Policies must have effective processes (procedures) for implementation and compliance
Require knowledge and support for maintenance (must change as requirements change)
Security issues often arise from deficiencies in procedures and people
Awareness of individuals' responsibilities for security must be embedded in the culture of the organization, from induction to exit

IT GOVERNANCE: IS Security
Needs to be integrated into the enterprise risk management framework
Covers the whole enterprise
Security awareness and responsibility must apply to those with external or temporary access rights to information systems as well as to permanent staff
Must become part of the organization's culture, not an afterthought

IT GOVERNANCE: Methodologies
COBIT (Control Objectives for Information and related Technology) and ISO/IEC 27001 and 27002 define what should be done
ITIL (Information Technology Infrastructure Library) provides the "how" from a service management perspective

IT GOVERNANCE: Methodologies
These "best" practices have been significant not from the AUDIT perspective but from management's, for defining IT governance for the organization
In private industry there are now regulatory requirements for effective information system controls: Sarbanes-Oxley, HIPAA

IT GOVERNANCE: Methodologies
It is only a matter of time before the shareholders of government (taxpayers) demand the same of governmental agencies.

IT GOVERNANCE
It is not a question of IF but rather of WHEN.
Government will be forced to implement IT governance, whether by legislation or by good management practice.
The time to start implementing IT governance for the community colleges is NOW rather than LATER.

IT GOVERNANCE
Who is responsible?
The board of directors/executive management
Business process and data owners
IT auditors
The board of directors and executive management must take ownership of IT governance and set its direction

COBIT
IT governance, in simple terms, is management's policy for controlling IT's strategic impact and value for the organization
A structure and set of processes and related procedures to aid in providing effective IT services to the organization and in monitoring the IT process

COBIT
COBIT is the most recognized framework for supporting IT governance
The Office of State Auditor has selected COBIT as the framework for IS audits of state agencies.

COBIT
Based on best practices
Focuses on IT processes
Provides for IT performance assessment and monitoring

COBIT
Effective IT governance would actually build a framework using all three of the above methodologies
For our discussion today we will focus on COBIT, since it provides the best overall control practices and framework
COBIT provides more detail than ITIL and the ISO standards for developing IT governance

COBIT
ITIL provides best practice for service management and delivery; it does not cover the strategic impact of IT or the relation between IT and business processes
ISO/IEC 17799 (27002) and 27001 focus on security and do not provide for planning and delivery of IT services

COBIT
COBIT 4.0 released in 2005; COBIT 4.1 released May 2007
Downloadable from the ISACA website (www.isaca.org)
A set of 34 high-level control objectives (one per IT process) containing 215 detailed control objectives in COBIT 4.0 (210 in COBIT 4.1), reduced from 314 in previous versions

COBIT
Control objectives are grouped into four main domains:
Planning and Organizing (Plan and Organise, PO)
Acquisition and Implementation (Acquire and Implement, AI)
Delivery and Support (Deliver and Support, DS)
Monitoring (Monitor and Evaluate, ME)

COBIT
Planning and Organizing: strategy planning; communications; strategy management; risk management; resource management

COBIT
Acquisition and Implementation: identify, develop or acquire, and implement solutions to business processes; manage the life cycle of systems through maintenance, enhancement, and retirement

COBIT
Delivery and Support: service and support, including performance, security, and training

COBIT
Monitoring: all processes needed to regularly assess compliance with control requirements; addresses management's oversight of the organization's control processes; self-assessments, internal and external audit

COBIT
Provides management and business process owners with an IT governance model that helps in delivering value from IT and in understanding and managing the risks associated with IT
Helps bridge the gaps between business requirements, control needs, and technical issues

COBIT
Is a control model to meet the needs of IT governance and ensure the integrity of information systems and data

COBIT: Who Uses It?
Those who have primary responsibility for business processes and technology
Those who depend on technology for relevant and reliable information
Those who provide quality, reliability, and control of information technology

COBIT: Who Uses It?
COBIT is used not only by the IT department but by the organization as a whole, including business process and data owners
Provides business process owners with a framework to control IT activities
Provides management with a set of tools for self-assessment and monitoring of the IT function

COBIT: Why Use It?
COBIT is business oriented; therefore using it to understand IT control objectives, deliver IT value, and manage IT-related business risk is straightforward

COBIT: Management Guidelines
Provide tools for management to perform self-assessments and make choices for control implementation and improvement over the organization's information and related technology
Guidelines are provided for each of the 34 IT processes, from a management and performance measurement perspective

COBIT: Management Guidelines
Tools are provided by the guidelines to support management's decision-making process
COBIT 4.0 and 4.1 integrate the management guidelines with the control objectives in one publication

COBIT
Overall, COBIT is a management tool for IT controls, not just an audit tool
COBIT provides management, auditors, and users with a set of generally accepted measures, indicators, processes, and best practices to assist the organization in maximizing the benefits derived from information technology and in developing IT governance and controls

COBIT
Helps management, auditors, and users understand the organization's IT systems and decide the level of security and control necessary to protect the organization's assets, through the development of an effective IT governance model.

COBIT Product Family
The complete COBIT package is a set of six publications:
Executive Summary
Framework
Control Objectives
Audit Guidelines
Implementation Tool Set
Management Guidelines

COBIT Product Family
Executive Summary: consists of an executive overview that provides a thorough awareness and understanding of COBIT's key concepts and principles

COBIT Product Family
Framework: explains how IT processes deliver the information that the business needs to achieve its objectives; delivered through the 34 high-level control objectives, one for each IT process, contained in the four domains

COBIT Product Family
Framework: identifies which of the seven information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability) and which IT resources (people, applications, information, and infrastructure) are important for the IT processes to fully support the business

COBIT Product Family
Control Objectives: statements of the desired results or purposes to be achieved by implementing the 215 specific, detailed control objectives across the 34 IT processes

COBIT Product Family
Audit Guidelines: outline and suggest actual activities to be performed for each of the 34 high-level IT control objectives, while substantiating the risk of control objectives not being met

COBIT Security Baseline
Information security is a key aspect of IT governance
COBIT covers security in addition to the other risks that can arise from the use of IT
The COBIT-based security baseline provides key controls for security
The COBIT Security Baseline, 2nd Edition, has been updated and aligned with COBIT 4.1

COBIT Security Baseline
Gaps in security are usually caused by:
Lack of a comprehensive and maintainable risk and threat management process
New vulnerabilities resulting from the widespread use of new technologies
Lack of maintenance to ensure that all patches are promptly applied
Increased networking and mobile working
Lack of security awareness
Insufficient discipline when applying controls
New and determined efforts of hackers, fraudsters, criminals, and terrorists
Changing legislative, legal, and regulatory security requirements
Anyone doubting the significance of information security should take a moment to consider the potential impact of a security incident personally, or on the organization or working environment

COBIT Security Baseline
Impact of a security incident:
Availability: information is no longer available when and where required
Integrity: information is corrupt or incomplete
Confidentiality: information is exposed to unauthorized individuals

COBIT Security Baseline
There is no such thing as 100% security, but by following the advice in the COBIT Security Baseline and maintaining awareness of security-related risks and vulnerabilities, an effective level of security can be achieved.
Security is NOT a one-time effort; the IT environment keeps changing, and new security risks can arise at any time.

COBIT Security Baseline
Good security does not necessarily mean a large amount of time or expense. By raising awareness, recognizing the risks that can occur, and taking sensible precautions when using IT, security can be achieved with relatively little effort.

COBIT Security Baseline
Good security will improve an organization's reputation, build its confidence, and increase the trust of others with whom business is conducted, and it can even improve efficiency by avoiding the wasted time and effort of recovering from a security incident.

COBIT Security Baseline
Focuses on the most essential information security steps
The 44 most important security-related control objectives have been extracted from the COBIT framework and are presented in the guide
Provides key control objectives and suggested minimum control steps, cross-referenced to the COBIT processes and control objectives
Also references ISO/IEC 27002 to show that the baseline aligns with the standard and to provide links to further guidance
The cross-referencing to COBIT provides links to more detailed generic guidance on each of the 44 key control objectives, which can be tailored for IT security

INFORMATION SECURITY
Security relates to the protection of valuable assets against unavailability, loss, misuse, disclosure, or damage.
Information must be protected against harm from threats leading to different types of impact, such as loss, inaccessibility, alteration, or wrongful disclosure.
Threats include errors and omissions, fraud, accidents, and intentional damage.

INFORMATION SECURITY
The objective of information security is to protect the interests of those relying on information, and on the systems and communications that deliver it, from harm resulting from failures of availability, confidentiality, and integrity.
The amount of protection required depends on how likely a security risk is to occur and how big an impact it would have if it did (risk assessment).

INFORMATION SECURITY
"Information security provides the management processes, technology and assurance to allow businesses' management to ensure business transactions can be trusted; ensure IT services are usable and can appropriately resist and recover from failures due to error, deliberate attacks or disaster; ensure critical confidential information is withheld from those who should not have access to it."
Dr. Paul Dorsey, Director, Digital Business Security, BP PLC, UK

INFORMATION SECURITY
COMPUTER SECURITY
"A computer is secure if you can depend on it and its software to behave as you expect."
Dr. Eugene Spafford, Professor and Executive Director, Purdue University Center for Education and Research in Information Assurance and Security

IIPS FALL CONFERENCE 2007
QUESTIONS?