
1 INTRODUCTION Michael Burch, IS Audit Supervisor Lisa Outlaw, IS Audit Supervisor Michelle Wicker, IS Auditor - Team Leader IIPS Fall Conference 2007.


1 INTRODUCTION
Michael Burch, IS Audit Supervisor
Lisa Outlaw, IS Audit Supervisor
Michelle Wicker, IS Auditor - Team Leader
IIPS Fall Conference 2007, Office of State Auditor
Presenter: Michael Burch, CPA, CISA, IS Audit Supervisor

2 Summary of Community College Audits
- 2002/2003 audits and follow-ups
- 2006 and 2007 limited general controls reviews
- Fiscal year 2007 financial audit files

3 Community College Audits for 2008
- Shift of focus from limited general controls to penetration and vulnerability assessments
- Assistance to financial audits: financial audit file and Datatel Colleague access file
- Random general controls reviews if needed

4 IT GOVERNANCE
- Every organization has some form of IT governance by default
- Good IT governance ensures IT investments are optimized and aligned with business strategy, and delivers value within acceptable risk boundaries

5 IT GOVERNANCE
What is the definition of IT governance?

6 IT GOVERNANCE
What is the definition of IT governance? There is no standard definition!

7 IT GOVERNANCE
- Evolved from "corporate governance", which defines proper management of the business and compliance with regulatory requirements
- Has gained prominence from recent events
- IT governance applies the same principles to the organization's IT environment

8 IT GOVERNANCE
- Specifies the decision rights and accountability framework to encourage and enforce desirable behavior in the use of IT for the organization
- Is the strategic alignment of IT with the business' goals such that maximum value is achieved through the development and maintenance of effective IT controls and accountability, performance management, and risk management

9 IT GOVERNANCE
- Involves management, processes, and resources
- Aligns IT goals and objectives with those of the business as a whole
- Purpose is to ensure optimum and uninterrupted service delivery

10 IT GOVERNANCE Methodologies
- COBIT (Control Objectives for Information and related Technology)
- ITIL (Information Technology Infrastructure Library)
- ISO standards: ISO/IEC 27002 (formerly ISO 17799, renamed July 2007) and ISO/IEC 27001

11 IT GOVERNANCE Information System Security
- Security is about managing risks
- Risk management covers opportunity and asset protection
- Provides value through business enablement and asset protection

12 IT GOVERNANCE
IT GOVERNANCE IS ABOUT: Control, Accountability, Responsibility, Authority
- Who defines the rules, and who is responsible for compliance with and monitoring of the rules

13 IT GOVERNANCE Often Confused with IT Management
- IT governance: who makes the decisions; getting the right people involved with IT decisions; not leaving it to IT
- IT management: making and implementing decisions consistent with the governance framework

14 IT GOVERNANCE Four Objectives: IT VALUE AND ALIGNMENT
- Creates the necessary structure and processes around IT to ensure that IT projects are aligned with the business goals and objectives

15 IT GOVERNANCE Four Objectives: RISK MANAGEMENT
- IT risks are often the same as business risks for the organization
- Therefore managing IT risk is paramount for the organization as a whole

16 IT GOVERNANCE Four Objectives: IT RISKS include
- Security risks arising from hackers and insiders
- Denial of service attacks
- Privacy risks from identity theft
- Recovery from disasters
- Resiliency of systems from outages and project failures

17 IT GOVERNANCE Four Objectives: ACCOUNTABILITY
- At the end of the day, governance is about accountability.
- Current legislation holds senior management accountable for the integrity and credibility of financial systems and controls.
- IT management is held accountable for the return on investment in IT as well as the credibility of IT's controls

18 IT GOVERNANCE FRAMEWORK
- A formal methodology for establishing a corporate model for setting and delivering business strategy, measuring performance, managing risk, and establishing a corporate culture with ethical standards
- To fit within the governance framework, IS security must be aligned to deliver on the business strategy

19 IT GOVERNANCE Four Objectives: PERFORMANCE MEASUREMENT
- Accountability requires score keeping to measure how well the organization is doing

20 IT GOVERNANCE IS Security Policy
- Must clearly define roles and responsibilities for security, including owners, custodians, and managers
- Define the owners of business processes and data
- Define acceptable parameters for IT operations
- Define communications between owners and IT
- Define monitoring for compliance

21 IT GOVERNANCE IS Security Policy
- Policies must have effective processes (procedures) for implementation and compliance
- Require knowledge and support for maintenance (must change as requirements change)
- Security issues often arise from deficiencies in the procedures and people areas
- Awareness of individuals' responsibilities for security must be embedded within the culture of the organization from induction to exit

22 IT GOVERNANCE IS Security
- Needs to be integrated into the enterprise risk management framework, covering the whole enterprise
- Security awareness and responsibility must apply to those with external or temporary access rights to information systems as well as to permanent staff
- Must become part of the organization's culture, not an afterthought

23 IT GOVERNANCE Methodologies
- COBIT and the ISO/IEC 27001/27002 standards define what should be done
- ITIL provides the "how" from a service management perspective

24 IT GOVERNANCE Methodologies
- These "best" practices have been significant not from the audit perspective but from management's, for defining IT governance for the organization
- In private industry there are now regulatory requirements for effective information system controls: Sarbanes-Oxley, HIPAA

25 IT GOVERNANCE Methodologies
It's only a matter of time before the shareholders of government (taxpayers) demand the same of governmental agencies.

26 IT GOVERNANCE
It's not a question of IF but of WHEN. Government will be forced to implement IT governance, whether by legislation or by good management practices. The time to start implementing IT governance for the community colleges is NOW rather than LATER.

27 IT GOVERNANCE Who is Responsible?
- The Board of Directors / Executive Management
- Business process and data owners
- IT
- Auditors
The Board of Directors and Executive Management must take ownership of IT governance and set its direction

28 COBIT
- IT governance in simple terms is management's policy for controlling IT's strategic impact and value for the organization
- A structure and set of processes and related procedures to aid in providing effective IT services to the organization and in monitoring the IT process

29 COBIT
- COBIT is the most recognized framework for support of IT governance
- The Office of State Auditor has selected COBIT as the framework for IS audits of state agencies

30 COBIT
- Based on best practices
- Focuses on the processes of IT
- Provides for IT performance assessment and monitoring

31 COBIT
- Effective IT governance would actually build a framework using all three of the above methodologies
- For our discussion today, we will focus on COBIT since it provides the best overall control practices and framework
- COBIT provides more detail than ITIL and the ISO standards for developing IT governance

32 COBIT
- ITIL: provides best practice for service management and delivery; does not cover the strategic impact of IT or the relation between IT and business processes
- ISO/IEC 27001 and 27002: focus is on security; do not provide for planning and delivery of IT services

33 COBIT
- COBIT 4.0 released in 2005
- COBIT 4.1 released May 2007
- Downloadable from the ISACA website (www.isaca.org)
- Set of 34 high-level control objectives containing 215 detailed control objectives, reduced from 314 in previous versions

34 COBIT
Control objectives are grouped into four main domains:
- Planning and Organizing
- Acquisition and Implementation
- Delivery and Support
- Monitoring

35 COBIT Planning and Organizing
- Strategy planning
- Communications strategy management
- Risk management
- Resource management

36 COBIT Acquisition and Implementation
- Identify, develop or acquire, and implement solutions to business processes
- Management of the life cycle of systems through maintenance, enhancements, and retirement

37 COBIT Delivery and Support
- Service and support, including performance and security
- Training

38 COBIT Monitoring
- All processes needed to regularly assess compliance with control requirements
- Addresses management's oversight of the organization's control processes
- Self-assessments, internal and external audit

39 COBIT
- Provides management and business process owners with an IT governance model that helps in delivering value from IT and in understanding and managing the risks associated with IT
- Helps bridge the gaps between business requirements, control needs, and technical issues

40 COBIT
Is a control model to meet the needs of IT governance and ensure the integrity of information systems and data

41 COBIT Who Uses It?
- Those who have primary responsibility for business processes and technology
- Those who depend on technology for relevant and reliable information
- Those who provide quality, reliability, and control of information technology

42 COBIT Who Uses It?
- COBIT is used not only by the IT department, but by the organization as a whole, including business process and data owners
- Provides business process owners with a framework to control activities for IT
- Provides management with a set of tools for self-assessment and monitoring of the IT function

43 COBIT Why Use It?
COBIT is business oriented; therefore using it to understand IT control objectives, deliver IT value and manage IT-related business risks is straightforward

44 COBIT Management Guidelines
- Provide tools for management to perform self-assessments and make choices for control implementation and improvement over the organization's information and related technology
- Guidelines are provided for each of the 34 IT processes, from a management and performance measurement perspective

45 COBIT Management Guidelines
- Tools provided by the guidelines support management's decision-making process
- COBIT 4.0 and 4.1 integrate the management guidelines with the control objectives in one publication

46 COBIT Overall
- COBIT is a management tool for IT controls, not just an audit tool
- COBIT provides management, auditors and users with a set of generally accepted measures, indicators, processes and best practices to assist the organization in maximizing the benefits derived through the use of information technology and in developing IT governance and controls

47 COBIT
Helps management, auditors, and users understand the organization's IT systems and decide the level of security and controls necessary to protect the organization's assets through the development of an effective IT governance model

48 COBIT Product Family
The complete COBIT package is a set of six publications:
- Executive Summary
- Framework
- Control Objectives
- Audit Guidelines
- Implementation Tool Set
- Management Guidelines

49 COBIT Product Family: Executive Summary
Consists of an Executive Overview which provides a thorough awareness and understanding of COBIT's key concepts and principles

50 COBIT Product Family: Framework
- Explains how IT processes deliver the information that the business needs to achieve its objectives
- Delivered through the 34 high-level control objectives, one for each IT process, contained in the four domains

51 COBIT Product Family: Framework
Identifies which of the seven information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability), as well as which IT resources (people, applications, information, and infrastructure), are important for the IT processes to fully support the business

52 COBIT Product Family: Control Objectives
Statements of desired results or purposes to be achieved by implementing the 214 specific, detailed control objectives throughout the 34 IT processes

53 COBIT Product Family: Audit Guidelines
Outline and suggest actual activities to be performed for each of the 34 high-level IT control objectives, while substantiating the risk of control objectives not being met

54 COBIT Security Baseline
- Information security is a key aspect of IT governance
- COBIT covers security in addition to the other risks that can occur with the use of IT
- The COBIT-based security baseline provides key controls for security
- The COBIT Security Baseline, 2nd Edition, has been updated and aligned with COBIT 4.1

55 COBIT Security Baseline
Gaps in security are usually caused by:
- Lack of a comprehensive and maintainable risk and threat management process
- New vulnerabilities resulting from the widespread use of new technologies
- Lack of maintenance to assure all patches are promptly applied

56 COBIT Security Baseline
Gaps in security are usually caused by:
- Increased networking and mobile working
- Lack of security awareness
- Insufficient discipline when applying controls
- New and determined efforts of hackers, fraudsters, criminals, and terrorists

57 COBIT Security Baseline
Gaps in security are usually caused by:
- Changing legislative, legal and regulatory security requirements
Anyone doubting the significance of information security should take a moment to consider the potential impact of a security incident personally, or on the organization or working environment

58 COBIT Security Baseline
Impact of a security incident:
- Availability: information is no longer available when and where required
- Integrity: information is corrupt or incomplete
- Confidentiality: information is exposed to unauthorized individuals

59 COBIT Security Baseline
- There is no such thing as 100% security, but by following the advice in the COBIT Security Baseline and maintaining an awareness of security-related risks and vulnerabilities, an effective level of security can be achieved
- Security is NOT a one-time effort; the IT environment keeps changing, and new security risks can arise at any time

60 COBIT Security Baseline
Good security does not necessarily mean a large amount of time or expense. By raising awareness, recognizing the risks that can occur and taking sensible precautions when using IT, security can be achieved with little effort.

61 COBIT Security Baseline
Good security will improve an organization's reputation, build its confidence and increase the trust of others with whom business is conducted, and even improve efficiency by avoiding the time and effort wasted recovering from a security incident

62 COBIT Security Baseline
- References to the ISO standards show that the baseline aligns with the standard and also provide links to further guidance
- The cross-referencing to COBIT provides links to more detailed generic guidance on each of the 44 key control objectives that can be tailored for IT security

63 COBIT Security Baseline
- Focuses on the most essential information security steps
- The 44 most important security-related objectives have been extracted from the COBIT framework and are presented in this guide
- Provides key control objectives and suggested minimum control steps, cross-referenced to the COBIT processes and control objectives

64 INFORMATION SECURITY
- Security relates to the protection of valuable assets against unavailability, loss, misuse, disclosure or damage
- Information must be protected against harm from threats leading to different types of impact, such as loss, inaccessibility, alteration or wrongful disclosure
- Threats include errors and omissions, fraud, accidents, and intentional damage

65 INFORMATION SECURITY
- The objective of information security is protecting the interests of those relying on information, and on the systems and communications that deliver the information, from harm resulting from failures of availability, confidentiality, and integrity
- The amount of protection required depends on how likely a security risk is to occur and how big an impact it would have if it did occur (risk assessment)

66 INFORMATION SECURITY
"Information security provides the management processes, technology and assurance to allow business management to ensure business transactions can be trusted; ensure IT services are usable and can appropriately resist and recover from failures due to error, deliberate attacks or disaster; and ensure critical confidential information is withheld from those who should not have access to it."
Dr. Paul Dorsey, Director, Digital Business Security, BP PLC, UK

67 INFORMATION SECURITY: COMPUTER SECURITY
"A computer is secure if you can depend on it and its software to behave as you expect."
Dr. Eugene Spafford, Professor and Executive Director, Purdue University Center for Education and Research in Information Assurance and Security

68 IIPS FALL CONFERENCE 2007
QUESTIONS?

