Information Technology Audit Process Business Practices Seminar Paul Toffenetti, CISA Internal Audit 29 February 2008.

Presentation transcript:

1 Information Technology Audit Process. Business Practices Seminar. Paul Toffenetti, CISA, Internal Audit. 29 February 2008

2 Overview
- What is Internal Audit?
- IT Audit Process
- Common IT Audit Observations
- So What Should We Do?
- Questions

3 Authority and Policies: What is Internal Audit? Internal auditing is an independent, objective assurance and advisory activity designed to add value and improve an organization’s operations. Internal Audit helps organizations accomplish their objectives by evaluating business risk and controls and, where appropriate, offering recommendations to improve risk management and governance processes.

4 Audit Process
- Planning
- Testing
- Reporting
- Follow-up

5 Planning
- Annual Risk Assessment
- Preliminary Audit Plan
- Board of Visitors Approval
- Notification and Request for Information
- Understand Your Risks and Controls
- Opening Conference

6 Testing
- Security
- Backup & Recovery
- Resource Management
- Web Site

7 Security Testing: Remote Vulnerability Scans
- Servers
- Printers
- Routers
- Workstations
- Laptops
If it’s on the network we scan it! (Nmap & Nessus)

8 Security Testing: On-Site, Follow-up Vulnerability Tests
- Workstations
- Laptops
- Servers
We Test Computers That May Have Security Vulnerabilities! (WinAudit, MBSA, CIS Tools & Benchmarks)

9 Backup & Recovery Testing: You Must Have Effective Controls to Back Up & Recover “Critical Data”

10 Resource Management Testing: Computer Hardware & Software, Procurement through Surplus

11 Web Site Testing
- University Relations Web Guidelines & Procedures
- Web Development Best Practices
- Content Recommendations
- Templates
- Privacy Statement (Policy 7030)
- Web Server & Application Security

12 Reporting: Observations. When Unexpected Results are Noted, We Solicit Your Comments

13 Reporting: Recommendations. We May Recommend Opportunities To Improve Your Controls

14 Reporting: Management Action Plans. You Develop Plans, Schedules, and Priorities To Implement Solutions

15 Reporting: A Final Report is Sent to The Board of Visitors

16 Follow-Up
- Follow-Up Actions are Based on Your “Management Action Plan”
- Progress is Monitored
- Some Re-Testing May be Necessary
- Board of Visitors is Updated
- Audit is Closed

17 Common Audit Observations: Weak Security Settings (Windows Operating System)

18 Common Audit Observations: Missing Security Patches (Operating Systems, Applications, Databases)

19 Common Audit Observations: Misconfigured Anti-Malware Tools (Out-of-Date Threat Signatures, Scans Not Scheduled)

20 Common Audit Observations: Inadequate Access Controls (Weak Passwords & File Permissions)

21 Common Audit Observations: Open Communication Ports, The Hacker’s Point of Entry

22 Common Audit Observations: “The System Administrator’s Dilemma”. How Much Risk is Senior Management Willing to Accept? Security vs. Convenience

23 So What Should We Do?
- Harden Security Settings
- Keep Everything Patched
- Install and Use Anti-Malware Tools
- Enforce Strong Passwords
- Close or Filter Communication Ports
- Test Your Systems
- Support Your System Administrator!
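Slides 7, 21 and 23 describe scanning everything on the network with Nmap and treating unexpected open ports as an audit observation. The script below is an added example, not material from the deck: it reads Nmap's grepable (-oG) output and reports open TCP ports that fall outside a per-role baseline; the baseline, host roles and scan lines are constructed assumptions.

```python
"""Audit check: flag open ports outside an approved baseline, using Nmap
grepable (-oG) output as evidence. Baseline, roles and scan lines are
constructed for illustration; they are not from the presentation."""
import re

# Constructed approved listening ports per host role (assumption).
BASELINE = {
    "web": {80, 443},
    "workstation": set(),        # nothing should listen on a workstation
    "fileserver": {445},
}

# Constructed role assignment for the scanned hosts (assumption).
ROLES = {"10.0.0.5": "web", "10.0.0.20": "workstation", "10.0.0.30": "fileserver"}

# Constructed sample lines in Nmap -oG format (fields are tab-separated).
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 10.0.0.20 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (998)
Host: 10.0.0.30 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
"""

# port/state/protocol/owner/service/... : keep only entries in state "open"
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)/")

def parse_grepable(text):
    """Return {host: [(port, proto, service), ...]} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip comment and summary lines
        m = re.match(r"Host: (\S+)", line)
        parts = line.split("Ports:", 1)
        if not m or len(parts) < 2:
            continue                      # host line without a Ports field
        hosts[m.group(1)] = [(int(p), proto, svc)
                             for p, proto, svc in PORT_RE.findall(parts[1])]
    return hosts

def audit_observations(scan_text, roles=ROLES, baseline=BASELINE):
    """(host, port, service) for every open TCP port not in the host's baseline.
    A host with no known role gets an empty baseline, so all its ports are flagged."""
    findings = []
    for host, ports in parse_grepable(scan_text).items():
        allowed = baseline.get(roles.get(host, ""), set())
        for port, proto, svc in ports:
            if proto == "tcp" and port not in allowed:
                findings.append((host, port, svc))
    return findings
```

Each finding maps directly to the deck's "Open Communication Ports" observation and to the "Close or Filter Communication Ports" action item for the system owner.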

24 Questions “Success Redefined”
