Audit on IT System Management -Focusing on how to audit IT systems -

Slides:

Advertisements

Similar presentations

WV High Quality Standards for Schools

Advertisements

Secure Systems Research Group - FAU Process Standards (and Process Improvement)

1 Guidance for the American Recovery and Reinvestment Act of 2009 By David G. Bullock, Partner Macias Gini & O’Connell LLP.

 Capacity Development; National Systems / Global Fund Summary of the implementation capacities for National Programs and Global Fund Grants For HIV /TB.

1  AGA-DC and GWSPCA 6 th ANNUAL CONFERENCE OMB Circular A-123, Appendix A Internal Control Over Financial Reporting Innovative Approaches Jerome A. Vaiana.

Commonwealth of Dominica Presenter: Yvonne Alexander Assistant Superintendent of Police.

Managing the Information Technology Resource Jerry N. Luftman

Cyberspace and the Police Mamoru TAKAHASHI Head of Computer Forensic Center, Hi-tech Crime Technology Division National Police Agency, Japan.

Quality evaluation and improvement for Internal Audit

Stephen S. Yau CSE , Fall Security Strategies.

Cloud Computing Guide & Handbook SAI USA Madhav Panwar.

Information Technology Service Management

1 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING Reducing your Risk Profile MIDWEST DATA RECOVERY INC.

Overview of Systems Audit

“Building sustainable capabilities across all phases of Emergency Management in Kansas through selfless service” KDEM EMPG 2012 OVERVIEW 13 September 2011.

ISA 562 Internet Security Theory & Practice

Workshop on Programming in support of Anti-Corruption Agencies Bratislava, 30 June - 1 July 2009 A methodology for capacity assessment of AC agencies:

Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.

Consultant Advance Research Team. Outline UNDERSTANDING M&E DATA NEEDS PEOPLE, PARTNERSHIP AND PLANNING 1.Organizational structures with HIV M&E functions.

Recreation & Security HPR 413. General Security Must encompass all operations of the organization Should be written into management plans – Plans include.

Disaster Recovery Planning (DRP) DRP: The definition of business processes, their infrastructure supports and tolerances to interruptions, and formulation.

Internal Audit Agency Integrity + Professionalism INTERNAL AUDIT AGENCY ISACA Presentation 15 July, 2013 Alisa Hotel, ACCRA.

EECS David C. Chan1 Computer Security Management Session 1 How IT Affects Risks and Assurance.

Islamic Republic of IRAN’s Training Course: Waste Management Auditing Based on INTOSAI Working Group on Environmental Auditing Handbook: Towards Auditing.

SAI - JAPAN SAI-Japan's Recent Trends in IT Audit Mt. FUJI Hideki F U J I Senior Deputy Director, Water Resources Audit Division / IT Audit Counsellor.

Donald JG Chiarella, PhD, CISM, CDMP, PEM, CHS-CIA, MBA.

Cyber Security Phillip Davies Head of Content, Cyber and Investigations.

25th Meeting of the INTOSAI Working Group on IT Audit Brasilia, Brazil, April 25 – 26, 2016 Madhav Panwar - US, GAO Report on WGITA IDI Handbook on IT.

Community Health Centers of Arkansas Hazard Vulnerability Assessment Workshop August 11, 2017 Mark Fuller.

IT Service Transition – purpose and processes

Internal Control Principles

Presenter: Mohammed Jalaluddin

CPA Gilberto Rivera, VP Compliance and Operational Risk

Project Management Body of Knowledge PMBOK

MANAGEMENT of INFORMATION SECURITY, Fifth Edition

Information Technology (IT) Audits

By The Department of Import and Export

Review of proposed outline for handbook

Cisco Data Virtualization

Integrated Management System and Certification

Duncanville ISD Curriculum Update

Project Integration Management

Michigan Department of Education

Project Management and Information Security

Organization and Knowledge Management

Introduction to the Federal Defense Acquisition Regulation

Self Identified Issues

Information Technology Service Management

I have many checklists: how do I get started with cyber security?

Internal control - the IA perspective

Mary W. Anaya Stephanie R. Gallegos November 19, 2008

Cybersecurity Special Public Meeting/Commission Workshop for Natural Gas Utilities September 27, 2018.

As we reflect on policies and practices for expanding and improving early identification and early intervention for youth, I would like to tie together.

Safety Management System Implementation

IT Audit Capacity Building

Introduction to: National Response Plan (NRP)

QUALITY ASSURANCE AND IMPROVEMENT PROGRAM

Planning for IT Audit Session 4.

Comptroller and Auditor General of India

Developing and testing the Plan

Assessment of Service Outcomes

INPUT OUTPUT ASSURANCE

Roles of District Community-Directed Intervention (CDI) Team Members

IT OPERATIONS Session 7.

Manage Business Continuity Introductory Brief

The Survival Plan.

SAI Japan's audit results on leaks of individual information

ECA Quality Control Arrangements

Presentation transcript:

Audit on IT System Management -Focusing on how to audit IT systems - Workshop Paper on The 13th Working-level Meeting for the SAIs of China, Japan, and Korea July 10-12, 2017

A recent trend of Japanese IT audit cases ---Angles and Areas--- For 27th WGITA meeting at Sydney SAI-JAPAN Board of Audit of Japan Daisuke Sakuraba Auditor Agricultural Infrastructure Audit Division, ASTRA

Before starting Daisuke Sakuraba means “Minister of Cherry garden” From ASTRA Means “IT Audit Skill-up TRAining team” Has educated 46 members in 1,244 staffs Have attended WGITA meetings since 2006 You may know Eri, Kae, Michiko, Shimon, Fujii and Tommy →　Remember ASTRA please !!

Today’s goal Sharing our characteristic IT audit results from recent special reports Showing our angles for IT audit with mapping on WGITA’s context

Contents Recent large scale of IT projects and incidents in Japanese Gov. Our special audit reports Recent trend of SAI-Japan’s audit results -Comparisons with WGITA–IDI handbook on IT audit for SAIs- Conclusion

Recent large scale of IT projects and incidents in Japanese Gov.

1. Recent large scale of IT projects and incidents of Japanese gov. New Social Security and Tax Number System (2017) Leaks of personal information from the Japan Pension Service (2015)

New Social Security and Tax Number System(SSTNs) 【Context】 Before this system, different ID numbers for social security and tax were given and operated by different agencies and their own systems. Key tags were only address and name, accordingly IDs were not perfectly coordinated Creating brand new system would cost too huge money because more than 5000 entities should renew the systems Accordingly, decided to build a only coordinating system with creating new common ID number tying both of the social security data and tax information

【New System】 Budget : 420 million $(2014) 570 million $(2015) 460 million $(2016) 　　　total 1.45 billion $ By 2017, they were building cooperating system among 190 systems of 170 organizations Issuing ID card with the photo if you want

Structure of SSTNS Complicated cooperation among huge number of stake holders Portal Site Internet storage Connecting by codes IT System of inter-LGs. Codes My Numbers Identification System system Number, personal data… Number, personal data,… Server Number Data Welfare Data Tax Data Address Data Citizen Core System Notification Entity A Entity B Local Governments Gov. Shared System

Leaks of personal information from the Japan Pension Service In May 2015, personal information of about 1,250,000 people related to the National Pension was leaked by the attack of Advanced Persistent Threats The Japan Pension Service has already given new numbers to the people and several improvement plans were conducted The restoration of the reliability on the system and the foundation itself should be needed

We conducted special audits on these special project and incident !!

2. Our special audit reports

2. Our special audit reports New Social Security and Tax Number System(SSTNs) SSTNs operations in local entities Reports on the IT projects in local areas funded by the grants related to the introduction of The Social Security and Tax Number System (Special report to the Diet and the Cabinet, FY2017) SSTNs coordination in central government Reports on the progress of the arrangement of relevant IT systems related to the introduction of The Social Security and Tax Number System (Special report to the Diet and the Cabinet, FY2017)

Leaks of personal information from the Japan Pension Service After the information leak Reports on the state of implementation of information security policies concerning the personal information within the National Pension System and the impacts on the operations of the Foundation of the Japan Pension Service made by the information leaks (Special report to the Diet and the Cabinet, FY2016)

SSTNs operations in local entities Reports on the IT projects in local areas funded by the grants related to the introduction of The Social Security and Tax Number System (Special report to the Diet and the Cabinet, FY2017) 【Audit findings (Excerpt) 】 Too tight schedules and less know-how tended to cause operational delays The specification sheets for 1,173 systems (28.0%) in MIC and 3,201 systems (27.9%) in MHLW totally lacked the the requirements for results

【Recommendations(excerpt)】 More guidance concerning specification sheet, estimate sheet, and schedule planning know-how for system tests should be provided with the staffs of local governments To prevent occurrence of delay, more careful supports and supervisions to the local government staffs by relevant ministries are needed

SSTNs coordination in central government Reports on the progress of the arrangement of relevant IT systems related to the introduction of The Social Security and Tax Number System (Special report to the Diet and the Cabinet, FY2017) 【Audit findings (Excerpt) 】 Time-lag in data synchronization and insufficient utilization of intermediate servers were likely to reduce the effectiveness of SSTNs Lack of the necessary data item for coordination in the guidance caused and 1 year delay of start in 127/190 systems of 127/170 entities Lack of identification of necessary data caused 1 year delay of cooperation starting in 127/190 systems

【Recommendations(excerpt)】 More careful reviews on operation process, more correct requirement definition, and more appropriate information sharing procedures with contractors should be required. The directing ministries must instruct more communication and more information sharing among relevant entities.

After the information leak Reports on the state of implementation of information security policies concerning the personal information within the National Pension System and the impacts on the operations of the Foundation of the Japan Pension Service made by the information leaks (Special report to the Diet and the Cabinet, FY2016) 【Audit findings (Excerpt) 】 Security polices were not updated in appropriate timing before the incident Meaningful information collected in the recovering process was not properly utilized in the amendment of data Personal data which should be stored in the secured server was found in the HDD even after the incident

【Recommendations(excerpt)】 Quick synchronization of security policies and better way of operations should be discussed Effectiveness of information security audits, supervising, and internal audits should be improved

---Comparisons with WGITA–IDI handbook on IT audit for SAIs--- 3. Recent trend of SAI-Japan’s audit results ---Comparisons with WGITA–IDI handbook on IT audit for SAIs---

---Comparisons with WGITA–IDI handbook on IT audit for SAIs--- 3. Recent trend of SAI-Japan’s audit results ---Comparisons with WGITA–IDI handbook on IT audit for SAIs--- Auditable IT areas suggested in the handbook IT Governance Development & Acquisition IT Operations Outsourcing Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) Information Security Application Controls Additional Topics of Interest

Audit viewpoints in each area suggested in the handbook IT Governance Business Needs Identification, Direction & Monitoring IT Strategy Organizational Structures, Policy, & Procedures People & Resources Risk Assessment and Compliance mechanisms Development & Acquisition Requirements Development & Management Project Management & Control Quality Assurance & Testing Solicitation Configuration Management IT Operations Service Management Capacity Management Problem & Incident Management Change Management

Outsourcing Outsourcing Policy Solicitation Vendor or Contractor Monitoring Data Rights Overseas Service Provider Retaining Business Knowledge/ Ownership of business process Cost control and management Service Level Agreement Security Back-up and disaster recovery for outsourced services Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) Business Continuity Policy Organization of Business Continuity Function Business Impact Assessment Disaster Recovery Plan Environment Control Documentation Testing the BCP/DRP

Information Security Risk Assessment Information Security Policy Organization of IT Security Communications & Operations Management Assets Management Human Resources Security Physical Security Access Control Application Controls Input Processing Output Application Security Additional Topics of Interest Websites/portals Mobile computing Forensics Audit (or Computer Forensics) e-Gov E-commerce

Almost all of these aspects are covered in our IT audit process, but… →　From which areas are the findings mostly found in our recent audit special reports ?

SSSTNs operations in local entities Cooperation with and within SSTNs Comparisons with WGITA–IDI handbook on IT audit for SAIs Auditable areas SSSTNs operations in local entities (FY2017) Cooperation with and within SSTNs After the incident (FY2016) IT Governance ○ ◎ Development & Acquisition IT Operations Outsourcing Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) Information Security Application Controls Additional Topics of Interest

4. Conclusion Our recent special IT audits reported findings in Development & Acquisition, IT operations , Outsourcing, and Information Security areas Particularly, problems related to cooperation failures in aligning behavior systems