USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

Topic Introduction
- This presentation will highlight areas of focus for the upcoming USG Information Security Program Audit that will be conducted at the University System Office.
- OIAC will be working closely with the USO and the USG CISO.
- Some institutional involvement will be essential during the course of this audit.
- Expectations of the audit and examples of artifacts (to drive successful audit outcomes) are derived from the IT Handbook Sections 3 & 5 and the Audit Expectations Workbook.

Topic Objectives
- Objective 1: Raise awareness of the audit, as institutional involvement may be required.
- Objective 2: Provide a sneak preview, as the procedures are still in development (more soon).
- Objective 3: The final plan will be distributed accordingly upon its completion.

Background Information: Board of Regents 11.3 Information Security Policy
- General Policy
- System-Level Activities
- Institutional Responsibilities

General Policy
- The USO, all USG institutions, and the GPLS shall create and maintain an internal information security technology infrastructure consisting of an information security organization and program that ensures the confidentiality, availability, and integrity of all USG information assets.

System-Level Activities
- The USG CISO shall:
  - develop and maintain an information security organization and architecture for support of information security across the USG and support of activities between institutions.
  - maintain information security implementation guidelines that the USO, all USG institutions, and the GPLS should consider in the development of their individualized information security plans.

Institutional Responsibilities
- Ensure appropriate and auditable information security controls are in place.
- Develop, implement, and maintain an individualized information security plan and submit it for periodic review.
- Methods for ensuring that information regarding the applicable laws, regulations, guidelines, and policies is distributed and readily available to its user community shall be included in the individualized information security plan.
- Clear procedures for reporting and handling of information security incidents shall be followed. These procedures shall include reporting of incidents to the USO in a timely manner, and shall be documented in the individualized information security plan.
Source: BOR Policy Manual

Background Information: Board of Regents 11.3 Information Security Policy
- We all play respective roles in 11.3 policy adherence.
- One step toward adherence is the upcoming USG Information Security Program Audit.

USG Information Security Program Audit
Timeline:
- Planning phase: In progress
- Field work: Will begin Summer 2014
Areas of Focus:
- Information Security Management
- Information Security Operations

Areas of Focus: Information Security Management
1. Governance
2. Risk Assessment (procedures still being developed)
3. Policies
4. IT Security Plan

1. Governance
- Objective: Processes are in practice to assure applicable management oversight of the information security function.
- Purpose: Information security governance is to ensure that the USO, SSC, USG, Georgia Archives and GPLS are proactively implementing appropriate information security controls to support their mission in an effective manner, while managing evolving information security risks.

1. Governance
Expectations for Audit:
- A security governance committee/security steering committee exists.
- The security steering committee includes representation from key functional areas.
- Committee members regularly attend committee meetings.
- A security management communication process exists and reporting lines are clearly established.

1. Governance
Example Artifacts:
- Security governance committee/security steering committee charter
- Charter membership list
- Meeting schedule
- Minutes of selected committee meetings
- Verification of communication process

2. Risk Assessment
Expectations for Audit:
- Risk assessments are regularly conducted to prioritize information security initiatives and ensure alignment with business risks.
Example Artifacts:
- Recent risk assessment documents

3. Policies
- Objective: Policies are created according to a defined format and are distributed following a distribution list based on subject matter and relevance, and the scope of the policies is appropriate to ensure that information security is adequate to address the organization's risk tolerance.

3. Policies
Expectations for Audit:
- Information security policies are adequate and complete.
- Communication practices for disseminating information security policies are adequate.

3. Policies
Example Artifacts:
- Security policy documents:
  - An agreement to comply with information security policies (internal to IT/external to IT)
  - Appropriate Use Policy
  - Laptop/desktop computer security policy
  - Internet usage policy
  - Firewall policy
  - Security policy
- Proof of policy awareness/communications
- Location/site of the readily available policies

4. IT Security Plan
Objective:
- Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture.
- Ensure that the plan is implemented in security policies and procedures, together with appropriate investments in services, personnel, software and hardware.
- Communicate security policies and procedures to stakeholders and users.
- The security plan is reviewed on a regular basis to determine that it is updated to reflect changes to the operating environment and new threats.

4. IT Security Plan
Expectations for Audit:
- There exists a Security Plan by which the security strategic plan is operationalized or implemented.
- Adequacy and completeness of the Security Plan.
- The Security Plan is reviewed on a regular basis to determine that it is updated to reflect changes to the operating environment and new threats.

4. IT Security Plan
Example Artifact:
- A copy of the IT security plan, including version history

Areas of Focus: Information Security Operations
1. Security Testing and Monitoring (procedures still being developed*)
2. Incident Management: Response and Monitoring (procedures still being developed*)
3. Endpoint Security Management (procedures still being developed*)
4. Security Awareness, Training, and Education
*Procedures will be developed in accordance with the IT Handbook Section 5 update as it is published.

4. Security Awareness, Training, and Education
Objective:
- One of the objectives/goals of the ITS Information Technology Strategic Plan 2010 is to increase the awareness of the workforce through a security awareness program. The USG cannot protect the confidentiality, integrity, and availability of information and information systems in today's highly networked environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them. (IT Handbook Section )

4. Security Awareness, Training, and Education
Expectations for Audit:
- There is a strong Security Awareness, Training, and Education program.
- Training is conducted annually and attendance is mandatory.
- Role-based security education and awareness needs have been identified and provided to those individuals within the organization that have unique or specific information security responsibilities.
- A record of completed and needed security training is maintained.

4. Security Awareness, Training, and Education
Example Artifacts:
- Copy of the Security Awareness, Training, and Education program
- Documented record of completed and needed security training

Summary: Example Artifacts, Thus Far
1. Security governance committee/security steering committee charter
2. Charter membership list
3. Meeting schedule
4. Minutes of selected committee meetings
5. Verification of communication process
6. Recent risk assessment documents
7. Security policy documents
8. Proof of policy awareness/communications
9. Location/site of the readily available policies
10. A copy of the IT security plan, including version history
11. Copy of the Security Awareness, Training, and Education program
12. Documented record of completed and needed security training

Points of Contact
- Kenyatta Morrison, Director of Information Technology Audit. Office:
- Cara King, Senior IT Auditor. Office:

Thank You