August 9, 2005UCCSC Converting Policy to Reality Building Campus Security Programs Karl Heins -- Director of IT Audit Services Office of the University Auditor UC Office of the President

August 9, 2005UCCSC Converting Policy to Reality Building Campus Security Programs Why Security Programs Are Important New Legal Requirements –CA Privacy Law -- SB1386 –HIPAA –SOX Increasing Threats Trends –Automation; speed of attack tools –Increasing sophistication of attack tools –Faster discovery of vulnerabilities –Increasing permeability of firewalls –Increasing asymmetric threat –Increasing threat from infrastructure attacks Increasing Use of Technology

August 9, 2005UCCSC Converting Policy to Reality Building Campus Security Programs COSO Components for Governance Control Environment –Board, Management and Employee commitment to internal controls Risk Assessment –Identification and analysis of risk exposures Control Activities –Detective Controls –Preventive Controls Information and Communication –Information is captured and reported timely Monitoring –Oversight and evaluation of control effectiveness –Reporting and acting on deficiencies

August 9, 2005UCCSC Converting Policy to Reality Building Campus Security Programs Audit’s Role -- Security’s Role Auditors – Evaluating the effectiveness of control systems, and contribute to ongoing effectiveness. Often a significant monitoring role. Chartered by Board Management, including Security Professionals are responsible for the system of internal controls. As delegated by Board

August 9, 2005UCCSC Converting Policy to Reality Building Campus Security Programs Work of Auditors Focus on Controls –Financial Controls –Compliance with Laws, Regulations and Policy –Efficiency and Effectiveness Types of Work –Audits –Investigations –Advice and Consultation

August 9, 2005UCCSC Converting Policy to Reality Building Campus Security Programs Where you do not have Authority, tips to Influence Standing Logic Outside Expert Passion