Auditing Your General Computing Environment Bruce Tong MCTP, CISA, PMP, ITIL-RCP Sr. Auditor (IT) Ohio University Internal Audit.


1 Auditing Your General Computing Environment
Bruce Tong, MCTP, CISA, PMP, ITIL-RCP
Sr. Auditor (IT), Ohio University Internal Audit

2 NIST Framework
OIT selected the NIST Framework
- Free, comprehensive, required for some federal grants
- Approach: identify a service, choose the controls that apply
- NIST 800-53 is a very large catalog of controls
View: your general computing environment is an IT service that you provide to your college/department/office/team
- Thus, Internal Audit uses NIST 800-53 to identify controls to evaluate as part of your general computing environment

3 Your General Computing Environment
- Workstations
- Laptops
- Tablets
- Shared Storage
- Networking Equipment*
- Software
- Kiosks & Lab Computers
- Phones
- Copiers
- Scanners
- USB Devices
- Removable Media
- Projectors
- Web Site
* OIT’s stuff is out of scope.

4 Auditing – Trust But Verify
Auditor required to collect evidence
- Less stringent than legal evidence
- Less stringent than peer-reviewed academic research
- Enough to draw a reasonable conclusion
- Generally more than an interview
Please don’t be offended by requests.

5 B0: Questionnaire
Discovery of preliminary information
- What laws, grants, contracts apply?
- What policies and procedures exist?
  - Policy ~= standard or requirement
  - Procedures ~= steps to accomplish something (such as meeting policy)
  - Formal (written) vs. informal (verbal)
- Who is responsible for what?
- Are there any outsourced IT services?

6 B1: Policies and Procedures
Review policies
- Do they cover everything important?
- Are they too informal?
Review and test procedures
- Are they being followed?

7 B2: IT Procurement
Review purchases
- Does everything look reasonable?
- Are there outsourced services?
- Are the Procurement Office’s processes being followed?
- Are they buying tablets?
- Are they buying Dropbox? (Or other alternatives to Box)
- Are they buying printers, toner, or ink cartridges?

8 B3: Wireless Access Points
- Has OIT found any rogue wireless access points?
- Can I find any rogue wireless access points?
  - If so, can I get into them?
  - If so, what can I find?

9 B4: Web Site
Review departmental web sites
Manual review
- Where is the site hosted?
- Are there any dynamic pages?
- Are there any protected pages? (Require authentication)
- Are there any web applications?
- Can I safely turn Identity Finder loose?
Identity Finder
- Scan for sensitive data

10 B5: Information Security Training
Review training records
- Do employees who work with sensitive data get periodic refresher training?
Plug: “Securing the Human” from the Information Security Office

11 B6: Active Directory Access Control
Review Active Directory groups
- Do the groups contain current employees?
- If somebody isn’t a current employee, who are they?
- Did any of the current employees change roles?
  - If so, do they still need access?
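As an added illustration of this review (not from the presentation), the PowerShell below compares exported group membership against an HR roster and flags members who are not on the roster, are not current employees, or whose role has changed. The group membership and roster records are constructed sample data; in a real review they would come from Get-ADGroupMember / Get-ADUser and an HR export.

```powershell
# Constructed sample data (not live AD output). In a real review, populate with e.g.:
#   Get-ADGroupMember -Identity $GroupName -Recursive | Get-ADUser -Properties Title
# and an HR export of current employees and their current titles.
$groupMembers = @(
    [pscustomobject]@{ Group='Dept-FileShare-RW'; SamAccountName='asmith';     Title='Analyst' },
    [pscustomobject]@{ Group='Dept-FileShare-RW'; SamAccountName='bjones';     Title='Office Manager' },
    [pscustomobject]@{ Group='Dept-FileShare-RW'; SamAccountName='svc-backup'; Title='' },
    [pscustomobject]@{ Group='Dept-Admins';       SamAccountName='cdoe';       Title='IT Support' }
)
# Constructed HR roster: employment status and current role per account.
$hrRoster = @(
    [pscustomobject]@{ SamAccountName='asmith'; Status='Active';     Title='Analyst' },
    [pscustomobject]@{ SamAccountName='bjones'; Status='Terminated'; Title='Office Manager' },
    [pscustomobject]@{ SamAccountName='cdoe';   Status='Active';     Title='Student Worker' }
)

function Find-GroupMembershipExceptions {
    param(
        [Parameter(Mandatory)] [object[]] $Members,
        [Parameter(Mandatory)] [object[]] $Roster
    )
    # Index the roster by account name so each member lookup is a single hashtable hit.
    $byAccount = @{}
    foreach ($person in $Roster) { $byAccount[$person.SamAccountName] = $person }

    foreach ($m in $Members) {
        $person  = $byAccount[$m.SamAccountName]
        $finding = $null
        if (-not $person) {
            # Not on the HR roster: service account, contractor, or orphaned account. Identify it.
            $finding = 'Not in HR roster - identify who or what this account is'
        } elseif ($person.Status -ne 'Active') {
            # Access retained after separation: the classic access-control finding.
            $finding = "Not a current employee (HR status: $($person.Status))"
        } elseif ($person.Title -ne $m.Title) {
            # Role changed since access was granted: re-confirm the business need.
            $finding = "Role changed ('$($m.Title)' -> '$($person.Title)') - re-confirm need for access"
        }
        if ($finding) {
            [pscustomobject]@{ Group = $m.Group; Account = $m.SamAccountName; Finding = $finding }
        }
    }
}

# Produce the exception list for the auditor's working papers.
Find-GroupMembershipExceptions -Members $groupMembers -Roster $hrRoster | Format-Table -AutoSize
```

With the sample data, asmith produces no finding, while svc-backup, bjones and cdoe each appear once in the exception list.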

12 B7: Group Policy Objects (GPOs)
Review Group Policy Objects
- Do they assign administrative access?
  - If so, who are the administrators?
- Do they disable firewalls?
- Do they poke holes in firewalls?
- Do they disable Windows updates?

13 B8: Inventory
Perhaps the most important test: you can’t protect it if you didn’t know about it.
Review departmental inventories
- Are they keeping an inventory?
- If so, how up-to-date is it?
Conduct a physical inventory
- Find and identify every computing device.
- Update Active Directory (when possible).

14 B9: Physical Access Control
Review physical access controls
- If a sign says a room should be locked, is it locked?
- If a door has a special lock, why? And is it locked?
- Are valuable things being left unattended and open to the public?
- Are there alternative entrances that might not get locked at night?
- Are there open safes?
- Are there unsecured dangerous materials?
- Should there be an access log? Is there an access log?
- Should there be cameras? Are there cameras?

15 B10: Sensitive Data Protection
Review the Identity Finder console
- Is the client conducting scans?
Review shared storage
- Does Identity Finder detect anything?
Review workstations and laptops
- Does Identity Finder find anything?
Review tablets
- Someday.

16 B11: Software Updates
Review software updates
- Is the SCCM client installed? If not, why not?
- Is currently installed software up-to-date?
  - Adobe: Acrobat, Reader
  - Browsers: Chrome, Firefox
  - Java
  - Microsoft: Office, Silverlight
  - Sophos
- Is the operating system supported? (Windows XP)
- Is the operating system up-to-date?

17 B11: Software Updates (cont.)
Who is responsible for applying software updates?
- OIT? Maybe.
  - Do you have an MOU or SLA that says so?
  - Does it reside in the data center?
  - Otherwise, OIT says “We’ll help if you call.” OIT doesn’t want to “break” the business.
- Users? Maybe.
  - RCM says “the business” is ultimately responsible for its purchases/services.
  - Most users aren’t adequately trained for, or committed to, the task.
Internal Audit’s view
- In the absence of some agreement, all employees with “Administrator” access are jointly responsible, and the buck stops with their managers.

18 B12: Software Licenses
Review software licenses
- Do you know what licenses you have?
  - Bobcat Depot purchases are in the SoftCash system.
  - Purchases made via PCard?
  - Boxes of packaged software lying around?
- Are there licenses for all the software that is installed?
  - SCCM can tell what is installed.

19 B13: Public Computers
Review lab computers and kiosks
- Can you do “nasty” things anonymously?
- If you can work with sensitive data, can you store it locally?
  - If so, is there sensitive data lying around?
- Is the computer easily accessible?
  - If so, could I install a keystroke recorder?
- Is administrator access restricted?
- Are students storing homework on it? (academic dishonesty)
- Are students storing music and movies on it? (DMCA)

20 B14: Removable Media
Review the use of removable media (discs, tapes, external drives, USB sticks)
- Are they being used as part of some business process?
  - Offsite backups
  - Transfer data to other departments
  - Transfer data to other institutions
- Is sensitive data involved?
  - Is it encrypted?

21 B15: Departmental Firewall
Review departmental firewalls
- Are there any departmental firewalls?
- If no firewall is present, evaluate whether there should be one.
- If a firewall is present, review the firewall rules.

22 B16: IT Service Level Agreements
Review IT SLAs and MOUs
- Are they current?
- Are the terms being met?
- Are the terms adequate?

23 B17: Business Continuity Planning
Review the Business Continuity Plan (BCP)
- Is there a BCP on file with Risk Management & Safety?
- If so, has the BCP checklist been completed annually?
For reference:
- BCP = how will we keep “the business” going during a disaster.
- Business = admitting students, conducting classes, etc.
- Disaster Recovery (DR) = how will we restore IT services: workstations, printers, network, SIS, Blackboard, Workforce, Oracle FMS, classroom computers, shared storage, etc.

