Office of Internal Audit
    and Compliance




                            IT Auditing Overview

                           CIO Advisory Counsel Meeting
                            Spring 2011 - Savannah, Ga.
Session Guide


        • Erwin (Chris) L. Carrow
        IT Audit Director; M.Div., MSIS, CISSP, INFOSEC, CCAI, CCNP, CCSP, CQS, CCNA, LCP,
            LCI, OCM, MCSE, MCP+I, LSS Green Belt, etc. (Alphabet soup – who cares?!)
          Board of Regents, University System of Georgia
          Office of Internal Audit and Compliance
          270 Washington Street S.W., Ste. 7087 Atlanta, GA 30334
          (404)657-9890 Office, (678)644-3526 Cell, (404)463-0699 Fax
          Email: erwin.carrow@usg.edu ecarrow@gmail.com ecarrow@google.com
          http://www.linkedin.com/in/thebishop
          Twitter: @ecarrow
          Skype: erwin.louis.carrow



                                                                                        2
Session Agenda
                           (22 Slides – unless additional needs for clarity)

    Quick Overview – Audit Methodology (slides 1-15)
    Assessment Lifecycle & Applying Controls (slides 16-18)
    Overview & Summary (slides 19-22)
   ______________________________________________________________
    Terminology & Context of Security Implementation (slides 23-27)
              Securing Business Functions
              Governance
              Business Function Characteristics → Vertical (B2S) and Horizontal (B2B) Relationship
    Risk Identification & Reconciliation (slides 28-34)
              Business Impact Analysis
              Risk Assessment Process
              Risk Analysis Methodology
    Categories and Types (slides 35-37)
              Risk – Enterprise Risk Management (BIA, RA, ERM)
              Information, Information Systems, & Users
    Controls Framework (slides 38-44)
              Types of Controls, Skill Sets, and Resources
              Criteria → Maturity of Controls to Support Outcomes
              Procedures → Operational Tasks to Implement and Support Controls (low-level)
    Example: Identity Management (COBIT, CMMI, & NIST) (slides 45-55)                                3
Key Takeaways



  • Understand OIAC requirements and how the IT audit
    function applies its framework for assessing
    controls that compensate for high
    impact/probability risks.
  • Provide a high-level overview of how the
    framework applies to institutional and agency
    audits / consulting.
  • Provide resources for review & dialogue
                                               4




                           Quick Overview – Audit
                                Methodology




                                                    5
Why We Audit – Mission & Charter



        • “Internal auditing provides independent and objective
          assurance and consulting services to the Board of Regents
          (Board), the Chancellor, and institution leadership in
          order to add value and improve operations. The internal
          audit activity helps the University System Office (USO)
          and USG institutions accomplish their objectives by
          bringing a systematic, disciplined approach to evaluate
          and improve the effectiveness of governance, risk
          management, compliance, and internal control processes.”
          - Internal Audit Charter approved by the Board of Regents
        *(underline added )




                                                                 6
Types of Audits – Federal, State, Campus, and Board of Regents
      • Federal Auditors
         – Rely on work of state auditors
         – May focus on federal compliance (FISMA, FERPA, HIPAA, etc.),
            financial aid, and federal grants management
      • State Auditors – Financial and Performance
         – Financial / Operational auditors - external auditors validating
            internal controls and the AFR
         – Performance auditors – external auditors focused on specific
            system-wide process or policy issue
      • Campus Auditors
         – Varies by campus
         – Generally focused on departmental reviews
         – Report to institution President and USO Chief Audit Officer
      • Board of Regents Auditors
         – Shoot the gaps that other agencies do not address and engage with
            specific BOR or Legislative concerns
The Audit Selection Process: OIAC Risk Assessment & Planning Process
                              (The “Why Us?” Syndrome and What We Audit)
  • OIAC’s Risk Assessment process
           – Quantitative Data: previous
             findings, financials, etc.
           – Qualitative Data: surveys,
             interviews, trends, etc.
           – Quarterly review and assessment
             versus annual approach to be
             proactive
  • Rolling Audit Plan
           – Designed to ensure coverage of
             institutions with high risk
           – Also designed to ensure OIAC
             coverage at all USG institutions at
             least once every 3-4 years
           – Specifies institution and broad
             categories in which to audit
           – May also incorporate consulting
             engagements and other special
             projects
Overall Engagement Plan – Summary of Process

   • Top-down methodology for the audit assessment
      – Risk based: High Impact / High Probability – 32 different influencers
      – Business goals to standards and practices
      – Identification of the critical components of each business function
      – Leadership (administrator) down to technician or staff member (end user)
      – Assess requirements, resources, and processes
   • The approach focuses on key business functions and their associated
     business goals and objectives as they relate to the assessed entities.
   • Once the business functions are identified and agreed upon, the key
     requirements, resources, and processes associated with each are identified and
     assessed to determine whether high or critical risk is being managed.
   • Focus is on control practices and the responsibility / accountability
     associated with key activities, with CMMI level 3 as the expected criterion
     for high-risk critical processes.

                                                                          9
Methodology, Scope, & Criteria

     • Standards for the Methodology
             – Institute of Internal Auditors (IIA - www.theiia.org)
             – Information Systems Audit and Control Association (ISACA -
                www.isaca.org)
     • Scope of Application: Area of Emphasis (Entity or Process)
        – Usually focused on institution-wide processes, e.g., data classification,
           IT services, NOC, incident response / emergency planning, strategic
           planning, change management, etc.
     • Determine which areas of high risk or critical systems exist for the assessed
       entities at the institution
              – Risk Analysis (OIAC) & Preliminary Assessment with Institution
              – Prior Coordination / Business Impact Analysis / Risk Assessment - Information request
                    list, based upon audited entities
              – Analysis of information provided from pre-audit phase
     •      Scope of Execution: Area of Emphasis (Entity or Process)
             – Business Functions (High Critical Risk)
                 • Examples: IAM: Identity and Access Control Management & NETSEC: Perimeter & Network Security
             – Will incorporate recommended focus areas from institutional leadership
             – Scope can change during the course of an audit if warranted
     •      CMMI Criteria level 3: Process is Defined & Documented and periodically Evaluated
                                                                                                            10
Those Involved in Areas Reviewed & Priority of Emphasis (# Personnel – # Meetings)

   [Diagram: four groups ranked by priority of emphasis]
   • Information Technology Department (High)
   • Administrative Units (Medium)
   • Academic Units (Limited)
   • Auxiliaries (Low)

                                                                             11
Summary for Plan of Action
  During the engagement we …
  •      Gather Information / Evidence - related to
         implementation of controls to address High
         Impact / High Probability risk
           – Interviews with key personnel (Business Owner,
             Trustees, & Stewards)
           – Test and Validate Objectives
                    •      Information - Information systems
                    •      Direct observation & dialogue
  •      Document initial analysis (informal)
  •      Dialogue and gain Confirmation of
         Observations (validation)
  •      Dialogue and gain Common Understanding of
         Exceptions and Issues
  •      Identify to Key Shareholders / Leadership
         Issues and discuss Solutions
  •      Up until the final report is completed, dialogue
         will continue with audited entity regarding
         issues (objections are welcome – it is your
         right!)
                                                                12
The Process We Follow – From Notification to Reporting

•      1st Phase: Pre-Campus Work (Preparatory Efforts)
          – Announcement / Notification Letter, sent to President upon rolling audit plan approval
            (specific 5-month period during which the audit will be conducted)
          – Preliminary Survey – brief visit on campus, approx. 60 days prior to start of audit
          – Engagement Letter – Sent to President approx. 30 days prior to start of audit
          – Data Collection – Initial interviews, data requests, network scans may take place prior to
            arrival on campus – the more we get ahead of time the less time we have to spend
            onsite
•      2nd Phase: On-Campus Fieldwork (Evidence Gathering Phase)
          –    Initiated with Entrance Conference (“Line in the Sand”)
          –    Scope of work may expand / contract
          –    Campus POC kept informed on audit progress and issues (daily)
          –    End of field work review, a meeting conducted at close of work summarizing initial
               results and implications
•      3rd Phase: Post-Campus Work (Documentation & Publication Phase)
          –    Draft Report prepared and sent as discussion document
          –    Exit Conference held either in person or via phone / video conference
          –    Official Draft Report sent requiring response from institution
          –    Institution’s response incorporated in report
          –    Report published and distributed

                                                                                                    13
Summary of Engagement Flow Timeframes

   [Diagram: engagement timeline; only the labeled milestones are recoverable]
   1. Rolling risk assessment & notification – three times per year
      – Preliminary survey onsite with senior leadership
      – 60 days out: audit letter with data request sent; preliminary assessment
   2. 30 days out: entrance meeting & field work (2 to 4 weeks)
      – End of field work meeting with key shareholders
   3. Reporting phase; durations shown on the diagram without labels:
      4-6 wks, 1-2 wks, 1 wk, 30 days, 1 wk, 90 days

                                                                                           14
Assessment Results / Reporting




                                                            15




                           Assessment Lifecycle &
                            Applying of Controls




                                                    16
Assessment Life Cycle?




                                                    17
“Life Cycle” of Security & Process Provisioning




                                                                18




                           Overview & Summary




                                                19
Putting it all together…




                                                      20
Thank You for Your Patience & Participation – Any Questions?
  • Understand OIAC requirements and
    how the IT audit function applies its
    framework for assessing controls that
    compensate for high
    impact/probability risks.
  • Provide a high-level overview of
    how the framework applies to
    institutional and agency audits /
    consulting.
  • Provide resources for review &
    dialogue
                                                            21
Helpful Resources


                  CIS Benchmarks - http://www.cisecurity.org/benchmarks.html
                  IIA - www.theiia.org
                  ISACA - www.isaca.org
                  ISC(2) - www.isc2.org
                  ISO - www.iso.org
                  ITGI - www.itgi.org
                  NIST - csrc.nist.gov
                  NSA - www.nsa.gov
                  IASE - iase.disa.mil
                  Web App Consortium - www.webappsec.org
                  EDUCAUSE - educause.edu/security
                  Univ. Austin Texas Sec. - security.utexas.edu
                  Univ. Cornell Sec. - www.cit.cornell.edu/security
                  Virginia Tech Sec. - security.vt.edu
                  Ga. Tech Info Sec. Center - www.gtisc.gatech.edu

                                                                                22




                           Terminology & Context of the
                              Audit Implementation




                                                          23
Securing Business Events

 • It still comes down to business event needs and outcomes
          – Goals or Objectives – Vision, Mission, & Operations
          – Rules and Requirements
 • Identifying critical business functions
          – Support Infrastructure: Finance and Accounting, Human Resources, Facilities,
            Services, other administrative functions or departments
          – Production Infrastructure: those folks who actually make the widgets (Instruction)!
 • Identify the departments and who are the key personnel, e.g., Business
   owners, Trustees and Stewards?
 • Identify the vertical (B2S - dependent) and horizontal (B2B -
   interdependent) relationships that potentially introduce risk (IT
   Governance)
 • Identify the systems that support business functions
 • Categories and type of information and information systems
 • Answer the question … “How are the people and systems integrated into
   the business process?”
 • Answer the question … “What internal controls exist or need to be
   implemented to mitigate risk?”
                                                                                                  24
Governance Interdependencies & Value Drivers




Control Objectives for Information and related Technology (COBIT®)
                                                                     25
Business Functions and Characteristics




     Control Objectives for Information and related Technology (COBIT®)
                                                                          26
Governance: Business to Stewardship (B2S) versus Business to Business (B2B)




                                                                27




                           Risk Identification &
                              Reconciliation




                                                   28
Audit Risk Life Cycle Variables




                                                             29
Standards of Application

             • Industry Standards / Frameworks
                      – COBIT 4.1 (Control Objectives for Information and related Technology)
                      – NIST (National Institute of Standards and Technology)
                      – ISO 17799 (now ISO/IEC 27002) / ISO/IEC 27001 (International Organization for
                        Standardization)
                      – ITIL (Information Technology Infrastructure Library)
             • Compliance and Regulatory Requirements (FISMA, FERPA,
               HIPAA, PCI, SOX, SCADA, etc.)
             • Board of Regents Standards
                      – Board of Regents Policy
                      – ITS Security Guidelines
                      – Business Process Manual
             • Institutions’ Local Policies and Procedures
             NOT PERSONAL OPINION OR PREFERENCES!!!!!

                                                                                    30
Business Impact Analysis

 • Must understand …
            – Business goals and requirements
            – Internal and external relationships
            – What resources are involved
            – Who is in charge and what
              interdependencies exist
 • Vision (Strategic) → Mission
   (Tactical) → Objectives (Operational)
   → factors for success
 • KPIs → What are the Key
   Performance / Process Indicators?
        – What distinctions and outcomes exist
          for each stage
        – What is the scope of probability /
          impact (beware the “Chicken Little”
          effect)
        – What expectations exist for each key
          shareholder
                             Certified Information Systems Auditor (Study Guide) Cannon, Bergmann, & Pamplin   31
Assessing for Risk …

    • Risk assessment evaluates components of
      information, information system security
      and compliance as they relate to the business
      function
    • Assess → Mitigate / Monitor → Re-Assess
    • An ongoing risk management program must be
      in place
    • The business owner or key shareholder must
      own the process
    • Establish a standard for considering and
      negotiating risk
    • Annual (periodic) risk assessment
      deliverable with recommendations for
      corrective action
    • Clearly define and document accepted risk –
      someone needs to sign off on the
      responsibility
                                                    32
Risk Mitigation

 • Once risks are identified, they must be
   mitigated via internal controls
 • Internal Control: a practice approved
   by management to mitigate risk or
   produce a desired outcome in a
   business process, used for implementing
   and enforcing information security
   and compliance
 • Design → Document → Implement
           – Document and retain artifacts
           – Test the controls prior to implementation
             to validate expectations
           – Monitor results
           – Re-test controls periodically

                                                        33
Re-Assess Risks

 • Risk assessments are an on-
   going exercise
 • Track mitigation strategies – did
   they work?
         – What “framework(s)” are being applied?
         – Is there an identifiable “structure” in place, e.g.,
           a risk management program?
         – Is the “methodology” recognizable, e.g.,
           documented and not arbitrary?
         – Are you using tools to monitor, manage, and
           validate the associated processes?
 • Test → re-test controls (design
   and effectiveness)
 • Document test results,
   corrective actions, and changes in
   business needs / requirements
                           Certified Information Systems Auditor (Study Guide) Cannon, Bergmann, & Pamplin   34




                           Categories and Types




                                                  35
Risk Categories and Types?

  Determine how the categories of risk may or may
  not apply:
  • Risk Types
          – Strategic: affects the entity’s ability to achieve
            goals and objectives
          – Compliance: affects compliance with laws and
            regulations, safety and environmental issues,
            litigation, conflicts of interest, etc.
          – Reputational: affects reputation, public perception,
            political issues, etc.
          – Financial: affects loss of assets, technology, etc.
          – Operational: affects on-going management
            processes and procedures
  • Risk Management Process
          – Agreed-upon methodology to assess priorities (BIA,
            RA, ERM)
          – Consistency and agreement in identification of risks
          – Focus upon high probability / high impact risk
  • Types and classification – Information, Systems, &
    People
                                                                  36
Information & Information System Users (Internal & External) Categories and Types?

 • What type of information, on which
   systems, is being accessed by which
   users?
          – Public, administrative, sensitive, confidential
          – Internal: administrative, managerial,
            informational
          – External: general public or specific target
            group
 • What level of access and authorization
   to the information is being provided to
   those types of users?
 • Is the risk being managed with
   effective controls?
 • People who use or interact with the
   information include:
          – Shareholders / Owners / Management
          – Employees & Business Partners
          – Service providers / Contractors
          – Customers / Clients
          – Regulators, etc.

                                                                    37
Controls Framework




                                                38
Control Objectives for Information and related Technology (COBIT)

    • Developed by the ITGI (current version 4.1, with 5.0 forthcoming)
              – https://www.isaca.org/
    • Value of IT, Risk, and Control
    • Links IT service delivery to business requirements
      (already defined, right?)
    • A lifecycle; constantly adapting, improving, re-adapting
    • Four Responsibility Domains:
      – Plan and Organize (PO)
      – Acquire and Implement (AI)
      – Deliver and Support (DS)
      – Monitor and Evaluate (ME)
    • Make a grocery list of needs and then go shopping
                                                                 39
Audit Program Design




                                                  40
Audit Controls Definition


  Audit Controls & Assessment
     • Provides roadmap to auditor on which areas to focus audit
        steps (assess controls)
         – Preventive: controls to stop the problem from occurring
         – Detective: controls to find the problem
         – Corrective: controls to repair the problem after detection
         – Administrative: policies, standards, guidelines, &
            procedures
         – Technical: controls using hardware or software for
            processing & analysis
         – Physical: controls to implement barriers or deterrents
     • Based upon industry standards, requirements, & practices
     • Build list of high level objectives and outcomes to address
        risks associated with audited entity
                                                                    41
Capability Maturity Model Integration (CMMI)

        – Variants of the CMMI: CMM & ISO 15504
        – Identifies WHERE you are in the application of IT risk
          mitigation controls and HOW to get to the next level
        – Levels of Application (the 0-5 scale below is the COBIT 4.1 maturity
          model, which adapts the CMM levels and adds a level 0)
           • Level 0: No recognizable process, though one is needed
           • Level 1: Process is ad hoc and performed by key individuals
           • Level 2: Process is repeatable, but not controlled
           • Level 3: Process is defined & documented and
             periodically evaluated
           • Level 4: Managed & measurable; effective internal
             controls with risk management
           • Level 5: Optimized enterprise-wide risk and control
             program
                                                                   42
Engagement: Application of Standards

  • Assessment Standards & Identification
     – Create assessment program (pre-engagement)
                    • Identify risk & criteria
                    • Identify audit resources, skill sets, & personnel
                    • Develop information requirements for requests
           – Share expectations and objectives with institution
  • Gather Information / Evidence
           – Assess Controls: Strengths / Weaknesses (during
                 engagement) [validate assurance or identify vulnerabilities / exploitation]
     – Calculate Level of Control criteria being applied
       (CMMI)
  • Analysis to Determine if Compliant with Standards
  • Document Variances or Exceptions / Issues [potential issues]
  • Report Per Charter Requirements (Ratings)

                                                                                               43
Controls Development & Implementation




                                                    44




                           Example: Controls Mapping




   11/12/2011                 Framework for Information & System Security
                                                                            45
IAM Example: Entity to be Assessed for Risk


            • IAM: Identity and Access Control Management
               – Identity Management; the management of user
                 credentials and the means by which users might log
                 onto and use various systems or resources, e.g.,
                 the provisioning and de-provisioning of student,
                 faculty, staff, and outside agencies identities
               – Access Control; the mechanisms in place to permit
                 or deny the use of a particular resource by a
                 particular entity, e.g., technical or administrative
                 controls to allow or deny access to file shares


                                                                        46
Users Involved in Business Functions and Types of Information and Systems?
                                           (Provisioning of High Risk or Critical Information)

   • Business functional responsibility for assigning “rights & permissions” to
     various roles within the organization
                – Business Owner: responsible for the provisioning and delegation of the processes or functions and
                  associated privileges, e.g., Payroll, Finance, HR, etc.
                – Trustees: responsible for maintaining the trust granted by the business owner, e.g., the “worker bees” in the associated
                  departments that conduct day-to-day operations
                – Stewards: responsible for servicing and supporting the business function; typically provide a technical system
                  or infrastructure to facilitate business needs, e.g., Information Technology Services, etc.
                – Audience: who and what the information is intended for
                – B2S versus B2B: vertical and horizontal relationships (IT Governance)
   • Types of information (classification) per organization or agency
                – Unrestricted / Public: no consequence; typically general information
                – Sensitive: typically subject to legal or externally imposed constraints that require this restriction
                – Confidential: highest level of restriction; applies where risk or harm may result from disclosure or
                  inappropriate use, e.g., FERPA, HIPAA, etc.
   • Types of information systems to support information exchange
                – Infrastructure and architecture to support business-driven events
                – Classification and type (comparable to the information being managed)
                – Supply Chain Management (SCM), Enterprise Resource Planning (ERP), Customer Relationship Management
                  (CRM), Business Intelligence (BI), basic communications, etc.
   • Determine the scope of assessment and the entities (people, application systems, &
     information) to be assessed
                                                                                                                          47
Example of an Associated Key Process – Ecommerce, e.g., One Card System

   • COBIT high level framework for controls relating to the Ecommerce
     systems
             – Plan and Organize (PO) — Provides direction to solution delivery(AI) and
               service delivery (DS): PO1, PO4, PO5, PO6, PO8, PO9, PO10, and PO11
             – Acquire and Implement (AI) —Provides the solutions and passes them to
               be turned into services AI5 and AI4
             – Deliver and Support (DS) —Receives the solutions and makes them usable
               for end users: DS1, DS5 and DS11
   • Map the requirements to your preferred checklist, e.g. NIST or ISO
   • Requirements for Ecommerce complement other processes
             – Less work required for other system implementations
             – No duplication of effort if requirements are properly addressed
   • Identity management applies to many other process
     requirements, e.g., applications, operating systems, and databases
                                                                                      48
Example: Identity and Access Control Management (IAM)

     COBIT 4.1 DS5.3 Identity Management
     • Ensure that all users (internal, external and temporary) and their
       activity on IT systems (business application, IT environment, system
       operations, development and maintenance) are uniquely identifiable.
       Enable user identities via authentication mechanisms.
     • Confirm that user access rights to systems and data are in line with
       defined and documented business needs and that job requirements
       are attached to user identities.
     • Ensure that user access rights are requested by user management,
       approved by system owners and implemented by the security-
       responsible person.
     • Maintain user identities and access rights in a central repository.
     • Deploy cost-effective technical and procedural measures, and keep
       them current to establish user identification, implement
       authentication and enforce access rights.
                                                                          49
Example: Identity and Access Control Management (IAM)

     Logical Didactic Approach - DS5.3 Identity Management (How it is
       Evaluated)
     • Control over the IT process of Ensure systems security that satisfies the business
       requirement for IT of maintaining the integrity of information and processing
       infrastructure and minimizing the impact of security vulnerabilities and incidents
     • By focusing on
         – defining IT security policies, plans and procedures, and monitoring, detecting,
           reporting and resolving security vulnerabilities and incidents
     • Is achieved by
         – Understanding security requirements, vulnerabilities and threats
         – Managing user identities and authorizations in a standardized manner
         – Testing security regularly
     • And is measured by
         – Number of incidents damaging the organization's reputation with the public
         – Number of systems where security requirements are not met
         – Number of violations in segregation of duties
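The evaluation steps above (every user tied to one identity, rights matching an approved business need, segregation of duties) as an audit test in Python. This is an added example, not code from the deck or from COBIT; the system names, roles, approval repository and the single SoD rule are all constructed for illustration.

```python
"""Audit test for COBIT 4.1 DS5.3 (Identity Management) over constructed data.

Added example, not from the slide deck or from COBIT: it reconciles the
rights actually present on systems against the approved requests held in
a central repository, flags accounts that are not tied to one person, and
computes two of the slide's measures (systems where the requirement is
not met, and segregation-of-duties violations).
"""
from collections import defaultdict
from typing import NamedTuple


class Grant(NamedTuple):
    system: str   # assumed system names, e.g. the One Card ecommerce system
    account: str  # login as it exists on the system
    owner: str    # person the account is tied to; "" means shared/generic
    role: str


# Constructed sample: the central repository of approved access
# (requested by user management, approved by the system owner).
APPROVED = {
    ("onecard", "alice"): {"ap_invoice_entry"},
    ("onecard", "bob"): {"ap_payment_release"},
    ("onecard", "carol"): {"ap_invoice_entry", "reporting"},
    ("erp", "alice"): {"reporting"},
}

# Constructed sample: what a rights export from each system actually shows.
ACTUAL = [
    Grant("onecard", "alice", "alice", "ap_invoice_entry"),
    Grant("onecard", "bob", "bob", "ap_payment_release"),
    Grant("onecard", "carol", "carol", "ap_invoice_entry"),
    Grant("onecard", "carol", "carol", "ap_payment_release"),  # never approved
    Grant("onecard", "carol", "carol", "reporting"),
    Grant("onecard", "svc_batch", "", "ap_payment_release"),   # no named owner
    Grant("erp", "alice", "alice", "reporting"),
    Grant("erp", "dave", "dave", "reporting"),                 # no request on file
]

# Assumed segregation-of-duties rule: no one identity may hold both roles
# on the same system (entering an invoice and releasing its payment).
SOD_CONFLICTS = [frozenset({"ap_invoice_entry", "ap_payment_release"})]


def rights_by_identity(grants):
    """Group roles by (system, owner) so each identity is assessed as a whole;
    ownerless accounts are left out because they cannot be tied to a person."""
    by_id = defaultdict(set)
    for g in grants:
        if g.owner:
            by_id[(g.system, g.owner)].add(g.role)
    return by_id


def unidentifiable_accounts(grants):
    """DS5.3 requires every user to be uniquely identifiable: accounts with
    no owner of record fail that test outright."""
    return sorted({(g.system, g.account) for g in grants if not g.owner})


def unapproved_rights(grants, approved):
    """Rights present on a system that the approval repository does not back,
    i.e. access not in line with a documented business need."""
    findings = []
    for (system, owner), roles in rights_by_identity(grants).items():
        extra = roles - approved.get((system, owner), set())
        findings.extend((system, owner, role) for role in sorted(extra))
    return sorted(findings)


def sod_violations(grants, conflicts):
    """Identities holding a conflicting role pair on one system."""
    findings = []
    for (system, owner), roles in rights_by_identity(grants).items():
        for pair in conflicts:
            if pair <= roles:
                findings.append((system, owner, tuple(sorted(pair))))
    return sorted(findings)


def ds5_metrics(grants, approved, conflicts):
    """The two DS5 measures named on the slide, plus which systems failed."""
    failing = {s for s, _ in unidentifiable_accounts(grants)}
    failing |= {s for s, _, _ in unapproved_rights(grants, approved)}
    sod = sod_violations(grants, conflicts)
    failing |= {s for s, _, _ in sod}
    return {
        "systems_not_meeting_requirements": len(failing),
        "failing_systems": sorted(failing),
        "sod_violations": len(sod),
    }


if __name__ == "__main__":
    for finding in unidentifiable_accounts(ACTUAL):
        print("shared/generic account:", finding)
    for finding in unapproved_rights(ACTUAL, APPROVED):
        print("right without approval:", finding)
    for finding in sod_violations(ACTUAL, SOD_CONFLICTS):
        print("SoD violation:", finding)
    print(ds5_metrics(ACTUAL, APPROVED, SOD_CONFLICTS))
```

In a real engagement the two inputs would be the institution's access-request records and a rights export from each in-scope system, and each finding would be confirmed with the business owner before it is reported.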

                                                                                                  50
How to Measure Success? Maturity Model – CMMI DS5 Snapshot (Criteria)

DS5 Ensure Systems Security - Management of the process of Ensure systems security that
   satisfies the business requirements for IT of maintaining the integrity of information and
   processing infrastructure and minimizing the impact of security vulnerabilities and
   incidents is:
0 Non-existent when the organization does not recognize the need for IT security. Responsibilities and accountabilities are not assigned … There is a
      complete lack of a recognizable system security administration process.
1 Initial/Ad Hoc when the organization recognizes the need for IT security. Awareness of the need for security depends primarily on the individual. IT
      security is addressed on a reactive basis. IT security is not measured. Detected IT security breaches invoke finger-pointing responses, … to IT
      security breaches are unpredictable.
2 Repeatable but Intuitive when responsibilities and accountabilities for IT security are assigned to an IT security …, although the management authority
      … Awareness of the need for security is fragmented and limited. Although security-relevant information …, it is not analyzed. IT security is seen
      primarily as the responsibility and domain of IT and the business does not see IT security as within its domain.
3 Defined when security awareness exists and is promoted by management. IT security procedures are defined and aligned with IT security policy.
      Responsibilities for IT security are assigned and understood, but not consistently enforced. An IT security plan and security solutions exist as
      driven by risk analysis. Reporting on security does not contain a clear business focus. Ad hoc security testing (e.g., intrusion testing) is performed.
      Security training is available for IT and the business, but is only informally scheduled and managed.
4 Managed and Measurable when responsibilities for IT security are clearly assigned, managed and enforced. IT security risk and impact analysis is
      consistently performed. Security policies and procedures are completed with specific security baselines. … User identification, authentication and
      authorization are standardized. Security certification is pursued for staff members … Security testing is completed using standard and formalized
      processes, leading to improvements of security levels. … IT security reporting is linked to business objectives. IT security training is conducted …
      IT security training is planned and managed in a manner that responds to business needs and defined security risk profiles. Goals and metrics for
      security management have been defined but are not yet measured.
5 Optimized when IT security is a joint responsibility of business and IT management and is integrated with corporate security business
      objectives. IT security requirements are clearly defined, optimized and included in an approved security plan. Users and customers are increasingly
      accountable for defining security requirements, and security functions are integrated with applications at the design stage. Security incidents
      are promptly addressed with formalized incident response procedures supported by automated tools. Periodic security assessments are conducted
      to evaluate the effectiveness of the implementation of the security plan. Information on threats and vulnerabilities is systematically collected and
      analyzed. Adequate controls to mitigate risks are promptly communicated …
                                                                                                                                                         51
COBIT 4.01 Standards to NIST Mapping – Integration with other Standards (Alignment of IT Controls to Mitigate Risk)

                                                                           52
NIST 800-53, Revision 1 Standards – Terminology and Application

                                                               53
Audit Program Development Life-Cycle

                                                    54
COBIT Mappings

   • Others besides NIST are currently posted at
     www.isaca.org/downloads:
            – Aligning COBIT, ITIL and ISO 17799 for Business Benefit
            – COBIT® Mapping: Mapping of CMMI for Development
            – COBIT® Mapping: Mapping of ISO/IEC 17799:2000
            – COBIT® Mapping: Mapping of ISO/IEC 17799:2005
            – COBIT® Mapping: Mapping of ITIL
            – COBIT® Mapping: Mapping of PMBOK
            – COBIT® Mapping: Mapping of PRINCE2
            – COBIT® Mapping: Mapping of SEI’s CMM for Software
            – COBIT® Mapping: Mapping of TOGAF 8.1
            – COBIT® Mapping: Overview of International IT Guidance
                                                                              55


Oiac It Audit Wo Cartoons

  • 1. Office of Internal Audit and Compliance IT Auditing Overview CIO Advisory Counsel Meeting Spring 2011 - Savannah, Ga.
  • 2. Session Guide Office of Internal Audit and Compliance • Erwin (Chris) L. Carrow IT Audit Director; M.Div., MSIS, CISSP, INFOSEC, CCAI, CCNP, CCSP, CQS, CCNA, LCP, LCI, OCM, MCSE, MCP+I, LSS Green Belt, etc. (Alphabet soup – who cares?!) Board of Regents, University System of Georgia Office of Internal Audit and Compliance 270 Washington Street S.W., Ste. 7087 Atlanta, GA 30334 (404)657-9890 Office, (678)644-3526 Cell, (404)463-0699 Fax Email: erwin.carrow@usg.edu ecarrow@gmail.com ecarrow@google.com http://www.linkedin.com/in/thebishop Twitter: @ecarrow Skype: erwin.louis.carrow 2
  • 3. Session Agenda (22 Slides – unless additional needs for clarity) Office of Internal Audit and Compliance  Quick Overview – Audit Methodology (slides 1-15)  Assessment Lifecycle & Applying Controls (slides 16-18)  Overview & Summary (slides 19-22) ______________________________________________________________  Terminology & Context of Security Implementation (slides 23-27)  Securing Business Functions  Governance  Business Function Characteristics  Vertical (B2S) and Horizontal (B2B) Relationship  Risk Identification & Reconciliation (slides 28-34)  Business Impact Analysis  Risk Assessment Process  Risk Analysis Methodology  Categories and Types (slides 35-37)  Risk – Enterprise Risk Management (BIA, RA, ERM)  Information, Information Systems, & Users  Controls Framework (slides 38-44)  Types of Controls, Skill Sets, and Resources  Criteria  Maturity of Controls to Support Outcomes  Procedures  Operational Tasks to Implement and Support Controls (low-level)  Example: Identity Management (COBIT, CMMI, & NIST) (slides 45-55) 3
  • 4. Key Takeaways Office of Internal Audit and Compliance  Understand OIAC requirements how IT audit function applies their framework for assessing controls to compensate for high impact/probability risks.  Provide a high-level overview of how the framework applies to institutional and agency audits / consulting.  Provide a resources for review & dialogue 4
  • 5. Office of Internal Audit and Compliance Quick Overview – Audit Methodology 5
  • 6. Why We Audit – Mission & Charter Office of Internal Audit and Compliance • “Internal auditing provides independent and objective assurance and consulting services to the Board of Regents (Board), the Chancellor, and institution leadership in order to add value and improve operations. The internal audit activity helps the University System Office (USO) and USG institutions accomplish their objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, compliance, and internal control processes.” - Internal Audit Charter approved by the Board of Regents *(underline added ) 6
  • 7. Types of Audits – Federal, State, Office of Internal Audit Campus, and Board of Regents and Compliance • Federal Auditors – Rely on work of state auditors – May focus on federal compliance (FISMA, FERPA, HIPAA, etc.), financial aid, and federal grants management • State Auditors – Financial and Performance – Financial / Operational auditors - external auditors validating internal controls and the AFR – Performance auditors – external auditors focused on specific system-wide process or policy issue • Campus Auditors – Varies by campus – Generally focused on departmental reviews – Report to institution President and USO Chief Audit Officer • Board of Regents Auditors – Shoot the gaps that other agencies do not address and engage with specific BOR or Legislative concerns
  • 8. The Audits Selection Process: OIAC Risk Assessment & Planning Process Office of Internal Audit and Compliance (The “Why Us Syndrome and What We Audit?”) • OIAC’s Risk Assessment process – Quantitative Data: previous findings, financials, etc. – Qualitative Data: surveys, interviews, trends, etc. – Quarterly review and assessment versus annual approach to be proactive • Rolling Audit Plan – Designed to ensure coverage of institutions with high risk – Also designed to ensure OIAC coverage at all USG institutions at least once every 3-4 years – Specifies institution and broad categories in which to audit – May also incorporate consulting engagements and other special projects
  • 9. Overall Engagement Plan Summary of Process Office of Internal Audit and Compliance • Top Down methodology for the auditing assessment – Risk based: High Impact / High Probability – 32 different influencers – Business Goals to Standards and Practices – Business Function critical component identification – Leadership (administrator) to Technician or Staff member (end user) – Assess Requirements, Resources, and Processes • The approach focused on key business functions and their associated Business Goals and Objectives as it relates to the assessed entities. • Once identified and agreed upon for each business function, the key associated requirements, resources, and processes were identified and assessed to determine if high or critical risk is being managed. • Focus was upon Control Practices and Responsibility / Accountability associated with key activities with an expected CMMI level 3 criteria for High Risk Critical processes. 9
  • 10. Methodology, Scope, & Criteria Office of Internal Audit and Compliance • Standards for the Methodology – Institute of Internal Auditor (IIA - www.theiia.org) – Information System Audit & Control Association (ISACA - www.isaca.org) • Scope of Application: Area of Emphasis (Entity or Process) – Usually focused on institution-wide processes, e.g., data classification, IT services, NOC, incident response / emergency planning, strategic planning, change management, etc. • Determine what areas of High Risk or Critical Systems exist for the assessed entities at the institution? – Risk Analysis (OIAC) & Preliminary Assessment with Institution – Prior Coordination / Business Impact Analysis / Risk Assessment - Information request list, based upon audited entities – Analysis of information provided from pre-audit phase • Scope of Execution: Area of Emphasis (Entity or Process) – Business Functions (High Critical Risk) • Examples: IAM: Identity and Access Control Management & NETSEC: Perimeter & Network Security – Will incorporate recommended focus areas from institutional leadership – Scope can change during the course of an audit if warranted • CMMI Criteria level 3: Process is Defined & Documented and periodically Evaluated 10
  • 11. Those Involved in Areas Reviewed & Priority of Emphasis (# Personnel – # Meetings) Office of Internal Audit and Compliance Information Technology Academic Units Department (Limited) (High) Administrative Auxiliaries Units (Medium) (Low) 11
  • 12. Summary for Plan of Action Office of Internal Audit and Compliance During the engagement we … • Gather Information / Evidence - related to implementation of controls to address High Impact / High Probability risk – Interviews with key personnel (Business Owner, Trustees, & Stewards) – Test and Validate Objectives • Information - Information systems • Direct observation & dialogue • Document initial analysis (informal) • Dialogue and gain Confirmation of Observations (validation) • Dialogue and gain Common Understanding of Exceptions and Issues • Identify to Key Shareholders / Leadership Issues and discuss Solutions • Up until the final report is completed, dialogue will continue with audited entity regarding issues (objections are welcome – it is your right!) 12
  • 13. The Process We Follow – From Notification to Reporting Office of Internal Audit and Compliance • 1st Phase: Pre-Campus Work (Preparatory Efforts) – Announcement / Notification Letter, sent to President upon rolling audit plan approval (specific 5-month period during which the audit will be conducted) – Preliminary Survey- Brief visit on campus, approx. 60 prior to start of audit – Engagement Letter – Sent to President approx. 30 days prior to start of audit – Data Collection – Initial interviews, data requests, network scans may take place prior to arrival on campus – the more we get ahead of time the less time we have to spend onsite • 2nd Phase: On-Campus Fieldwork (Evidence Gathering Phase) – Initiated with Entrance Conference (“Line in the Sand”) – Scope of work may expand / contract – Campus POC kept informed on audit progress and issues (daily) – End of field work review, a meeting conducted at close of work summarizing initial results and implications • 3rd Phase: Post-Campus Work (Documentation & Publication Phase) – Draft Report prepared and sent as discussion document – Exit Conference held either in person or via phone / video conference – Official Draft Report sent requiring response from institution – Institution’s response incorporated in report – Report published and distributed 13
• 14. Summary of Engagement Flow / Timeframes
  (Flow diagram; only the labels recovered from the slide are kept below)
  1 – Rolling Risk Assessment & Notification – three times per year
      Preliminary Survey onsite with Senior Leadership – 60 Days
      Audit Letter with data request sent – preliminary assessment – 30 Days
  2 – Entrance meeting & field work – 2 to 4 Wks
      End of field work meeting w/ Key Shareholders
  3 – Remaining timeframes shown on the diagram: 4-6 Wks, 1-2 Wks, 1 Wk, 30 Days, 1 Wk, 90 Days
• 15. Assessment Results / Reporting
• 16. Assessment Lifecycle & Applying Controls
• 17. Assessment Life Cycle?
• 18. “Life Cycle” of Security & Process Provisioning
• 19. Overview & Summary
• 20. Putting it all together…
• 21. Thank You for Your Patience & Participation - Any Questions?
  • Understand OIAC requirements and how the IT audit function applies its framework for assessing controls to compensate for high impact / probability risks.
  • Provide a high-level overview of how the framework applies to institutional and agency audits / consulting.
  • Provide resources for review & dialogue
• 22. Helpful Resources
  • CIS Benchmarks - http://www.cisecurity.org/benchmarks.html
  • IIA - www.theiia.org
  • ISACA - www.isaca.org
  • ISC(2) - www.isc2.org
  • ISO - www.iso.org
  • ITGI - www.itgi.org
  • NIST - csrc.nist.gov
  • NSA - www.nsa.gov
  • IASE - iase.disa.mil
  • Web App Consortium - www.webappsec.org
  • EDUCAUSE - educause.edu/security
  • Univ. Austin Texas Sec. - security.utexas.edu
  • Univ. Cornell Sec. - www.cit.cornell.edu/security
  • Virginia Tech Sec. - security.vt.edu
  • Ga. Tech Info Sec. Center - www.gtisc.gatech.edu
• 23. Terminology & Context of the Audit Implementation
• 24. Securing Business Events
  • It still comes down to … Business event Needs and Outcomes
    – Goals or Objectives
    – Vision, Mission, & Operations
    – Rules and Requirements
  • Identifying critical business functions
    – Support Infrastructure: Finance and Accounting, Human Resources, Facilities, Services, other administrative functions or departments
    – Production Infrastructure: those folks who actually make the widgets (Instruction)!
  • Identify the departments and who the key personnel are, e.g., Business owners, Trustees and Stewards
  • Identify the vertical (B2S - dependent) and horizontal (B2B - interdependent) relationships that potentially introduce risk (IT Governance)
  • Identify the systems that support business functions
  • Categories and type of information and information systems
  • Answer the question … “How are the people and systems integrated into the business process?”
  • Answer the question … “What internal controls exist or need to be implemented to mitigate risk?”
• 25. Governance Interdependencies & Value Drivers
  Source: Control Objectives for Information and related Technology (COBIT®)
• 26. Business Functions and Characteristics
  Source: Control Objectives for Information and related Technology (COBIT®)
• 27. Governance: Business to Stewardship (B2S) versus Business to Business (B2B)
• 28. Risk Identification & Reconciliation
• 29. Audit Risk Life Cycle Variables
• 30. Standards of Application
  • Industry Standards / Frameworks
    – COBiT 4.1 (Control Objectives for Information Technology)
    – NIST (National Institute of Standards and Technology)
    – ISO 17799/27001 (International Organization for Standardization)
    – ITIL (Information Technology Infrastructure Library)
  • Compliance and Regulatory Requirements (FISMA, FERPA, HIPAA, PCI, SOX, SCADA, etc.)
  • Board of Regents Standards
    – Board of Regents Policy
    – ITS Security Guidelines
    – Business Process Manual
  • Institutions’ Local Policies and Procedures
  NOT PERSONAL OPINION OR PREFERENCES!!!!!
• 31. Business Impact Analysis
  • Must understand …
    – Business goals and requirements
    – Internal and external relationships
    – What resources are involved
    – Who is in charge and what interdependencies exist
    – Vision (Strategic)
    – Mission (Tactical)
    – Objectives (Operational)
    – Factors for success
    – KPI’s
  • What are the Key Performance / Process Indicators?
  • What distinctions and outcomes exist for each stage
  • What is the scope of probability / impact (Beware “Chicken Little” effect)
  • What expectations exist for each key shareholder
  Source: Certified Information Systems Auditor (Study Guide), Cannon, Bergmann, & Pamplin
• 32. Assessing for Risk …
  • Risk assessment evaluates components of information, information system security and compliance as they relate to the business function
  • Assess → Mitigate / Monitor → Re-Assess
  • Ongoing risk management program must be in place
  • Business owner or key shareholder must own the process
  • Establish a standard for considering and negotiating risk
  • Annual (periodic) risk assessment deliverable with recommendations for corrective action
  • Clearly define and document accepted risk – someone needs to sign off on the responsibility
• 33. Risk Mitigation
  • Once risks are identified, they must be mitigated via internal controls
  • Internal Controls: a practice approved by management to mitigate risk or produce a desired outcome in a business process for implementing and enforcing information security and compliance
  • Design → Document → Implement
  • Document and retain artifacts
  • Test the controls prior to implementation to validate expectations
  • Monitor results
  • Re-test controls periodically
• 34. Re-Assess Risks
  • Risk Assessments are an on-going exercise
  • Track mitigation strategies; did they work?
  • What “Framework(s)” are being applied?
  • Is there an identifiable “Structure” in place, e.g., a risk management program?
  • Is the “Methodology” recognizable, e.g., documented and not arbitrary?
  • Are you using tools to monitor, manage, and validate the associated processes?
  • Test → re-test controls (design and effectiveness)
  • Document test results, corrective actions, changes in business needs / requirements
  Source: Certified Information Systems Auditor (Study Guide), Cannon, Bergmann, & Pamplin
• 35. Categories and Types
• 36. Risk Categories and Types?
  Determine how the categories of risk may or may not apply:
  • Risk Types
    – Strategic: Affects the entity’s ability to achieve goals and objectives
    – Compliance: Affects compliance with laws and regulations, safety and environmental issues, litigation, conflicts of interest, etc.
    – Reputational: Affects reputation, public perception, political issues, etc.
    – Financial: Affects loss of assets, technology, etc.
    – Operational: Affects on-going management processes and procedures
  • Risk Management Process
    – Agreed upon methodology to assess priorities (BIA, RA, ERM)
    – Consistency and agreement in identification of risks
    – Focus upon high probability / high impact risk
    – Types and classification – Information, Systems, & People
• 37. Information & Information System Users (Internal & External) Categories and Types?
  • What type of information, on which systems, is being accessed by which users?
    – Public, administrative, sensitive, confidential
    – Internal: Administrative, Managerial, Informational
    – External: General Public or Specific Target group
  • What level of access and authorization to the information is being provided to those types of users?
  • Is the risk being managed with effective controls?
  • People who use or interact with the Information include:
    – Share Holders / Owners / Management
    – Employees & Business Partners
    – Service providers / Contractors
    – Customers / Clients
    – Regulators, etc.
• 38. Controls Framework
• 39. Control Objectives for Information and related Technology (COBIT)
  • Developed by the ITGI (Current v4.1 → 5.0) – https://www.isaca.org/
  • Value of IT, Risk, and Control
  • Links IT service delivery to business requirements (already defined, right?)
  • A lifecycle; constantly adapting, improving, re-adapting
  • Four Responsibility Domains:
    – Plan and Organize (PO)
    – Acquire and Implement (AI)
    – Deliver and Support (DS)
    – Monitor and Evaluate (ME)
  • Make a grocery list of needs and then go shopping
• 40. Audit Program Design
• 41. Audit Controls Definition
  Audit Controls & Assessment
  • Provides a roadmap to the auditor on which areas to focus audit steps (assess controls)
    – Preventive: controls to stop the problem from occurring
    – Detective: controls to find the problem
    – Corrective: controls to repair the problem after detection
    – Administrative: policies, standards, guidelines, & procedures
    – Technical: controls using hardware or software for processing & analysis
    – Physical: controls to implement barriers or deterrents
  • Based upon industry standards, requirements, & practices
  • Build list of high level objectives and outcomes to address risks associated with audited entity
• 42. Common Maturity Model Integrated (CMMI)
  – Variants of the CMMI: CMM & ISO 15504
  – Identifies WHERE you are in the application of IT risk mitigation controls and HOW to get to the next level
  – Levels of Application
    • Level 0: No Recognizable Process, though one is needed
    • Level 1: Process is Ad-hoc and performed by key individuals
    • Level 2: Process is Repeatable, but not controlled
    • Level 3: Process is Defined & Documented and periodically Evaluated
    • Level 4: Managed & Measurable; effective Internal Controls with Risk Management
    • Level 5: Optimized Enterprise-wide risk and control program
• 43. Engagement: Application of Standards
  • Assessment Standards & Identification
    – Create assessment program (pre-engagement)
      • Identify risk & criteria
      • Identify audit resources, skill sets, & personnel
      • Develop information requirements for requests
    – Share expectations and objectives with institution
  • Gather Information / Evidence
    – Assess Controls: Strengths / Weaknesses (during engagement) [validate assurance or identify vulnerabilities / exploitation]
    – Calculate Level of Control criteria being applied (CMMI)
  • Analysis to Determine if Compliant with Standards
  • Document Variances or Exceptions / Issues [potential issues]
  • Report Per Charter Requirements (Ratings)
• 44. Controls Development & Implementation
• 45. Example: Controls Mapping
  11/12/2011 – Framework for Information & System Security
• 46. IAM Example: Entity to be Assessed for Risk
  • IAM: Identity and Access Control Management
    – Identity Management: the management of user credentials and the means by which users might log onto and use various systems or resources, e.g., the provisioning and de-provisioning of student, faculty, staff, and outside agency identities
    – Access Control: the mechanisms in place to permit or deny the use of a particular resource by a particular entity, e.g., technical or administrative controls to allow or deny access to file shares
• 47. Users Involved in Business Functions and Types of Information and Systems? (Provisioning of High Risk or Critical Information)
  • Business Functional responsibility for assigning “Rights & Permissions” to various roles within the organization
    – Business Owner: Responsible for the provisioning and delegation of the processes or functions and associated privileges, e.g., Payroll, Finance, HR, etc.
    – Trustees: Responsible to maintain trust granted by Business owner, e.g., “Worker Bees” in the associated departments that conduct day to day operations
    – Stewards: Responsible to service and support the business function, typically provide a technical system or infrastructure to facilitate business needs, e.g., Information Technology Services, etc.
    – Audience: What / who the use of the information is intended for
    – B2S versus B2B: Vertical and horizontal relationships (IT Governance)
  • Types of Information (classification) per organization or agency
    – Unrestricted / Public: No consequence, typically general information
    – Sensitive: typically references legal or externally imposed constraints that require this restriction
    – Confidential: highest level of restriction, applies to the risk or harm that may result from disclosure or inappropriate use, e.g., FERPA, HIPAA, etc.
  • Types of Information Systems to support information exchange
    – Infrastructure and architecture to support business driven events
    – Classification and type (comparable to the information being managed)
    – Supply Chain Management (SCM), Enterprise Resource Planning (ERP), Customer Resource Management (CRM), Business Intelligence (BI), basic communications, etc.
  • Determine scope of assessment and entities (people, application systems, & information) to be assessed
• 48. Example associated Key Process – Ecommerce, e.g., One Card System
  • COBIT high level framework for controls relating to the Ecommerce systems
    – Plan and Organize (PO) — Provides direction to solution delivery (AI) and service delivery (DS): PO1, PO4, PO5, PO6, PO8, PO9, PO10, and PO11
    – Acquire and Implement (AI) — Provides the solutions and passes them to be turned into services: AI5 and AI4
    – Deliver and Support (DS) — Receives the solutions and makes them usable for end users: DS1, DS5 and DS11
  • Map the requirements to your preferred checklist, e.g. NIST or ISO
  • Requirements for Ecommerce Complement other Processes
    – Less work required for other system implementations
    – No duplication of effort if requirements are properly addressed
  • Identity Management applies to many other process requirements, e.g., Applications, Operating Systems, and Databases
• 49. Example: Identity and Access Control Management (IAM)
  COBIT 4.1 DS5.3 Identity Management
  • Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms.
  • Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities.
  • Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person.
  • Maintain user identities and access rights in a central repository.
  • Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.
• 50. Example: Identity and Access Control Management (IAM)
  Logical Didactic Approach - DS5.3 Identity Management (How it is Evaluated)
  • Control over the IT process of Ensure systems security that satisfies the business requirement for IT of maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents
  • By focusing on
    – defining IT security policies, plans and procedures, and monitoring, detecting, reporting and resolving security vulnerabilities and incidents
  • Is achieved by
    – Understanding security requirements, vulnerabilities and threats
    – Managing user identities and authorizations in a standardized manner
    – Testing security regularly
  • And is measured by
    – Number of incidents damaging the organization's reputation with the public
    – Number of systems where security requirements are not met
    – Number of violations in segregation of duties
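One way to turn the DS5.3 identity management statements and the "measured by" metrics above into a repeatable audit test, as an added example that is not part of the presentation or the OIAC's own tooling: it runs over a constructed account extract and flags accounts that are not uniquely identifiable, entitlements with no system-owner approval, accounts of people HR no longer lists as active, and segregation-of-duties violations counted per person across all of that person's accounts. The extract, its field names and the conflicting entitlement pairs are assumptions made for illustration.

```python
"""Audit test for the DS5.3 statements above over a constructed account extract.
Added example, not from the presentation; the data, field names and the
segregation-of-duties (SoD) pairs are assumptions made for illustration."""
from collections import defaultdict

# Constructed extract: one row per (account, entitlement), as an auditor would pull
# it from the central identity repository DS5.3 asks for. `person` is the human the
# account is attached to (None for a generic/shared login); `hr_status` comes from
# HR; `owner_approved` records whether a system-owner-approved request backs the row.
ACCESS_EXTRACT = [
    {"account": "jdoe",     "person": "J. Doe",   "hr_status": "active",     "entitlement": "PAYROLL_ENTER",      "owner_approved": True},
    {"account": "jdoe",     "person": "J. Doe",   "hr_status": "active",     "entitlement": "PAYROLL_APPROVE",    "owner_approved": True},
    {"account": "asmith",   "person": "A. Smith", "hr_status": "active",     "entitlement": "AP_VENDOR_CREATE",   "owner_approved": True},
    {"account": "asmith2",  "person": "A. Smith", "hr_status": "active",     "entitlement": "AP_PAYMENT_RELEASE", "owner_approved": False},
    {"account": "bwong",    "person": "B. Wong",  "hr_status": "terminated", "entitlement": "FILESHARE_HR",       "owner_approved": True},
    {"account": "labadmin", "person": None,       "hr_status": "active",     "entitlement": "SRV_ADMIN",          "owner_approved": True},
    {"account": "clee",     "person": "C. Lee",   "hr_status": "active",     "entitlement": "FILESHARE_HR",       "owner_approved": True},
]

# Assumed conflicting pairs for the SoD metric: one person must not hold both halves.
SOD_CONFLICTS = [
    frozenset({"PAYROLL_ENTER", "PAYROLL_APPROVE"}),
    frozenset({"AP_VENDOR_CREATE", "AP_PAYMENT_RELEASE"}),
]


def not_uniquely_identifiable(rows):
    """Accounts with no named person, or mapped to more than one person (DS5.3: unique IDs)."""
    persons = defaultdict(set)
    for r in rows:
        persons[r["account"]].add(r["person"])
    return sorted(a for a, p in persons.items() if None in p or len(p) > 1)


def unapproved_entitlements(rows):
    """(account, entitlement) pairs with no system-owner approval on file."""
    return sorted((r["account"], r["entitlement"]) for r in rows if not r["owner_approved"])


def orphaned_accounts(rows):
    """Accounts whose person HR no longer lists as active (de-provisioning gap)."""
    return sorted({r["account"] for r in rows if r["hr_status"] != "active"})


def sod_violations(rows):
    """Conflicting pairs held by one person, aggregated across all of that person's accounts."""
    held = defaultdict(set)
    for r in rows:
        if r["person"] is not None:
            held[r["person"]].add(r["entitlement"])
    return sorted((person, tuple(sorted(pair)))
                  for person, ents in held.items()
                  for pair in SOD_CONFLICTS if pair <= ents)


def ds53_summary(rows):
    """Counts an auditor would carry into the DS5 'measured by' metrics."""
    return {
        "not_uniquely_identifiable": len(not_uniquely_identifiable(rows)),
        "unapproved_entitlements": len(unapproved_entitlements(rows)),
        "orphaned_accounts": len(orphaned_accounts(rows)),
        "sod_violations": len(sod_violations(rows)),
    }


if __name__ == "__main__":
    for metric, count in ds53_summary(ACCESS_EXTRACT).items():
        print(f"{metric}: {count}")
```

Note that A. Smith's conflict is only visible because the check aggregates by person rather than by account; a per-account review would miss it.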
• 51. How to Measure Success? Maturity Model – CMMI DS5 Snapshot (Criteria)
  DS5 Ensure Systems Security - Management of the process of Ensure systems security that satisfies the business requirements for IT of maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents is:
  • 0 Non-existent when: The organization does not recognize the need for IT security. Responsibilities and accountabilities are not assigned … There is a complete lack of a recognizable system security administration process.
  • 1 Initial/Ad Hoc when: The organization recognizes the need for IT security. Awareness of the need for security depends primarily on the individual. IT security is addressed on a reactive basis. IT security is not measured. Detected IT security breaches invoke finger-pointing responses, … to IT security breaches are unpredictable.
  • 2 Repeatable but Intuitive when: Responsibilities and accountabilities for IT security are assigned to an IT security …, although the management authority ... Awareness of the need for security is fragmented and limited. Although security-relevant information …, it is not analyzed. IT security is seen primarily as the responsibility and domain of IT and the business does not see IT security as within its domain.
  • 3 Defined when: Security awareness exists and is promoted by management. IT security procedures are defined and aligned with IT security policy. Responsibilities for IT security are assigned and understood, but not consistently enforced. An IT security plan and security solutions exist as driven by risk analysis. Reporting on security does not contain a clear business focus. Ad hoc security testing (e.g., intrusion testing) is performed. Security training is available for IT and the business, but is only informally scheduled and managed.
  • 4 Managed and Measurable when: Responsibilities for IT security are clearly assigned, managed and enforced. IT security risk and impact analysis is consistently performed. Security policies and procedures are completed with specific security baselines. .... User identification, authentication and authorization are standardized. Security certification is pursued for staff members ... . Security testing is completed using standard and formalized processes, leading to improvements of security levels. …. IT security reporting is linked to business objectives. IT security training is conducted …. IT security training is planned and managed in a manner that responds to business needs and defined security risk profiles. Goals and metrics for security management have been defined but are not yet measured.
  • 5 Optimized when: IT security is a joint responsibility of business and IT management and is integrated with corporate security business objectives. IT security requirements are clearly defined, optimized and included in an approved security plan. Users and customers are increasingly accountable for defining security requirements, and security functions are integrated with applications at the design stage. Security incidents are promptly addressed with formalized incident response procedures supported by automated tools. Periodic security assessments are conducted to evaluate the effectiveness of the implementation of the security plan. Information on threats and vulnerabilities is systematically collected and analyzed. Adequate controls to mitigate risks are promptly communicated ….
• 52. COBIT 4.01 Standards to NIST Mapping – Integration with other Standards (Alignment of IT Controls to Mitigate Risk)
• 53. NIST 800-53, Revision 1 Standards Terminology and Application
• 54. Audit Program Development Life-Cycle
• 55. COBIT Mappings
  Others besides NIST are currently posted at www.isaca.org/downloads:
  • Aligning COBIT, ITIL and ISO 17799 for Business Benefit
  • COBIT® Mapping: Mapping of CMMI for Development
  • COBIT® Mapping: Mapping of ISO/IEC 17799:2000
  • COBIT® Mapping: Mapping of ISO/IEC 17799:2005
  • COBIT® Mapping: Mapping of ITIL
  • COBIT® Mapping: Mapping of PMBOK
  • COBIT® Mapping: Mapping of PRINCE2
  • COBIT® Mapping: Mapping of SEI’s CMM for Software
  • COBIT® Mapping: Mapping of TOGAF 8.1
  • COBIT® Mapping: Overview of International IT Guidance