A CIO’s Survival Guide for an IT Audit
Thomas Danford
CIO, Tennessee Board of Regents
Background & Objectives …
 State Audit chose the TBR office as its “pilot” for developing IT Audit plans and procedures for Banner.
 Brief discussion of the various types of audits and how they relate to IT Audits.
 Share with the audience what’s investigated in an IT Audit and how it’s conducted.
 Relay some findings to date.
 Provide some guidance & suggestions for when your institution has its IT Audit.
Types of Audits
 Operational Audits examine the use of unit resources to evaluate whether those resources are being used in the most effective and efficient way. They include elements of the other audit types listed below.
 Financial Audits examine accounting and reporting of financial transactions.
 Compliance Audits examine adherence to laws, regulations, policies and procedures.
 Internal Control Reviews focus on the components of major business activities such as payroll and benefits, and their physical security.
 Information Technology (IT) Audits examine the internal control environment of automated information processing systems and how people use those systems.
The IT Audit Evaluates …
 System(s) input, output, and processing controls
 Backup & media storage (off-site)
 Disaster preparedness plan (and if it has been tested!)
 System(s) security
 Computer facilities
How does the IT Audit Work?
 Kick-off Meeting to discuss audit objectives with delivery of extensive questionnaires.
 Interview & investigative phase based upon responses to questionnaires.
 Exit interview with Q&A on any discovered weaknesses or findings.
 Published Audit Report with weaknesses and/or findings.
 Management response.
What Are Auditors Looking For?
 Reportable conditions – matters that represent a significant deficiency in the design or operation of the internal control structure which could adversely affect the organization's ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements.
 Material Weaknesses – significant deficiencies, or a combination of significant deficiencies, that result in more than a remote likelihood that a material control process could be subverted or bypassed.
 Findings – conditions that do adversely affect the institution and may include conditions dealing with irregularities, illegal acts, errors, inefficiency, waste, ineffectiveness, conflicts of interest, and for our purposes control weaknesses.
Interview & Investigation Areas
 Infrastructure Security & Control
 Application Security & Control
 Disaster Preparedness Plan
INFRASTRUCTURE SECURITY & CONTROL: Relates to the design of the campus network system and includes the backbones, routers, switches, wireless access points, access methods and protocols used. Of special interest are the filters & protective measures that govern (1) Internet open access, (2) Intranet controlled access and (3) Secured Access.
Particular areas of interest include:
   Physical security of computer center – Environmental controls, locks, cameras & authorizations to enter.
   Network configuration – Filter & firewall rule-sets and their change processes.
   ID and password rule-sets – Length, character requirements, aging, etc.
   Operating System – File & directory permissions.
   Patch management – Remediation of known exploits.
   Segregation of duties of IT staff.
APPLICATION SECURITY & CONTROL: Relates to the design of the administrative system and includes additional server operating system issues as well as the DBMS and the application that sits on top of both. Heavily scrutinized are users, both functional and technical, and their roles.
Particular areas of interest include:
   Default users and their passwords
   Role based security – Especially as it is set up in the application itself and access to the native DBMS or OS.
   User accounts and password management – Procedures & signoff for account holders, length, character requirements, aging, etc.
   Software modification – Procedures and segregation of duties in their implementation.
   Patch management – Remediation of known exploits across multiple instances.
   Segregation of duties of IT and functional users.
APPLICATION SECURITY & CONTROL (Top 5 Issues)
 Improper account provisioning with segregation of duties
 Insufficient controls for change management
 A general lack of understanding around key system configurations
 Audit logs not being reviewed (or that review itself not being logged)
 Abnormal transactions not identified in a timely manner
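Two of the Top 5 issues above, improper provisioning with segregation of duties and audit-log review that is not itself logged, lend themselves to a self-check before the auditors arrive. The following Python is an added example, not material from the presentation or from TBR; the role names, conflict pairs, user accounts and review-log lines are all constructed for illustration.

```python
"""Pre-audit self-check modelled on two of the top application-security issues:
segregation-of-duties (SoD) conflicts in account provisioning, and audit-log
reviews that leave no record. Added example; every name and line is constructed."""
from collections import defaultdict
from datetime import date

# Constructed SoD conflict matrix: each pair names two roles that a single
# account should never hold at the same time.
SOD_CONFLICTS = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"}),
    frozenset({"PAYROLL_CHANGE", "PAYROLL_APPROVE"}),
    frozenset({"DBA", "FUNCTIONAL_USER"}),
}

# Constructed (user, role) provisioning records, shaped like an export of the
# application's role-assignment table.
SAMPLE_ASSIGNMENTS = [
    ("alice", "AP_INVOICE_ENTRY"), ("alice", "AP_PAYMENT_APPROVE"),
    ("bob", "PAYROLL_CHANGE"), ("carol", "PAYROLL_APPROVE"),
    ("dave", "DBA"), ("dave", "FUNCTIONAL_USER"), ("dave", "AP_INVOICE_ENTRY"),
]


def sod_violations(assignments):
    """Return {user: [(role_a, role_b), ...]} for every account that holds both
    roles of a conflicting pair. Accounts with no conflict are omitted."""
    roles_by_user = defaultdict(set)
    for user, role in assignments:
        roles_by_user[user].add(role)
    violations = {}
    for user, roles in sorted(roles_by_user.items()):
        hits = sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= roles)
        if hits:
            violations[user] = hits
    return violations


# Constructed record of audit-log reviews, one per line:
# "<YYYY-MM-DD> <log source> reviewed_by=<reviewer>".
# The control being checked is that the review itself is logged.
SAMPLE_REVIEW_LOG = """\
2007-10-01 banner_app_audit reviewed_by=jsmith
2007-10-08 banner_app_audit reviewed_by=jsmith
2007-10-01 oracle_db_audit reviewed_by=dba1
"""


def stale_reviews(review_log, sources, as_of_iso, max_age_days=7):
    """Return {source: days_since_last_review} for each expected log source
    whose most recent logged review is older than max_age_days as of the
    given ISO date; a source with no logged review at all maps to None."""
    as_of = date.fromisoformat(as_of_iso)
    last_seen = {}
    for line in review_log.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        reviewed_on, source = date.fromisoformat(parts[0]), parts[1]
        if source not in last_seen or reviewed_on > last_seen[source]:
            last_seen[source] = reviewed_on
    stale = {}
    for source in sources:
        last = last_seen.get(source)
        if last is None:
            stale[source] = None
        elif (as_of - last).days > max_age_days:
            stale[source] = (as_of - last).days
    return stale


if __name__ == "__main__":
    for user, pairs in sod_violations(SAMPLE_ASSIGNMENTS).items():
        print(f"SoD conflict: {user} holds {pairs}")
    expected_sources = ["banner_app_audit", "oracle_db_audit", "os_syslog"]
    for source, age in stale_reviews(SAMPLE_REVIEW_LOG, expected_sources, "2007-10-12").items():
        print(f"audit-log review overdue: {source} ({'never reviewed' if age is None else f'{age} days'})")
```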
DISASTER PREPAREDNESS PLAN: The state in which an institution is prepared for disaster. Preparedness involves a plan for avoiding and recovering from a disaster with preservation and retrieval of records lost by an unexpected catastrophic occurrence.
Particular areas of interest include:
   Backup of critical data – Including frequency, media, where and how far away.
   Printed plans – Kept off site by plan principals with contact lists.
   Recovery processes – Includes not only IT operations but facilities (hot & cold sites).
   Business continuity while IT functions are restored.
   Actual testing of the plan.
Banner Issues Discovered
 As of 10/12/2007
Y10K Compliance
 Banner cannot handle the switch from the year 9999 to 10000
Tips to Make the Audit Go Smoothly
 Avoid making it an “adversarial” engagement
 Provide what’s asked of you
 Document & diagram
For Additional Information:
  Wikipedia has a good overview of IT auditing at:
  http://en.wikipedia.org/wiki/Information_technology_audit
  Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1992.
  http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981
Thank You
Please share your comments, ideas, suggestions, questions . . .
Thomas Danford
tdanford@tbr.edu
615-366-4451
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 

CIO IT Audit Survival TNS07

  • 1. A CIO’s Survival Guide for an IT Audit. Thomas Danford, CIO, Tennessee Board of Regents.
  • 2. Background & Objectives … State Audit chose the TBR office as its “pilot” for developing IT Audit plans and procedures for Banner. Brief discussion of the various types of audits and how they relate to IT Audits. Share with the audience what’s investigated in an IT Audit and how it’s conducted. Relay some findings to date. Provide some guidance & suggestions for when your institution has its IT Audit.
  • 3. Types of Audits. Operational Audits examine the use of unit resources to evaluate whether those resources are being used in the most effective and efficient way. They include elements of the other audit types listed below. Financial Audits examine accounting and reporting of financial transactions. Compliance Audits examine adherence to laws, regulations, policies and procedures. Internal Control Reviews focus on the components of major business activities such as payroll and benefits, and their physical security. Information Technology (IT) Audits examine the internal control environment of automated information processing systems and how people use those systems.
  • 4. The IT Audit Evaluates … System(s) input, output, and processing controls. Backup & media storage (off-site). Disaster preparedness plan (and if it has been tested!). System(s) security. Computer facilities.
  • 5. How does the IT Audit Work? Kick-off meeting to discuss audit objectives with delivery of extensive questionnaires. Interview & investigative phase based upon responses to questionnaires. Exit interview with Q&A on any discovered weaknesses or findings. Published Audit Report with weaknesses and/or findings. Management response.
  • 6. What Are Auditors Looking For? Reportable conditions – matters that represent a significant deficiency in the design or operation of the internal control structure which could adversely affect the organization's ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements. Material Weaknesses – significant deficiencies, or a combination of significant deficiencies, that result in more than a remote likelihood that a material control process could be subverted or bypassed. Findings – conditions that do adversely affect the institution and may include conditions dealing with irregularities, illegal acts, errors, inefficiency, waste, ineffectiveness, conflicts of interest, and for our purposes control weaknesses.
  • 7. Interview & Investigation Areas. Infrastructure Security & Control. Application Security & Control. Disaster Preparedness Plan.
  • 8. INFRASTRUCTURE SECURITY & CONTROL: Relates to the design of the campus network system and includes the backbones, routers, switches, wireless access points, access methods and protocols used. Of special interest are the filters & protective measures that govern (1) Internet open access, (2) Intranet controlled access and (3) Secured Access. Particular areas of interest include: Physical security of computer center – Environmental controls, locks, cameras & authorizations to enter. Network configuration – Filter & firewall rule-sets and their change processes. ID and password rule-sets – Length, character requirements, aging, etc. Operating System – File & directory permissions. Patch management – Remediation of known exploits. Segregation of duties of IT staff.
  • 9. APPLICATION SECURITY & CONTROL: Relates to the design of the administrative system and includes additional server operating system issues as well as the DBMS and the application that sits on top of both. Heavily scrutinized are users, both functional and technical, and their roles. Particular areas of interest include: Default users and their passwords. Role based security – Especially as it is set up in the application itself and access to the native DBMS or OS. User accounts and password management – Procedures & signoff for account holders, length, character requirements, aging, etc. Software modification – Procedures and segregation of duties in their implementation. Patch management – Remediation of known exploits across multiple instances. Segregation of duties of IT and functional users.
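The ID/password rule-set and file-permission items on slide 8 and the default-account and password-management items on slide 9 are the kind of questions that can be answered with a repeatable evidence script rather than a questionnaire response. The Python below is an added example, not code from the presentation or from the Tennessee Board of Regents. The login.defs, shadow and file-mode inputs are constructed samples embedded inline so it runs offline; the policy values, the default-account list and the audit date are assumptions that an institution would replace with its own.

```python
"""Added example (not from the slide deck): collect evidence for the
ID/password rule-set, default-account and file-permission items an IT
auditor asks about.  Every input below is a constructed sample embedded
inline so the script runs offline; on a real host you would read
/etc/login.defs and /etc/shadow and walk the filesystem instead."""

import re
import stat
from dataclasses import dataclass
from datetime import date

# Constructed /etc/login.defs: aging effectively disabled, weak minimum length.
SAMPLE_LOGIN_DEFS = """
# password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""

# Constructed /etc/shadow.  Field 3 = days since 1970-01-01 of the last
# password change, field 5 = per-account maximum password age.
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhash:13750:0:99999:7:::
oracle:$6$saltsalt$hashhashhash:13600:0:90:7:::
banner:$6$saltsalt$hashhashhash:13750:0:90:7:::
scott:$6$saltsalt$hashhashhash:13000:0:99999:7:::
guest::13750:0:99999:7:::
sshd:!:13750:0:99999:7:::
"""

# Constructed (path, st_mode) pairs as os.stat() would report them.
SAMPLE_FILES = [
    ("/u01/app/banner/bin/run_jobs.sh", 0o100755),
    ("/u01/app/banner/etc/db.conf", 0o100666),
    ("/etc/shadow", 0o100640),
    ("/tmp", 0o041777),
]

# Assumed policy values and assumed default-account names; the real list
# depends on the DBMS, ERP and middleware actually installed.
POLICY = {"max_days": 90, "min_len": 8}
DEFAULT_ACCOUNTS = {"scott", "guest", "demo", "test"}
AS_OF = date(2007, 10, 12)   # assumed audit date for the age calculation


@dataclass(frozen=True)
class Finding:
    area: str
    subject: str
    detail: str


def parse_login_defs(text):
    """Return the PASS_* settings as ints, ignoring comments and other keys."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(PASS_[A-Z_]+)\s+(\d+)\s*$", line)
        if m:
            settings[m.group(1)] = int(m.group(2))
    return settings


def check_password_rules(login_defs, policy):
    """Compare system-wide aging and length settings with the stated policy."""
    s = parse_login_defs(login_defs)
    out = []
    max_days, min_len = s.get("PASS_MAX_DAYS", 99999), s.get("PASS_MIN_LEN", 0)
    if max_days > policy["max_days"]:
        out.append(Finding("password aging", "PASS_MAX_DAYS",
                           f"{max_days} exceeds policy {policy['max_days']}"))
    if min_len < policy["min_len"]:
        out.append(Finding("password length", "PASS_MIN_LEN",
                           f"{min_len} below policy {policy['min_len']}"))
    return out


def check_shadow(shadow_text, policy, default_accounts, as_of):
    """Flag empty passwords, unlocked default accounts, and stale or
    never-expiring passwords on accounts that can still log in."""
    out = []
    today = (as_of - date(1970, 1, 1)).days
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        name, pw_hash, last_change, _min, max_days = line.split(":")[:5]
        locked = pw_hash.startswith(("!", "*"))
        if pw_hash == "":
            out.append(Finding("account", name, "empty password field: no password required"))
        if name in default_accounts and not locked:
            out.append(Finding("default account", name, "vendor/default account is not locked"))
        if locked:
            continue            # locked accounts cannot be used interactively
        if not max_days or int(max_days) > policy["max_days"]:
            out.append(Finding("aging not enforced", name,
                               f"max age {max_days or 'unset'} exceeds policy {policy['max_days']}"))
        age = today - int(last_change)
        if age > policy["max_days"]:
            out.append(Finding("stale password", name, f"last changed {age} days ago"))
    return out


def check_permissions(entries):
    """Flag world-writable paths; sticky world-writable directories such as /tmp are expected."""
    out = []
    for path, mode in entries:
        if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
            continue
        if mode & stat.S_IWOTH:
            out.append(Finding("permissions", path, f"world-writable (mode {stat.S_IMODE(mode):04o})"))
    return out


def run_audit():
    """Run all checks over the constructed samples and return the findings."""
    return (check_password_rules(SAMPLE_LOGIN_DEFS, POLICY)
            + check_shadow(SAMPLE_SHADOW, POLICY, DEFAULT_ACCOUNTS, AS_OF)
            + check_permissions(SAMPLE_FILES))


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.area}] {f.subject}: {f.detail}")
```

Against the constructed samples the script reports the system-wide aging and length settings, the never-expiring root password, the stale oracle password, the unlocked and stale default account scott, the guest account with no password, and the world-writable db.conf, while the locked sshd account, the compliant banner account and the sticky /tmp directory produce nothing. Run on a schedule and kept with its output, a check like this is also the kind of documented, repeatable control that an auditor can sample rather than take on assertion.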
  • 10. APPLICATION SECURITY & CONTROL (Top 5 Issues): Improper account provisioning with segregation of duties. Insufficient controls for change management. A general lack of understanding around key system configurations. Audit logs not being reviewed (or that review itself not being logged). Abnormal transactions not identified in a timely manner.
  • 11. DISASTER PREPAREDNESS PLAN: The state in which an institution is prepared for disaster. Preparedness involves a plan for avoiding and recovering from a disaster with preservation and retrieval of records lost by an unexpected catastrophic occurrence. Particular areas of interest include: Backup of critical data – Including frequency, media, where and how far away. Printed plans – Kept off site by plan principals with contact lists. Recovery processes – Includes not only IT operations but facilities (hot & cold sites). Business continuity while IT functions are restored. Actual testing of the plan.
  • 12. Banner Issues Discovered. As of 10/12/2007.
  • 13. Y10K Compliance Banner cannot handle the switch from the year 9999 to 10000
  • 14. Tips to Make the Audit Go Smoothly. Avoid making it an “adversarial” engagement. Provide what’s asked of you. Document & diagram.
  • 15. For Additional Information: Wikipedia has a good overview of IT auditing at: http://en.wikipedia.org/wiki/Information_technology_audit Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992. http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981
  • 16. Thank You. Please share your comments, ideas, suggestions, questions . . . Thomas Danford, tdanford@tbr.edu, 615-366-4451