Top 10 IT Audit Findings

by Dennis Gillespie, 8 July 2014


Transcript of Top 10 IT Audit Findings

Top 10 IT Audit Findings 2010-13
About this presentation
Enterprise and Departmental solutions, not Internal Audit recommendations

If I just fix these 10 things ...

Exchange of information

#10 Patch management procedures are lacking
Risks
System compromise, data loss, exposure to confidential information

Solutions
Tools, e.g. SCCM, Spiceworks, WSUS, Secunia, etc.

Manual review schedule (average number of desktops/laptops supported per IT technician = 100)

Elements of a Finding
Condition - What is the problem?

Criteria - IU policy or Best Practice Standard

Effect/Risk - What is the risk? What can or did happen?

Solution/Action Plan - What departments have done to prevent or correct the problem?
Key Points in Identification
Identified top 10 IT audit issues over the past 3 years

Issues and risk can change over time

Use of Risk Assessment and Control Evaluation (RACE Matrix) to document and communicate risks

Collaboration between Internal Audit and the IT professionals is key to addressing issues and implementing action plans
#10 Patch management procedures are lacking
Lack of process to apply system patches and/or software updates

Patches/updates not applied in a timely manner

IT-12, “proactively seek out and apply vendor-supplied fixes necessary to repair security vulnerabilities, within a timeframe commensurate with the level of risk (i.e., within 24 hours for high-risk, within 48 hours for medium-risk, and within 72 hours for low-risk).”
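As an added example (not part of the presentation), the Python below turns the IT-12 timeframes quoted above into a check that flags fixes applied after their window or still missing once the window has closed, which is the kind of verification the later finding about unverified patching calls for. Hosts, patch ids and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# IT-12 remediation windows, in hours, keyed by the risk level of the fix.
IT12_WINDOWS_HOURS = {"high": 24, "medium": 48, "low": 72}


def deadline_for(risk, released):
    """Latest time a fix of the given risk level may be applied under IT-12."""
    try:
        return released + timedelta(hours=IT12_WINDOWS_HOURS[risk.lower()])
    except KeyError:
        raise ValueError(f"unknown risk level: {risk!r}") from None


def patch_status(risk, released, applied, now):
    """'compliant' or 'late' once applied; 'pending' or 'overdue' while missing."""
    deadline = deadline_for(risk, released)
    if applied is not None:
        return "compliant" if applied <= deadline else "late"
    return "overdue" if now > deadline else "pending"


def audit_patch_records(records, now):
    """Return the records an auditor would report as exceptions (late or overdue),
    each tagged with its status and how many hours past the IT-12 deadline it is."""
    exceptions = []
    for rec in records:
        status = patch_status(rec["risk"], rec["released"], rec["applied"], now)
        if status in ("late", "overdue"):
            deadline = deadline_for(rec["risk"], rec["released"])
            hours_past = ((rec["applied"] or now) - deadline).total_seconds() / 3600
            exceptions.append({**rec, "status": status, "hours_past_deadline": round(hours_past, 1)})
    return exceptions


# Constructed sample inventory (hosts, patch ids and times are made up for illustration).
T0 = datetime(2014, 7, 1, 8, 0, tzinfo=timezone.utc)   # vendor release time
NOW = T0 + timedelta(hours=60)                           # time of the review
SAMPLE_RECORDS = [
    {"host": "ws-101", "patch": "EXAMPLE-1", "risk": "high",   "released": T0, "applied": T0 + timedelta(hours=20)},
    {"host": "ws-102", "patch": "EXAMPLE-1", "risk": "high",   "released": T0, "applied": T0 + timedelta(hours=30)},
    {"host": "srv-01", "patch": "EXAMPLE-2", "risk": "medium", "released": T0, "applied": None},
    {"host": "srv-02", "patch": "EXAMPLE-3", "risk": "low",    "released": T0, "applied": None},
]

if __name__ == "__main__":
    for exc in audit_patch_records(SAMPLE_RECORDS, NOW):
        print(f"{exc['host']}: {exc['patch']} ({exc['risk']}) {exc['status']}, "
              f"{exc['hours_past_deadline']}h past IT-12 deadline")
```

The low-risk fix on srv-02 is still inside its 72-hour window at review time, so it is reported as pending rather than as an exception.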


Learning Objectives
Discuss the process of identifying audit issues

Learn the elements of an audit issue

Provide awareness of Top 10 IT Audit Issues and examples of each with policy/law references
#9 Non-IT users with admin rights
No documented reason why individual needs admin access
No process in place to educate users with admin rights
Lack of verification that patches are being applied correctly

IT-12, “Limit access to needed services to only authorized persons.”
Principle of least privilege – user account only has rights to perform functions which are essential to that user’s work.

#9 Non-IT users with admin rights
Risks
Users without the necessary technical knowledge
Devices not adequately patched and protected

Solutions
User agreement outlining responsibilities
Training and notification of vulnerabilities
2nd account without admin rights
Scheduled audit or review of devices
Eliminated admin rights for all non-IT faculty and staff

#8 Admin accounts are used for day-to-day activities

Workstation/laptop users with admin access performing daily, routine functions with the admin account
IT staff using admin account for day-to-day activities
IT-12, “Perform day-to-day work as a non-privileged user and only use privileged accounts for tasks that require additional capabilities.”
Principle of least privilege – user account only has rights to perform functions which are essential to that user’s work.

#8 Admin accounts are used for day-to-day activities

Risks
Increased risk or opportunity for system compromise

Solutions
Created a 2nd local account for day-to-day activities

#7 Server room: Physical controls lacking

No access control
Room not solely dedicated as a server room
Weak physical security
Lacking proper environmental controls
DM-01-S, “If institutional data are stored on any component of the university information system, that system component must have defined a formal system administration function and have assigned to it a system administrator whose responsibilities include: physical site security.”

#7 Server room: Physical controls lacking

Risks
Unauthorized access, Theft
Increased downtime
Loss of data

Solutions
Moved servers to Intelligent Infrastructure (IT-28)
Improved physical security and environmental controls

#6 Server(s) with public facing IPs without necessity

No documentation on why the server requires a public IP address

Server does not perform a service that requires a public IP

IT-12, “Technically limit access to local network addresses where possible given the function or process being supported.”

#6 Server(s) with public facing IPs without necessity

Risks
Increased exposure to cyber attacks

Solutions
Reviewed need for public IP addresses for all servers
Documented reasons for public IPs
Switched to private IPs
#5 Off site server backups are not properly secured or do not exist

Copies of server backups are not relocated to a secure environment

Off site backups are kept in an unsecured location

COBIT 4.1, DS4.9 Offsite Backup Storage

#5 Off site server backups are not properly secured or do not exist

Risks
Service interruption
Data loss

Solutions
Backup service, e.g. Tivoli Storage Manager (TSM)
New location for backups
Improved physical security of backups

#4 Disaster Recovery Plan does not exist or is outdated

DRP is not completed or is outdated

Business Continuity Plan (BCP) is treated as the DRP

DRP is not tested

COBIT DS4, Ensure Continuous Service

#4 Disaster Recovery Plan does not exist or is outdated

Risks
Loss of data
Service interruption for extended period

Solutions
Completed Disaster Recovery Plan
Template on protect.iu.edu
Scheduled testing of plan

#3 Server logs are not reviewed or not reviewed regularly

Server logs are not reviewed for system compromises, attacks, or suspicious activity

IT-12, “Scan computers for security vulnerabilities using available technical tools”

#3 Server logs are not reviewed or not reviewed regularly

Risks
Cyber attack, system compromise

Solutions
Implemented routine and scheduled manual reviews
Software tools, e.g. Event Viewer, Splunk
Central service, HELPnet LogAlert

#2 Scans for critical data are not occurring

Not knowing where critical data is stored or who is accessing

Identity Finder scans not being performed

IT-12, “functional unit management/technicians must: (1) Fully understand the sensitivity of the function or operation being supported by the system and the data being stored and/or manipulated on the system.”

#2 Scans for critical data are not occurring

Risks
Unauthorized access to critical data
Unsecured critical data

Solutions
Know the classification of institutional data and who has access
Run Identity Finder scans

#1 Vulnerability scans are not occurring on server(s)

Server scans are not scheduled with SiteProtector, Web Application Vulnerability Scanner, or any other tool

Identified vulnerabilities are not corrected in a timely manner

IT-12, “Scan computers for security vulnerabilities using technical tools”

#1 Vulnerability scans are not occurring on server(s)

Risks
System compromise
Data loss
Exposure of critical or restricted data

Solutions
Regularly scheduled vulnerability scans with UISO scanners
Plan to address vulnerabilities in a timely manner

Questions?
dgillesp@indiana.edu
Internal Audit

Christine Swafford, CPA, CIA, CISA, CRMA
Director

Dennis Gillespie
Assistant IS Director

Kevin Keough, CPA, CISA, CIA, CMA
Senior IS Auditor

Sarah Nichols, CPA, CISA
Senior Auditor

Blaine Komasinski, CISA
Senior IS Auditor

What will change moving forward
Next 3 years, list will look different

IT-28 implementation

Mobile devices, IT-12.1

Applications

All roles working together