Department of Information Technology Database Administration Management Audit Final Report
|
|
- Kory Porter
- 2 years ago
- Views:
Transcription
1 Department of Information Technology Database Administration Management Audit Final Report October 2009 promoting efficient & effective local government
2 Executive Summary Much of the county s data is stored in and accessed through databases. These databases are used by critical business applications including the Sheriff s Inmate Systems (SIMS), the Fairfax Inspections Database Online (FIDO) application which supports the Department of Public Works, the Department of Planning and Zoning, the Health Department, and the Fire and Rescue Department, and dozens of additional systems. Database management systems (DBMS) are used to access the data stored in databases. Common database management systems are SQL, Oracle, DB2, and IDMS all of which are used by the county. Database administrators (DBAs) work with application developers and user agencies to maintain the databases and the database management systems throughout the lifecycle of the applications which use them. These administrators are tasked with managing the availability, reliability, security and performance of the county s databases and the database management systems. The DBA group resides within the Technology Infrastructure Division (TID) of the Department of Information Technology (DIT). They administer approximately 300 databases, up from 23 in 2001, in SQL, Oracle, DB2, and IDMS. The number of DB2 and IDMS databases is stable while the use of SQL and Oracle databases is increasing. We found that physical safeguards to protect the hardware were in place and working effectively. Most of the databases resided on servers and on the IBM mainframe which were housed in the enterprise data center. Our primary areas of concerns were the separation of duties and supervision, audit trails, and change controls. Our findings were: Monitoring of DBA-level activities was not as effective as it should be since there was no independent review of DBA actions by the county s IT Security Group. Compliance with the portions of the county s Information Technology Security Policy related to access controls and audit trail requirements needed to be strengthened. DBA level access was given to staff outside of the DBA group without the necessary oversight by senior DBA staff. Audit trails of DBA-level modifications were not consistently accessible across systems and applications. In several cases production data was regularly copied to development and testing databases with no masking of potentially identifying, sensitive, or confidential data. In regard to the SQL and Oracle databases, separation of duties among the DBA group and other DIT staff as it relates to managing the database management systems and limiting access to production data was not sufficient. We did find written documentation addressing the roles of DBAs but it lacked a detailed separation of duties discussion. Change management standards were not always followed when changes were made to production databases, and system or server software. For example, a change was implemented and reviewed by the same person, or a change was not documented in the Infra software which is used to track changes. Backups of databases and software were adequate but there was no documentation of disaster recovery planning or testing for Oracle or SQL databases and servers. However, this is an outstanding finding from a previous audit (Data Center Disaster Recovery) which was performed in September Database Management Audit 1
3 Scope and Objectives This audit was performed as part of our fiscal year 2008 Annual Audit Plan and was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The scope of this audit covered the period from June 2007 through June Our objectives for this audit were: Determine the availability of written policies and procedures that define roles and responsibilities of the database administrators. Verify that database access is controlled and limited to that level necessary for users to do their job Confirm that audit trials are maintained and reviewed regularly Verify that appropriate change management controls are in place Verify that adequate security controls are in place and functioning Confirm that backup and recovery procedures exist and are tested regularly Methodology Our audit approach included reviewing the applicable system documentation, checking for compliance with internal county policies and procedures, interviewing management and staff of the database management group, and observing the processes used to maintain the database management systems managed by the Department of Information Technology. Application-level controls for the systems that use these databases were not examined, as they would be reviewed as part of separate application audits. Also, databases not managed by DIT were not included in this audit. We used as references Fairfax County s Information Technology Security Policy and the DIT Change Management Policy last revised in September of The Fairfax County Internal Audit Office is free from organizational impairments to independence in our reporting as defined by Government Auditing Standards. We report directly and are accountable to the county executive. Organizationally, we are outside the staff or line management function of the units that we audit. We report the results of our audits to the county executive and the Board of Supervisors, and reports are available to the public. Database Management Audit 2
4 Findings, Recommendations, and Management Response 1. Security Oversight SQL and UNIX servers are used for important applications such as the Financial Accounting Comprehensive Tracking System (FACTS), Treasury Workstation (TWS), and the Sheriff Information Management Systems (SIMS) and the associated databases. The IT Security Group does not have independent access to these servers. They have to go through another group in DIT for access, and sometimes rely on another group to provide data from the servers. Without independent access, there is an increased risk to the county for fraud, undetected intrusion, or error due to the changing of data before IT Security sees it, or through the IT Security Group being given incomplete access and not seeing the whole picture. The IT Security Group cannot fully evaluate and monitor server activities, or troubleshoot potential security problems without this independent access. Recommendation: We recommend that independent read-only access to all databases and servers be provided to the IT Security Group for the purpose of monitoring the activities of privileged accounts and troubleshooting possible security issues. Management Response: The IT Security Group will have independent read-only access to all databases for DBProtect for the purpose of monitoring the activities of privileged accounts and troubleshooting possible security issues. The IT Security Group will create a routine procedure and conduct regularly scheduled checks on database activities. The estimated completion date is December 31, Separation of Duties and Supervision Several SQL applications used by county agencies were supported by DIT staff outside of the DBA group, who had DBA level access to the production databases and system level access to software and hardware. This condition existed on important application systems such as SIMS (Sheriff), FACTS (Budget), and several applications supporting the Department of Public Works and Environmental Services. There were also application developers in DIT with full Oracle DBA level access to production databases. One of the applications affected is Fairfax Inspections Database Online (FIDO). Broad access to production data and software with little or no monitoring and oversight may allow unauthorized changes to occur. For example, a computer programmer responsible for designing, writing, testing, and distributing Oracle program modifications who also has access to the production database content could either inadvertently or deliberately implement computer program changes that did not process data in accordance with management s policies or that included malicious code. Separation of duties provides control by not allowing the same group or person to have the capability to perform tasks at any two of the following levels. Database Management Audit 3
5 User/Owner - create, modify, or delete production data Application Developer - modify application code DBA maintain DBMS system settings or code System - maintain system software or hardware Dividing duties in this manner diminishes the likelihood that erroneous or inappropriate actions will go undetected because the activities of one group or person will serve as a check on the activities of the others. Activities that involve critical or large dollar transactions or are inherently risky, such as the DBA functions, should be divided to enhance controls and be subject to extensive supervisory review. We found little or no evidence of direct supervisory oversight of DBA actions or of DBA level tasks performed by staff outside of the DBA group. Supervisory oversight includes regular monitoring of access through audit reports, review of results of work once it has been completed, and verification that staff is adhering to county standards. This lack of oversight compounds the risks existing from the inadequate separation of duties. In discussions with DIT management, we learned that there is consideration being given to changing the business model to put DBAs in application development groups, rather than keeping them together in a separate unit as they are currently. While this may remedy the need for application developers to have code access plus DBA level access, it could raise other issues, such as on-call coverage for database management, and control over system-wide modifications that occasionally need to be made to database management systems. Recommendation: We recommend that DBA level access to production databases not be given to staff that also have system software level access, or application developer access. Regardless of whether the DBAs are scattered throughout the IT organization, or in a group by themselves, their work should be monitored by a qualified DBA in a formal supervisory role. Management Response: DIT will assure that additional exceptions to policy waivers will be executed where needed. In addition, system notification processes are being implemented for the exception cases. The report will be reviewed by the associated branch manager/team lead on a daily basis. The change management numbers will be generated, along with justifications, and these processes are on file in the relevant DIT divisions. 3. Audit Trails for DBA Actions The presence of a thorough audit trail can assist management in accomplishing security objectives including detecting violations, reconstructing events, and resolving application processing problems. The audit trail is the evidence that demonstrates how a specific action was initiated, processed, and summarized. It should enable management to determine who performed the action, what the action accomplished, and when the action was taken. The Fairfax County Information Security Policy (PM ) dated Database Management Audit 4
6 October 5, 2007, mandates the use of audit logs for all confidential and sensitive data. These audit logs should include records of all modifications to the databases by the DBAs. These changes made by DBAs include modifications to the database structure, connections to other databases and/or applications, granting or removing access to tables, and adding or deleting tables. The lack of an audit trail of these changes leaves the county vulnerable to error or fraud. For example, a change could be made to production data or to who has access to it, and then removed at a later time without anyone realizing that a change was made. At the onset of the audit, there was no efficient tool in place to provide audit data to the Internal Audit Office or to the DBA staff. However, during the course of the audit, the tool DBProtect was installed. DIT DBA staff tested the product and found that although it was installed it was not capturing all of the DBA-level changes. Work is in progress to modify the configuration of DBProtect to capture all of these changes. Besides this general log, each application could have its own audit log depending on what was set up at application implementation. DBA-level changes to the application database such as schema changes would be captured in this log. Internal Audit found that some applications did not utilize this type of audit log. Since DBA level changes could be captured in either of these two types of logs, depending on what action was taken, it was difficult to identify and follow an audit trail for a particular change recorded in the change management system. Recommendation: We recommend that DBProtect be configured to produce reports of all DBA-level activities occurring on production databases and that management review them periodically (at least monthly). We also recommend that all applications containing sensitive or confidential data be required to maintain at a minimum, one week s worth of production data, database, and source code modification activity. Management Response: The county has purchased DBProtect, a tool that will allow the auditing of Oracle databases on the enterprise servers. This software is configured to record actions by all staff with Oracle DBA privileges. Reports are produced from the audit logs and management staff reviews the reports periodically to monitor the activity. While DBProtect is being implemented, the DBA has created a read-only account for the Information Security Office to review activity. These items have been implemented. 4. Production Data Masking The Information Technology Security Policy requires that all data be classified according to specified criteria as confidential, sensitive, internal use only, and public use. In several cases production data was regularly copied to development databases with no masking of potentially identifying, sensitive, or confidential data. The Fairfax Inspections Database Online (FIDO) application and the IAS (Tax) application are both examples of applications that use this practice. Using a copy of the production database is the easiest way for application developers to be sure that they are coding and testing all possible data conditions. However, if this practice is to be used, data masking should be employed to protect all sensitive or confidential Database Management Audit 5
7 information. The use of unmasked production data in a development, test, or training environment leaves the county vulnerable to fraud, legal consequences, and damage to the county s reputation by allowing production data to be viewed by staff not authorized to access it. The security afforded by restrictions to production data access is negated by the practice of copying to other less restrictive environments. Recommendation: We recommend that: 1. DIT establish a standard method for data owners to communicate the classification levels of all data based on the criteria in the Information Technology Security Policy In all instances where production data is to be copied to any another environment, such as development, test, or training, a process be put in place to use a data masking method on data classified as sensitive or confidential. 3. For databases containing information that has not been classified based on the criteria in the Information Technology Security Policy , no copying of the production data should take place until such classification is completed. Management Response: DIT will develop a process for documenting direction from data owners for the need to mask where production data is to be copied into another environment, such as development, test, or training. A process will be put in place to use a data masking method on data classified as sensitive or confidential. The above items have been implemented for FIDO. The owner agency for IAS determined that data is not sensitive and does not require masking. 5. Change Management The changes performed by the SQL and Oracle administrators and DBAs did not always go through the county s change management process. We found records of only 16 SQL and 9 Oracle change records for the DBA group in the Infra (and Quintus) change logs for FY Further, we could not in consultation with DIT identify DB2 and IDMS changes in the Infra change request records. This indicates that only a small number of the changes were recorded. The IT Security Policy requires that all changes follow the DIT change management procedures and schedule. The lack of compliance with the county s change management standard by DBAs and system administrators for database and server changes caused an increased risk to the availability and integrity of the software and data. The time required to troubleshoot a problem in a database or application is increased if a change was made to any part of the software and no documentation of the change exists. The person who made the change may not be aware that a problem exists, and therefore not be involved in the fix. Although some of the database changes are requested by the data owner or application developer, the DBA staff should not move forward with implementation until change management standards are satisfied including the creation of a change request record in Infra, the current change management reporting tool. Recommendation: We recommend that all changes to databases and system hardware or software be performed according to the DIT Change Management Policy Database Management Audit 6
8 and schedule or be verified through direct supervision. This will provide for independent verification of changes and assurance that no changes will be implemented without the knowledge of at least one person other than the implementer. The DIT Change Management Policy requirements include entering the information into Infra, the county s current change management reporting tool, attending the weekly change management meeting to answer any questions regarding the change, and keeping the status of the change updated in Infra. Management Response: All the changes to databases and system hardware or software will be performed according to the DIT Change Management Policy and schedule. This includes entering the information into Infra, the county s current change management reporting tool, attending the weekly change management meeting to answer any questions regarding the change, and keeping the status of the change updated in Infra. These items have been implemented. Database Management Audit 7
Department of Information Technology Software Change Control Audit - Mainframe Systems Final Report
Department of Information Technology Software Change Control Audit - Mainframe Systems Final Report March 2007 promoting efficient & effective local government Introduction Software change involves modifications
April 2010. promoting efficient & effective local government
Department of Public Works and Environmental Services Department of Information Technology Fairfax Inspections Database Online (FIDO) Application Audit Final Report April 2010 promoting efficient & effective
INTERNAL AUDIT REPORT. Review of Software Change Management. Fairfax County Internal Audit Office
INTERNAL AUDIT REPORT Review of Software Change Management FAIRFAX COUNTY, VIRGINIA INTERNAL AUDIT OFFICE M E M O R A N D U M TO: Anthony H. Griffin DATE: May 2, 2002 County Executive FROM: SUBJECT: Ronald
Department of Finance Department of Purchasing and Supply Management Fixed Assets System Audit Final Report
Department of Finance Department of Purchasing and Supply Management Fixed Assets System Audit Final Report November 2006 promoting efficient & effective local government Executive Summary The Department
Department of Information Technology Data Center Disaster Recovery Audit Report Final Report. September 2006
Department of Information Technology Data Center Disaster Recovery Audit Report Final Report September 2006 promoting efficient & effective local government Executive Summary Our audit found that a comprehensive
Health Insurance Portability and Accountability Act (HIPAA) Compliance Audit Final Report
Health Insurance Portability and Accountability Act (HIPAA) Compliance Audit Final Report April 2009 promoting efficient & effective local government Background The Health Insurance Portability and Accountability
Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget
Office of the Auditor General Performance Audit Report Statewide Oracle Database Controls Department of Technology, Management, and Budget March 2015 071-0565-14 State of Michigan Auditor General Doug
MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL
MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL ...The auditor general shall conduct post audits of financial transactions and accounts of the state and of
Office of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
Department of Information Technology Active Directory Audit Final Report. August 2008. promoting efficient & effective local government
Department of Information Technology Active Directory Audit Final Report August 2008 promoting efficient & effective local government Executive Summary Active Directory (AD) is a directory service by Microsoft
Department of Public Safety and Correctional Services Information Technology and Communications Division
Audit Report Department of Public Safety and Correctional Services Information Technology and Communications Division March 2008 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND
GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior
GAO United States General Accounting Office Report to the Secretary of the Interior July 2001 INFORMATION SECURITY Weak Controls Place Interior s Financial and Other Data at Risk GAO-01-615 United States
IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results
Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.
Internal Audit Department NeighborWorks America. Audit Review of Database Administration and Controls
Department NeighborWorks America Audit Review of Database Administration and Controls Project Number: IM.DATADMN.2013 Audit Review of Database Administration and Controls Table of Contents Project Completion
ADMINISTRATOR, NETWORK AND INFORMATION SYSTEMS
PERSONNEL COMMISSION Class Code: 5165 Salary Range: 51 (M2) JOB SUMMARY ADMINISTRATOR, NETWORK AND INFORMATION SYSTEMS Under administrative direction, plan, organize, control and administer the District
Mecklenburg County Department of Internal Audit. PeopleSoft Application Security Audit Report 1452
Mecklenburg County Department of Internal Audit PeopleSoft Application Security Audit Report 1452 February 9, 2015 Internal Audit s Mission Through open communication, professionalism, expertise and trust,
MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL
MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL The auditor general shall conduct post audits of financial transactions and accounts of the state and of all
Information Resources Security Guidelines
Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive
Data Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07
EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014
Department of Information Technology Remote Access Audit Final Report. January 2010. promoting efficient & effective local government
Department of Information Technology Remote Access Audit Final Report January 2010 promoting efficient & effective local government Background Remote access is a service provided by the county to the Fairfax
Judiciary Judicial Information Systems
Audit Report Judiciary Judicial Information Systems November 2008 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND GENERAL ASSEMBLY This report and any related follow-up correspondence
Final Audit Report. Audit of Data Integrity MCCS Feeder System Interfacing with SAP
Final Audit Report Audit of Data Integrity MCCS Feeder System Interfacing with SAP April 2008 Table of Contents Executive Summary... ii Introduction...........1 Background... 1 Audit Objectives... 1 Scope
U.S. Department of the Interior Office of Inspector General AUDIT REPORT
U.S. Department of the Interior Office of Inspector General AUDIT REPORT GENERAL CONTROL ENVIRONMENT OF THE FEDERAL FINANCIAL SYSTEM AT THE RESTON GENERAL PURPOSE COMPUTER CENTER, U.S. GEOLOGICAL SURVEY
Department of Public Works and Environmental Services Division of Solid Waste Disposal and Resource Recovery
Department of Public Works and Environmental Services Division of Solid Waste Disposal and Resource Recovery Revenue Collection Process Audit Final Report February 2008 promoting efficient & effective
PART 10 COMPUTER SYSTEMS
PART 10 COMPUTER SYSTEMS 10-1 PART 10 COMPUTER SYSTEMS The following is a general outline of steps to follow when contemplating the purchase of data processing hardware and/or software. The State Board
Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer
IPSWITCH FILE TRANSFER WHITE PAPER Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer www.ipswitchft.com Adherence to United States government security standards can be complex to plan
Supplier Security Assessment Questionnaire
HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.
FEDERAL FAMILY EDUCATION LOAN PROGRAM (FFELP) SYSTEM
REPORT NO. 2015-007 AUGUST 2014 DEPARTMENT OF EDUCATION FEDERAL FAMILY EDUCATION LOAN PROGRAM (FFELP) SYSTEM Information Technology Operational Audit DEPARTMENT OF EDUCATION Pursuant to Article IX, Section
Information Technology Operational Audit DEPARTMENT OF STATE. Florida Voter Registration System (FVRS) Report No. 2016-002 July 2015
July 2015 Information Technology Operational Audit DEPARTMENT OF STATE Florida Voter Registration System (FVRS) Sherrill F. Norman, CPA Auditor General Secretary of State Section 20.10, Florida Statutes,
Maryland State Department of Education
Audit Report Maryland State Department of Education February 2013 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND GENERAL ASSEMBLY This report and any related follow-up correspondence
University of Wisconsin-Madison Policy and Procedure
Page 1 of 14 I. Policy II. A. The, the units of the UW-Madison Health Care Component and each individual or unit within UW-Madison that is a Business Associate of a covered entity (hereafter collectively
Practical Guidance for Auditing IT General Controls. September 2, 2009
Practical Guidance for Auditing IT General Controls Chase Whitaker, CPA, CIA September 2, 2009 About Hospital Corporation of America $28B annual revenue $24B total assets $4.6B EBDITA $673M Net Income
Comptroller of the Treasury Information Technology Division
Audit Report Comptroller of the Treasury Information Technology Division September 2006 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND GENERAL ASSEMBLY This report and any related
OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii
The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department
Meaningful Use and Core Requirement 15
Meaningful Use and Core Requirement 15 How can I comply the lack of time and staff... www.compliancygroup.com 1 Meaningful Use and Core Requirement 15 Meaningful Use Protection of Protected Health Information
Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np
Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security
Information Security Handbook
Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...
State of Wisconsin Database Hosting Services Roles and Responsibilities
State of Wisconsin Hosting Services oles and esponsibilities Document evision History (Major Post Publishing evisions Only) Date Version reator Notes 12/9/2010 1.0 This document describes the Hosting Services
GUIDANCE FOR MANAGING THIRD-PARTY RISK
GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,
U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL
U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal
STATE OF NORTH CAROLINA
STATE OF NORTH CAROLINA INFORMATION SYSTEMS AUDIT OFFICE OF INFORMATION TECHNOLOGY SERVICES INFORMATION TECHNOLOGY GENERAL CONTROLS OCTOBER 2014 OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA STATE AUDITOR
AUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT TRANSPORTATION AUDIT PROGRAM
GENERAL: The Technology department is responsible for the managing of electronic devices and software for the District, as well as the Help Desk for resolution of employee-created help tickets. The subgroups
HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE
PERFORMANCE AUDIT OF HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE DEPARTMENT OF CIVIL SERVICE July 2004 ...The auditor general shall conduct post audits of financial transactions and accounts
General IT Controls Audit Program
Contributed February 5, 2002 by Paul P Shotter General IT Controls Audit Program Purpose / Scope Perform a General Controls review of Information Technology (IT). The reviews
CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS
11-1 CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS INTRODUCTION The State Board of Accounts, in accordance with State statutes and the Statements on Auditing Standards Numbers 78
FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS
TABLE OF CONTENTS General Topics Purpose and Authorities Roles and Responsibilities Policy and Program Waiver Process Contact Abbreviated Sections/Questions 7.1 What is the purpose of this chapter? 7.2
Performance Audit E-Service Systems Security
Performance Audit E-Service Systems Security October 2009 City Auditor s Office City of Kansas City, Missouri 15-2008 October 21, 2009 Honorable Mayor and Members of the City Council: This performance
OCC 98-3 OCC BULLETIN
To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal Branches and Agencies, Deputy Comptrollers, Department and Division Heads, and Examining Personnel
INFORMATION SECURITY California Maritime Academy
CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California Maritime Academy Audit Report 14-54 April 8, 2015 Senior Director: Mike Caldera IT Audit Manager:
Sample Career Ladder/Lattice for Information Technology
Click on a job title to see examples of descriptive information about the job. Click on a link between job titles to see the critical development experiences needed to move to that job on the pathway.
Office of the State Controller. Self-Assessment of Internal Controls. Computer Security Cycle. Objectives and Risks
Office of the State Controller Self-Assessment of Internal Controls Computer Security Cycle Objectives and Risks Agency Year-End Objectives Risks Definition and communication of organizational structure,
OFFICE OF THE CITY AUDITOR
OFFICE OF THE CITY AUDITOR AUDIT OF THE VITAL STATISTICS BIRTH AND DEATH CERTIFICATE IMAGING SYSTEM Paul T. Garner Assistant City Auditor Prepared by: Tony Aguilar, CISA Sr. IT Auditor Bill Steer, CPA,
ROSS PHILO EXECUTIVE VICE PRESIDENT AND CHIEF INFORMATION OFFICER
July 22, 2010 ROSS PHILO EXECUTIVE VICE PRESIDENT AND CHIEF INFORMATION OFFICER DEBORAH J. JUDY DIRECTOR, INFORMATION TECHNOLOGY OPERATIONS CHARLES L. MCGANN, JR. MANAGER, CORPORATE INFORMATION SECURITY
DETAIL AUDIT PROGRAM Information Systems General Controls Review
Contributed 4/23/99 by Steve_Parker/TBE/Teledyne@teledyne.com DETAIL AUDIT PROGRAM Information Systems General Controls Review 1.0 Introduction The objectives of this audit are to review policies, procedures,
NORTH DAKOTA CLASS DESCRIPTION ND Human Resource Management Services Phone: (701) 328-3290
NORTH DAKOTA CLASS DESCRIPTION ND Human Resource Management Services Phone: (701) 328-3290 Class Code(s): 0117 0118 SCOPE OF WORK: INFORMATION SYSTEMS SECURITY ANALYST Work involves the completion of technical
Special Item No. 132-51 Information Technology Professional Services. Government Site GSA Rate Effective March 6, 2015
Fixed Hourly Rates - Labor Category Contract Number: GS-35F-0278L Period Covered by Contract: March 7, 2001 through March 6, 2016 Amendment/Modification No.: PS-0011 dated March 4, 2011 Special Item No.
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION The Mainframe Databases Reviewed Met Security Requirements; However, Automated Security Scans Were Not Performed September 30, 2011 Reference Number: 2011-20-099
University of Central Florida Class Specification Administrative and Professional. Information Security Officer
Information Security Officer Job Code: 2534 Serve as the information security officer for the University. Develop and computer security system standards, policies, and procedures. Serve as technical team
Computer Security Roles and Responsibilities and Training Should Remain Part of the Computer Security Material Weakness.
Computer Security Roles and Responsibilities and Training Should Remain Part of the Computer Security Material Weakness September 2004 Reference Number: 2004-20-155 This report has cleared the Treasury
Database Auditing & Security. Brian Flasck - IBM Louise Joosse - BPSolutions
Database Auditing & Security Brian Flasck - IBM Louise Joosse - BPSolutions Agenda Introduction Drivers for Better DB Security InfoSphere Guardium Solution Summary Netherlands Case Study The need for additional
FRESNO COUNTY OFFICE OF EDUCATION CLASSIFIED MANAGEMENT POSITION Effective: October 1, 2015
JCN: 192 EXEMPT FRESNO COUNTY OFFICE OF EDUCATION CLASSIFIED MANAGEMENT POSITION Effective: October 1, 2015 CLASS TITLE: DIRECTOR - APPLICATION DEVELOPMENT AND SUPPORT BASIC FUNCTION: Under the direction
INFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards
Specific observations and recommendations that were discussed with campus management are presented in detail below.
CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California State University, San Bernardino Audit Report 14-55 March 18, 2015 EXECUTIVE SUMMARY OBJECTIVE
CHIS, Inc. Privacy General Guidelines
CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified
Module 5 Introduction to Processes and Controls
IT Terminology 1. General IT Environment The general IT environment is the umbrella over the following IT processes: 1. Operating Systems 2. Physical and Logical Security 3. Program Changes 4. System Development
A Database Security Management White Paper: Securing the Information Business Relies On. November 2004
A Database Security Management White Paper: Securing the Information Business Relies On November 2004 IPLocks, Inc. 441-A W. Trimble Road, San Jose, CA 95131 USA A Database Security Management White Paper:
HIPAA Compliance: Are you prepared for the new regulatory changes?
HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed
Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget
Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,
NSERC SSHRC AUDIT OF IT SECURITY Corporate Internal Audit Division
AUDIT OF IT SECURITY Corporate Internal Audit Division Natural Sciences and Engineering Research Council of Canada Social Sciences and Humanities Research Council of Canada September 20, 2012 Corporate
INFORMATION TECHNOLOGY CONTROLS
CHAPTER 14 INFORMATION TECHNOLOGY CONTROLS SCOPE This chapter addresses requirements common to all financial accounting systems and is not limited to the statewide financial accounting system, ENCOMPASS,
Maintaining the operational effectiveness of organisation s Database management systems
Database Administrator Position title Division Business Business Unit Classification Database Administrator Shared Services Information, Communication and Technology (ICT) Operations D Responsible for
Department of Transportation Financial Management Information System Centralized Operations
Audit Report Department of Transportation Financial Management Information System Centralized Operations July 2001 This report and any related follow-up correspondence are available to the public and may
State of West Virginia Office of Technology Policy: Change & Configuration Management Issued by the CTO
Policy: Change & Configuration Management Issued by the CTO Policy No: WVOT-PO1015 Issue Date: 9/01/14 Revised Date: 7/01/15 Page 1 of 5 1.0 PURPOSE The purpose of Enterprise Change Management is to standardize
BKDconnect Security Overview
BKDconnect Security Overview 1 Introduction 1.1 What is BKDconnect 1.2 Site Creation 1.3 Client Authentication and Access 2 Security Design 2.1 Confidentiality 2.1.1 Least Privilege and Role Based Security
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Evaluation Report The Department's Unclassified Cyber Security Program 2011 DOE/IG-0856 October 2011 Department of
InfoSphere Guardium Ingmārs Briedis (ingmars.briedis@also.com) IBM SW solutions
InfoSphere Guardium Ingmārs Briedis (ingmars.briedis@also.com) IBM SW solutions Agenda Any questions unresolved? The Guardium Architecture Integration with Existing Infrastructure Summary Any questions
DIVISION OF INFORMATION SECURITY (DIS)
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Information Systems Acquisitions, Development, and Maintenance v1.0 October 15, 2013 Revision History Update this table every time a new
OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific documents requested,
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION SYSTEM GENERAL CONTROLS AT THREE CALIFORNIA MANAGED-CARE
Computer Security Incident Response Team
Computer Security Incident Response Team Operational Standards The University of Scranton Information Security Office August 2014 Table of Contents 1.0 Operational Standards Document Overview... 3 2.0
DATABASE ANALYST I DATABASE ANALYST II
CITY OF ROSEVILLE DATABASE ANALYST I DATABASE ANALYST II DEFINITION To perform professional level work in designing, installing, managing, updating, and securing a variety of database systems, including
Self-Service SOX Auditing With S3 Control
Self-Service SOX Auditing With S3 Control The Sarbanes-Oxley Act (SOX), passed by the US Congress in 2002, represents a fundamental shift in corporate governance norms. As corporations come to terms with
GUIDELINES FOR THE MANAGEMENT OF OPERATIONAL RISK FOR CREDIT UNIONS
SUPERVISORY AND REGULATORY GUIDELINES Guidelines Issued: 22 December 2015 GUIDELINES FOR THE MANAGEMENT OF OPERATIONAL RISK FOR CREDIT UNIONS 1. INTRODUCTION 1.1 The Central Bank of The Bahamas ( the Central
Department of Purchasing and Supply Management Contract Management Audit Final Report. August 2011. promoting efficient & effective local government
Department of Purchasing and Supply Management Contract Management Audit Final Report August 2011 promoting efficient & effective local government Introduction The Purchasing and Supply Management Department
GAO INFORMATION SYSTEMS. The Status of Computer Security at the Department of Veterans Affairs. Report to the Secretary of Veterans Affairs
GAO United States General Accounting Office Report to the Secretary of Veterans Affairs October 1999 INFORMATION SYSTEMS The Status of Computer Security at the Department of Veterans Affairs GAO/AIMD-00-5
Department of Public Utilities Customer Information System (BANNER)
REPORT # 2010-06 AUDIT of the Customer Information System (BANNER) January 2010 TABLE OF CONTENTS Executive Summary..... i Comprehensive List of Recommendations. iii Introduction, Objective, Methodology
Technical Competency Framework for Information Management (IM)
Technical Competency Framework for Information Management (IM) Office of the Chief Information Officer (OCIO) June 15, 2009 Table of contents IM Competency Framework...1 Competency 1: Information Management
Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12
Evaluation Report Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review April 30, 2014 Report Number 14-12 U.S. Small Business Administration Office of Inspector General
March 2012 www.tufin.com
SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...
White Paper. Regulatory Compliance and Database Management
White Paper Regulatory Compliance and Database Management March 2006 Introduction Top of mind in business executives today is how to meet new regulatory compliance and corporate governance. New laws are
HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries
Securing Oracle E-Business Suite in the Cloud
Securing Oracle E-Business Suite in the Cloud November 18, 2015 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy Corporation Agenda The
APHIS INTERNET USE AND SECURITY POLICY
United States Department of Agriculture Marketing and Regulatory Programs Animal and Plant Health Inspection Service Directive APHIS 3140.3 5/26/2000 APHIS INTERNET USE AND SECURITY POLICY 1. PURPOSE This
The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:
Executive Summary Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Program (ISP) that is approved by the head of the institution. 1 Governance
Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification
Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices
September 2011 Report No. 12-002
John Keel, CPA State Auditor An Audit Report on The Criminal Justice Information System at the Department of Public Safety and the Texas Department of Criminal Justice Report No. 12-002 An Audit Report