Arizona State University Fiscal Year 2009 IT Risk Assessment Methodology Prepared for the January 22, 2009 Audit Committee Meeting

Transcription

1 Arizona State University Fiscal Year 2009 IT Risk Assessment Methodology Prepared for the January 22, 2009 Audit Committee Meeting This document provides an overview of the methodology used by ASU University Audit and Advisory Services to fulfill the expectations of the ABOR Audit Committee in developing the Fiscal Year 2009 IT Risk Assessment: I. Mandate The Audit Committee of the Arizona Board of Regents at their January 24, 2008 Meeting, (Agenda Item #4 Discussion of Proposed Changes to the Overall Internal Audit of the University System - Information Technology Audits), instructed that a permanent working group consisting of representatives from the tri-universities and the ABOR Central Office Staff: A. Assess IT audit coverage by the Auditor General and by internal audit B. Identify areas that should be subject to audit C. Establish priorities for audit D. Recommend an IT audit component of the annual audit plans to the chief audit executives and the Audit Committee, and E. Cooperate in audits as needed. II. Scope A. Determined Auditable Units based upon the organizational structure reflected within the Fiscal Year 2009 Sources and Uses Report B. Two IT Environments: Distributed (Colleges and Administrative Units Decentralized) and Centralized (University Technology Office) C. Five campuses (four physical university locations of Tempe, Downtown Phoenix, West and Polytechnic, along with the virtual campus of ASU Online) D. Report the assessment results in conformance with ISACA standard P1 - Information Systems Risk Assessment Measurement III. Methodology ABOR Central Office Audit Staff called a meeting on February 28, 2008, to discuss the audit objectives with the IT auditors from the tri-university audit staffs. The merits of utilizing the fundamental principles of the Information Systems Audit and Control Association (ISACA) methodology of COBIT 4.1 as a general guideline were reviewed, though it was left up to the IT auditors as how to accomplish the objective. It was also determined we were to report the assessment results in conformance with ISACA standard P1 - Information Systems Risk Assessment Measurement, described as a methodology to produce a risk model to optimize the assignment of IS audit resources through a comprehensive understanding of the organization s IS environment and the risks associated with each auditable unit. The IT Risk Assessment Engagement Letter (see attached) was sent out on March 6, The engagement meeting was held on March 13, 2008, with Adrian Sannier, University Technology Officer. In that meeting, Adrian Sannier agreed with the assessment objectives and provided further guidance by recommending that we collect information regarding the storage location and ownership of sensitive data Page 1 of 6

2 in order to further classify that data to better secure that data. Other meetings with UTO management, including the Information Security Officer, were also held at this time. Our background research and due diligence included, but was not limited to: ISACA P1 Information Security Risk Assessment Measurement COBIT 4.1 (to include a two-day course hosted by ISACA covering COBIT 4.1) ISO/IEC I7799:2005 Information Technology Security Techniques NIST Risk Management Guide Payment Card Industry (PCI) Data Security Standard IIA Guide to the Assessment of IT Risk Methodology (GAIT) COSO Enterprise Risk Management Model Office of the Auditor General Arizona s Universities Information Technology Security Audit From our research and a preliminary evaluation of the IT environment of the University we determined there were two distinct IT environments at ASU; distributed and centralized. We relied on the FY 2009 Sources and Uses report to establish the universe of Auditable Units for purposes of the IT Risk Assessment Survey Questionnaire. Auditable Units were defined as a departmental unit or any unit so designated. There were numerous Auditable Units across the four physical university locations of Tempe, Downtown Phoenix, West and Polytechnic campuses, along with the virtual campus of ASU Online, within the distributed environment. The centralized IT environment is defined as the facilities and services provided by the University Technology Office (UTO). Our next concern was how to thoroughly cover the universe of the distributed IT environment and how to best organize and present the information we collected. Prior IT Risk Assessments at ASU and the IIA GAIT Methodology both suggested that the fiscal financial structure of Sources and Uses reporting gave us the comprehensive coverage structure and the appropriate level of granularity we were looking for. It became apparent that the most practical way to present the information was to evaluate Auditable Units primarily at the departmental level as delineated within the Sources and Uses report. An evaluation of Sources and Uses report further revealed there were close to 240 Auditable Units (not to include centralized UTO) at the University at the departmental level inclusive of all four campus locations and ASU Online. We determined that each of the 240 Auditable Units would receive an IT Risk Assessment Survey Questionnaire (see attached). IV. IT Risk Assessment Survey Questionnaire Development We developed the Survey Questionnaire based primarily on the industry standard of ISO/IEC I7799:2005 (recently renamed ISO/IEC 27002:2005) written in Microsoft Excel. The multiple choice format was selected to provide uniformity in compiling the answers, make the Survey Questionnaire more userfriendly and decrease the time required to complete it. The multiple choice answers to each of these questions were then numbered so that a commensurate level of risk could be attached to each answer response (weighted from 3 to 5; 3 for Medium Risk, 4 for Medium High Risk and 5 for High Risk; 1 and 2 were not an option as information technology is inherently not a Low Risk or Low Medium Risk environment). The numbered answers were then used, when added together and averaged by subcategory, to arrive at either the Impact Risk Value or the Likelihood Risk Value for each Auditable Unit (following the ISACA P1 Information Systems Risk Assessments Measurement standard framework), as well as the Combined Risk Value and Risk Rating. This Risk Value Computation is found on the Auditable Unit s IT Risk Assessment Results Form (RARF, see attached). Page 2 of 6

3 Risk Value Computation found on the Risk Assessment Results Form (RARF) The responses that support the Risk Assessment Conclusion on the Auditable Unit s RARF are drawn from a total of 68 questions in PART ONE (tab one) of the Survey Questionnaire document. Business Managers were responsible for answering 38 of the questions and IT Administrators were responsible for answering the remaining 30 questions. In PART TWO (tab two), respondents were requested to list the software applications that are being utilized and the kinds of data they create, transfer and store for the Auditable Unit. Typically, IT Administrators are more familiar with the overall applications in use and how they map to the IT infrastructure, while Business Managers are more familiar with the specific data generated from those applications and user requirements. Ultimately, it is the Accountable Administrator, who is the head of the department or Auditable Unit (a VP, Dean, Chair, Director or designated Administrator), that is the responsible owner of the data, particularly sensitive data that is subject to regulations and compliance as to how that data is protected and stored. The applications and data information on PART TWO will serve to further facilitate a greater understanding of the composition of the data for any one Auditable Unit for data classification purposes. PART TWO seeks to identify sensitive and/or non-sensitive data and the location of where that data is stored. Succinctly, the Accountable Administrator is the data owner and the IT Administrator is the data custodian. To be effective, an IT Risk Assessment for an institution of higher education should be a collaboration between business and information technology. Page 3 of 6

4 With the Survey Questionnaire draft completed, we vetted the document against comparable examples from other institutions of higher learning and against the pronounced fundamental standards of IT security. The assessment related information from Ohio State University, New Mexico State University, the University of Minnesota and the University System of California was particularly beneficial. The one standard that we followed the closest while developing our Survey Questionnaire was ISO/IEC I7799, followed by COBIT 4.1, COSO and NIST Having developed a structure for the Survey Questionnaire that aligned with industry standards, we determined that we had to build flexibility into the document so that the diverse interests from the various parts of the distributed IT environment of the university would be represented equally and without bias. To do that, we determined that we must provide a range of multiple choice answers that would represent every possible answer, within reason. While holding the structure of our industry standard questions constant, we met with as many representative groups across the university as possible in order to discuss the questions and how they would answer them. From their answers we built a range of responses that we hoped would be inclusive for all the approximately 240 distributed Auditable Units at ASU. To accomplish our goal of representative participation, we met individually or in small groups with the Internal Audit Liaisons, which provided us with insight from a wide array of academic and administrative units within the University. We also requested every Liaison to include the ranking IT Administrator in their respective areas of responsibility for a two hour meeting designed to further review the effectiveness of the Survey Questionnaire. From those meetings, we also derived a more comprehensive range of multiple choice answers. The Internal Audit Liaisons represent the following areas of the University: President s Office Executive Vice President and Provost Office ASU at the Polytechnic Campus ASU at the West Campus ASU Online and Extended Campus Chief Financial Officer University Administration and Legal Affairs Research and Economic Affairs Public Affairs University Student Initiatives Intercollegiate Athletics (ICA) University Technology Office We went through all 68 multiple choice questions in these conference room meetings with overhead projector presentations in order to facilitate small group discussion for each question and each answer. Everyone s response mattered and everyone s input made a difference in further refining the ASU IT Risk Assessment Survey Questionnaire. For each answer we further discussed if the response indicated whether there was medium risk, medium high risk or high risk associated with the response and accordingly numerically weighted the response as well. We also requested the respondents to keep in mind whether the question was being answered from the business perspective or from the IT perspective. Building upon the input of the Internal Audit Liaisons and their IT Administrators, University Audit reached a representative range of responses for each of the individual questions; from just two possible answers, typically a Yes No question, to some of the more complex questions that encompass a range of response of up to eight possible answers. Page 4 of 6

5 Because of the singular opportunity presented by the Survey Questionnaire to interact with the business and IT representative of such a broad spectrum of Auditable Units across the University, we determined that we wanted to include open ended questions at the end of the document. Based on feedback gained during these meetings, we added four narrative questions in order to provide respondents the venue to share with us (1) any security breach within their respective areas during the past twelve months, (2) any additional information that they would like to provide, (3) any Survey Questionnaire question(s) they would change and (4) specific questions where respondents felt that an adequate answer wasn t provided among the choices given. For that question we asked that they leave the original answer blank, list the number of the question in the space provided at the end of the Survey Questionnaire (see #72 on page 7 of PART ONE), followed by their own answer to the question. We would then follow-up and evaluate their response for the question, weight it for risk and include it in that Auditable Unit s Risk Rating. To further get the word out about the Survey Questionnaire and to request additional feedback from the information technology community at ASU, we next made presentations to the University Technology Council and the USIST monthly meeting. The members were all provided with Survey Questionnaire drafts and were asked to reply back to us with their comments. We also presented the Survey Questionnaire and answered questions regarding the rollout process to the Academic Unit Business Managers at their monthly meeting. This was an important presentation because these individuals serve as the senior financial administrators for their respective academic units, and as such would be directly responsible for facilitating the Survey Questionnaire responses through their Auditable Units. V. IT Risk Assessment Survey Questionnaire Distribution During the first week of October 2008, the ASU IT Risk Assessment Survey Questionnaire had reached the requisite level of assurance necessary to go forward with distribution of the document to all 240 Auditable Units. We met with Paul Ward, Vice President, University Administration and Legal Affairs, and LeEtta Overmyer, Deputy Vice President, to review the Survey Questionnaire and the Methodology to date. With Paul Ward s guidance, we then met with Adrian Sannier, University Technology Officer, and Scott Banks, Information Security Officer, to review the methodology and gain their acceptance to go forward with distribution of the Survey Questionnaire. Adrian was in agreement with the methodology and provided a cover letter addressed to Survey Questionnaire Participants which endorsed the IT Risk Assessment process and emphasized the importance of the respondent s full and timely participation (see attached). Along with the Survey Questionnaire Participants, the cover letter was also sent to Elizabeth Capaldi, Executive Vice President and Provost of the University; Carol Campbell, Executive Vice President and Chief Financial Officer; and Paul Ward, Vice President. Their participation further established tone at the top that emphasized and reinforced the importance of improved IT security at ASU. Following the endorsement of senior management, we began distribution of the Survey Questionnaire in a gradual rollout process to control the process and ensure the reliability of the results. The fifteen Auditable Units of the Ira A. Fulton School of Engineering were used as our test sample. The results of those Survey Questionnaires were reviewed, changes were made to the document as appropriate and the revised Survey Questionnaire was rolled out to the remainder of the Auditable Unit population. As of December 31, 2008, all Survey Questionnaires have been distributed to a total of 245 Auditable Units. Those documents were targeted to reach the Business Representative and the IT Administrator that were the most knowledgeable for any given Auditable Unit. The Survey Questionnaire also required the participation of the Senior Business Representative and the Senior IT Administrator, as well as the Page 5 of 6

6 Accountable Administrator, who is the VP, Dean, Chair, Director or designated Administrator for the Auditable Unit. While those closest to the daily operations of business and information technology answered the bulk of the questions, it was the Accountable Administrator that had the final signoff before returning the completed document to University Audit. Over 400 individuals at the University in varying capacities have directly participated in the distributed Fiscal Year 2009 ASU IT Risk Assessment Survey Questionnaire process. VI. Results To date, there has been over a 75% response from Auditable Units returning their Survey Questionnaires. If we include the Survey Questionnaire responses that are currently outstanding but committed to respond, the final response increases to greater than 85%. VII. Deliverables The IT Risk Assessment Results Form (RARF) summarizes results drawn from the Survey Questionnaire document for each Auditable Unit which highlights areas of risk: sensitive data and data storage locations, risk attributes, and Web-based applications, if any. The RARF provides Auditable Unit administrators with an overview of areas of risk that require varying degrees of remediation. The Risk Value Computation results drawn from the survey questionnaire responses are further stratified to Impact Risk Value and Likelihood Risk Value from which a Risk Assessment Conclusion is determined in a Combined Risk Value and Risk Rating. These two overall risk factors of Combined Risk Value and Risk Rating are carried forward to a comprehensive report that compares the risk of all Auditable Units across the University (the IT Risk Assessment Ranking Report). The IT Risk Assessment Ranking Report ranks the Auditable Unit universe based on Combined Risk Value and Risk Rating. This report will rank the Auditable Units from highest to lowest risk and will serve as the basis for prioritizing future IT audits and other special projects. Trends within the Risk Assessment information gathered to date have provided insights into potential security weaknesses of a significant nature that were previously unassessed and are currently being evaluated for remedial action. The Survey Questionnaire document itself served as a training mechanism for Auditable units reviewing their internal processes for appropriate controls and adherence to University policy. Page 6 of 6