Putnam/Northern Westchester BOCES Internal Audit Report on Information Technology

TABLE OF CONTENTS

Report on Internal Controls Related to Information Technology
Network and Network Security
Accounting Information System
Other Applications
Information Technology and Disaster Recovery Plan
Findings and Recommendations
Corrective Action Plan

R.S. Abrams & Co, LLP Accountants & Consultants for Over 75 Years

Board of Education
Putnam/Northern Westchester BOCES
200 BOCES Drive
Yorktown Heights, New York

We have been engaged by the Board of Education (the "Board") of Putnam/Northern Westchester BOCES (the "BOCES") to provide internal audit services with respect to the BOCES' internal controls related to information technology for the period April 1, 2013 through June 30. The objectives of the engagement were to evaluate and report on the BOCES' internal controls pertaining to information technology and to test for compliance with laws, regulations, and the BOCES Board policies and procedures. In connection with the following procedures, we have provided findings and recommendations for the internal controls related to information technology. Our procedures were as follows:

o Reviewed the BOCES policies, procedures, and practices with regard to the internal controls related to information technology;
o Interviewed key BOCES employees involved in the information technology processes;
o Performed a physical observation of the BOCES server rooms at the Yorktown Campus and the Fox Meadow Campus to verify that the server rooms were properly secured and that the servers were reasonably protected from fire and floods;
o Reviewed the user permissions within the accounting information system to identify multiple active user accounts, generic user accounts, and permissions granted to employees that may not be consistent with their job responsibilities;
o Performed a comparison of the master vendor file to the master employee file to identify possible conflicts of interest;
o Reviewed the master vendor file to verify that it was complete, accurate, free of duplicate vendors, and up to date; and
o Reviewed the BOCES Technology Plan to determine whether the Plan identified critical information technology infrastructure and equipment, established the most suitable recovery strategy for each application utilized by the BOCES, and identified the individuals responsible for overseeing the disaster recovery process.

The results of our procedures are presented on the following pages.

Our procedures were not designed to express an opinion on the internal controls related to information technology, and we do not express such an opinion. As you know, because of the inherent limitations of any internal control, errors or fraud may occur and not be prevented or detected by internal controls. Also, projections of any evaluation of the accounting system and controls to future periods are subject to the risk that procedures may become inadequate because of changed conditions. We would like to acknowledge the courtesy and assistance extended to us by personnel of the BOCES. We are available to discuss this report with the Board or others within the BOCES at your convenience. This report is intended solely for the information and use of the Board, the Audit Committee and the management of the BOCES and is not intended to be and should not be used by anyone other than those specified parties.

Very truly yours,
R.S. Abrams & Co., LLP
August 19, 2013

NETWORK AND NETWORK SECURITY

Firewalls and Intrusion Detection Systems

A firewall is used to implement access control between two networks. It allows authorized BOCES network users to access outside information while preventing those outside the BOCES from accessing BOCES systems. The BOCES firewall consists of a combination of hardware and software that provides several layers of protection against intrusions. The first layer of firewall protection, a WatchGuard appliance, uses Unified Threat Management (UTM) technology. In addition, the BOCES uses Symantec Enterprise Endpoint Protection. This software is installed on key servers as well as on every BOCES computer, and it inspects and protects traffic that has already passed through the WatchGuard firewall.

Physical Security

The BOCES Network Operations Center ("NOC") is currently at the Yorktown Campus. In addition to the NOC there is a server room located at the Fox Meadow Campus. The Yorktown Campus server room is temperature controlled, and uninterruptible power supply ("UPS") units are in place to protect BOCES equipment from an unexpected power disruption that could cause business disruption or data loss.

Back-up Controls

The BOCES operates many servers, which back up nightly at 8 p.m. The BOCES also contracts with an outside vendor to back up all data, including WinCap data, nightly and to store it in two offsite locations, in Virginia and Michigan.

Network and Access

Microsoft Exchange serves as the BOCES e-mail server, and the BOCES uses Active Directory to authenticate network users. All access requests, changes to user permissions, additions of new employees, and removal of terminated employees from Active Directory are executed by the Director of Technology or the Network Manager.

VPN

A virtual private network ("VPN") allows remote users to securely access the BOCES network over a public telecommunications infrastructure such as the Internet. To gain access, users must first authenticate with an RSA SecurID token (whose one-time passcode changes every minute) and then with the WatchGuard appliance. After passing these two steps, users must enter the Windows password for the specific desktop they are connecting to. In addition to users who are granted access from time to time, WinCap has VPN access; however, this access is limited to the WinCap server only. When WinCap needs VPN access to perform server maintenance, it must contact the Director of Technology to establish a maintenance window. WinCap is then granted VPN access for the agreed period, and when that period expires the access is terminated. The BOCES also uses Transport Layer Security (TLS) to encrypt healthcare-related vendor communications, including e-mail, in transit, which protects confidential information from interception.

ACCOUNTING INFORMATION SYSTEM

The BOCES utilizes WinCap as its Accounting Information System ("AIS"). This application was installed by WinCap, and WinCap performs application updates, database management and, if necessary, system restores. The following WinCap modules were identified as being utilized by the BOCES (a brief description of each module is provided):

o Accounting: Maintains the general ledger, accounts payable, budgetary accounting, receipts/revenue, encumbrances/purchasing and project/grant accounting; generates financial documents such as computer-generated checks, purchase orders, and account and vendor histories; and assists with controls to maintain data integrity and balanced entries.
o Payroll: A payroll generation program that provides detailed employee records and custom generation of payroll.
o Pay Authorization Module: Sets up permissions for particular job functions.
o Bid Module: Maintains all bid information.
o Employee Attendance: Tracks sick, vacation and personal day histories for each employee.
o Employee Benefits: Benefits tracking.
o Human Resource, Appointments: Maintains all employee data, including educational and PDP credits, observations and evaluations, fingerprint tracking, retirement data and emergency medical information.

Passwords

The BOCES should have procedures in place to periodically verify that its system of controls is working as intended, is still needed, and is cost effective, including a review of the controls over access to information systems. Access to computerized files and transactions should be restricted to authorized individuals only. This can be accomplished with passwords and software that restricts users' access, which helps ensure that only authorized individuals use the computer system.

Permissions

A good internal control framework requires BOCES management to develop a system of controls that includes proper segregation of duties across BOCES operations. Proper segregation of duties should exist not only in manual processes but also within the AIS. WinCap allows the IT Administrator and the School Business Administrator to restrict access to functions specific to each job description.

OTHER APPLICATIONS

eSchoolData

eSchoolData is the student data management application currently utilized by the BOCES, which allows the BOCES to track attendance, behavior, and grades by student. The system also provides a course catalog, graduation planning and a grade book, and assists the BOCES in preparing required reports submitted to the New York State Education Department. The entire system is web-based, which allows teachers, instructional administrators, instructional clerical staff, and parents to access student information. Further restrictions are applied to each user's privileges to ensure that only authorized users see specific information (e.g., teachers only have access to enter attendance and grades; all other functions are restricted).

IEP Direct and BOCES Direct

IEP Direct is the special education student management application currently utilized by the BOCES. BOCES Direct is used in conjunction with IEP Direct and is used strictly for billing. IEP Direct and BOCES Direct are web-based applications used to track student IEPs, evaluations, meetings and billing for services, and they assist school districts with the preparation of New York State required reports. Additionally, IEP Direct enables the preparation of STAC forms by the appropriate school district and facilitates the BOCES' compliance with applicable privacy laws and regulations.

XEN Direct

XEN Direct is currently utilized by the BOCES for the continuing education, adult education and adult literacy programs. XEN Direct is a web-based application used to track student attendance and grade reporting.

INFORMATION TECHNOLOGY AND DISASTER RECOVERY PLANS

Information Technology Plan

The purpose of the BOCES Technology Plan is to define and outline the steps necessary to prepare students for challenges and opportunities in their educational endeavors by providing the best possible technology environment. The BOCES Technology Plan discusses the BOCES' plans for architecture, hardware, software, staff training, implementation, and evaluation. The current Technology Plan covers a three-year period beginning in 2010.

Disaster Recovery Plan

Disaster recovery planning is a subset of the larger process known as business continuity planning and includes planning for the resumption of applications, data, hardware, communications (such as networking), and other information technology infrastructure. While the BOCES would like to ensure zero data loss and zero time loss in the event of a disaster, the costs associated with that level of protection may be impractical. The BOCES Technology Plan is comprised of several sections that document the procedures and resources to be followed and used in the event that a disaster occurs at the BOCES. The sections of the Technology Plan are as follows:

o Current Status;
o Network Infrastructure;
o Software;
o Administrative Applications;
o Student Management Systems;
o Access;
o Training and Support; and
o Goals & Objectives, Implementation Strategies, and Evaluation Plans.

FINDINGS AND RECOMMENDATIONS

Based on our interviews, observations, and detailed testing, we have provided our findings and recommendations below to further strengthen the BOCES' internal controls as they pertain to the information technology processes and procedures outlined above. It should be noted that these recommendations are provided to assist management in improving the BOCES' internal controls and procedures relating to information technology. It is important to note that our findings and recommendations are directed toward the improvement of the system of internal controls and should not be considered a criticism of, or reflection on, any employee of the BOCES.

Policies and Procedures

Procedure Performed: We reviewed the BOCES policies to determine whether the BOCES has adopted the legally required policies with regard to information technology.

Result: The BOCES has the minimum required policies: Confidentiality of IEPs (Policy #6330), Internet Safety (Policy #7260), and Information Security Breach and Notification (Policy #4590).

Procedure Performed: We reviewed the BOCES policies and procedures to determine whether the BOCES has adopted the policies and procedures recommended by the Office of the State Comptroller with regard to information technology.

Finding: We noted that the BOCES has a Technology Plan (the "Plan") that includes areas such as a disaster recovery plan, data backup systems, physical controls, and remote access controls. In addition, the BOCES utilizes Symantec's Enterprise Level Endpoint Protection for anti-virus protection. However, the Plan does not outline procedures for anti-virus protection or password security as recommended by the Office of the State Comptroller.

Recommendation: We recommend that the BOCES expand its Technology Plan to include procedures for anti-virus protection and password security.

BOCES Corrective Action Plan: BOCES accepts the recommendation to expand our Technology Plan to include procedures for anti-virus and password security. While we currently utilize anti-virus protection and password security as integral components of our Information Technology security environment, we agree that it is practical to formally outline these procedures in our Technology Plan.

Proposed Implementation Date: 11/13/2013
Responsible Party: Director of Information Technology

Procedure Performed: We reviewed the BOCES procedures with regard to the internal controls related to information technology.

Findings: We noted that the BOCES does not periodically review audit trail reports within WinCap for user activity to identify errors or activity that appears unusual. Additionally, we noted that the BOCES does not review the user security profile change report within WinCap, which includes a login/logout report, to identify unusual user changes and/or users who may be logging into the financial software at unusual times.

Recommendation: We recommend that the BOCES implement procedures to review audit trails. We also recommend that the BOCES periodically review the user security profile change report within WinCap to identify unusual user information changes and to ensure users are not accessing the financial software at unusual times. Additionally, we recommend that these reviews be documented and maintained on file within the business office.

BOCES Corrective Action Plan: BOCES accepts the recommendation to periodically review the user security profile change report within WinCap. This report will be reviewed quarterly to ensure securities are appropriate. These reports will be kept on file in the Business Office. BOCES does not accept the recommendation to implement procedures to review WinCap audit trails. The incredible volume of activities and transactions executed on the WinCap system within even the shortest of periods makes a review of these activities impractical. We believe a mitigating control would be a comprehensive initial review of user rights, combined with periodic reviews of the user security change report as identified above.

Proposed Implementation Date: 4/1/2014
Responsible Party: School Business Administrator

Procedure Performed: We reviewed the BOCES policies, procedures, and practices with regard to information technology in cash management.

Finding: We noted that the BOCES does not utilize a computer dedicated solely to processing wire transfers, as recommended by the Office of the State Comptroller.

Recommendation: We recommend that the BOCES have one computer utilized solely for processing wire transfers. This will help minimize that computer's exposure to malware and other attacks (for example, through web browsing or e-mail on a general-purpose workstation) that could compromise banking credentials and sensitive BOCES information.

BOCES Corrective Action Plan: BOCES does not accept the recommendation to have one computer utilized solely for processing wires. We believe that the current authentication process required before any machine can be utilized provides BOCES with a level of security that is enhanced from the single computer model. In addition, we believe bank website userid and password requirements, the use of RSA key tags, and second level approval requirements for wire activities collectively create a sound control environment. Finally, we believe the demands and work schedules of those involved, as well as the potential for building closures, make the single computer model an ineffective solution for us at the current time.
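The audit-trail recommendation above asks for a review of WinCap login/logout activity and security profile changes, and the corrective action plan notes the volume of activity involved. The usual way to make such a review tractable is an exception filter that discards in-hours logins and logouts and surfaces only what a reviewer must look at. The following is an added example written for this page, not a WinCap report or a BOCES procedure; the export layout (timestamp, user, event, detail), the event names, the business-hours window and the sample records are all assumptions.

```python
"""Exception filter for an accounting-system login/logout export.

Added example; the record layout, event names and business-hours window are
assumptions, not WinCap's actual export format. The filter keeps only logins
outside business hours, weekend logins, and any security profile change.
"""
from __future__ import annotations

import csv
from dataclasses import dataclass
from datetime import datetime, time
from io import StringIO

# Constructed sample export (hypothetical columns: timestamp,user,event,detail).
SAMPLE_REPORT = """\
timestamp,user,event,detail
2013-05-06 08:12:33,jdoe,LOGIN,workstation BO-12
2013-05-06 16:58:02,jdoe,LOGOUT,workstation BO-12
2013-05-07 23:41:10,msmith,LOGIN,workstation BO-07
2013-05-08 00:15:44,msmith,LOGOUT,workstation BO-07
2013-05-11 10:05:00,admin2,LOGIN,workstation IT-01
2013-05-11 10:06:12,admin2,SECURITY_CHANGE,granted PAYROLL_POST to jdoe
2013-05-13 09:00:00,jdoe,LOGIN,workstation BO-12
"""

BUSINESS_START = time(7, 0)   # assumed review window: 07:00-19:00
BUSINESS_END = time(19, 0)
WEEKDAYS = {0, 1, 2, 3, 4}    # Monday..Friday
REVIEW_EVENTS = {"SECURITY_CHANGE"}  # always surfaced, whatever the time


@dataclass(frozen=True)
class ReviewItem:
    when: datetime
    user: str
    event: str
    reason: str


def off_hours(ts: datetime) -> str | None:
    """Return why a timestamp falls outside the review window, or None."""
    if ts.weekday() not in WEEKDAYS:
        return "weekend"
    if not (BUSINESS_START <= ts.time() < BUSINESS_END):
        return "outside business hours"
    return None


def review(report_text: str) -> list[ReviewItem]:
    """Parse the export and return only the records a reviewer must inspect."""
    items: list[ReviewItem] = []
    for row in csv.DictReader(StringIO(report_text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        if row["event"] in REVIEW_EVENTS:
            # Rights changes are reviewed regardless of when they happened.
            items.append(ReviewItem(ts, row["user"], row["event"], row["detail"]))
            continue
        if row["event"] != "LOGIN":
            continue  # logouts add nothing once the login is flagged
        why = off_hours(ts)
        if why:
            items.append(ReviewItem(ts, row["user"], row["event"], why))
    return items


if __name__ == "__main__":
    for item in review(SAMPLE_REPORT):
        print(f"{item.when:%Y-%m-%d %H:%M}  {item.user:<8} {item.event:<16} {item.reason}")
```

On the constructed sample, seven records reduce to three: one weekday login at 23:41, one Saturday login, and one security profile change. The same filter over a quarter's export gives the reviewer a short list to sign off and file, which is the documentation the recommendation asks for.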

Network Operations Center and Server Room

Procedure Performed: We physically inspected the BOCES NOC at the Yorktown Heights Campus to verify that it is properly secured behind a locked door, that the temperature is suitably regulated, and that the equipment is reasonably protected from fire and floods.

Findings: While observing the Yorktown Heights Campus NOC, we noted that the temperature is regulated manually by BOCES personnel and there is no warning system to notify BOCES personnel if the temperature exceeds the recommended level.

Recommendation: We recommend that the BOCES implement automatic temperature controls in addition to a warning system to notify the Information Technology department if the temperature exceeds a specified level.

BOCES Corrective Action Plan: BOCES accepts the recommendation to implement automatic temperature controls in addition to a warning system to notify the Information Technology department if the temperature exceeds a specified level. Our Information Technology, Operations and Maintenance, and Business Office departments will work together to find a cost effective and efficient solution for BOCES.

Proposed Implementation Date: 10/31/13
Responsible Party: Director of Information Technology

Procedure Performed: We physically inspected the server room at the Fox Meadow Campus to verify that the room is properly secured, that the temperature is suitably regulated, and that the equipment is reasonably protected from fire and floods.

Findings: While observing the Fox Meadow Campus, we noted that the server room is not cooled by a programmable air conditioning unit and does not contain a temperature monitoring device that can raise a warning if the temperature exceeds the recommended level. We also noted that this server room does not have a fire detection system in place, as required by the National Fire Protection Association Standard for the Protection of Information Technology Equipment (NFPA 75), nor does it contain fire suppression devices (e.g., fire extinguishers). Lastly, we noted that this server room is not connected to a backup power generator, which can lead to system failure in the event of a catastrophic event.

Recommendations: We recommend that the BOCES install a fire detection system in the Fox Meadow Campus server room, at a minimum, to comply with NFPA 75. We also recommend that the Fox Meadow Campus server room be equipped with a fire suppression device to limit damage in the event a fire occurs, and with a programmable air conditioning unit to prevent overheating of the IT hardware housed within the room. Lastly, we recommend that the BOCES either install a temperature monitoring system or put procedures in place to regularly inspect the temperature inside both the Yorktown Campus and Fox Meadow Campus server rooms, so that temperatures rising above acceptable levels are detected.

BOCES Corrective Action Plan: BOCES will review the recommendation and develop a corrective action plan following additional analysis and consultation with our Audit Committee. This corrective action plan will be in place within 90 days of receipt of the final audit report, as per Commissioner's Regulation.

Proposed Implementation Date: 6/30/2014
Responsible Party: Director of Information Technology

WinCap Permissions

Procedure Performed: We reviewed the BOCES procedures for documenting changes to user access within WinCap, including additions, deletions and modifications.

Finding: We noted that the BOCES does not have a formal procedure to document changes to user access.

Recommendation: We recommend that the BOCES implement a request form documenting any changes to user access within WinCap, and that the change form be authorized and approved.

BOCES Corrective Action Plan: BOCES accepts the recommendation to implement a request form documenting changes to user access in part. With time and resources at a premium, we believe a written form would be an inefficient use of both. With the ability to change user security rights limited to the Chief Information Officer, Director of Business Affairs, and School Business Administrator, we believe sufficient management authorization is obtained at the time of the update. As a means to address the recommendation, though, we will employ a process whereby the requestor will be asked to make a formal request via an e-mail to the intended security administrator. If approved, the security administrator in question will act upon the request, reply to the requestor via e-mail, and copy the other two security administrators for their awareness.
Procedure Performed: We reviewed the user permissions within WinCap to identify multiple active user accounts, generic user accounts, and permissions granted to employees that may not be consistent with their job responsibilities.

Finding: We noted three individuals who have two active user accounts within WinCap.

Recommendation: We recommend that the BOCES ensure that each individual who has access to WinCap is given only one active user account.

BOCES Corrective Action Plan: BOCES does not accept the recommendation to limit each individual to only one active WinCap account. A small number of users have been given a second userid for backup support functions only. While these user rights could be incorporated in the user's primary account, we have found that a second account makes it easier to track the user's activities within this support function. As such, we believe this actually improves our controls posture.

Procedure Performed: We compared a list of employees who separated from BOCES service during the fiscal year to the active user permissions within WinCap.

Finding: We noted that the BOCES has properly inactivated users who have separated from the BOCES.

BOCES Corrective Action Plan: Not Needed

Findings: We noted the following example of a segregation of duties violation within WinCap, where a BOCES employee has access to various accounting functions and no audit trail review or other compensating control is performed: the Junior Administrative Assistant has the ability to perform cash receipts, journal entries and payroll processing, and to enter accounts receivable.

Recommendation: We recommend that the BOCES review its current permissions in WinCap and create a system of controls that ensures proper segregation of duties and restricts access where necessary, or perform a compensating control. In addition, if an employee functions as a backup to another employee, permissions should be temporarily granted and then taken away as needed.

BOCES Corrective Action Plan: BOCES accepts the recommendation to review its current permissions in WinCap and create a system of controls to ensure proper segregation of duties and restrict access where necessary, or perform a compensating control. We will do so through a methodical review of all user rights assigned. We also agree that if an employee is providing short-term backup support outside of their normal job responsibilities, permissions should be temporarily granted and taken away as needed. If this support is more regular, though, we will continue to explore the creation of a second userid, with rights restricted to those essential for the backup support function.

Proposed Implementation Date: 4/1/2014
Responsible Party: School Business Administrator
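The three WinCap permission tests above (more than one active account per person, accounts of separated employees still active, and incompatible functions held by one employee) are straightforward to run from a user-rights extract, and running them from data rather than by eye is what makes the "methodical review of all user rights" in the corrective action plan repeatable. The following is an added example written for this page, not WinCap's own tooling or a BOCES procedure. The extract columns, the function names, the list of separated employees and the conflict matrix are assumptions. One design choice is worth noting: conflicts are evaluated per person across every account that person holds, so rights split between a primary userid and a backup userid are still detected.

```python
"""Permission-review checks for an accounting-system user-rights extract.

Added example; the extract layout, function names and conflict matrix are
assumptions, not WinCap's. Three tests: duplicate active accounts per person,
accounts still active after separation, and segregation-of-duties conflicts.
"""
from __future__ import annotations

import csv
from collections import defaultdict
from io import StringIO

# Constructed extract (hypothetical columns): one row per user account.
USER_EXTRACT = """\
user_id,person,status,functions
jdoe,Jane Doe,ACTIVE,CASH_RECEIPTS;JOURNAL_ENTRY;PAYROLL_PROCESS;AR_ENTRY
jdoe2,Jane Doe,ACTIVE,AP_PAYMENT
mroe,Mary Roe,ACTIVE,VENDOR_MAINTAIN
mroe_bk,Mary Roe,ACTIVE,AP_PAYMENT
tlee,Tom Lee,INACTIVE,PAYROLL_PROCESS
kwu,Kim Wu,ACTIVE,HR_MAINTAIN
"""

# Constructed list of employees who separated during the period.
SEPARATED = {"Tom Lee", "Kim Wu"}

# Function pairs one person should not hold together (assumed matrix).
TOXIC_PAIRS = [
    frozenset({"CASH_RECEIPTS", "AR_ENTRY"}),
    frozenset({"CASH_RECEIPTS", "JOURNAL_ENTRY"}),
    frozenset({"PAYROLL_PROCESS", "HR_MAINTAIN"}),
    frozenset({"VENDOR_MAINTAIN", "AP_PAYMENT"}),
]


def load_accounts(text: str) -> list[dict]:
    """Parse the extract; the functions column is a ';'-separated list."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["functions"] = set(filter(None, r["functions"].split(";")))
    return rows


def active_by_person(accounts: list[dict]) -> dict[str, list[dict]]:
    """Group active accounts by the human who holds them."""
    grouped = defaultdict(list)
    for a in accounts:
        if a["status"] == "ACTIVE":
            grouped[a["person"]].append(a)
    return grouped


def multiple_accounts(accounts: list[dict]) -> dict[str, list[str]]:
    """People holding more than one active userid."""
    return {p: sorted(a["user_id"] for a in accs)
            for p, accs in active_by_person(accounts).items() if len(accs) > 1}


def separated_still_active(accounts: list[dict], separated: set[str]) -> list[str]:
    """Userids still active although the person has left."""
    return sorted(a["user_id"] for p, accs in active_by_person(accounts).items()
                  if p in separated for a in accs)


def sod_conflicts(accounts: list[dict], pairs=TOXIC_PAIRS) -> dict[str, list[tuple[str, str]]]:
    """Toxic combinations a person holds across ALL of their active accounts."""
    out = {}
    for person, accs in active_by_person(accounts).items():
        held = set().union(*(a["functions"] for a in accs))
        hits = [tuple(sorted(p)) for p in pairs if p <= held]
        if hits:
            out[person] = sorted(hits)
    return out


if __name__ == "__main__":
    accts = load_accounts(USER_EXTRACT)
    print("multiple accounts:", multiple_accounts(accts))
    print("separated but active:", separated_still_active(accts, SEPARATED))
    print("SoD conflicts:", sod_conflicts(accts))
```

On the constructed extract, Jane Doe is flagged for two accounts and two conflicts on her primary userid, and Mary Roe is flagged only because her backup userid holds accounts payable payment rights while her primary holds vendor maintenance; a per-account check would pass her. Tom Lee's inactive account is correctly ignored, and Kim Wu's active account surfaces as a separated employee still provisioned.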

Vendor/Employee Match

Procedure Performed: We performed a comparison of the master vendor file to the master employee file to identify possible conflicts of interest.

Finding: As a result of applying this procedure, we found two employees whose address matched that of a vendor (with a name different from the employee's).

Recommendation: We recommend that the BOCES review the employee and vendor information to determine whether there is a conflict of interest.

BOCES Corrective Action Plan: BOCES accepts the recommendation to review employee and vendor information to determine if there is a conflict of interest. Following an initial comprehensive review, a vendor change report will be given to the Claims Auditor with each check warrant. This will allow the Claims Auditor to review for potential conflicts of interest. Any potential conflicts of interest will be discussed with the Director of Business Affairs or School Business Administrator.

Proposed Implementation Date: 10/15/13
Responsible Party: School Business Administrator

Vendor Master File

Procedure Performed: We reviewed the master vendor file to verify that it is complete, accurate, free of duplicate vendors, and up to date.

Finding: We noted several vendors that have the same name but two different vendor numbers.

Recommendation: We recommend that the BOCES update the master vendor file, establishing one vendor number for each vendor.

BOCES Corrective Action Plan: BOCES accepts the recommendation to update the master vendor file establishing one vendor number for each vendor. This recommendation has been put into practice with the advent of the ability to create multiple vendor remit addresses for the same vendor number. We will work to remove old duplicates from the vendor table.
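The two master-file tests above, matching employee addresses against vendor addresses and finding one vendor carried under several vendor numbers, both fail silently if they rely on raw string equality: "123 Main St." and "123 MAIN STREET" never match. The following is an added example written for this page, not a BOCES or WinCap procedure; the file layouts, the sample employees and vendors, and the normalisation rules are assumptions. It goes slightly beyond the finding as reported: the address match also reports vendors set up under the employee's own name, and the duplicate check treats names that differ only in case, punctuation or an "Inc."/"LLC" suffix as the same vendor.

```python
"""Master-file comparisons: employee/vendor address match and duplicate vendors.

Added example; the file layouts, sample records and normalisation rules are
constructed assumptions, not the BOCES's data or WinCap's reports.
"""
from __future__ import annotations

import csv
import re
from collections import defaultdict
from io import StringIO

# Constructed master employee file (hypothetical columns).
EMPLOYEES = """\
emp_id,name,address
E100,Jane Doe,"123 Main St., Yorktown Heights, NY 10598"
E101,Mary Roe,"9 Oak Ave, Apt 2, Mahopac, NY 10541"
E102,Tom Lee,"45 Pine Rd, Carmel, NY 10512"
"""

# Constructed master vendor file (hypothetical columns).
VENDORS = """\
vendor_no,name,address
V001,Doe Consulting LLC,"123 MAIN STREET, YORKTOWN HEIGHTS, NY 10598"
V002,Acme Paper Inc.,"1 Industrial Dr, Elmsford, NY 10523"
V003,ACME PAPER INC,"1 Industrial Drive, Elmsford, NY 10523"
V004,Tom Lee,"45 Pine Road, Carmel, NY 10512"
V005,Hudson Valley HVAC,"77 River St, Peekskill, NY 10566"
"""

# Assumed normalisation tables; extend for the abbreviations seen in real data.
SUFFIXES = {"STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "DRIVE": "DR", "LANE": "LN"}
ENTITY_WORDS = {"INC", "LLC", "LLP", "CORP", "CO", "LTD"}


def _tokens(s: str) -> list[str]:
    """Upper-case, drop punctuation, collapse whitespace."""
    return re.sub(r"[^A-Z0-9 ]", " ", s.upper()).split()


def norm_address(s: str) -> str:
    return " ".join(SUFFIXES.get(w, w) for w in _tokens(s))


def norm_name(s: str) -> str:
    return " ".join(w for w in _tokens(s) if w not in ENTITY_WORDS)


def _rows(text: str) -> list[dict]:
    return list(csv.DictReader(StringIO(text)))


def employee_vendor_address_matches(employees_csv: str, vendors_csv: str) -> list[tuple[str, str, bool]]:
    """(emp_id, vendor_no, same_name) for every employee/vendor address match.

    same_name=False is the case the audit reported (a vendor at an employee's
    address under a different name); same_name=True is also worth a look.
    """
    by_addr = defaultdict(list)
    for v in _rows(vendors_csv):
        by_addr[norm_address(v["address"])].append(v)
    hits = []
    for e in _rows(employees_csv):
        for v in by_addr.get(norm_address(e["address"]), []):
            hits.append((e["emp_id"], v["vendor_no"],
                         norm_name(e["name"]) == norm_name(v["name"])))
    return hits


def duplicate_vendors(vendors_csv: str) -> dict[str, list[str]]:
    """Normalised vendor name -> vendor numbers, for names carried more than once."""
    groups = defaultdict(list)
    for v in _rows(vendors_csv):
        groups[norm_name(v["name"])].append(v["vendor_no"])
    return {name: sorted(nums) for name, nums in groups.items() if len(nums) > 1}


if __name__ == "__main__":
    for emp_id, vendor_no, same in employee_vendor_address_matches(EMPLOYEES, VENDORS):
        print(f"{emp_id} shares an address with {vendor_no} (same name: {same})")
    for name, nums in duplicate_vendors(VENDORS).items():
        print(f"duplicate vendor {name!r}: {', '.join(nums)}")
```

On the constructed files, E100 is matched to V001 although the vendor is "Doe Consulting LLC" rather than "Jane Doe" (the pattern the audit found), E102 is matched to a vendor under his own name, and V002/V003 collapse to one vendor once case, punctuation and the "Inc." suffix are ignored. Exact-string comparison would have produced none of these three results.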
Proposed Implementation Date: 1/1/2014
Responsible Party: School Business Administrator

Procedure Performed: We reviewed the BOCES procedures for documenting changes to vendor data within WinCap, including additions, deletions and modifications.

Finding: We noted that the BOCES does not have a formal procedure to document changes to vendor data.

Recommendation: We recommend that the BOCES implement a request form documenting any changes to vendor information within WinCap, and that the change form be authorized and approved.

BOCES Corrective Action Plan: BOCES will review the recommendation and develop a corrective action plan following additional analysis and consultation with our Audit Committee. This corrective action plan will be in place within 90 days of receipt of the final audit report, as per Commissioner's Regulation.

Disaster Recovery Plan

Procedure Performed: We interviewed the Information Technology Director with regard to the BOCES Disaster Recovery Plan to determine whether it identifies critical information technology infrastructure and equipment, establishes the most suitable recovery strategy for each major application utilized by the BOCES, and identifies the individuals responsible for overseeing the disaster recovery process.

Finding: The BOCES has not adopted a formal Disaster Recovery Plan, but has a Technology Plan in place. The Technology Plan identifies critical information technology infrastructure and equipment; however, it does not establish the most suitable recovery strategy for each major application utilized by the BOCES or identify the individuals responsible for overseeing the disaster recovery process.

Recommendation: We recommend that the BOCES adopt a formal Disaster Recovery Plan that establishes the most suitable recovery strategy for each major application utilized by the BOCES and identifies the individuals responsible for overseeing the disaster recovery process.

BOCES Corrective Action Plan: BOCES accepts the recommendation to adopt a formal Disaster Recovery Plan to establish the most suitable recovery strategy for WinCap and identify those individuals responsible for overseeing the disaster recovery process. While we currently have a recovery plan in place, we agree that it is practical to formally outline these procedures in a Disaster Recovery Plan. With over 500 individual applications in use, we do not accept the recommendation to complete this process for each application. We have analyzed our environment and believe that WinCap is our most mission critical application, and as such, are focusing our efforts accordingly.

Proposed Implementation Date: 6/30/2014
Responsible Party: Director of Information Technology

CORRECTIVE ACTION PLAN

The BOCES is required to prepare a corrective action plan in response to any findings contained in the internal audit reports. As per Commissioner's Regulation, a corrective action plan, which has been approved by the Board, must be submitted to the State Education Department within 90 days of the receipt of a final internal audit report. The approved corrective action plan and a copy of the respective internal audit report should be sent to the following address:

New York State Education Department
Office of Audit Services, Room 524 EB
89 Washington Avenue
Albany, New York
Attention: John Cushin


More information

Application Development within University. Security Checklist

Application Development within University. Security Checklist Application Development within University Security Checklist April 2011 The Application Development using data from the University Enterprise Systems or application Development for departmental use security

More information

This document and the information contained herein are the property of Bowman Systems L.L.C. and should be considered business sensitive.

This document and the information contained herein are the property of Bowman Systems L.L.C. and should be considered business sensitive. SERVICEPOINT SECURING CLIENT DATA This document and the information contained herein are the property of and should be considered business sensitive. Copyright 2006 333 Texas Street Suite 300 Shreveport,

More information

Information System Audit Report Office Of The State Comptroller

Information System Audit Report Office Of The State Comptroller STATE OF CONNECTICUT Information System Audit Report Office Of The State Comptroller AUDITORS OF PUBLIC ACCOUNTS KEVIN P. JOHNSTON ROBERT G. JAEKLE TABLE OF CONTENTS EXECUTIVE SUMMARY...1 AUDIT OBJECTIVES,

More information

SRA International Managed Information Systems Internal Audit Report

SRA International Managed Information Systems Internal Audit Report SRA International Managed Information Systems Internal Audit Report Report #2014-03 June 18, 2014 Table of Contents Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives...

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE

HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE PERFORMANCE AUDIT OF HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE DEPARTMENT OF CIVIL SERVICE July 2004 ...The auditor general shall conduct post audits of financial transactions and accounts

More information

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for

More information

Network and Security Controls

Network and Security Controls Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting

More information

The Commonwealth of Massachusetts

The Commonwealth of Massachusetts A. JOSEPH DeNUCCI AUDITOR The Commonwealth of Massachusetts AUDITOR OF THE COMMONWEALTH ONE ASHBURTON PLACE, ROOM 1819 BOSTON, MASSACHUSETTS 02108 TEL. (617) 727-6200 No. 2008-1308-4T OFFICE OF THE STATE

More information

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee Windows Server Security Best Practices Initial Document Created By: 2009 Windows Server Security Best Practices Committee Document Creation Date: August 21, 2009 Revision Revised By: 2014 Windows Server

More information

Department of Information Technology Remote Access Audit Final Report. January 2010. promoting efficient & effective local government

Department of Information Technology Remote Access Audit Final Report. January 2010. promoting efficient & effective local government Department of Information Technology Remote Access Audit Final Report January 2010 promoting efficient & effective local government Background Remote access is a service provided by the county to the Fairfax

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards SCADA Compliance Tools For NERC-CIP The Right Tools for Bringing Your Organization in Line with the Latest Standards OVERVIEW Electrical utilities are responsible for defining critical cyber assets which

More information

VIRGINIA STATE UNIVERSITY RISK ANALYSIS SURVEY INFORMATION TECHNOLOGY

VIRGINIA STATE UNIVERSITY RISK ANALYSIS SURVEY INFORMATION TECHNOLOGY ASSESSABLE UNIT: ENTER THE NAME OF YOUR ASSESSABLE UNIT HERE BUSINESS PROCESS: ENTER YOUR BUSINESS PROCESS HERE BANNER INDEX CODE: ENTER YOUR BANNER INDEX CODE HERE Risk: If you monitor the activity and

More information

Memorandum. ACTION: Report on Computer Security Controls of Financial Management System, FTA FE-2000-098. May 23, 2000.

Memorandum. ACTION: Report on Computer Security Controls of Financial Management System, FTA FE-2000-098. May 23, 2000. U.S. Department of Transportation Office of the Secretary of Transportation Office of Inspector General Memorandum ACTION: Report on Computer Security Controls of Financial Management System, FTA FE-2000-098

More information

University System of Maryland University of Baltimore

University System of Maryland University of Baltimore Audit Report University System of Maryland University of Baltimore May 2005 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND GENERAL ASSEMBLY This report and any related follow-up

More information

Retention & Destruction

Retention & Destruction Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of

More information

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information

More information

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the

More information

Client Security Risk Assessment Questionnaire

Client Security Risk Assessment Questionnaire Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL ...The auditor general shall conduct post audits of financial transactions and accounts of the state and of

More information

System Security Plan University of Texas Health Science Center School of Public Health

System Security Plan University of Texas Health Science Center School of Public Health System Security Plan University of Texas Health Science Center School of Public Health Note: This is simply a template for a NIH System Security Plan. You will need to complete, or add content, to many

More information

Information Technology Internal Controls Part 2

Information Technology Internal Controls Part 2 IT Controls Webinar Series Information Technology Internal Controls Part 2 Presented by the Arizona Office of the Auditor General October 23, 2014 Part I Overview of IT Controls and Best Practices Part

More information

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER 1 Agenda Audits Articles/Examples Classify Your Data IT Control

More information

INFORMATION TECHNOLOGY CONTROLS

INFORMATION TECHNOLOGY CONTROLS CHAPTER 14 INFORMATION TECHNOLOGY CONTROLS SCOPE This chapter addresses requirements common to all financial accounting systems and is not limited to the statewide financial accounting system, ENCOMPASS,

More information

Best Practices For Department Server and Enterprise System Checklist

Best Practices For Department Server and Enterprise System Checklist Best Practices For Department Server and Enterprise System Checklist INSTRUCTIONS Information Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT)

More information

April 2010. promoting efficient & effective local government

April 2010. promoting efficient & effective local government Department of Public Works and Environmental Services Department of Information Technology Fairfax Inspections Database Online (FIDO) Application Audit Final Report April 2010 promoting efficient & effective

More information

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template University of California, Riverside Computing and Communications IS3 Local Campus Overview Departmental Planning Template Last Updated April 21 st, 2011 Table of Contents: Introduction Security Plan Administrative

More information

Las Vegas Datacenter Overview. Product Overview and Data Sheet. Created on 6/18/2014 3:49:00 PM

Las Vegas Datacenter Overview. Product Overview and Data Sheet. Created on 6/18/2014 3:49:00 PM Las Vegas Datacenter Overview Product Overview and Data Sheet Product Data Sheet Maintaining a Software as a Service (SaaS) environment with market leading availability and security is something that Active

More information

DETAIL AUDIT PROGRAM Information Systems General Controls Review

DETAIL AUDIT PROGRAM Information Systems General Controls Review Contributed 4/23/99 by Steve_Parker/TBE/Teledyne@teledyne.com DETAIL AUDIT PROGRAM Information Systems General Controls Review 1.0 Introduction The objectives of this audit are to review policies, procedures,

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

PCI DSS Reporting WHITEPAPER

PCI DSS Reporting WHITEPAPER WHITEPAPER PCI DSS Reporting CONTENTS Executive Summary 2 Latest Patches not Installed 3 Vulnerability Dashboard 4 Web Application Protection 5 Users Logging into Sensitive Servers 6 Failed Login Attempts

More information

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

Best Practices Report

Best Practices Report Overview As an IT leader within your organization, you face new challenges every day from managing user requirements and operational needs to the burden of IT Compliance. Developing a strong IT general

More information

Smithsonian Enterprises

Smithsonian Enterprises Smithsonian Enterprises Audit of the Effectiveness of the Information Security Program Table of Contents I. Introduction... 1 II. Background... 2 III. Results of Audit... 3 Finding #1: Needed Improvement

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

Mecklenburg County Department of Internal Audit. PeopleSoft Application Security Audit Report 1452

Mecklenburg County Department of Internal Audit. PeopleSoft Application Security Audit Report 1452 Mecklenburg County Department of Internal Audit PeopleSoft Application Security Audit Report 1452 February 9, 2015 Internal Audit s Mission Through open communication, professionalism, expertise and trust,

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07 EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014

More information

BKDconnect Security Overview

BKDconnect Security Overview BKDconnect Security Overview 1 Introduction 1.1 What is BKDconnect 1.2 Site Creation 1.3 Client Authentication and Access 2 Security Design 2.1 Confidentiality 2.1.1 Least Privilege and Role Based Security

More information

Hosted Exchange. Security Overview. Learn More: Call us at 877.634.2728. www.megapath.com

Hosted Exchange. Security Overview. Learn More: Call us at 877.634.2728. www.megapath.com Security Overview Learn More: Call us at 877.634.2728. www.megapath.com Secure and Reliable Hosted Exchange Our Hosted Exchange service is delivered across an advanced network infrastructure, built on

More information

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,

More information

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior GAO United States General Accounting Office Report to the Secretary of the Interior July 2001 INFORMATION SECURITY Weak Controls Place Interior s Financial and Other Data at Risk GAO-01-615 United States

More information

FormFire Application and IT Security. White Paper

FormFire Application and IT Security. White Paper FormFire Application and IT Security White Paper Contents Overview... 3 FormFire Corporate Security Policy... 3 Organizational Security... 3 Infrastructure and Security Team... 4 Application Development

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

Information Security & Management Systems

Information Security & Management Systems Information Security & Management Systems Our Security Protocol Network Security Our entire network is protected by multiple-layer of security appliance and software. We have implemented the following

More information

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service)

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service) Introduction This document provides a summary of technical information security controls operated by Newcastle University s IT Service (NUIT). These information security controls apply to all NUIT managed

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

System Description of the Date Center System Relevant to Security and Availability (SOC 3) November 1, 2011 through April 30, 2012

System Description of the Date Center System Relevant to Security and Availability (SOC 3) November 1, 2011 through April 30, 2012 System Description of the Date Center System Relevant to Security and Availability (SOC 3) November 1, 2011 through April 30, 2012 Moss Adams LLP 9665 Granite Ridge Drive, Suite 600 San Diego, CA 92123

More information

Data Stored on a Windows Server Connected to a Network

Data Stored on a Windows Server Connected to a Network Attachment A Form to Describe Sensitive Data Security Plan For the Use of Sensitive Data from The National Longitudinal Study of Adolescent to Adult Health Data Stored on a Windows Server Connected to

More information

The City of New York Office of the Comptroller Bureau of Financial Audit EDP Audit Division

The City of New York Office of the Comptroller Bureau of Financial Audit EDP Audit Division The City of New York Office of the Comptroller Bureau of Financial Audit EDP Audit Division WILLIAM C. THOMPSON, JR. Comptroller Follow-Up Report on the New York City Fire Department Arson Information

More information

Silent Safety: Best Practices for Protecting the Affluent

Silent Safety: Best Practices for Protecting the Affluent Security Checklists Security Checklists 1. Operational Security Checklist 2. Physical Security Checklist 3. Systems Security Checklist 4. Travel Protocol Checklist 5. Financial Controls Checklist In a

More information

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST Application Name: Vendor Name: Briefly describe the purpose of the application. Include an overview of the application architecture, and identify the data

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

LogRhythm and NERC CIP Compliance

LogRhythm and NERC CIP Compliance LogRhythm and NERC CIP Compliance The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate

More information

SECURITY MANAGEMENT IT Security Policy (ITSP- 1)

SECURITY MANAGEMENT IT Security Policy (ITSP- 1) SECURITY MANAGEMENT IT Security Policy (ITSP- 1) 1A Policy Statement District management and IT staff will plan, deploy, and monitor IT security mechanisms, policies, procedures, and technologies necessary

More information

Mille Lacs Band of Ojibwe Indians Gaming Regulatory Authority Detailed Gaming Regulations

Mille Lacs Band of Ojibwe Indians Gaming Regulatory Authority Detailed Gaming Regulations I. SCOPE. This document includes the for Information Technology to be regulated and played in compliance with Title 15 of the Mille Lacs Band Statutes Annotated. II. REGULATIONS APPLICABLE TO INFORMATION

More information

Records Management and Security Procedure. Approved by: Executive Management Team Version: 1.2 Date: 21.9.2015

Records Management and Security Procedure. Approved by: Executive Management Team Version: 1.2 Date: 21.9.2015 Document: Records Management and Security Procedure Approved by: Executive Management Team Version: 1.2 Date: 21.9.2015 1. Overview Senior management of Wentworth Institute ( WINWIN ) have a legal responsibility

More information

TOP SECRETS OF CLOUD SECURITY

TOP SECRETS OF CLOUD SECURITY TOP SECRETS OF CLOUD SECURITY Protect Your Organization s Valuable Content Table of Contents Does the Cloud Pose Special Security Challenges?...2 Client Authentication...3 User Security Management...3

More information

SECTION 15 INFORMATION TECHNOLOGY

SECTION 15 INFORMATION TECHNOLOGY SECTION 15 INFORMATION TECHNOLOGY 15.1 Purpose 15.2 Authorization 15.3 Internal Controls 15.4 Computer Resources 15.5 Network/Systems Access 15.6 Disaster Recovery Plan (DRP) 15.1 PURPOSE The Navajo County

More information

Information Technology Services Guidelines

Information Technology Services Guidelines Page 1 of 10 Table of Contents 1. Purpose... 2 2. Entities Affected by This Guideline... 2 3. Definitions... 2 4. Guidelines... 3 4.1 Requesting Data Center or... 3 4.2 Requirements for Data Center or...

More information

1B1 SECURITY RESPONSIBILITY

1B1 SECURITY RESPONSIBILITY (ITSP-1) SECURITY MANAGEMENT 1A. Policy Statement District management and IT staff will plan, deploy and monitor IT security mechanisms, policies, procedures, and technologies necessary to prevent disclosure,

More information

1. Describe the staffing levels maintained in the IT department (change titles as needed): K. Tollefsen/1

1. Describe the staffing levels maintained in the IT department (change titles as needed): K. Tollefsen/1 Page 1 of 14 Chabot-Las Positas Community College District Reference: T500 Information System Memo Prepared by: Jeannine Methe June 30, 2005 Date: 6/8/05 Reviewed by: Instructions: This memo is designed

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

Service Children s Education

Service Children s Education Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and

More information

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL PAYMENT CARD INDUSTRY COMPLIANCE (PCI) Effective June 1, 2011 Page 1 of 6 (1) Definitions a. Payment Card Industry Data Security Standards (PCI-DSS): A set of standards established by the Payment Card

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Making the leap to the cloud: IS my data private and secure?

Making the leap to the cloud: IS my data private and secure? Making the leap to the cloud: IS my data private and secure? tax & accounting MAKING THE LEAP TO THE CLOUD: IS MY DATA PRIVATE AND SECURE? Cloud computing: What s in it for me? The more you know about

More information

DHHS Information Technology (IT) Access Control Standard

DHHS Information Technology (IT) Access Control Standard DHHS Information Technology (IT) Access Control Standard Issue Date: October 1, 2013 Effective Date: October 1,2013 Revised Date: Number: DHHS-2013-001-B 1.0 Purpose and Objectives With the diversity of

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

Information Technology Internal Audit Report # 2009-01

Information Technology Internal Audit Report # 2009-01 Information Technology Internal Audit Report # 2009-01 June 2009 September 23, 2009 Mr. Peter Breslin President Board of Education Katonah-Lewisboro Union Free School District One Shady Lane South Salem,

More information

Service Organization Controls 3 Report. Report on Hyland Software, Inc. s OnBase Online Cloud Platform, relevant to Security and Availability

Service Organization Controls 3 Report. Report on Hyland Software, Inc. s OnBase Online Cloud Platform, relevant to Security and Availability Service Organization Controls 3 Report Report on Hyland Software, Inc. s OnBase Online Cloud Platform, relevant to Security and Availability for the period May 1, 2015 through October 31, 2015 Ernst &

More information

VA Office of Inspector General

VA Office of Inspector General VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Audit for Fiscal Year 2013 May 29, 2014 13-01391-72 ACRONYMS AND

More information

Security Tool Kit System Checklist Departmental Servers and Enterprise Systems
