Information Technology Internal Audit Report # 2009-01

June 2009

September 23, 2009

Mr. Peter Breslin
President, Board of Education
Katonah-Lewisboro Union Free School District
One Shady Lane
South Salem, NY

Dear Mr. Breslin:

We have completed our internal audit of the Information Technology (IT) General Computer Control environment of the Katonah-Lewisboro Union Free School District ("the District"). This area was recommended for audit in both our initial and updated internal audit risk assessment reports. This internal audit report includes IT General Computer Control information, the scope of the audit, our observations and recommendations, and management's responses. The audit procedures performed included various tests, reviews, and evaluations in accordance with the International Standards for the Professional Practice of Internal Auditing promulgated by the Institute of Internal Auditors.

From an overall perspective, the District has IT controls in place that are operating effectively. This is supported by the fact that no significant or needs improvement issues were identified in our internal audit. The areas with observations and recommendations were rated as adequate/satisfactory, which indicates modest weaknesses that require management's attention.

We met with the Audit Committee on September 22, 2009 to discuss this report.

We appreciate the fine level of cooperation provided to us by the District's staff during our audit and look forward to working with them in the future.

Very truly yours,

Accume Partners

Background

As a result of the Internal Audit Risk Assessment, Information Technology (IT) was identified as a candidate for an internal audit. Accordingly, the Board of Education/Audit Committee authorized an audit of this area. Our audit was performed in accordance with the audit standards published by the Institute of Internal Auditors.

Audit Scope and Objectives

The purpose of the review was to evaluate and assess the adequacy of the procedures and controls in order to ensure that the District's computer systems are managed in a controlled manner. The procedures were performed in accordance with the Audit Plan, which was reviewed and approved by management and the Audit Committee. Our work, which was completed in June 2009, included the following areas:

- IT Strategy and Planning
- Outsourced Vendor Management
- Business Continuity
- IT Infrastructure and Maintenance
- Information Security
- Systems Development and Maintenance
- System Operations
- IT Governance
- Critical Systems

The audit procedures that we performed included the following:

- We reviewed management's oversight of the IT environment to determine if policies and procedures exist, are being followed, and are suitable for the IT environment.
- We reviewed District Technology Committee meeting minutes for adequacy.
- We reviewed the District's latest strategic plans and the planning process.
- We reviewed controls over third party vendors to determine if there was proper selection and oversight, and if adequate documentation was maintained to support vendor relationships.
- We reviewed network backup procedures for appropriateness and adequacy.
- We reviewed security procedures and user access reports for adequacy and appropriateness.
- We reviewed the Acceptable Use Policies for completeness and adequacy.
- We reviewed the environmental controls and physical security of the computer room located in the High School.
- We reviewed IT job functions to determine whether such functions are appropriately segregated.
- We reviewed network security administration and password controls.
- We verified that only active employees, or authorized vendors of the District, had access to the network platform and critical application systems, by comparing a listing of network and application level IDs to a listing of active and terminated employees provided by Human Resources.
- We reviewed the network security settings for appropriateness.
- We reviewed the anti-virus software to determine whether it was operational and updated.
- We reviewed the Network Diagram to confirm the District's connectivity.
- We reviewed Business Continuity Planning procedures and test results for appropriateness.
- We toured the Lower Hudson Regional Information Center and reviewed the process for remote backup and system monitoring.

A summary of our findings and recommendations is presented in the following section, followed by a detailed discussion of the findings, recommendations and Management's responses.

An Internal Audit Report Prepared by Accume Partners 1

Summary of Audit Findings

We have performed an internal audit of the IT General Computer Control environment. Our audit focused specifically on the review of the following areas within IT. Included is our audit rating of the operating and control environment of each audit area.*

Audit Area: IT Strategy and Planning
Key Processes/Documents Reviewed: Board Policies; Technology Plan; Technology Committee Meeting Minutes; Insurance Policy; IT Organization Chart; IT Job Descriptions; HR Procedure Manual
Recommendations: None

Audit Area: Outsourced Vendor Management
Key Processes/Documents Reviewed: Vendor Contracts; Purchasing Policies; Purchasing Handbook
Recommendations: The District should monitor the control activities performed by outsourced vendors. (Observation #1)

Audit Area: Business Continuity
Key Processes/Documents Reviewed: Disaster Recovery Plan; Disaster Recovery Test Results
Recommendations: None

Audit Area: IT Infrastructure and Maintenance
Key Processes/Documents Reviewed: Network Diagram; Hardware and Software Inventory; Maintenance Schedule; Vulnerability Scan; System Utilization Reports
Recommendations: The District should formalize and document IT Infrastructure and Maintenance policies and procedures. (Observation #2)

Audit Area: Information Security
Key Processes/Documents Reviewed: Procedures for Network Account Setup; Network Administrators List; District Office Network IDs; Finance Manager Permissions Report; Infinite Campus Application Users; IEP Direct Users; Healthmaster Users; Active/Terminated Employee List; Network Password/Account Lockout Settings; Finance Manager Password Settings; Infinite Campus Password Settings; VPN Accounts and Authorization Forms; Anti-Virus System
Recommendations:
- The District should perform a periodic certification of network and application users to ensure that all are active employees. (Observation #3)
- The District should add date of hire and separation date sections to the New Employee Notification and Exit Notification forms. Also, once a user is established on a system, their user ID should be documented on the New Employee Notification form indicating that the user was set up. (Observation #3)
- The District should formalize and document the Information Security policies and procedures that are in place. (Observation #2)

Audit Area: Systems Development and Maintenance
Key Processes/Documents Reviewed: N/A. The District does not develop or make changes to system applications.
Recommendations: N/A

Audit Area: System Operations
Key Processes/Documents Reviewed: Backup Procedures; Remote Backup Job Schedule; LHRIC Remote Backup Job Log; LHRIC Tape Backup Job Log; Tape Backup Job Schedule; Help Desk Procedures; Sample Helpdesk Ticket; Sample Helpdesk Problem Log
Recommendations:
- The District should formalize and document Data Backup Policies and Procedures. (Observation #2)
- The District should document daily system operations procedures. (Observation #2)

Audit Area: IT Governance
Key Processes/Documents Reviewed: Acceptable Use Policies
Recommendations: As addressed in the above sections, the District should formalize its Information Technology Procedures and Policies. (Observation #2)

* Our classification of audit findings is based on the following Audit Ratings:

Audit Ratings

Significant Issues: Indicates significant weaknesses in the system of internal control and/or compliance with related policies, procedures and regulatory requirements. Management's immediate attention to these findings is required to prevent potential loss to the District.

Needs Improvement: Indicates weaknesses in the system of internal control and/or compliance with related policies, procedures and regulatory requirements. These findings may require management's prompt resolution to prevent deterioration and possible losses.

Adequate/Satisfactory: Indicates an acceptable system of internal control and satisfactory compliance with applicable policies, procedures and regulatory requirements. Findings may indicate modest weaknesses that require management's attention.

Observations and Recommendations

1. Monitoring of IT Vendor Activities

Observation: The District utilizes third party vendors to provide IT services including remote backup, application support for the Student Information System, network maintenance, maintenance of VPN accounts, system monitoring, and computer hardware and software support. The District maintains signed contracts; however, procedures for monitoring critical vendors are not in place.

School District Risk and/or Opportunity: By not monitoring vendor performance and internal controls at the service provider's data center, the District could be exposed to data being inadequately safeguarded and to vendors not meeting the obligations of service level or contractual agreements.

Recommendation: Establish a procedure for monitoring service provider activities and controls throughout the life of the contract. Procedures should encompass:

- Maintaining a list of IT vendors with contact information
- Documenting the activities of the on-site vendors
- Periodically reviewing a list of VPN accounts
- Reviewing daily e-mails of remote backup service status
- Reviewing service level agreements (SLAs) and contract agreements to ensure that provisions are met
- Documenting the results of Disaster Recovery Plan testing

Overall, the District should maintain adequate documentation to ensure that management is evaluating contractual vendor compliance with agreed upon terms and conditions.

Management's Response: The District will embed these procedures within the Katonah-Lewisboro School District IT Policies and Procedures Handbook to be developed by the Office of Technology during the school year. In addition, the District will work to encourage Southern Westchester BOCES to participate in a SAS 70 review process (ultimately, this is a decision to be made by Southern Westchester BOCES). Finally, the District will document and maintain the activities of on-site vendors and the results of Disaster Recovery Plan testing as recommended above.

Proposed Implementation Date: March 2010 (IT Policies and Procedures Handbook). During the school year, the District will initiate the recommendation that Southern Westchester BOCES participate in the SAS 70 review process.

Responsible Party: Carol Ann Lee, Director of Technology, and Network Specialists (IT Policies and Procedures Handbook). Carol Ann Lee, Director of Technology; Mr. Michael Jumper, Assistant Superintendent for Business; and Dr. Robert J. Roelle, Superintendent, will lobby Southern Westchester BOCES to participate in the SAS 70 review process.

2. IT Policies and Procedures

Observation: Although several written procedures exist for backup and security administration, the District has not formally documented comprehensive procedures over the entire Information Technology environment.

School District Risk and/or Opportunity: Formal documented procedures can help improve accountability and ensure that proper separation of duties and internal controls are identified, operational and effective. The procedures also help to ensure continuity of business operations during times of change and turnover. The documentation of procedures is an ongoing process, since procedures are subject to continuous improvement initiatives.

Recommendation: The District should formally document procedures over Information Technology to help ensure operational efficiency and effectiveness. Once documented, the procedures should be made available to appropriate employees.

The District should consider documenting significant activities and processes related, but not limited, to:

IT Infrastructure and Maintenance
- Hardware and Software Inventories
- Preventative Maintenance
- Firewall Monitoring
- Network Monitoring (capacity, utilization and server performance)
- Change Management (network/operating system software and security updates)

Information Security
- User Risk Assessment (classify users based on their level of access to confidential data)
- Security Administration (based on user risk level)
- Password Security (based on user risk level)
- Physical and Environmental Controls
- Anti-Virus Protection
- Security Monitoring
- Remote Access

System Operations
- Backup and Recovery
- Tape Management
- Help Desk/Problem Management Procedures

Management's Response: These policies and procedures will be documented in the new Katonah-Lewisboro IT Policies and Procedures Handbook to be developed during the school year. In addition, the District will convert to a remote backup system through the Southern Westchester BOCES Lower Hudson Regional Information Center for the District Office, John Jay High School, John Jay Middle School, and GroupWise e-mail beginning in the school year.

Proposed Implementation Date: March 2010

Responsible Party: Carol Ann Lee, Director of Technology; Network Specialists and Help Desk Analyst

3. Security Administration

Observation: We compared all Finance Manager, District Office Network, IEP Direct, and a selection of Infinite Campus users to the Active Staff list obtained from HR. We also obtained and reviewed all available New Employee Notification and Exit Notification forms that were on file in Technology. The following was noted:

- All users on Finance Manager were active employees; no exceptions noted.
- 20 user IDs on Infinite Campus were for separated employees. These IDs had an Active status; however, we noted that their network IDs were disabled, which would prevent them from accessing the application. Additionally, upon separation, any associated student information is reassigned.
- 19 users on IEP Direct were not on the HR list. Upon further review, six of those users were identified as separated employees and their IDs were removed from the system. The remaining users were appropriate: three were District employees and ten were consultants who require access.
- The Confirmation Section of the New Employee Notification form was not signed by Technology for 12 of the 19 forms. We also noted that the forms did not have a date of hire section and that one new hire selected for testing did not have a form on file.
- Half of the Employee Exit Notification Forms reviewed also did not have the Confirmation Section signed and dated. There also was no separation date section.

School District Risk and/or Opportunity: Failure to properly identify all users as employees or authorized users may result in unauthorized user access and information loss or privacy concerns.

Recommendation: The District should perform a periodic certification of network and application users to ensure that all are active employees. In addition, we recommend adding date of hire and separation date sections to the New Employee Notification and Exit Notification forms. Also, once a user is established on a system, their user ID should be documented on the form indicating that the user was set up.

Management's Response: The Office of Technology will work with Human Resources to update the New Employee Notification and Employee Exit Notification forms to meet these recommendations. In particular, the District will insure that IEP users are noted on the form, that a date of hire is included on the form, that the confirmation section of the New Employee Notification form is always signed by the Office of Technology, that the date of hire and separation date are added to these forms, and that the user ID is also documented on the forms once a user is set up in the network. In addition, the Office of Technology will set quarterly tests in conjunction with Human Resources, Special Services and the Business Office to insure that employee lists and access to the network and applications are accurate.

Proposed Implementation Date: September 2009

Responsible Party: Carol Ann Lee, Director of Technology; Teresa Gallo, Help Desk Analyst; Dr. Karen Benedict, Deputy Superintendent, Human Resources; Dr. Phyllis McGill, Director for Special Services; Mr. Michael Jumper, Assistant Superintendent for Business
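The periodic user certification recommended in Observation #3 can be run as a scripted reconciliation of each application's user export against the HR roster. The following is an added example, not part of the audit report or of the District's own procedures; the system names, user IDs, rosters and the export column layout are constructed assumptions. It applies the report's distinction between a separated employee whose application account is still Active but whose network ID is disabled (mitigated, still to be cleaned up) and one whose network ID remains enabled, and it flags accounts that match neither HR nor the consultant authorization list for manual review.

```python
"""Periodic certification of application users against the HR active-staff
roster, the check recommended in Observation #3.

Added example; not part of the audit report. Every system name, user ID and
roster below is constructed sample data, and the export column layout is an
assumption (real exports differ per application).
"""
import csv
import io
from dataclasses import dataclass, field
from enum import Enum


class Finding(Enum):
    OK = "active employee"
    AUTHORIZED_EXTERNAL = "consultant/vendor with documented authorization"
    DISABLED = "application account already disabled"
    SEPARATED_MITIGATED = "separated; app account Active but network ID disabled"
    SEPARATED_ACTIVE = "separated; app account Active and network ID enabled"
    NOT_ON_HR_LIST = "unknown user; not on HR list or authorization list"


# Findings that require follow-up, most urgent first.
ACTION_PRIORITY = (Finding.SEPARATED_ACTIVE, Finding.NOT_ON_HR_LIST,
                   Finding.SEPARATED_MITIGATED)


@dataclass(frozen=True)
class AppUser:
    system: str
    user_id: str
    status: str  # "Active" or "Disabled", as reported by the application


@dataclass
class CertificationResult:
    findings: dict = field(default_factory=dict)  # (system, user_id) -> Finding

    def by_kind(self, kind):
        return sorted(key for key, f in self.findings.items() if f is kind)

    def action_items(self):
        """Exceptions to follow up, ordered by urgency, then system and user."""
        rank = {f: i for i, f in enumerate(ACTION_PRIORITY)}
        items = [(s, u, f) for (s, u), f in self.findings.items() if f in rank]
        return sorted(items, key=lambda t: (rank[t[2]], t[0], t[1]))


def load_export(text):
    """Parse a constructed 'system,user_id,status' CSV export (assumed layout)."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return [AppUser(r["system"].strip(), r["user_id"].strip().lower(),
                    r["status"].strip()) for r in reader]


def certify(app_users, hr_active, hr_separated, network_disabled,
            authorized_external):
    """Classify every application account against HR and network data.

    hr_active / hr_separated: user IDs taken from the HR roster.
    network_disabled: user IDs whose network account is disabled. An Active
        application account of a separated employee is mitigated (but still
        to be removed) when the network ID in front of it is disabled.
    authorized_external: consultants/vendors with an authorization on file.
    """
    result = CertificationResult()
    for u in app_users:
        key = (u.system, u.user_id)
        if u.status.lower() != "active":
            result.findings[key] = Finding.DISABLED
        elif u.user_id in hr_active:
            result.findings[key] = Finding.OK
        elif u.user_id in hr_separated:
            result.findings[key] = (Finding.SEPARATED_MITIGATED
                                    if u.user_id in network_disabled
                                    else Finding.SEPARATED_ACTIVE)
        elif u.user_id in authorized_external:
            result.findings[key] = Finding.AUTHORIZED_EXTERNAL
        else:
            result.findings[key] = Finding.NOT_ON_HR_LIST
    return result


# --- Constructed sample data (not from the report) ---------------------------
HR_ACTIVE = {"jdoe", "asmith", "bchan"}
HR_SEPARATED = {"rjones", "mlee"}
NETWORK_DISABLED = {"rjones"}           # network ID disabled at separation
AUTHORIZED_EXTERNAL = {"iep_consult1"}  # consultant with signed authorization

SAMPLE_EXPORT = """
system,user_id,status
Finance Manager,jdoe,Active
Finance Manager,asmith,Active
Infinite Campus,jdoe,Active
Infinite Campus,rjones,Active
Infinite Campus,mlee,Disabled
IEP Direct,bchan,Active
IEP Direct,mlee,Active
IEP Direct,iep_consult1,Active
IEP Direct,unknown7,Active
"""


def run_sample():
    users = load_export(SAMPLE_EXPORT)
    return certify(users, HR_ACTIVE, HR_SEPARATED, NETWORK_DISABLED,
                   AUTHORIZED_EXTERNAL)


if __name__ == "__main__":
    for system, user_id, finding in run_sample().action_items():
        print(f"{system:16} {user_id:14} {finding.value}")
```

Keeping the per-account classification (not just the exception list) gives the signed certification record that the recommended quarterly test needs.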


More information

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07 EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014

More information

DETAIL AUDIT PROGRAM Information Systems General Controls Review

DETAIL AUDIT PROGRAM Information Systems General Controls Review Contributed 4/23/99 by Steve_Parker/TBE/Teledyne@teledyne.com DETAIL AUDIT PROGRAM Information Systems General Controls Review 1.0 Introduction The objectives of this audit are to review policies, procedures,

More information

PeopleSoft IT General Controls

PeopleSoft IT General Controls PeopleSoft IT General Controls Performance Audit December 2009 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of

More information

Music Recording Studio Security Program Security Assessment Version 1.1

Music Recording Studio Security Program Security Assessment Version 1.1 Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND

More information

INCIDENT RESPONSE CHECKLIST

INCIDENT RESPONSE CHECKLIST INCIDENT RESPONSE CHECKLIST The purpose of this checklist is to provide clients of Kivu Consulting, Inc. with guidance in the initial stages of an actual or possible data breach. Clients are encouraged

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

BMC s Security Strategy for ITSM in the SaaS Environment

BMC s Security Strategy for ITSM in the SaaS Environment BMC s Security Strategy for ITSM in the SaaS Environment TABLE OF CONTENTS Introduction... 3 Data Security... 4 Secure Backup... 6 Administrative Access... 6 Patching Processes... 6 Security Certifications...

More information

Program Overview. CDP is a registered certification designed and administered by Identity Management Institute (IMI).

Program Overview. CDP is a registered certification designed and administered by Identity Management Institute (IMI). Overview Certified in Data Protection (CDP) is a comprehensive global training and certification program which leverages international security standards and privacy laws to teach candidates on how to

More information

21 Questions you should ask your IT service provider Before hiring them to support your network

21 Questions you should ask your IT service provider Before hiring them to support your network 21 Questions you should ask your IT service provider Before hiring them to support your network Customer Service: Q1: Do they answer their phones live or do you always have to leave a voice mail and wait

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3 OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

More information

Outsourcing Technology Services A Management Decision

Outsourcing Technology Services A Management Decision Outsourcing Technology Services A Management Decision A Telephone Seminar for National Banks Tuesday, July 20, 2004 And again on Wednesday, July 21, 2004 Agenda Outsourcing activities and relationships

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

IT OUTSOURCING SECURITY

IT OUTSOURCING SECURITY IT OUTSOURCING SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

1. Describe the staffing levels maintained in the IT department (change titles as needed): K. Tollefsen/1

1. Describe the staffing levels maintained in the IT department (change titles as needed): K. Tollefsen/1 Page 1 of 14 Chabot-Las Positas Community College District Reference: T500 Information System Memo Prepared by: Jeannine Methe June 30, 2005 Date: 6/8/05 Reviewed by: Instructions: This memo is designed

More information

Hosted Exchange. Security Overview. Learn More: Call us at 877.634.2728. www.megapath.com

Hosted Exchange. Security Overview. Learn More: Call us at 877.634.2728. www.megapath.com Security Overview Learn More: Call us at 877.634.2728. www.megapath.com Secure and Reliable Hosted Exchange Our Hosted Exchange service is delivered across an advanced network infrastructure, built on

More information

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures 1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities

More information

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec. The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

Information Technology Internal Audit Report

Information Technology Internal Audit Report Information Technology Internal Audit Report Report #2014-05 July 25, 2014 Table of Contents Page Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives... 4 Scope and Testing

More information

Request for Proposal Managed IT Services 7 December 2009

Request for Proposal Managed IT Services 7 December 2009 Request for Proposal Managed IT Services 7 December 2009 BuzzBack, LLC 25 West 45 th Street Suite 202 New York, NY 10036 Table of Contents 1 Summary... 1 2 Proposal Guidelines and Requirements... 1 2.1

More information

LHRIC Network Support - Additional Service Features

LHRIC Network Support - Additional Service Features LHRIC Network Support - Additional Service Features It is important to note that costs associated with LHRIC Network Support service not only cover an on-site support engineer but also include a number

More information

ELECTRONIC INFORMATION SECURITY A.R.

ELECTRONIC INFORMATION SECURITY A.R. A.R. Number: 2.6 Effective Date: 2/1/2009 Page: 1 of 7 I. PURPOSE In recognition of the critical role that electronic information systems play in City of Richmond (COR) business activities, this policy

More information

Information System Audit. Arkansas Administrative Statewide Information System (AASIS) General Controls

Information System Audit. Arkansas Administrative Statewide Information System (AASIS) General Controls Information System Audit Arkansas Administrative Statewide Information System (AASIS) General Controls ARKANSAS DIVISION OF LEGISLATIVE AUDIT April 12, 2002 April 12, 2002 Members of the Legislative Joint

More information

Circular to All Licensed Corporations on Information Technology Management

Circular to All Licensed Corporations on Information Technology Management Circular 16 March 2010 Circular to All Licensed Corporations on Information Technology Management In the course of our supervision, it has recently come to our attention that certain deficiencies in information

More information

Services Providers. Ivan Soto

Services Providers. Ivan Soto SOP s for Managing Application Services Providers Ivan Soto Learning Objectives At the end of this session we will have covered: Types of Managed Services Outsourcing process Quality expectations for Managed

More information

Dokument Nr. 521.dw Ausgabe Februar 2013, Rev. 01. . Seite 1 von 11. 521d Seite 1 von 11

Dokument Nr. 521.dw Ausgabe Februar 2013, Rev. 01. . Seite 1 von 11. 521d Seite 1 von 11 Eidgenössisches Departement für Wirtschaft, Bildung und Forschung WBF Staatssekretariat für Wirtschaft SECO Schweizerische Akkreditierungsstelle SAS Checkliste für die harmonisierte Umsetzung der Anforderungen

More information

Office of the City Auditor. Audit Report. AUDIT OF SELECTED CLIENT SERVER GENERAL CONTROLS (Report No. A08-010 ) May 2, 2008.

Office of the City Auditor. Audit Report. AUDIT OF SELECTED CLIENT SERVER GENERAL CONTROLS (Report No. A08-010 ) May 2, 2008. CITY OF DALLAS Dallas City Council Office of the City Auditor Audit Report Mayor Tom Leppert Mayor Pro Tem Dr. Elba Garcia Deputy Mayor Pro Tem Dwaine Caraway AUDIT OF SELECTED CLIENT SERVER GENERAL CONTROLS

More information

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,

More information

How to Practice Safely in an era of Cybercrime and Privacy Fears

How to Practice Safely in an era of Cybercrime and Privacy Fears How to Practice Safely in an era of Cybercrime and Privacy Fears Christina Harbridge INFORMATION PROTECTION SPECIALIST Information Security The practice of defending information from unauthorised access,

More information

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department

More information

H.I.P.A.A. Compliance Made Easy Products and Services

H.I.P.A.A. Compliance Made Easy Products and Services H.I.P.A.A Compliance Made Easy Products and Services Provided by: Prevare IT Solutions 100 Cummings Center Suite 225D Beverly, MA 01915 Info-HIPAA@prevare.com 877-232-9191 Dear Health Care Professional,

More information

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for

More information

Department of Public Utilities Customer Information System (BANNER)

Department of Public Utilities Customer Information System (BANNER) REPORT # 2010-06 AUDIT of the Customer Information System (BANNER) January 2010 TABLE OF CONTENTS Executive Summary..... i Comprehensive List of Recommendations. iii Introduction, Objective, Methodology

More information

NETWORK SECURITY GUIDELINES

NETWORK SECURITY GUIDELINES NETWORK SECURITY GUIDELINES VIRUS PROTECTION STANDARDS All networked computers and networked laptop computers are protected by GST BOCES or district standard anti-virus protection software. The anti-virus

More information

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Information Technology General Controls Review (ITGC) Audit Program Prepared by: Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the

More information

Risk Management of Outsourced Technology Services. November 28, 2000

Risk Management of Outsourced Technology Services. November 28, 2000 Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the

More information

July 6, 2015. Mr. Michael L. Joseph Chairman of the Board Roswell Park Cancer Institute Elm & Carlton Streets Buffalo, NY 14263

July 6, 2015. Mr. Michael L. Joseph Chairman of the Board Roswell Park Cancer Institute Elm & Carlton Streets Buffalo, NY 14263 July 6, 2015 Mr. Michael L. Joseph Chairman of the Board Roswell Park Cancer Institute Elm & Carlton Streets Buffalo, NY 14263 Re: Security Over Electronic Protected Health Information Report 2014-S-67

More information

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10) MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY This Plan we adopted by member, partner, etc.) on Our Program Coordinator (date). (Board of Directors, owner, We have appointed

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL The auditor general shall conduct post audits of financial transactions and accounts of the state and of all

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

Hengtian Information Security White Paper

Hengtian Information Security White Paper Hengtian Information Security White Paper March, 2012 Contents Overview... 1 1. Security Policy... 2 2. Organization of information security... 2 3. Asset management... 3 4. Human Resources Security...

More information

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal

More information

VMware vcloud Air SOC 1 Control Matrix

VMware vcloud Air SOC 1 Control Matrix SOC 1 Control Objectives/Activities Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort, we have undergone a variety of industry standard audits,

More information

Network and Security Controls

Network and Security Controls Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting

More information

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland Audit Report Effectiveness of IT Controls at the Global Fund Follow-up report GF-OIG-15-20b Geneva, Switzerland Table of Contents I. Background and scope... 3 II. Executive Summary... 4 III. Status of

More information

Security from a customer s perspective. Halogen s approach to security

Security from a customer s perspective. Halogen s approach to security September 18, 2015 Security from a customer s perspective Using a cloud-based talent management program can deliver tremendous benefits to your organization, including aligning your workforce, improving

More information

Ayla Networks, Inc. SOC 3 SysTrust 2015

Ayla Networks, Inc. SOC 3 SysTrust 2015 Ayla Networks, Inc. SOC 3 SysTrust 2015 SOC 3 SYSTRUST FOR SERVICE ORGANIZATIONS REPORT July 1, 2015 To December 31, 2015 Table of Contents SECTION 1 INDEPENDENT SERVICE AUDITOR S REPORT... 2 SECTION 2

More information