Auditing Application User Account Security and Identity Management with Data Analytics

Transcription

1 Auditing Application User Account Security and Identity Management with Data Analytics James Kidwell, JD, CISA Senior Information Systems Auditor Audit Services

2 Session Agenda and Learning Objectives Brief background and risk history Discuss continuous auditing/monitoring project design, planning and execution steps Describe continuous audit and data analytic project challenges Discuss approaches used to help management make enterprise application user account security and identity management process and control improvements Share lessons learned by auditing with data analytics 9/14/2015 2

3 Background About Carolinas HealthCare System (CHS) Audit Findings. Terminated users still had active application user accounts Active application user accounts could not be linked to enterprise identity management data sources Applications access, process, store and transmit Protected Health Information (PHI) and other confidential data Why? When some workforce members leave CHS or move jobs internally, their app user accounts are not promptly disabled? Does this occur across multiple enterprise applications? 9/14/2015 3

4 Why Use Data Analytics (DA) to Audit? Multiple process and control issue factors Complex application interfaces and infrastructures Broad geographical facility locations and remote users Coordination of remote user support and account management between Corporate and other health system entities Non-employee users, Contractors, Vendors, etc Multiple authoritative identity and user access security data sources Improve Critical Thinking with Technology Excel, Access, etc. are great CAAT tools, but sometimes a little more power is needed CHS strengthened ACL Desktop with Audit Exchange (AX) Server 9/14/2015 4

5 Using Repeatable Data Analytics 9/14/ Image Source: Data-Analytics_whp_Eng_0811.pdf (ISACA)

6 Why Use Continuous Auditing/Monitoring (CA/CM) to Mitigate Risk? Beyond Repeatable DA, other Benefits too: Advanced, pre-defined analytic scripting to support repeatability and automation Audit assurance/consultation skill/knowledge/experience increase Automated data source feeds to AX (as opposed to ad hoc IT extracts) Enhanced data file security on centralized server PHI in raw data and audit samples, Payroll, excecutive compensation, etc. AX Audit program data testing and scripting standards 9/14/2015 6

7 Key CA/CM Project Design Considerations Identify data owners, stakeholders and key players Learn where the data is maintained Determine the needed data (DB tables and fields) Define the purpose and scope of the testing Select audit tools to perform data analytic tests Define the data analytic processes and tests Establish the data request/delivery process Define audit/monitoring report distribution/timing Build client confidence in program 9/14/2015 7

8 CA/CM Project Execution/Challenges Primary client education and awareness Subject matter expert engagement Auditor education and awareness Long-term management acceptance and engagement Data source acquisition and management Segregation of duties Cultural realities Mapping business processes to workforce and software activities Audit communications 9/14/2015 8

9 CA/CM Project Lessons Learned Oh boy, where should we begin Audit project communications Mapping business processes to workforce and software activities Cultural realities Segregation of duties Data source acquisition and management Long-term management acceptance and engagement Auditor education and awareness Subject matter expert engagement Primary client education and awareness 9/14/2015 9

10 Q & A??? 9/14/

11 James Kidwell Senior Information Systems Auditor Audit Services James.Kidwell (at) CarolinasHealthCare.org O: