AUDIT REPORT. Corporate Access and Identity Management Project Audit Opinion: Satisfactory. July 31, 2015

Transcription

1 AUDIT REPORT Corporate Access and Identity Management Project Audit Opinion: Satisfactory July 31, 2015 Report Number: 2015-IT-02 Corporate Access and Identity Management Project

2 Table of Contents: Page Executive Summary Background 1 Objectives and Scope 1 Audit Opinion 2 Appendices Definitions 3 Distribution 4 Audit Performed By 4 Report Number: 2015-IT-02 Corporate Access and Identity Management Project

3 Executive Summary Background During May 2014, Citizens commenced with establishing a corporate Access and Identity Management (AIM) program to develop stronger governance, process ownership and improved processes across our widely distributed application security environment. Conceptually, identity management refers to the management of the entire life cycle of user and system accounts so that users can be uniquely identified to IT systems before being granted access to sensitive IT assets. Processes in place include: user provisioning; maintenance; deprovisioning; monitoring; and reporting on accounts and related access permissions. During 2010, a Computer Access Management program was developed by IT Security that divided user application access processes between business areas and IT Security for applications considered as high risk. This program has not been effective mainly due to the lack of automation and assignment of resources required to comply with the program requirements from both a business and information technology perspective. With the current project, a renewed emphasis is being applied in the management of access throughout Citizens vast systems infrastructure with the intent to fully distribute user access management processes to the appropriate business areas. Going forward, instead of being the custodian of access management, IT Security will be providing governance oversight and compliance validation functions. The primary objectives of the AIM project are to: Develop a governance framework that provides guidance in security access management as well as a business user access process document to capture and understand processes currently in place. (A more over-arching IT Security Policy is being developed as part of another initiative, which will further strengthen governance and control over system access.) Document and assess current application identity management processes for applications containing data classified as restricted and sensitive. Assess gaps in processes and user access reporting and define improvements needed to effectively manage and monitor these processes. Remediate gaps where necessary to comply with the minimum standards contained in the framework. Results from this project are not intended to provide assurance that single user access is addressed with proper separation of duties across multiple systems. It has a single focus on an application by application basis. Audit Objectives and Scope We evaluated the adequacy and effectiveness of the governance structure associated with the project in accordance with project management best practices as defined in the Global Technology Audit Guide 12, Auditing IT Projects and the Control Objectives for Information and related Technology (COBIT ) 4.1. We also evaluated compliance to the Citizens Enterprise Project Management Methodology. The scope of the audit included the following components that were identified as integral parts of the governance process: Report Number: 2015-IT-02 Corporate Access and Identity Management Project Page 1

4 Executive Summary A sound project governance structure has been established (project team and stakeholders group), objectives have been clearly defined and communicated and a clear escalation path is implemented. Required project artifacts are created and stored in the required location in line with the Project Methodology. Appropriate approvals are obtained for artifacts and significant project decisions. Roles and responsibilities have been delineated and communicated to business application owners and contacts. Tasks, resources and target dates are maintained up to date and periodically reported to the project owner and sponsor. Project risks are being identified as part of project progression. Status reports are being generated and distributed in line with the required Project Methodology time frame. Audit Opinion Based upon our audit work, the overall effectiveness of the governance processes and Citizens Enterprise Project Management Methodology policy compliance evaluated during the audit is rated as Satisfactory. We found that the project governance structure is designed well with an escalation path to a stakeholders group and an executive sponsor. Monthly stakeholder meetings are held to review project status and issues. Appropriate approvals have been obtained for documents requiring such by policy. Primary project team members are available to business owners and application contacts for assistance in completing the current state assessment documents. Formalized status checkpoints have been installed with application owners as the User Access Process documents are being completed between May and November, We would like to thank management and staff in IT Security and the Program Management Office for their cooperation and professional courtesy throughout the course of this audit. Report Number: 2015-IT-02 Corporate Access and Identity Management Project Page 2

5 Appendix 1 Definitions Audit Ratings Satisfactory: Critical internal control systems are functioning in an acceptable manner. There may be no or very few minor issues, but their number and severity relative to the size and scope of the operation, entity, or process audited indicate minimal concern. Corrective action to address the issues identified, although not serious, remains an area of focus. Needs Improvement: Internal control systems are not functioning in an acceptable manner and the control environment will require some enhancement before it can be considered as fully effective. The number and severity of issues relative to the size and scope of the operation, entity, or process being audited indicate some significant areas of weakness. Overall exposure (existing or potential) requires corrective action plan with priority. Unsatisfactory: One or more critical control deficiencies exist which would have a significant adverse effect on loss potential, customer satisfaction or management information. Or the number and severity of issues relative to the size and scope of the operation, entity, or process being audited indicate pervasive, systemic, or individually serious weaknesses. As a result the control environment is not considered to be appropriate, or the management of risks reviewed falls outside acceptable parameters, or both. Overall exposure (existing or potential) is unacceptable and requires immediate corrective action plan with highest priority. Report Number: 2015-IT-02 Corporate Access and Identity Management Project Page 3

6 Appendix 2 Distribution Addressees Copies Mitch Brockbank, Director IT Security and Risk Juan Cocuy, Citizens Audit Committee Chairman Bette Brown, Citizens Audit Committee Member Jim Henderson, Citizens Audit Committee Member Barry Gilway, President/CEO/Executive Director Kelly Booten, Chief Systems and Operations Curt Overpeck, Chief Information Officer John Rollins, Chief Risk Officer Dan Sumner, Chief Legal Officer and General Counsel Christine Ashburn, VP, Legislative and External Affairs and Communications Robert Owens, Director, Program Management Office Bruce Meeks, Inspector General Following Audit Committee Distribution The Honorable Rick Scott, Governor The Honorable Jeff Atwater, Chief Financial Officer The Honorable Pam Bondi, Attorney General The Honorable Adam Putnam, Commissioner of Agriculture The Honorable Andy Gardiner, President of the Senate The Honorable Steve Crisafulli, Speaker of the House of Representatives Audit Performed By Audit Director Under the Direction of Karen Wittlinger, Director IT Audit Joe Martins Chief of Internal Audit Report Number: 2015-IT-02 Corporate Access and Identity Management Project Page 4