OFFICE OF THE CITY AUDITOR



Similar documents
Internal Audit Report ITS CHANGE MANAGEMENT PROCESS. Report No. SC-11-11

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Follow-up Audit of Information Technology Services Department. IT Contingency Planning

- PUBLIC REPORT - CITY OF SAN ANTONIO INTERNAL AUDIT DEPARTMENT

Looking at the SANS 20 Critical Security Controls

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Audit of the Finance Department. Payroll. Project No. AU June 9, 2014

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Critical Controls for Cyber Security.

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

Office of the City Auditor. Audit Report

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Follow-up Audit of San Antonio Fire Department. Fleet Maintenance Division. Project No.

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

Department of Information Technology Software Change Control Audit - Mainframe Systems Final Report

Distribution: Sheryl L. Sculley, City Manager Gloria Hurtado, Assistant City Manager Ben Gorzell, Chief Financial Officer Dr.

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

SACM and CMDB Strategy and Roadmap. David Lowe ActionableITSM.com March 20, 2012

How To Audit The Mint'S Information Technology

NETWORK INFRASTRUCTURE USE

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Audit of San Antonio Fire Department. Drug Inventory Management. Project No.

Performance Audit of the San Diego Convention Center s Information Technology Infrastructure JULY 2012

WHITE PAPER. Automated IT Asset Management Maximize Organizational Value Using Numara Track-It! p: f:

Final Audit Report. Report No. 4A-CI-OO

STATE OF NORTH CAROLINA

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Follow-Up Audit of Finance Department. San Antonio eprocurement System (SAePS) Controls

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Audit of Center City Development & Operations Department. Parking Revenue. Project No.

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

How To Improve Nasa'S Security

Firewall Change Management

Autodesk PLM 360 Security Whitepaper

GOVERNANCE AND MANAGEMENT OF CITY COMPUTER SOFTWARE NEEDS IMPROVEMENT. January 7, 2011

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Audit of Customer Service/311. CRM System. Project No. AU April 15, 2013

The Commonwealth of Massachusetts

Domain 1 The Process of Auditing Information Systems

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

GOVERNANCE AND MANAGEMENT OF CITY WIRELESS TECHNOLOGY NEEDS IMPROVEMENT MARCH 12, 2010

Get Confidence in Mission Security with IV&V Information Assurance

PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name]

BSM for IT Governance, Risk and Compliance: NERC CIP

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

Altius IT Policy Collection Compliance and Standards Matrix

CTR System Report FISMA

STATEMENT OF JOHN E. MCCOY II DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDITS U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE

Subject: Information Technology Configuration Management Manual

U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS. Final Audit Report

Final Audit Report -- CAUTION --

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

FEDERAL HOUSING FINANCE AGENCY OFFICE OF INSPECTOR GENERAL

Distribution: Sheryl L. Sculley, City Manager Erik Walsh, Deputy City Manager Ben Gorzell, Chief Financial Officer Charles N. Hood, Fire Chief Martha

Automated IT Asset Management Maximize organizational value using BMC Track-It! WHITE PAPER

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

NIST A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich

Information Technology Security Review April 16, 2012

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Service Asset & Configuration Management PinkVERIFY

ISAAC Risk Assessment Training

Proving Control of the Infrastructure

NSSC Enterprise Service Desk Configuration Management Database (CMDB) Configuration Management Service Delivery Guide

CMS Policy for Configuration Management

REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2013

EVALUATION REPORT. The Department of Energy's Unclassified Cybersecurity Program 2014

Review of the SEC s Systems Certification and Accreditation Process

Server Management-Scans & Patches

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections

PATCH MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

COMPUTER OPERATIONS - BACKUP AND RESTORATION

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

Information Technology General Controls (ITGCs) 101

OFFICE OF AUDITS & ADVISORY SERVICES IT DISASTER RECOVERY AUDIT FINAL REPORT

CHIS, Inc. Privacy General Guidelines

NIST Cyber Security Activities

Guide to Vulnerability Management for Small Companies

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Cover Page. Title Configuration Management Database. Category Enterprise IT Management Initiatives

CRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

CSUSB Vulnerability Management Standard CSUSB, Information Security & Emerging Technologies Office

MANAGEMENT AUDIT REPORT DISASTER RECOVERY PLAN DEPARTMENT OF FINANCE AND ADMINISTRATIVE SERVICES INFORMATION TECHNOLOGY SERVICES DIVISION

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Internal Control Deliverables. For. System Development Projects

Judiciary Judicial Information Systems

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Follow-Up Audit of San Antonio Metropolitan Health District Laboratory Operations

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Audit of Transportation and Capital Improvements. On-Call Contracts. Project No.

AUDIT REPORT. The Energy Information Administration s Information Technology Program

SRA International Managed Information Systems Internal Audit Report

Final Audit Report -- CAUTION --

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Audit of Payment Card Industry Data Security Standards (PCI DSS) Security Governance

The Protection Mission a constant endeavor

Performance Audit E-Service Systems Security

FOLLOW-UP REPORT Change Management Practices

FISMA Implementation Project

Final Audit Report AUDIT OF INFORMATION SYSTEMS GENERAL AND APPLICATION CONTROLS AT HEALTH CARE SERVICE CORPORATION. Report No. 1A

Security Controls What Works. Southside Virginia Community College: Security Awareness

AUDIT REPORT. Cybersecurity Controls Over a Major National Nuclear Security Administration Information System

Transcription:

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR Audit of Information Technology Services Department Project No. AU10-012 September 1, 2011

Audit of Information Technology Services Department Executive Summary As part of our annual Audit Plan approved by City Council, we conducted an Information Technology Services Department (ITSD) configuration management audit. This audit is the third in a series of audits we will perform over the next few years to assist ITSD by evaluating information technology general controls that apply to all or a large segment of the City s computer applications (see Appendix B on page 5 for our tentative IT audit schedule). The audit objective and conclusion follow: Determine if changes to information technology resources are authorized and systems are configured and operating securely. We determined that changes to information technology resources are authorized and systems are configured and operating securely with respect to change management. ITSD has developed and consistently followed a configuration management (a.k.a. change management) process that includes planning, impact analysis, and a formal approval process that includes a Change Approval Board. Furthermore, the system development process is well documented and considers security controls throughout the lifecycle. Management of ITSD agrees with the audit report. Its verbatim response is in Appendix D on page 7. City of San Antonio, Office of the City Auditor i

Table of Contents Executive Summary... i Background... 1 Audit Scope and Methodology... 2 Internal Controls... 3 Appendix A COBIT Maturity Model... 4 Appendix B Information Technology Audit Schedule... 5 Appendix C Staff Acknowledgement... 6 Appendix D Management Response... 7

Audit of Information Technology Services Department Background Information Technology (IT) systems play a vital role in acquiring, processing, storing and distributing key financial, operational, and human resource related data at the City of San Antonio. ITSD provides IT services to all City Departments, delegate agencies, various local, state, and federal government entities through information and technology sharing agreements. 1 ITSD is structured as a centralized IT shared services organization that provides governance and support for all technology functions and builds information systems around IT industry practices that facilitate the goals and objectives of the City of San Antonio. ITSD is comprised of four areas, Enterprise Application Support, Enterprise Information Technology Infrastructure, Public Safety, and Customer Relations. One of the 11 Goals and Objectives of ITSD is Customer Support Services. Their mission is to provide an improved single point of contact for IT Support 24-hours a day, 7-days a week that will improve the business processes for customer service, asset management, inventory, change management and incident management. The Service Desk provides two separate and distinct functions: (1) logging, tracking, resolution, and elevation of problems; and (2) coordination of all data and voice service requests for adds, moves, and changes. 2 Configuration management (CM) provides reasonable assurance that changes to information system resources are authorized, tested, and tracked, and that systems are configured and operating securely and as intended. CM also entails updating software on a timely basis to protect against known vulnerabilities. In October 2010, ITSD implemented a CM software solution called BMC Remedy for facilitating configuration changes. BMC Remedy applies a repeatable process for information system changes to improve the stability of business service and required technology configuration changes. BMC Remedy facilitates change requests and approval, risk analysis, planning, orchestration of tasks, verification, and change tracking. Additionally, BMC Remedy can manage and track IT related assets such as mobile devices, security cameras, handheld radios, computers, network equipment, software and applications. 1 City of San Antonio, Texas, Balanced Adopted Annual Operating and Capital Budget - Fiscal Year 2011, (San Antonio, 2010), 508. 2 Ibid. City of San Antonio, Office of the City Auditor 1

Audit Scope and Methodology Audit of Information Technology Services Department The audit scope included FY 2011 (October 1, 2010 through the present). The audit included inquiries of City ITSD employees and review of documented policies and procedures provided by ITSD management. Furthermore, auditors utilized BMC Remedy to review configurable item 3 change details. Our audit also included tests of management controls that we considered necessary under the circumstances. These tests verified that the Change Approval Board was operating effectively and included appropriate representation across the entity. Additionally, auditors verified that information technology hardware and software items are inventoried and mapped to the application(s) they support. Auditors tested samples of system changes, normal and emergency, to determine that the organization uses a systematic process that includes justification, review, impact analysis and approval. Auditors also reviewed policies and procedures pertaining to version controls and verified that access controls surrounding the source code library exist and are effective. Other policies and procedures reviewed pertain to infrastructure maintenance, patch management, troubleshooting, and hardware reconciliations. Auditors also verified that policies and procedures are in place surrounding application development and include an effective System Development Life Cycle. We obtained sufficient criteria and best practices for Information Technology (IT) related processes and procedures. We used the Government Accountability Office s (GAO) Federal Information System Controls Audit Manual (FISCAM). FISCAM presents a methodology for performing information system control audits in accordance with government auditing standards. We also relied on related National Institute of Standards and Technology (NIST) security publications. We conducted this audit from January 2011 to June 2011 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate information to provide a reasonable basis for the results based on the audit objectives. We believe that the information obtained provides a reasonable basis for our audit results and conclusions based on our audit objectives. 3 Hardware, software, relationships, documentation, personnel attributes, etc. City of San Antonio, Office of the City Auditor 2

Audit of Information Technology Services Department Internal Controls Based on the Control Objectives for Information and related Technology (COBIT) maturity model for managing changes 4, we concluded that overall, the maturity of ITSD s change management process is at the Defined Process (3) level but approaching the Managed and Measurable (4) level. ITSD s change management process is a formal process that includes categorization, prioritization, emergency procedures, change authorization and release management. Additionally, change management documentation is current and correct, with changes formally tracked and auditable in the BMC Remedy Change Management System. Maturity modeling is a method of evaluating internal controls in their current state against a maturity scale of non-existent (0) to optimized (5). The ultimate or target maturity level should be higher (e.g. 3, 4, or 5) rather than lower and should be influenced by ITSD and COSA business objectives, dependence on IT, technology sophistication, and most importantly, the value of the City s information. Additional explanations of the different levels of the COBIT maturity model are included in Appendix A on page 4. 4 IT Governance Institute COBIT 4.1, AI6 Acquisition and Implementation Manage Changes, 96. City of San Antonio, Office of the City Auditor 3

Audit of Information Technology Services Department Appendix A COBIT Maturity Model The COBIT maturity model for managing changes 5 is based on six levels of maturity, which are paraphrased below: 0 Non-Existent: There is no defined change management process, and changes can be made with virtually no control. There is no awareness that change can be disruptive for IT and business operations, and no awareness of the benefits of good change management. 1 Initial: It is recognized that changes should be managed and controlled. Practices vary, and it is likely that unauthorized changes take place. There is poor or non-existent documentation of change and configuration documentation is incomplete and unreliable. 2 Repeatable but Intuitive: There is an informal change management process in place and most changes follow this approach; however, it is unstructured, rudimentary and prone to error. Configuration documentation accuracy is inconsistent, and only limited planning and impact assessment take place prior to a change. 3 Defined Process: There is a defined formal change management process in place, including categorization, prioritization, emergency procedures, change authorization and release management, and compliance is emerging. Workarounds take place, and processes are often bypassed. Errors may occur and unauthorized changes occasionally occur. 4 Managed and Measurable: The change management process is well developed and consistently followed for all changes, and management is confident that there are minimal exceptions. The process is efficient and effective, but relies on considerable manual procedures and controls to ensure that quality is achieved. All changes are subject to thorough planning and impact assessment to minimize the likelihood of post-production problems. An approval process for changes is in place. Change management documentation is current and correct, with changes formally tracked. 5 Optimized: The change management process is regularly reviewed and updated to stay in line with good practices. The review process reflects the outcome of monitoring. Configuration information is computer-based and provides version control. 5 Ibid. City of San Antonio, Office of the City Auditor 4

Audit of Information Technology Services Department Appendix B Information Technology Audit Schedule Based on FISCAM Control Categories 9-1-1 Dispatch System SAP Accounting System 3-1-1 Customer Relationship Management System Potential Future Audits Application Security Controls Interface Controls Business Process Controls Data Management System Controls Security Contingency Management Planning Configuration Management Segregation of Duties Access Controls* Tentative Schedule: April 2010 2010 / 2011 2010 / 2011 2011/ 2012 2011/ 2012 *Access Controls include physical access security (e.g. data center access) and logical access security audits. Logical access security may include audits of system-level components such as the City s IT network (e.g. firewalls, web servers, routers), operating systems (server and workstation), and infrastructure application software (e.g. database management systems, identification and authentication systems, email/messaging systems, etc.). City of San Antonio, Office of the City Auditor 5

Appendix C Staff Acknowledgement Audit of Information Technology Services Department Mark Bigler, CPA-Utah, CISA, CFE, Audit Manager Gabe Trevino, CISA, Auditor in Charge City of San Antonio, Office of the City Auditor 6

Appendix D Management Response Audit of Information Technology Services Department City of San Antonio, Office of the City Auditor 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information