State of West Virginia Office of Technology Policy: Information Security Audit Program Issued by the CTO



Similar documents
State of West Virginia Office of Technology Policy: Change & Configuration Management Issued by the CTO

ADMINISTRATIVE POLICY # (2014) Information Security Roles and Responsibilities

Information Resources Security Guidelines

OCCUPATIONAL GROUP: Information Technology. CLASS FAMILY: Security CLASS FAMILY DESCRIPTION:

Information Security Program Management Standard

The Next Generation of Security Leaders

INFORMATION TECHNOLOGY POLICY

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

NSW Government Digital Information Security Policy

Legislative Language

TITLE III INFORMATION SECURITY

Application for CISA Certification

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

Governance and Management of Information Security

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

Wellesley College Written Information Security Program

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

Information Security Management Systems

SRA International Managed Information Systems Internal Audit Report

INFORMATION SECURITY Humboldt State University

July 6, Mr. Michael L. Joseph Chairman of the Board Roswell Park Cancer Institute Elm & Carlton Streets Buffalo, NY 14263

Information Security Program

Marist College. Information Security Policy

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Specific observations and recommendations that were discussed with campus management are presented in detail below.

Statement of Policy. Reason for Policy

Application for CISM Certification

My Docs Online HIPAA Compliance

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

Network Security Policy

INFORMATION SECURITY MANAGEMENT POLICY

HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

HIPAA BUSINESS ASSOCIATE AGREEMENT

Question: 1 Which of the following should be the FIRST step in developing an information security plan?

HIPAA Privacy Rule Policies

Information Security Program CHARTER

Can Your Diocese Afford to Fail a HIPAA Audit?

Encryption Security Standard

C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)

INFORMATION SECURITY & HIPAA COMPLIANCE MPCA

APHIS INTERNET USE AND SECURITY POLICY

Domain 5 Information Security Governance and Risk Management

Wright State University Information Security

Records and Document Management

DOCUMENT NUMBER: IT-0514

Director, IT Security District Office Kern Community College District JOB DESCRIPTION

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

CHIS, Inc. Privacy General Guidelines

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

CHAPTER Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033

University of Wisconsin-Madison Policy and Procedure

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Information Technology Policy

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

Security Transcends Technology

Business Associate and Data Use Agreement

BUSINESS ASSOCIATE AGREEMENT. (Contractor name and address), hereinafter referred to as Business Associate;

Title: Data Security Policy Code: Date: rev Approved: WPL INTRODUCTION

BUSINESS ASSOCIATE AGREEMENT

Federal Trade Commission Privacy Impact Assessment

Utica College. Information Security Plan

Virginia Commonwealth University Information Security Standard

University of New England. Institutional Compliance Plan and Codes of Conduct

Contact: Henry Torres, (870)

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

HIPAA Security Rule Compliance

OFFICE OF CONTRACT ADMINISTRATION PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA)

Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies. Privacy Committee Web 2.0/Cloud Computing Subcommittee

Missouri Student Information System Data Governance

Estate Agents Authority

PBGC Information Security Policy

BUSINESS ASSOCIATE AGREEMENT

Web Time and Attendance

Virginia Commonwealth University School of Medicine Information Security Standard

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

NSW Government Digital Information Security Policy

The Institute of Professional Practice, Inc. Business Associate Agreement

INFORMATION TECHNOLOGY SECURITY POLICY

BUDGET LETTER PEER-TO-PEER FILE SHARING , , EXECUTIVE ORDER S-16-04

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT

The Commonwealth of Massachusetts

STATE OF NORTH CAROLINA

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT ( BAA )

Healthcare Management Service Organization Accreditation Program (MSOAP)

Experienced professionals may apply for the Certified Risk Management Professional (CRMP) certification under the grandfathering provision.

TABLE OF CONTENTS Information Systems Security Handbook Information Systems Security program elements. 7

Standard: Information Security Incident Management

SAMPLE BUSINESS ASSOCIATE AGREEMENT

UF IT Risk Assessment Standard

TABLE OF CONTENTS. University of Northern Colorado

Security Controls What Works. Southside Virginia Community College: Security Awareness

I. EXECUTIVE SUMMARY. Date: June 30, Sabina Sitaru, Chief Innovation Officer, Metro Hartford Innovation Services

By His Excellency DEVAL L. PATRICK GOVERNOR EXECUTIVE ORDER NO. 504 ORDER REGARDING THE SECURITY AND CONFIDEN'TIALITY OF PERSONAL INFORMATION

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

INFORMATION SECURITY California Maritime Academy

Transcription:

Policy: Information Security Audit Program Issued by the CTO Policy No: WVOT-PO1008 Issue Date: 08.01.09 Revised: Page 1 of 12 1.0 PURPOSE The West Virginia Office of Technology (WVOT) will maintain an objective and internally independent Information Security Audit Program. This program will serve the Executive Branch by examining, evaluating, and reporting on information technology (IT) applications, related systems, operations, processes, and practices to provide reasonable assurance that security controls will: Safeguard information assets and protect privacy; Preserve the integrity and reliability of data; Function as intended to achieve the entity s objectives; and Comply with established and/or relevant standards, policy, and regulations. Audit efforts are focused on those operational areas presenting the highest degree of risk, as well as the greatest potential for benefit to the Executive Branch. This policy explains the authority of the WVOT Information Security Audit Program, as well as the standards of audit practice. 2.0 SCOPE This policy applies to all State entities or personnel who desire or require auditing services from the WVOT Information Security Audit Program. 3.0 BACKGROUND Under the provisions of West Virginia Code 5A-6-4a, the Chief Technology Officer (CTO) is granted both the authority and the responsibility to develop information technology policy, promulgate that policy, audit for policy compliance, and require corrective action where compliance is found to be unsatisfactory or absent.

Policy No: WVOT-PO1008 Issue Date: 08.01.09 Revised: Page 2 of 12 This policy is one in a series of IT related policies intended to define and enable the incorporation of appropriate practices into all activities using State-provided technology in the State of West Virginia. 4.0 RELEVANT DOCUMENTS/MATERIAL 4.1 WVOT-PR1008 Information Security Audit Program 4.2 West Virginia Office of Technology (WVOT) Page 4.3 West Virginia Code 5A-6-4a Duties of the Chief Technology Officer Relating to Security of Government Information 4.4 Proper Use of Government Information, Resources, and Position (Government Audit Standards, July 2007) 4.5 West Virginia Code 29B-1-4 Freedom of Information Act Exemptions Public Records 5.0 RESPONSIBILITY/REQUIREMENTS 5.1 Standards of Audit Practice 5.1.1 The WVOT Office of Information Security and Controls (OISC) has undertaken the establishment, maintenance, and management of an internal Information Security Audit Program. 5.1.2 The WVOT Information Security Audit Program follows the Professional Standards of the Practice of Internal Auditing as issued by the Information Systems Audit and Control Association (ISACA), the Institute of Internal Auditors (IIA), and the International Information Systems Security Certification Consortium (ISC²) Additionally, the WVOT Audit Program adheres to information

Policy No: WVOT-PO1008 Issue Date: 08.01.09 Revised: Page 3 of 12 security standards as published by the Information Standards Organization (ISO). 5.1.3 Confidentiality 5.1.3.1 All WVOT IT Auditors are bound by confidentiality standards, and are required to sign the Department of Administration Confidentiality Statement annually. 5.1.3.2 All WVOT IT Auditors will sign-off on WVOT-PO100, the Information Security policy. 5.1.3.3 Information collected during an audit will only be used for official purposes and not for personal gain, in a manner contrary to law, or detrimental to the legitimate interests of the audited entity or the audit organization. This includes the proper handling of sensitive or classified information or resources. 5.1.3.4 The public s right to the transparency of government information must maintain a balance with the proper use of that information. In addition, many government programs are subject to laws and regulations dealing with the disclosure of information. To accomplish the balance, WVOT IT Auditors will exercise discretion in the use of information acquired in the course of duties in achieving this goal. WVOT IT Auditors will not improperly disclose any such information to third parties under any circumstances. 5.1.4 The WVOT Information Security Audit Program is responsible for providing the following to its customers: 5.1.4.1 Objective, internally independent examination of security controls pertaining to systems, operations, processes, and practices;

Policy No: WVOT-PO1008 Issue Date: 08.01.09 Revised: Page 4 of 12 5.1.4.2 Reasonable assurance that security controls will: (1) safeguard information assets and protect privacy; (2) preserve the integrity and reliability of data; (3) function as intended to achieve the entity s objectives; and (4) operate in accordance with standards, policy, and regulations. 5.1.4.3 Report threats and vulnerabilities found, including unexpected items and/or situations detected during the audit. 5.1.4.4 Provide recommendations to mitigate or resolve risk as identified in the audit findings. 5.1.5 During the period of the audit engagement, in order to obtain accurate and complete information, perform thorough evaluations, and prepare meaningful reports, WVOT Information Security Audit personnel will: 5.1.5.1 Prepare an engagement memo for the customer with details of audit objectives, scope, and schedule; 5.1.5.2 Acquire and maintain complete access, on a need to know basis, to records, property, computer systems, functions, and personnel; 5.1.5.3 Allocate resources, establish schedules, select subjects, determine audit scope, and apply the techniques required to achieve engagement objectives; and 5.1.5.4 Obtain the necessary assistance of personnel within the units/functions of the agency where they provide services. 5.1.6 Prior to internal audit engagements, entities/customer must read, agree to comply with, and sign-off on an engagement memo, all

Policy No: WVOT-PO1008 Issue Date: 08.01.09 Revised: Page 5 of 12 provisions of this policy, and WVOT-PR1008, the Information Security Audit Program procedure. 5.1.7 The draft engagement findings and recommendations will be forwarded to the client Director. 5.1.8 The delivery of the final engagement findings and recommendations will be limited to the CTO, the CISO, the client Director, and other parties as authorized. 5.1.9 The Information Security Audit Program will only release engagement findings and recommendations to additional entities under the following circumstances: by request from the audit client, for peer review, and/or under order of subpoena. Only Information specific to the request will be released. 5.1.10 Internal audit reports are exempt from disclosure under the West Virginia s Freedom of Information Act (West Virginia Code 29B-1-4). Examples of exemptions include internal memoranda or letters received or prepared by any public body; records containing specific or unique vulnerability assessments or specific or unique response plans, data, or databases; computing or telecommunications and network security records, passwords, etc.; security or disaster recovery plans, risk assessments, tests or the results of those tests, etc. 5.1.11 The Information Security Audit Program will present a rolling Three Year Audit Plan to the Information Security Audit Committee. This reporting relationship will provide internal independence from the departments and activities under review, demonstrate administrative support for the Information Security Audit Program, and ensure adequate consideration of audit findings and recommendations. 5.1.12 Information Security Audits may be scheduled in relationship to the following:

Policy No: WVOT-PO1008 Issue Date: 08.01.09 Revised: Page 6 of 12 5.1.12.1 Scheduled at least three (3) to six (6) months in advance (see WVOT-PR1008); 5.1.12.2 On an ad-hoc basis; 5.1.12.3 As a client special request; 5.1.12.4 Post incident; or 5.1.12.5 As a risk assessment; 5.2 Types of Information Security Audits 5.2.1 The types of audits performed by the Program include, but are not limited to the following: Account Management Application Controls Business-Technical Processes Certification and Accreditation Change Control Configuration Management Control Procedures and Practices Data Centers/Facilities Data Management Desktop Practices Disaster Recovery End of Life Procedures Incident Management Internal Controls for Technology Mobile Devices and Media Networks Policy and Regulatory Compliance Servers Technology Acquisitions Telecommunications

Policy No: WVOT-PO1008 Issue Date: 08.01.09 Revised: Page 7 of 12 Other Resources 5.3 Third Party Audits 5.3.1 Agencies engaging in any IT audit activity with third parties are responsible for contacting the WVOT OISC Audit Team as soon as notification of the audit has been received. 5.3.2 The WVOT Information Security Audit Program will coordinate third-party information security audit activities. This coordination will: 5.3.2.1 Determine that audit objectives are clearly defined, and then achieved upon completion. This will include a review of the engagement memo; 5.3.2.2 Ensure that appropriate and accurate information is provided to third-party auditors; 5.3.2.3 Avoid duplicate audits and control audit costs; 5.3.2.4 Ensure that operating units cooperate fully with the third-party auditors; 5.3.2.5 Coordinate communications between Executive Branch personnel and third-party auditors including, but not limited to audit findings and recommendations; 5.3.2.6 Review engagement findings and recommendations; and 5.3.2.7 Facilitate effective follow-up activities and monitor progress in addressing audit recommendations. 5.3.3 Third-party auditors may be required to follow additional and/or more stringent standards and procedures than those mandated by the WVOT.

Policy No: WVOT-PO1008 Issue Date: 08.01.09 Revised: Page 8 of 12 6.0 ENFORCEMENT Any individual or agency found to have violated the provisions of this policy may be subject to an accountability review by Department and/or State leadership. Any action, if determined to be necessary, will be administered by the appropriate authority and may be based on recommendations of the West Virginia Division of Personnel, intended to address severity of the violation and the consistency of sanctions. 7.0 DEFINITIONS 7.1 Chief Technology Officer (CTO) The person responsible for the State s information resources. 7.2 Information Security Audit Committee - A committee, with representation from the GIEST and WVOT, that serves to review significant audit findings and audit plans to ensure that current, information security risks are considered during audit planning and that risks with enterprise-wide impact are adequately addressed. 7.3 Information Security Audit Program - The types of audits performed by the Program include, but are not limited to the following: (1) Applications and systems; (2) Data centers /sites; (3) Data management; (4) Internal technology controls; (5) Investigative and incident follow-up; (6) Mobile and portable devices; (7) Networks and network components; (8) Physical security; (9) Policy and regulatory compliance; (10) Telecommunications; and (11) Technology operations. OISC Auditors serve the Executive Branch by examining, evaluating, and reporting on IT applications, systems, operations, processes, and practices to provide reasonable assurance that security controls: o Safeguard information assets and protect privacy o Preserve the integrity and reliability of data o Function as intended to achieve the entity s objectives o Operate in accordance with standards, policy, and regulations

Policy No: WVOT-PO1008 Issue Date: 08.01.09 Revised: Page 9 of 12 7.4 Information Systems Audit and Control Association (ISACA). An International professional organization that establishes standards for the practice of Information Technology Auditing. ISACA also manages certification/licensing exams, continuing education for Certified Information Security Auditors, Certified Information Security Managers and other security professionals. ISACA is a global organization for information governance, control, security and audit professionals. 7.5 Information Technology (IT) The technology involved with the transmission and storage of information, especially the development, installation, implementation, and management of computer systems and applications. 7.6 Institute of Internal Auditors (IIA) An international professional association, which is recognized throughout the world as the internal audit profession's leader in certification, education, research, and technical guidance. The mission of the association is to provide dynamic leadership for the global profession of internal auditing. Members work in internal auditing, risk management, governance, internal control, information technology audit, education, and security. 7.7 Integrity - Protecting data from unauthorized or unintentional modification or deletion. 7.8 International Information Systems Security Certification Consortium (ISC²) -The International Information Systems Security Certification Consortium, Inc. [(ISC) ²] is a not-for-profit organization incorporated under the laws of the Commonwealth of Massachusetts and the U.S. Internal Revenue Code. As such, all credential holders in good standing are considered members of (ISC) ². (ISC) ² is charged with the responsibility for maintaining the (ISC) ² CBK, a compendium of industry best practices for information security, including those for CISSPs, SSCPs, and CAPs. The CBK is a critical component for certifying the minimum acceptable competence for professionals seeking to hold various credentials. (ISC) ² also provides the information security community with education seminars, examinations and related services. In addition, (ISC) ² acts to safeguard

Policy No: WVOT-PO1008 Issue Date: 08.01.09 Revised: Page 10 of 12 certification standards, and participates in information security conferences, etc., as some of its more important activities. 7.9 Office of Information Security and Controls (OISC) - The functional unit charged with the responsibility to undertake and sustain initiatives to promote, enhance, monitor, and govern actions, standards, and activities necessary to safeguard data and information systems within the Executive Branch of WV, as provided in West Virginia Code 5A-6-4a and the Governor's Executive Order No. 6-06. 7.11 Three-Year Security Audit Plan A rolling plan developed by the Information Security Audit Program to schedule audits and select audit targets. This plan will be reviewed and revised annually by the CISO and the Information Security Audit Committee. 7.12 West Virginia Office of Technology (WVOT) - The division of the Department of Administration established by WV Code 5A-6-4a, et. seq., which is led by the State s CTO and designated to acquire, operate, and maintain the State s technology infrastructure. The WVOT is responsible for evaluating equipment and services, and reviewing information technology contracts. 8.0 LEGAL AUTHORITY The CTO is charged with securing State government information and the data communications infrastructure from unauthorized uses, intrusions, or other security threats. The CTO has authority to issue policies, procedures, and standards to accomplish this mission. This policy will apply across the Executive Branch, with the exclusion of the West Virginia State Police, the Division of Homeland Security and Emergency Management, any constitutional officers, the West Virginia Board of Education, the West Virginia Department of Education, and the county boards of education. To the extent that there are policies in place which provide less security than this policy, they will be superseded by this policy. In instances where existing state and federal laws and regulations are more restrictive than Information Security policies issued by the WVOT, the more restrictive provisions will prevail.

Policy No: WVOT-PO1008 Issue Date: 08.01.09 Revised: Page 11 of 12 9.0 INDEX A Access to Data and Technology Assets... 4 B Background... 1 C Chief Technology Officer... See CTO CISO... 10 Confidentiality... 3 CTO... 1, 2, 8, 10 D Definitions... 8 Delivery of Findings and Recommendations... 5 Disciplinary Action... See Enforcement E Employees... 7 Enforcement... 7 Engagement Letter... 5 Executive... 2 Executive Branch... 1, 7, 8, 9, 10 G Governor's Executive Order No. 6-06... 2 I IIA... 3, 9 Information Resources... 8 Information Security... 10 Information Security Audit Committee... 5, 8, 10 Information Security Audit Program... 1, 2, 3, 5, 7, 8, 10 Customer Expectations... 3, 4 Customer Responsibilities... 5 Internal IT Audits... 2, 8 Responsibilities... 4 Scheduling... 5

Policy No: WVOT-PO1008 Issue Date: 08.01.09 Revised: Page 12 of 12 Third Party Access... 7 Third Party Audits... 7 Types of Audits... 6 Information Systems Audit and Control Association... 2, 8 Information Technology... See IT Institute of Internal Auditors... See IIA Integrity... 9 International Information Systems Security Certification Consortium... 3 ISACA... 3, 8 ISC²... 9 IT..... 1, 8, 9 IT Policy... 1, 2 L Legal Authority... 10 O OISC... 2, 6, 8, 9 P Policy Compliance... 1, 8 Privacy... 1, 8 R Relevant Documents/Material... 2 Responsibility/Requirements... 2 S Safeguarding Data... 1, 8 Scope... 1 Security Threats... 10 T Three-Year Security Audit Plan... 5, 10 W West Virginia Code... 2, 9 West Virginia Division of Personnel... 7 West Virginia Office of Technology... See WVOT WVOT... 1, 2, 3, 5, 6, 7, 8, 10

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information