INFORMATION SECURITY Humboldt State University




CSU The California State University
Office of Audit and Advisory Services

INFORMATION SECURITY
Humboldt State University

Audit Report 14-50
October 30, 2014

EXECUTIVE SUMMARY

OBJECTIVE

The objectives of the audit were to ascertain the effectiveness of existing policies and procedures related to the administration of information security and to determine the adequacy of controls over the related processes, to evaluate adherence to the Integrated California State University Administrative Manual (ICSUAM) information security policy, or where appropriate to an industry-accepted standard, and to ensure compliance with relevant governmental regulations, Trustee policy, Office of the Chancellor directives, and campus procedures.

CONCLUSION

Based upon the results of the work performed within the scope of the audit, the operational and administrative controls for information security activities in effect as of June 27, 2014, taken as a whole, were sufficient to meet the objectives of this audit.

In general, the controls and processes established over information security at Humboldt State University (HSU) provide reasonable assurance that the network, systems, and data are protected and that access privileges are provided in a consistent and controlled manner. In addition, our results indicate that the campus exercises prudent oversight of departments, colleges, and auxiliary organizations and operates in accordance with the California State University (CSU) information security policy.

Our audit procedures did identify opportunities to improve the process and methodologies used to administer desktop software and website development. Specific observations, recommendations, and management responses are detailed in the remainder of this report.

Audit Report 14-50 Office of Audit and Advisory Services Page 1

OBSERVATIONS, RECOMMENDATIONS, AND RESPONSES

1. SOFTWARE MANAGEMENT

OBSERVATION

The campus did not remove obsolete versions of some products installed on desktop computers and workstations.

ICSUAM 8055, Change Control, dated April 19, 2010, states that changes to information technology systems, network resources, and applications need to be appropriately managed to minimize the risk of introducing unexpected vulnerabilities and ensure that existing security protections are not adversely impacted.

The chief technology officer stated that the system management process included all products purchased by the campus, but that obsolete versions of commonly installed free software had not been considered in that process.

Inadequate removal of vulnerable obsolete software products may lead to compromise and potential loss of protected confidential information or inappropriate access to systems.

RECOMMENDATION

We recommend that the campus enhance its software management process to include removal of all obsolete products installed on desktop computers and workstations.

MANAGEMENT RESPONSE

We concur. The campus will enhance its software management process to include removal of all obsolete products installed on desktop computers and workstations.

Completion date: January 30, 2015

2. WEB APPLICATION DEVELOPMENT

OBSERVATION

The campus did not have policies or procedures for system development and program change management.

We reviewed select campus departments that perform application development and maintenance, and we noted that:

- Testing criteria for the security of application vulnerabilities were not documented.
- User acceptance testing and system deployment were not documented.
- Developers had unlimited access to source code.
- Developers had the ability to move applications into production.
- Written approval was not required for projects put into production.

ICSUAM 8070, Information Systems Acquisition, Development and Maintenance, dated April 19, 2010, states that campuses must integrate information security requirements into the software life cycle of information systems that contain protected data. The security requirements must identify controls that are needed to ensure confidentiality, integrity, and availability. These controls must be appropriate, cost-effective, and mitigate risks that may result from unauthorized access, use, disclosure, disruption, modification, or destruction of the protected data.

The director of application development stated that formal procedures were used by the information technology services department. She further stated that creation of a formal policy was already under way, and the policy was scheduled for campuswide deployment later this year.

The lack of proper system development policy and procedures increases the risk that web application projects may be unauthorized and inconsistent with user expectations, may contain vulnerabilities, and may be modified without management consent.

RECOMMENDATION

We recommend that the campus:

a. Establish and document testing criteria for the security of application vulnerabilities.
b. Establish a documented process for user acceptance and deployment of applications.
c. Protect application source code by limiting access to only those employees who need it as part of their job responsibilities.
d. Limit developers' ability to move web applications into production.
e. Require written approval of all application projects put into production.

MANAGEMENT RESPONSE

We concur. The campus will enhance its Enterprise Change Control process to include written documentation of pre-go-live security scans, user acceptance testing, and written approval of moves to production. The campus will also implement a version control system to control developer access to code and that has the ability to move code into production.

Completion date: February 27, 2015

3. WEBSITE VULNERABILITY MANAGEMENT

OBSERVATION

Website vulnerability scans were not always performed on campus websites when the websites were placed into production, and regularly thereafter, and some websites had technical vulnerabilities.

ICSUAM 8050, Configuration Management, dated April 19, 2010, states that campuses must develop, implement, and document configuration standards to ensure that information technology systems, network resources, and applications are appropriately secured to protect confidentiality, integrity, and availability.

The director of application development stated that the campus was in the process of developing formal practices for website development and testing.

A lack of website vulnerability scans increases the risk that a remote attacker may be able to access protected confidential information or execute malicious programs on the server that could disable additional network resources.

RECOMMENDATION

We recommend that the campus perform website vulnerability scans on campus websites when the websites are placed into production and regularly thereafter.

MANAGEMENT RESPONSE

We concur. The campus will perform website vulnerability scans on campus websites when the websites are placed into production and regularly thereafter.

Completion date: January 30, 2015

4. E-MAIL SYSTEM POLICY

OBSERVATION

The campus system usage policy did not specify that e-mail sent or received through the official campus system was part of official campus business and was the property of the campus.

International Standards Organization 27001, Information Security Management System Standard, states that e-mail systems should be configured and managed to conform to established security policies and existing industry standards. Proper configuration and management should ensure that vulnerabilities are not allowed into the network; incidents are properly escalated; campus usage and retention guidelines are followed; and e-mail addresses are maintained in a central location to facilitate campuswide communications.

The chief information officer stated that the CSU had procured the contract for using this outside service provider and that the Information Technology Advisory Committee had developed guidelines for e-mail, but third-party systems under systemwide procurement should be addressed at the system level.

The lack of documented e-mail policies increases the risk of unauthorized use of e-mail.

RECOMMENDATION

We recommend that the campus update its e-mail policy to specify that e-mail sent or received through the official campus system is part of official campus business and is the property of the campus.

MANAGEMENT RESPONSE

We concur. The campus will update its e-mail policy to specify that e-mail sent or received through the official campus system is part of official campus business and is the property of the campus.

Completion date: February 27, 2015

GENERAL INFORMATION

BACKGROUND

The CSU Information Security Policy, dated April 19, 2010, states that the Board of Trustees of the CSU is responsible for protecting the confidentiality, integrity, and availability of CSU information assets. Unauthorized modification, deletion, or disclosure of information assets can compromise the mission of the CSU, violate individual privacy rights, and possibly constitute a criminal act. It is the collective responsibility of all users to ensure confidentiality of information that the CSU must protect from unauthorized access; integrity and availability of information stored on or processed by CSU information systems; and compliance with applicable laws, regulations, and CSU/campus policies governing information security and privacy protection.

It further states that the CSU Information Security Policy shall apply to the following:

- All campuses.
- Central and departmentally managed campus information assets.
- All users employed by campuses or any other person with access to campus information assets.
- All categories of information, regardless of the medium in which the information asset is held or transmitted (e.g., physical or electronic).
- Information technology facilities, applications, hardware systems, and network resources owned or managed by the CSU.

Auxiliaries, external businesses, and organizations that use campus information assets must also operate those assets in conformity with the CSU Information Security Policy.

The CSU Information Security Policy directs the campus president to appoint an information security officer (ISO) and assign responsibility and authority for administering the information security function.

Information security at CSU campuses covers a broad range of sensitive data that requires protection to be in compliance with numerous state and federal regulations. Campuses collect social security numbers for employee personnel and for student financial aid tax reporting, which is regulated by federal and state law. Other forms of data include student grades and academic records that must be protected under federal privacy laws. In addition, CSU campuses that have student health centers, psychological counseling centers, and pharmacies may also have medical and prescription records that must be protected under federal health privacy laws. Campus retail operations for bookstores, convenience stores, restaurants and dining, and student activities involve collection and processing of credit card information that is regulated by the banking industry.

HSU has established formal governance over the information security function, and authority has been adequately communicated to the entire campus community. At HSU, the ISO reports to the campus chief information officer (CIO). The information security function is established with broad campus oversight and in accordance with CSU policy. HSU has a governance oversight committee that has routine involvement in information security initiatives, as well as oversight of campus security incidents and system breaches. In addition, the CIO is a member of the security oversight committee and is a member of the campus executive council.

SCOPE

Our audit and evaluation included the audit tests we considered necessary in determining whether operational and administrative controls are in place and operative. The audit focused on procedures in effect from June 9, 2014, through June 27, 2014.

Specifically, we reviewed and tested:

- The activities/measures undertaken to protect the confidentiality, integrity, and access/availability of information.
- Processes for identifying confidential, private, or sensitive information; authorizing access; securing information; detecting security breaches; and evaluating security incident reporting and response.
- Measures to limit collection of information, control access to data, and assure that individuals with access to data do not utilize the data for unauthorized purposes.
- Encryption of data in storage and transmission.
- Physical and logical security measures for all data repositories.

We also retained outside contractors to perform a technical security assessment that included running diagnostic software designed to identify improper configuration of selected systems, servers, and network devices. The purpose of the technical security assessment was to determine the effectiveness of technology and security controls governing the confidentiality, integrity, and availability of selected campus assets. Specifically, this configuration testing included assessment of the following technologies: selected operating systems, border firewall settings, network traffic analysis, vulnerability scanning, and website vulnerability assessment.

As a result of changing conditions and the degree of compliance with procedures, the effectiveness of controls changes over time. Specific limitations that may hinder the effectiveness of an otherwise adequate system of controls include, but are not limited to, resource constraints, faulty judgments, unintentional errors, circumvention by collusion, and management overrides. Establishing controls that would prevent all these limitations would not be cost-effective; moreover, an audit may not always detect these limitations.

Our testing and methodology were designed to provide a managerial-level review of key information security practices, which included detailed testing of a limited number of network and computing devices. Our review did not examine all aspects of information security, and our testing approach was designed to provide a view of the security technologies used to protect only key computing resources. In addition, selected emerging technologies were excluded from the scope of the review.

CRITERIA

Our audit was based upon standards as set forth in CSU Board of Trustees policies; Office of the Chancellor policies, letters, and directives; campus procedures; and other sound administrative practices. This audit was conducted in conformance with the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing.

This review emphasized, but was not limited to, compliance with:

- ICSUAM 8000, Information Security
- ICSUAM 7000, Identity Management
- Government Code 11549.3
- International Standards Organization 27001, Information Security Management System Standard

AUDIT TEAM

Senior Director: Mike Caldera
Audit Manager: Greg Dove