GENERAL: The Technology department is responsible for managing electronic devices and software for the District, as well as the Help Desk for resolution of employee-created help tickets. The subgroups within the department are Network Infrastructure, Data Management, Student Information Systems, Business Systems, Instruction Technology Support, Administration and Instructional Systems Support, and Help Desk.

AUDIT OBJECTIVES:

1) Sensitive data is secured via network security configurations and encryption where necessary.
2) IT vulnerabilities and incidents are monitored and resolved.
3) Software and hardware utilized or stored is inventoried and monitored.
4) There is proper segregation of duties within the Technology department to safeguard sensitive data and prevent fraud or error within key processes.
5) User access is administered appropriately based on job duties.
6) User password requirements appropriately secure user access to systems.
7) Changes to software or program systems are tested in a separate environment from production (the live business environment) and approved prior to implementation.
8) Program or program system changes are reviewed for successful implementation.
9) Scheduled job processes are monitored.
10) Scheduled job process issues are resolved.
11) Backups are performed on a regular basis and tested for recovery at least annually.
12) Disaster recovery policies and procedures are in place.
13) Reports, inspections, and maintenance data are complete, accurate, and submitted for operational purposes.
14) Applicable regulations for IT privacy, security, and operations are followed.
15) Help Desk tickets are tracked and resolved.

AUDIT PROCEDURES:

1) General
   a) Obtain:
      i.   Policies and Procedures for the IT management functions
      ii.  Federal and State Laws governing IT management and security
      iii. Job Descriptions and Organizational Chart
      iv.  Regulatory Examination Reports
      v.   Copies of all forms used by the department for areas under audit
   b) Review written policies and procedures for the IT management areas to determine adequacy.
   c) Review Job Descriptions and Organizational Chart.

2) Map flow of processes and documents for the areas audited.

3) Security and Privacy
   a) Identify the sensitive data necessary for security and privacy protections.
      i.  Inspect documentation to determine if encryption is used where necessary
      ii. Inspect documentation to determine if computer networks are configured to prevent unauthorized access
   b) Identify the IT vulnerability and security incident monitoring processes in place.
      i.   Inspect documentation to determine if IT vulnerabilities are identified
      ii.  Walk through the security incident monitoring process and observe an intentional attempt to breach IT security, followed by the subsequent identification of the attempt
      iii. Inspect a sample of security incidents to determine if incidents are monitored and resolved

4) IT Software and Hardware Management
   a) Identify the process for the inventory of software and hardware under purview of the Technology department.
      i. Inquire of software and hardware users to determine software and hardware in use. Reconcile a selection of software and hardware per user inquiry to the inventory of software and hardware per the Technology department

5) Segregation of Duties
   a) Inquire of control owners and inspect job titles and the org chart to determine if job duties are appropriately segregated to prevent the risk of fraud or error in key processes.

6) Access Administration
   a) Identify the process used for managing user access administration, including the provisioning and deprovisioning of access for new hires, transfers, and terminated employees.
      i.   Inspect documentation for a sample of new hires, transfers, and terminated employees to determine if access was granted or removed appropriately
      ii.  Identify the inherent superuser accounts and determine how access to those accounts is restricted
      iii. Inspect system-generated lists of account access to determine if user access is appropriate based on job duties
   b) Identify the process for user access authentication, particularly regarding password log-in and pass-through authentication services.
      i.  Inspect system-generated reports of password requirements
      ii. Observe user access log-ins and denial of log-ins to confirm the authentication processes identified

7) Program and Program System Changes
   a) Identify the process for program changes and program system changes, including change need identification, necessary approvals, testing, implementation, and review.
      i.   Inspect or observe test environment configurations to determine if program changes are made in a separate environment from production
      ii.  Inspect documentation for a selection of changes to determine if changes are approved and tested prior to implementation
      iii. Inspect documentation for a selection of changes to determine if changes are reviewed post-implementation
   b) Identify if developers have access to migrate code into production.

8) Job Processing
   a) Identify the process for monitoring job processes and scheduled jobs, including resolution of job errors.
      i.  Inspect documentation of job monitoring for job errors and successful job resolution
      ii. Inspect documentation for a selection of job errors to determine if job errors are resolved
   b) Inspect system-generated access reports to determine if access to job schedulers is appropriate.

9) Backups and Recovery
   a) Identify the process for backups of key systems.
      i.  Inspect documentation of the backup schedule
      ii. Inspect documentation of an example backup and recovery

10) Disaster Recovery
   a) Inquire of control owners and inspect documentation to determine if disaster recovery procedures are in place.

11) Application Testing
   a) Inspect documentation to determine if key applications execute their functions accurately and completely for their operational purposes.

12) Regulation
   a) Identify applicable regulations for IT privacy, security, and operations and determine if the regulations were followed.

13) Help Desk
   a) Inquire of control owners and inspect documentation to determine how Help Desk tickets are created, tracked, and resolved.
   b) Inspect documentation for a selection of help desk tickets to determine if problems reported to the help desk are resolved.