AUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT TRANSPORTATION AUDIT PROGRAM




GENERAL: The Technology department is responsible for managing electronic devices and software for the District, as well as the Help Desk for resolution of employee-created help tickets. The subgroups within the department are Network Infrastructure, Data Management, Student Information Systems, Business Systems, Instruction Technology Support, Administration and Instructional Systems Support, and Help Desk.

AUDIT OBJECTIVES:
1) Sensitive data is secured via network security configurations and encryption where necessary.
2) IT vulnerabilities and incidents are monitored and resolved.
3) Software and hardware utilized or stored is inventoried and monitored.
4) There is proper segregation of duties within the Technology department to safeguard sensitive data and prevent fraud or error within key processes.
5) User access is administered appropriately based on job duties.
6) User password requirements appropriately secure user access to systems.
7) Changes to software or program systems are tested in a separate environment from production (the live business environment) and approved prior to implementation.
8) Program or program system changes are reviewed for successful implementation.
9) Scheduled job processes are monitored.
10) Scheduled job process issues are resolved.
11) Backups are performed on a regular basis and tested for recovery at least annually.
12) Disaster recovery policies and procedures are in place.
13) Reports, inspections, and maintenance data are complete, accurate, and submitted for operational purposes.
14) Applicable regulations for IT privacy, security, and operations are followed.
15) Help Desk tickets are tracked and resolved.

AUDIT PROCEDURES:
1) General
   a) Obtain:
      i. Policies and Procedures for the IT management functions
      ii. Federal and State Laws governing IT management and security
      iii. Job Descriptions and Organizational Chart
      iv. Regulatory Examination Reports
      v. Copies of all forms used by the department for areas under audit
   b) Review written policies and procedures for the IT management areas to determine adequacy.
   c) Review Job Descriptions and Organizational Chart.
2) Map the flow of processes and documents for the areas audited.
3) Security and Privacy
   a) Identify the sensitive data necessary for security and privacy protections.
      i. Inspect documentation to determine if encryption is used where necessary
      ii. Inspect documentation to determine if computer networks are configured to prevent unauthorized access
   b) Identify the IT vulnerability and security incident monitoring processes in place.
      i. Inspect documentation to determine if IT vulnerabilities are identified
      ii. Walk through the security incident monitoring process and observe an intentional attempt to breach IT security, followed by the subsequent identification of the attempt
      iii. Inspect a sample of security incidents to determine if incidents are monitored and resolved
4) IT Software and Hardware Management
   a) Identify the process for the inventory of software and hardware under purview of the Technology department.
      i. Inquire of software and hardware users to determine software and hardware in use.
      ii. Reconcile a selection of software and hardware per user inquiry to the inventory of software and hardware per the Technology department
5) Segregation of Duties
   a) Inquire of control owners and inspect job titles and the org chart to determine if job duties are appropriately segregated to prevent the risk of fraud or error in key processes.
6) Access Administration
   a) Identify the process used for managing user access administration, including the provisioning and deprovisioning of access for new hires, transfers, and terminated employees.
      i. Inspect documentation for a sample of new hires, transfers, and terminated employees to determine if access was granted or removed appropriately
      ii. Identify the inherent superuser accounts and determine how access to those accounts is restricted
      iii. Inspect system-generated lists of account access to determine if user access is appropriate based on job duties
   b) Identify the process for user access authentication, particularly regarding password log-in and pass-through authentication services.
      i. Inspect system-generated reports of password requirements
      ii. Observe user access log-ins and denial of log-ins to confirm the authentication processes identified
7) Program and Program System Changes
   a) Identify the process for program changes and program system changes, including change need identification, necessary approvals, testing, implementation, and review.
      i. Inspect or observe test environment configurations to determine if program changes are made in a separate environment from production
      ii. Inspect documentation for a selection of changes to determine if changes are approved and tested prior to implementation
      iii. Inspect documentation for a selection of changes to determine if changes are reviewed post-implementation
   b) Identify if developers have access to migrate code into production.
8) Job Processing
   a) Identify the process for monitoring job processes and scheduled jobs, including resolution of job errors.
      i. Inspect documentation of job monitoring for job errors and successful job resolution
      ii. Inspect documentation for a selection of job errors to determine if job errors are resolved
   b) Inspect system-generated access reports to determine if access to job schedulers is appropriate.
9) Backups and Recovery
   a) Identify the process for backups of key systems.
      i. Inspect documentation of the backup schedule
      ii. Inspect documentation of an example backup and recovery
10) Disaster Recovery
   a) Inquire of control owners and inspect documentation to determine if disaster recovery procedures are in place.
11) Application Testing
   a) Inspect documentation to determine if key applications execute their functions accurately and completely for their operational purposes.
12) Regulation
   a) Identify applicable regulations for IT privacy, security, and operations and determine if the regulations were followed.
13) Help Desk
   a) Inquire of control owners and inspect documentation to determine how Help Desk tickets are created, tracked, and resolved.
   b) Inspect documentation for a selection of help desk tickets to determine if problems reported to the help desk are resolved.
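Steps 6(a)(i)-(iii) and 7(b) above reconcile HR records against system-generated access lists. The script below is an added illustration of that reconciliation, not part of the District's audit program; every user, job title, entitlement name and the entitlement catalogue it assumes are constructed for the example.

```python
# Added example: reconcile a constructed HR event list against a constructed
# account-access export, producing findings for the auditor's workpaper.
# HR events: (user, event, effective date as ISO string, job title)
HR_EVENTS = [
    ("jdoe", "hire", "2015-08-03", "Help Desk Technician"),
    ("asmith", "terminate", "2015-09-30", "Data Management Analyst"),
    ("bkim", "transfer", "2015-10-01", "Business Systems Analyst"),
    ("clee", "hire", "2015-10-05", "Network Engineer"),
]
# Constructed system-generated access export: user -> entitlements held
ACCESS_EXPORT = {
    "jdoe": {"helpdesk_app"},
    "asmith": {"student_db_read", "student_db_write"},  # left after termination
    "bkim": {"finance_app", "student_db_read"},         # prior-role access kept
    "clee": {"network_admin", "domain_admin"},
    "mdev": {"source_repo", "prod_deploy", "domain_admin"},  # no HR record
}
# Assumed entitlement catalogue: what each job title justifies holding
ROLE_ENTITLEMENTS = {
    "Help Desk Technician": {"helpdesk_app"},
    "Data Management Analyst": {"student_db_read", "student_db_write"},
    "Business Systems Analyst": {"finance_app"},
    "Network Engineer": {"network_admin", "domain_admin"},
}
SUPERUSER = {"domain_admin"}          # step 6(a)(ii): inherent superuser rights
APPROVED_SUPERUSERS = {"clee"}        # assumed approved-holder list
DEVELOPER, PROD_MIGRATION = "source_repo", "prod_deploy"   # step 7(b)

def audit_access(hr_events, access):
    """Return sorted (user, finding) pairs for the auditor's workpaper."""
    title, terminated = {}, set()
    for user, event, when, job in sorted(hr_events, key=lambda e: e[2]):
        if event == "terminate":           # latest event wins, so sort by date
            title.pop(user, None)
            terminated.add(user)
        else:                              # hire or transfer sets current title
            title[user] = job
    findings = []
    for user, ents in access.items():
        if user in terminated and ents:
            findings.append((user, "terminated but account still has access"))
        elif user in title:
            extra = ents - ROLE_ENTITLEMENTS.get(title[user], set())
            if extra:
                findings.append((user, "access beyond job duties: " + ", ".join(sorted(extra))))
        elif user not in terminated:
            findings.append((user, "no HR record for account"))
        if ents & SUPERUSER and user not in APPROVED_SUPERUSERS:
            findings.append((user, "superuser access not on approved list"))
        if DEVELOPER in ents and PROD_MIGRATION in ents:
            findings.append((user, "developer can migrate code into production"))
    return sorted(findings)
```

Each finding maps back to one procedure step, so the output can be pasted into the workpaper for that step and traced to the sampled employee or account.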