Information Technology Internal Controls Part 2



Similar documents
Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

Network and Security Controls

Best Practices For Department Server and Enterprise System Checklist

IT - General Controls Questionnaire

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL

Altius IT Policy Collection Compliance and Standards Matrix

Supplier Security Assessment Questionnaire

Password Expiration Passwords require a maximum expiration age of 60 days. Previously used passwords may not be reused.

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

INFORMATION TECHNOLOGY CONTROLS

Practical Guidance for Auditing IT General Controls. September 2, 2009

April promoting efficient & effective local government

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Information Technology Security Procedures

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Information Shield Solution Matrix for CIP Security Standards

Critical Controls for Cyber Security.

Walton Centre. Document History Date Version Author Changes 01/10/ A Cobain L Wyatt 31/03/ L Wyatt Update to procedure

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Information Systems Security Assessment

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

HIPAA Security Alert

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee

A practical guide to IT security

Putnam/Northern Westchester BOCES Internal Audit Report on Information Technology

Estate Agents Authority

The Practice of Internal Controls. Cornell Municipal Clerks School July 16, 2014

USM IT Security Council Guide for Security Event Logging. Version 1.1

HIPAA Privacy and Security Risk Assessment and Action Planning

HIPAA Information Security Overview

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Network Security Policy

Information Technology Branch Access Control Technical Standard

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

DETAIL AUDIT PROGRAM Information Systems General Controls Review

ISO Controls and Objectives

Retention & Destruction

How To Write A Health Care Security Rule For A University

Security aspects of e-tailing. Chapter 7

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Procedure Title: TennDent HIPAA Security Awareness and Training

Circular to All Licensed Corporations on Information Technology Management

IT Security Standard: Computing Devices

SECURITY DOCUMENT. BetterTranslationTechnology

ULH-IM&T-ISP06. Information Governance Board

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

Intel Enhanced Data Security Assessment Form

Information Systems and Technology

Risk Assessment Guide

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

1 Purpose Scope Roles and Responsibilities Physical & Environmental Security Access Control to the Network...

Supplier Information Security Addendum for GE Restricted Data

Standard CIP 007 3a Cyber Security Systems Security Management

Information Systems Access Policy

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

State of South Carolina Policy Guidance and Training

F G F O A A N N U A L C O N F E R E N C E

Autodesk PLM 360 Security Whitepaper

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

1B1 SECURITY RESPONSIBILITY

How To Protect Your School From A Breach Of Security

Hosted Testing and Grading

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

DHHS Information Technology (IT) Access Control Standard

Best Practices for DanPac Express Cyber Security

Client Security Risk Assessment Questionnaire

Access Control Policy

Payment Card Industry (PCI) Compliance. Management Guidelines

Standard CIP Cyber Security Systems Security Management

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.

IT Security Procedure

Information Technology General Controls (ITGCs) 101

USFSP Network Security Guidelines

IT ACCESS CONTROL POLICY

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Information Technology General Controls And Best Practices

PART 10 COMPUTER SYSTEMS

Security Manual Template Policy and Procedure Manual Compliance Management Made Easy ISO / HIPAA / SOX / CobiT / FIPS 199 Compliant

NETWORK SECURITY GUIDELINES

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER

SITECATALYST SECURITY

Strategic Identity Management for Industrial Control Systems

BKDconnect Security Overview

Apollo Education Group Information Security

GE Measurement & Control. Cyber Security for NEI 08-09

MCR Checklist for Automated Information Systems (Major Applications and General Support Systems)

Transcription:

IT Controls Webinar Series Information Technology Internal Controls Part 2 Presented by the Arizona Office of the Auditor General October 23, 2014 Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting Access Part III Network Controls Part IV Disaster Recovery Planning IT Control Issues Covered in this Webinar Identifying System Users Establishing Roles and Responsibilities Controls to Limit Access Monitoring Access, Changes & Activity Terminology IT Information technology department personnel within the school district responsible for managing the hardware, software, systems, and networks of the district. System Manager Generally the highest supervisory-level user of a system that determines user access for all users of the system. Decision Makers Those who have the authority to approve and implement any given policy, process, or project within a school district and who are accountable for the outcome.

What are IT Controls? Roles and Responsibilities Defined measures taken to minimize risk and ensure business objectives are being met. Unauthorized Access Theft or Fraud Loss of Data and Hardware Clarify everyone s responsibilities for establishing, operating and monitoring the District s system/network Business Manager Decision Makers Information Technology Human Resources Roles and Responsibilities Identify an IT Administrator for each system and network Manages the system Processes user access request Ideally not a user on the system Roles and Responsibilities Identifying System Users What systems do you have? How are these systems used? Who needs access? What do they need to do in the System?

Roles and Responsibilities District defined process for access setup Employees and contractors HR/Personnel communication of changes Technology User Agreements Manager review of access changes Establish Policies and Procedures Logical Physical Monitoring Secure sensitive information Protect Equipment Limit access to authorized personnel Protect data Setting User Access Concept of Least Privilege Determine which employees require access based on their job responsibilities What data is needed to do the job? What do they need to do with that data? Create New Give Approval Segregation of Duties Authorization Record keeping/reconciliation Asset Custody Make Changes Read Only

Setting User Access Setting User Access (Employees) Segregation of Duties Create a requisition Approve purchase requisitions or purchase orders Receive ordered items Review and process invoices for payment Compensating controls? Role based settings More than one person in the role Similar needs Quicker to do Generic settings in system Extra care to ensure appropriate access only! Employee specific settings Maybe only one person in role Different needs Takes more time No canned settings in system Helps ensure you know the access is appropriate Setting User Access (3 rd Parties) Setting User Access Need to establish: Who will have access? What service will they provide? How will district data be protected? User Agreements-Use of district property: Computers Network Information Confidentiality Lawful use District policy enforcement

Control Points User access can be controlled at: Network Local workstation Application Database/file User Authentication Other Barriers to Unauthorized Access Monitoring User ID and Password Setup 1. Administrators create user accounts Require users to change password on initial login 2. User ID s One User ID per employee Unique Identifiable to user User ID and Password Setup 3. Password Strength Requirements: Minimum of 8 characters Alpha and numeric Upper and lower case characters Special characters (!, @, #, $, etc.)

User ID and Password Setup 4. Confidential Known only to user Not written down by employees 5. Related account secured by lock out after failed login attempts 6. Require passwords to change at least every 90 days Additional Restricted areas Employee work areas work computers, documentation Special facilities data center, wiring closets, controlled access Controls: Logout unattended computers, employee badges, access cards or keys Public areas Conference rooms unsupervised areas, network access Controls: Disable unused access points, monitoring by secretaries Server Room Access to server room Is the room locked? Who can access? Master keys? Key fobs monitor access Climate control Temperature of room Fire detection smoke detectors Fire suppression fire extinguisher, halon, etc. Computer Access Lock computers when not in use Time out after a period of non-use Passwords should not be shared or openly posted

Monitoring Monitoring What to Monitor: User access User activity Changes in user access How to do it: System generated logs/reports Manual access logs Follow the HR paper trail Why do we care? Clear Audit Trail Provide Accountability Detective Controls Corrective Controls Monitoring Monitoring User Access-determine what needs to be monitored 1. Based on segregation of duties 2. Adjust when job duties change 3. Check for removal of terminated employee access 4. Review user accounts periodically Ensure segregation of duties is maintained Ensure user access is appropriate based on current job functions Review to remove unnecessary or inactive accounts User Access 1. Review user access logs for reasonableness Time of access: suspicious activity Users should not review their own logs

User Access User Access Do: Set user access based on job needs (Least Privilege) Use unique user IDs and complex passwords Limit generic, vendor and super users to only what is necessary Re-evaluate user access when job responsibilities change Monitor key activity of users, especially of super users Don t: Automatically use default access set by software packages or vendors Use Admin or generic IDs Assign passwords or share them Make super users unless absolutely necessary for job function Just add more access when people change jobs Set it (access) and forget it Do: Restrict access to servers and work areas Shut down unused ports Lock computers when not in use or inactive Don t: Let just anyone walk up to the server or a live terminal Leave unused ports live to make it easier to expand later Walk away from a logged in computer Where to start? Self evaluation! User Access Does the district have any super users? Are job responsibilities separated to ensure no one person has complete control over a transaction cycle? Do personnel have access to more data or processes than they need to do their jobs? IT Standards and Best Practices Common Best Practice Frameworks COBIT NIST ISO FISCAM ITIL ASET State Policies COSO

Next Webinars Resources Network Controls Security programs Incident response Websites Wireless Remote access Disaster Recovery Plans Development Testing www.azauditor.gov IT FAQs on USFR Contact Us: By phone: 602-553-0333 By email: asd@azauditor.gov

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information