The University of Texas at Brownsville. FY 2013 Audit of Laptops Encryption




FY 2013 Audit of Laptops Encryption May 29, 2013

OFFICE OF INTERNAL AUDITS
The University of Texas at Brownsville
Norma L. Ramos, CIA, CGAP
Director of Internal Audits

May 29, 2013

Dr. Juliet V. Garcia, President
The University of Texas at Brownsville
80 Fort Brown
Brownsville, Texas 78520

Dear Dr. Garcia:

As part of our Audit Plan for fiscal year FY 2013, we completed the FY 2013 Audit of Laptops Encryption at The University of Texas at Brownsville. The objectives of this audit were:

- Determine whether laptop inventory at UT Brownsville is complete, accurate, and up-to-date; and
- Determine whether all institutional laptops have been properly encrypted or exempted.

Our examination was conducted in accordance with guidelines set forth in The University of Texas System's Policies UTS 129 and the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing (Standards). The Standards set criteria for internal audit departments in the areas of independence, professional proficiency, scope and performance of audit work, and management of the internal auditing department. UTS 129 requires that we adhere to the Standards.

The recommendations in this report represent, in our judgment, those most likely to provide a greater likelihood that management's objectives are achieved. The recommendations differ in such aspects as difficulty of implementation, urgency, visibility of benefits, and required investments in facilities and equipment, or additional personnel. The varying nature of the recommendations, their implementation costs, and their potential impact on operations should be considered in reaching your decision regarding courses of action.

We appreciate the assistance provided by UTB's management and other personnel. We hope the information and analyses presented in our report are helpful.

Sincerely,

Norma L. Ramos, CIA, CGAP
Director of Internal Audits

cc: The University of Texas at Brownsville
    Dr. Alan F. J. Artibise, Provost and Vice President for Academic Affairs
    Ms. Rosemary Martinez, CPA, Vice President for Business Affairs
    Dr. Hilda Silva, Vice President for Student Affairs
    Dr. Silva Leal, Vice President for Enrollment Management
    Mr. Irvine W. Downing, Vice President for Institutional Advancement and Vice President for Economic Development and Community Services
    Dr. Luis Colom, Vice President for Research
    Dr. Clair Goldsmith, Vice President for Information Technology Services and Chief Information Officer
    Dr. Marilyn Woods, Executive Assistant to the President

    UT System Administration
    Dr. Pedro Reyes, Executive Vice Chancellor for Academic Affairs, Ad Interim
    Mr. Michael Peppers, Chief Audit Executive, UT System Audit Office
    Ms. Paige Buechley, Assistant Director, UT System Audit Office

80 Fort Brown, Oliveira Library 234, Brownsville, Texas 78520
Phone (956) 882 7023   Fax (956) 882 3816

Table of Contents

Executive Summary
Background Information
Audit Objectives
Scope of Work
Audit Results
Conclusion

Executive Summary

The FY 2013 approved audit plan included the FY 2013 Audit of Laptops Encryption. Since 2007, UT System has experienced several incidents of lost or stolen laptops containing confidential or sensitive data. As a result, the Executive Vice Chancellors (EVCs) in Health Affairs and Academic Affairs issued a memo to each institutional president, which required all institutions to report their current state of laptop encryption and their plan to encrypt all laptops.

The objectives of the audit were to:

- Determine whether laptop inventory at UT Brownsville is complete, accurate, and up-to-date; and
- Determine whether all institutional laptops have been properly encrypted or exempted.

We made observations and recommendations over the following areas:

- Discrepancies between the Accounting and Finance Inventory List and the User Support Services-ITS SharePoint lists
- Laptops not encrypted
- Violation of Security Procedures Bulletin 1 ("using products and/or methods approved by the Entity's Chief Information Security Officer")
- Refusal of encryption mandate by user

We concluded that the laptop inventory at UT Brownsville is not complete, accurate, and up-to-date due to the discrepancies between the Accounting and Finance Inventory List and the ITS SharePoint List. In addition, not all institutional laptops have been properly encrypted or exempted in accordance with the UT System Encryption requirement. Failure to properly encrypt laptops could expose sensitive University data and could lead to costly remediation efforts and negative publicity.

Background Information

In 2007, The University of Texas System (Administration) issued a bulletin, Encryption Practices for Storage of Confidential University Data on Portable and Non-University Owned Computing Devices (SPB-1), which lays out the basic expectations and requirements for the encryption of laptop computers at UT System. However, in 2007 no single solution was available to encrypt all laptop platforms, and many institutions did not readily adopt a solution.

Since 2007, UT System has experienced several incidents of lost or stolen laptops containing confidential or sensitive data. As a result, the Executive Vice Chancellors (EVCs) in Health Affairs and Academic Affairs issued a memo to each institutional president, which required all institutions to report their current state of laptop encryption and their plan to encrypt all laptops. The memo required each institution to report this information by July 1, 2012. For FY 2013, the System Audit office asked each institution to include audit plan hours to report on the status of encryption at their institution.

Audit Objectives

The objectives of the audit were to:

- Determine whether laptop inventory at UT Brownsville is complete, accurate, and up-to-date; and
- Determine whether all institutional laptops have been properly encrypted or exempted.

Scope of Work

The scope covered all institutional laptop computers (including personal computers that faculty or staff may use to conduct any university business), and the policies and procedures related to the laptop encryption process at UTB. We did not include any desktop computers in our scope.

Our examination was conducted in accordance with guidelines set forth in The University of Texas System's Policies UTS 129 and the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing (Standards). The Standards set criteria for internal audit departments in the areas of independence, professional proficiency, scope and performance of audit work, and management of the internal auditing department. UTS 129 requires that we adhere to the Standards.

Audit Results

The Office of Information Security is responsible for coordinating and verifying the encryption of laptops at the University of Texas at Brownsville. The User Support Services (USS) of the Information Technology Services Division (ITS) is responsible for the actual encryption of university laptops. The process consists of ITS sending communications and collecting laptops from departments, encrypting the laptops and logging their encryption status, and finally returning the laptops to the departments.

A SharePoint site is maintained by User Support Services (USS - ITS Division) where all laptops encrypted or pending encryption are logged. In addition, the encryption management console (SecureDoc, SafeBoot) shows the encryption status of each laptop and the last time the laptop logged into the network. Accounting and Finance also maintains an inventory list of assets; laptops are added to this list when they are purchased. In addition, ITS Standard Operating Procedure SOP 1.1.1 will be updated to include the new process to order laptops and ensure encryption software is installed before delivering the laptop to the end user.

Inventory Lists:

We compared the laptop inventory lists provided by Accounting and Finance and the ITS SharePoint list to determine the accuracy and completeness of the laptop encryption process. Both the Accounting and Finance inventory listing and the ITS SharePoint list contained records for assets that were listed more than once:

- Accounting and Finance: 17 duplicate records
- ITS: 74 duplicate records

Discrepancies between Accounting & Finance Inventory List and ITS SharePoint List (laptops):

  Per A&F:                                          2,150
  Per ITS:                                          1,166
  Matched by IA:                                    1,023
  Discrepancies - Not listed on ITS SharePoint:     1,127
  Discrepancies - Listed on ITS but not on A&F:       143

At the beginning of the encryption process, ITS identified laptops on their original SharePoint list that were already encrypted or in storage. Even though we requested ITS to identify the laptops removed from the original SharePoint list, ITS was not able to produce this list of laptops; therefore, Internal Audit cannot determine if the 1,127 records mentioned above are included in those records removed from their original list. Reconciliation between the Accounting and Finance Laptop Inventory and ITS SharePoint information has not been performed to ensure that all laptops have been properly identified and encrypted.

Recommendation 1: We recommend that the Information Security Officer (ISO) coordinate with Accounting and Finance and User Support-ITS:

- To work together to reconcile the two asset lists and remove any duplicate records from their lists;
- To determine if the encryption process can be incorporated into the Asset Management module in PeopleSoft to improve efficiency, eliminate redundancy and reduce the possibility of errors by utilizing one asset management application.

Management's Response: The maintenance of multiple lists is not an effective solution as a remediation. OIS will consult with Accounting and Finance, the official steward of asset inventory at UTB, to develop a consolidated solution for recording the encryption status of laptops. The list maintained by ITS is to be considered a work paper to keep track of laptop encryption services and is not to be considered a document of record.

Implementation Date: Office of Information Security needs to meet with Accounting & Finance to determine the project timeline.

Not able to verify encryption:

We selected a sample of 62 laptops; 50 (80%) were verified as the status reported by ITS, 1 (2%) was reported as encrypted and we noted it was not (see Violation of SPB 1), and we were not able to verify the status of 11 (18%) laptops.

  Encryption Status Per ITS              Selected   Verified   Not Verified
  Encrypted                                    40         36              4
  Missing/Stolen                                6          5              1
  Pending Encryption                           11          5              6
  Decommissioned/Hard drive destroyed           3          3              0
  Storage                                       2          2              0
  TOTAL                                        62         51             11

  #    Encryption Status Per ITS            Reason Internal Audit Not Able to Verify Encryption Status
  1    Encrypted                            User has laptop and is currently on FMLA.
  2    Encrypted                            Professor is out of state conducting research. Will return in June 2013.
  3    Pending Encryption                   Department loaned out to ex-student. Messages left to return laptop. Laptop not returned at the end of audit fieldwork.
  4    Encrypted                            Laptop boxed due to recent office move and department unable to identify which box stores laptop.
  5    Pending Encryption                   Laptop not found; need to file police report.
  6    Pending Encryption                   Laptop not found; need to file police report.
  7    Pending Encryption                   Laptop not found; need to file police report.
  8    Encrypted                            Laptop not found; need to file police report.
  9    Pending Encryption                   Laptop not found. Possibly the same laptop as row 10; only a transposition of Tag Numbers.
  10   Reported Missing/Stolen per Dept.    Laptop not found. Possibly the same laptop as row 9; only a transposition of Tag Numbers.
  11   Pending Encryption                   Has laptop at home. Has refused to have laptop encrypted.

At the beginning of this audit, 66 laptops were reported as pending encryption on the ITS inventory list, of which we selected 11 laptops for verification; we then requested an updated status at the end of fieldwork to determine if these laptops were encrypted. Of the 66 laptops initially reported by ITS as not encrypted:

- 1 laptop selected in our sample: the user refuses to encrypt the laptop
- 5 laptops selected in our sample are in the process of getting encrypted
- 4 laptops selected in our sample have not been found and departments will file police reports
- 1 laptop selected in our sample is loaned out to a student
- 5 laptops not in our sample have Police Report 1302-00156 dated 5/6/2013
- 50 laptops are still pending encryption at the end of audit fieldwork: Academic Affairs 44, Provost 1, Research 4, Economic Development 1

See Recommendation 3 in this report.

Violation of Security Procedures Bulletin 1:

One laptop reported as encrypted on August 10, 2012 was selected for verification. The auditor asked the user to reboot his laptop and noticed that the encryption software used by the institution was not installed on the laptop. When asked about the different encryption software, the user indicated the laptop has a UNIX operating system and he had personally installed the encryption software. SecureDoc is the encryption software used by the institution, and it supports both Windows and UNIX/Linux operating systems.

The user did not request an exemption or authorization to remove the encryption software installed by the institution, nor was he allowed to install unauthorized encryption software for UNIX/Linux. The user violated Security Procedures Bulletin (SPB) 1, which states encryption should be installed "using products and/or methods approved by the Entity's Chief Information Security Officer (CISO or ISO)."

Recommendation 2: We recommend the Information Security Officer coordinate with USS-ITS to ensure that the user's laptop is re-encrypted with software authorized by the Information Security Officer.

Management's Response: Office of Information Security will contact the user and coordinate with USS-ITS the re-encryption of the laptop with approved encryption software. All measures will be taken to accommodate the user's needs where compliance can be possible.

Implementation Date: July 1, 2013

See Recommendation 3 in this report.

Violation of Encryption Mandate:

For one laptop in our sample listed as pending encryption, we contacted the user to verify the laptop encryption status. The user stated he had his laptop at home, it was not encrypted, and he would not bring it in to be encrypted because encryption would interfere with his laptop's dual boot system (Windows and Linux operating systems). We informed the user about the need and importance of encrypting his laptop. He had been denied an exemption by UT System and was presented with the available solutions offered by the institution, which other UNIX/Linux users had accepted. The user still refused to have the laptop encrypted. The user is in violation of the requirement to encrypt all University laptops, stated in the memorandum from the Executive Vice Chancellor of Academic Affairs dated June 20, 2012.

Recommendation 3: We recommend the Provost/VPAA evaluate the course of action to enforce information security mandates, policies, and procedures, and take appropriate disciplinary action in accordance with the UTB HOP and the Regents' Rules and Regulations.

Management's Response: The Office of the Provost and VPAA concurs with the recommendation. The Provost and VPAA will coordinate with the Office of Human Resources and the Office of General Counsel to ensure that all information security mandates, policies and procedures are applied.

Implementation Date: Effective Immediately

Conclusion

The laptop inventory at UT Brownsville is not complete, accurate, and up-to-date due to the discrepancies between the Accounting and Finance Inventory List and the ITS SharePoint List. In addition, not all institutional laptops have been properly encrypted or exempted in accordance with the UT System Encryption requirement. We could not determine the number of laptops that should be encrypted due to the inaccuracy of the inventory information. Failure to properly encrypt laptops could expose sensitive University data and could lead to costly remediation efforts and negative publicity.
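The reconciliation that Recommendation 1 calls for, written out as an added Python example (not the report's or the institution's own tooling): it de-duplicates each list, matches assets by normalized tag number, reports the same categories as the discrepancy table (matched, on A&F but not ITS, on ITS but not A&F), flags matched laptops whose ITS status is still unresolved, and checks unmatched tags for the tag-number transposition noted in rows 9 and 10 of the verification table. The sample records, field names and tag format are constructed assumptions.

```python
# Added example (not the UTB report's own tooling): reconcile the Accounting
# & Finance asset register against the ITS encryption tracker. Records and
# field names are constructed assumptions.
from collections import Counter
from dataclasses import dataclass

AF_LIST = [  # constructed Accounting & Finance asset register
    {"tag": "UTB-10001"}, {"tag": "UTB-10002"},
    {"tag": "UTB-10002"},  # duplicate record
    {"tag": "UTB-10003"}, {"tag": "UTB-10004"},
    {"tag": "utb 10056"},  # same asset, inconsistently formatted tag
]
ITS_LIST = [  # constructed ITS encryption tracker (SharePoint-style list)
    {"tag": "UTB-10001", "status": "Encrypted"},
    {"tag": "UTB-10001", "status": "Encrypted"},  # duplicate record
    {"tag": "UTB-10003", "status": "Pending Encryption"},
    {"tag": "UTB-10065", "status": "Pending Encryption"},  # 10056 mistyped?
    {"tag": "UTB-10099", "status": "Encrypted"},  # never added to A&F list
]
RESOLVED = {"Encrypted", "Decommissioned/Hard drive destroyed"}  # no action needed


@dataclass
class Reconciliation:
    unique_af: int       # distinct tags on the A&F list
    unique_its: int      # distinct tags on the ITS list
    duplicates_af: int   # records beyond a tag's first occurrence
    duplicates_its: int
    matched: int         # tags present on both lists
    not_on_its: list     # on A&F only: never entered the encryption queue
    not_on_af: list      # on ITS only: encrypted but absent from the register
    unresolved: list     # matched, but ITS status is not in RESOLVED
    possible_transpositions: list  # (A&F tag, ITS tag) differing by one swap


def normalize_tag(tag: str) -> str:
    """Canonical form so 'utb 10056' and 'UTB-10056' compare equal."""
    return "".join(ch for ch in tag.upper() if ch.isalnum())


def adjacent_swaps(tag: str):
    """Yield every string obtained by swapping two adjacent characters."""
    for i in range(len(tag) - 1):
        if tag[i] != tag[i + 1]:
            yield tag[:i] + tag[i + 1] + tag[i] + tag[i + 2:]


def reconcile(af_records, its_records) -> Reconciliation:
    af_counts = Counter(normalize_tag(r["tag"]) for r in af_records)
    its_counts = Counter(normalize_tag(r["tag"]) for r in its_records)
    af_tags, its_tags = set(af_counts), set(its_counts)
    matched = af_tags & its_tags
    # Last record wins if duplicate ITS rows disagree on status.
    status = {normalize_tag(r["tag"]): r["status"] for r in its_records}
    not_on_its, not_on_af = sorted(af_tags - its_tags), sorted(its_tags - af_tags)
    return Reconciliation(
        unique_af=len(af_tags),
        unique_its=len(its_tags),
        duplicates_af=sum(n - 1 for n in af_counts.values()),
        duplicates_its=sum(n - 1 for n in its_counts.values()),
        matched=len(matched),
        not_on_its=not_on_its,
        not_on_af=not_on_af,
        unresolved=sorted(t for t in matched if status[t] not in RESOLVED),
        possible_transpositions=sorted(
            (a, b) for a in not_on_its for b in adjacent_swaps(a) if b in not_on_af
        ),
    )


if __name__ == "__main__":
    print(reconcile(AF_LIST, ITS_LIST))
```

The identity unique_af - matched == len(not_on_its) (and its ITS counterpart) is the same arithmetic as the report's 2,150 - 1,023 = 1,127 and 1,166 - 1,023 = 143, so it serves as a sanity check on any real run.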