AUDIT REPORT. Corporate Access and Identity Management Project Audit Opinion: Satisfactory. July 31, 2015




AUDIT REPORT
Corporate Access and Identity Management Project
Audit Opinion: Satisfactory
July 31, 2015
Report Number: 2015-IT-02

Table of Contents

Executive Summary
  Background ............................ 1
  Objectives and Scope .................. 1
  Audit Opinion ......................... 2
Appendices
  Definitions ........................... 3
  Distribution .......................... 4
  Audit Performed By .................... 4

Executive Summary

Background

During May 2014, Citizens began establishing a corporate Access and Identity Management (AIM) program to develop stronger governance, process ownership and improved processes across our widely distributed application security environment. Conceptually, identity management refers to the management of the entire life cycle of user and system accounts so that users can be uniquely identified to IT systems before being granted access to sensitive IT assets. Processes in place include user provisioning, maintenance, deprovisioning, monitoring, and reporting on accounts and related access permissions.

During 2010, IT Security developed a Computer Access Management program that divided user application access processes between business areas and IT Security for applications considered high risk. This program has not been effective, mainly because of the lack of automation and of the resources needed to comply with the program requirements from both a business and an information technology perspective. With the current project, renewed emphasis is being placed on the management of access throughout Citizens' vast systems infrastructure, with the intent to fully distribute user access management processes to the appropriate business areas. Going forward, instead of being the custodian of access management, IT Security will provide governance oversight and compliance validation functions.

The primary objectives of the AIM project are to:

- Develop a governance framework that provides guidance in security access management, as well as a business user access process document to capture and understand the processes currently in place. (A more over-arching IT Security Policy is being developed as part of another initiative, which will further strengthen governance and control over system access.)
- Document and assess current application identity management processes for applications containing data classified as restricted and sensitive.
- Assess gaps in processes and user access reporting and define the improvements needed to effectively manage and monitor these processes.
- Remediate gaps where necessary to comply with the minimum standards contained in the framework.

Results from this project are not intended to provide assurance that a single user's access is addressed with proper separation of duties across multiple systems; the project's single focus is on an application-by-application basis.

Audit Objectives and Scope

We evaluated the adequacy and effectiveness of the governance structure associated with the project in accordance with project management best practices as defined in the Global Technology Audit Guide 12, Auditing IT Projects, and the Control Objectives for Information and related Technology (COBIT) 4.1. We also evaluated compliance with the Citizens Enterprise Project Management Methodology. The scope of the audit included the following components that were identified as integral parts of the governance process:

- A sound project governance structure has been established (project team and stakeholders group), objectives have been clearly defined and communicated, and a clear escalation path is implemented.
- Required project artifacts are created and stored in the required location in line with the Project Methodology.
- Appropriate approvals are obtained for artifacts and significant project decisions.
- Roles and responsibilities have been delineated and communicated to business application owners and contacts.
- Tasks, resources and target dates are kept up to date and periodically reported to the project owner and sponsor.
- Project risks are being identified as the project progresses.
- Status reports are being generated and distributed in line with the time frame required by the Project Methodology.

Audit Opinion

Based upon our audit work, the overall effectiveness of the governance processes and of compliance with the Citizens Enterprise Project Management Methodology policy evaluated during the audit is rated as Satisfactory. We found that the project governance structure is well designed, with an escalation path to a stakeholders group and an executive sponsor. Monthly stakeholder meetings are held to review project status and issues. Appropriate approvals have been obtained for the documents that policy requires to be approved. Primary project team members are available to business owners and application contacts for assistance in completing the current state assessment documents. Formalized status checkpoints have been put in place with application owners as the User Access Process documents are being completed between May and November 2015.

We would like to thank management and staff in IT Security and the Program Management Office for their cooperation and professional courtesy throughout the course of this audit.

Appendix 1: Definitions

Audit Ratings

Satisfactory: Critical internal control systems are functioning in an acceptable manner. There may be no or very few minor issues, but their number and severity relative to the size and scope of the operation, entity, or process audited indicate minimal concern. Corrective action to address the issues identified, although not serious, remains an area of focus.

Needs Improvement: Internal control systems are not functioning in an acceptable manner, and the control environment will require some enhancement before it can be considered fully effective. The number and severity of issues relative to the size and scope of the operation, entity, or process being audited indicate some significant areas of weakness. Overall exposure (existing or potential) requires a corrective action plan with priority.

Unsatisfactory: One or more critical control deficiencies exist which would have a significant adverse effect on loss potential, customer satisfaction or management information; or the number and severity of issues relative to the size and scope of the operation, entity, or process being audited indicate pervasive, systemic, or individually serious weaknesses. As a result, the control environment is not considered appropriate, or the management of the risks reviewed falls outside acceptable parameters, or both. Overall exposure (existing or potential) is unacceptable and requires an immediate corrective action plan with the highest priority.

Appendix 2: Distribution

Addressees
  Mitch Brockbank, Director IT Security and Risk

Copies
  Juan Cocuy, Citizens Audit Committee Chairman
  Bette Brown, Citizens Audit Committee Member
  Jim Henderson, Citizens Audit Committee Member
  Barry Gilway, President/CEO/Executive Director
  Kelly Booten, Chief Systems and Operations
  Curt Overpeck, Chief Information Officer
  John Rollins, Chief Risk Officer
  Dan Sumner, Chief Legal Officer and General Counsel
  Christine Ashburn, VP, Legislative and External Affairs and Communications
  Robert Owens, Director, Program Management Office
  Bruce Meeks, Inspector General

Following Audit Committee Distribution
  The Honorable Rick Scott, Governor
  The Honorable Jeff Atwater, Chief Financial Officer
  The Honorable Pam Bondi, Attorney General
  The Honorable Adam Putnam, Commissioner of Agriculture
  The Honorable Andy Gardiner, President of the Senate
  The Honorable Steve Crisafulli, Speaker of the House of Representatives

Audit Performed By
  Audit Director: Karen Wittlinger, Director IT Audit
  Under the Direction of: Joe Martins, Chief of Internal Audit