Technology Audit Plan ----BCSY University

Technology Audit Plan ----BCSY University
Team members: Marsha Billups, Qiyu Chen, Ping Sun, Ruby (Qianru) Yang

Agenda
1. Background
2. Audit scope
3. Findings
4. Conclusion

Background
BCSY University is a private university located in downtown Boston. Its Intensive English Language Program (IELP) department attracts students from all over the world to the historic city of Boston, a cultural and culinary center. The objective of this audit is to review the Temple University Intensive English Language Program's enterprise database security controls. The database mainly stores student PII. This audit focuses primarily on vulnerability management, change management, access control and data loss prevention. We examine the current control processes, identify weaknesses and assess the control environment.

Audit scope
Database integrity and consistency
System development life cycle process
Physical and logical access to database servers
Data protection
Data accuracy analysis
Data backup and recovery processes

Finding 1: Unauthorized Physical Access
Fact: Lack of adequate security measures that prevent and limit physical access to the servers at entry points.
Standards: NIST SP 800-116 describes how and why organizations should deploy Physical Access Control Systems (PACS).
Root cause: Lack of attention to data security controls outside the technology field.
Impact: High
Recommendations: 1. Use individual physical ID cards to unlock the data center door. 2. Use cameras to monitor the data rooms.

Finding 2: Weak Change Management Implementation
FACTS:
The IT Change Review Board approved all changes; however, for 26 of 30 samples selected, the business approval was a blanket approval covering as many changes as the overall project required, rather than an approval of each individual change.
For 25 of 30 samples selected, the change request was not formally documented in BCSY's IT Tracking (ITRAC) system prior to System Owner approval.
For 29 of 30 samples selected, evidence of business User Acceptance Testing (UAT) was not formally documented.
Although Emergency Change procedures are formally documented, no time frame is documented for obtaining IT Change Board approval in the event that verbal approval is obtained.

Finding 2: Weak Change Management Implementation
STANDARDS: BCSY IT Change Management Procedures; BCSY IT Internal Control Handbook; IELP System Change Management Work Instructions (CMWI); Change Management SOX Controls
ROOT CAUSE: The IELP System Change Management Work Instructions did not address all areas identified in the BCSY IT Change Management Procedures, and the IELP CMWI were not followed.

Finding 2: Weak Change Management Implementation
IMPACT: Strong change control procedures, such as proper approvals, formally documented UAT, and time frames for obtaining formal approval of emergency changes, help to ensure that only authorized and proper changes in line with university needs are moved into production, and they allow changes to be traced.
RECOMMENDATIONS:
1. Update the IELP System Change Management Work Instructions to clearly document the requirement for business approval of each individual change, and immediately communicate and ensure adherence to this procedure.
2. Ensure that all change requests are formally documented within ITRAC prior to obtaining System Owner approval.
3. Formally document and retain evidence of UAT for all System Owner related changes, and update the CMWI to retain evidence of testing within ITRAC or to provide traceability to that evidence.
4. Update the CMWI to include a time frame for obtaining formal Change Board approval in the event that verbal approval is obtained for emergency changes.

Finding 3: Use of Removable Devices
Fact: Students' PII was copied from the database onto portable USB devices that were not encrypted.
Standards: NIST Special Publication 800-124 Revision 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise
Root cause: Student workers were not fully educated about policy; they are mostly unaware of the dangers of using unapproved removable portable devices on the network to copy and transfer data.
Impact: High. Sensitive data leakage, especially of PII, and sensitive data exposure may occur if these devices get lost or stolen.
Recommendations: 1. Training for every student worker. 2. Limit access to sensitive data.

Finding 4: Bad Backup Policy
Fact: Data stored in the database half a year ago had no backup.
Standards: According to NIST SP 800-34, system data should be backed up regularly. Policies should specify the minimum frequency and scope of backups (e.g., daily or weekly, incremental or full) based on data criticality and the frequency with which new information is introduced.
Root cause: The database administrator backs up data at random intervals.
Impact to the business: High. Losing data causes serious harm to students and damages the university's reputation.
Recommendations: Back up the data every two months.
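The NIST SP 800-34 requirement quoted above (a documented minimum frequency and scope) becomes testable once the policy values are pinned down. The following is an added example, not code from the presentation or from BCSY: it takes a backup log and a maximum allowed gap between backups and reports every window in which the database was unprotected, which is exactly the condition behind the "no backup for half a year" fact. The 61-day gap (approximating the two-month recommendation) and both backup logs are constructed assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

BackupLog = List[Tuple[datetime, str]]   # (timestamp, "full" | "incremental")

# Assumed policy value: maximum interval between backups, roughly the
# two-month frequency recommended in Finding 4.
MAX_BACKUP_GAP = timedelta(days=61)

# Constructed backup log reproducing the finding: weekly backups stop in
# September and do not resume until late February. Not real BCSY data.
BACKUP_LOG: BackupLog = [
    (datetime(2018, 9, 1), "full"),
    (datetime(2018, 9, 8), "incremental"),
    (datetime(2018, 9, 15), "incremental"),
    (datetime(2019, 2, 20), "full"),
    (datetime(2019, 2, 27), "incremental"),
]

# Constructed compliant log: weekly backups with a full backup every fourth week.
WEEKLY_LOG: BackupLog = [
    (datetime(2019, 1, 1) + timedelta(days=7 * i), "full" if i % 4 == 0 else "incremental")
    for i in range(8)
]

# Assumed audit date.
AS_OF = datetime(2019, 3, 1)

def unprotected_windows(log: BackupLog, max_gap: timedelta, as_of: datetime) -> List[Tuple[datetime, datetime]]:
    """Return (start, end) pairs where consecutive backups are more than max_gap
    apart, plus the trailing window from the latest backup to as_of if it is too old."""
    stamps = sorted(ts for ts, _ in log)
    windows = [(prev, nxt) for prev, nxt in zip(stamps, stamps[1:]) if nxt - prev > max_gap]
    if stamps and as_of - stamps[-1] > max_gap:
        windows.append((stamps[-1], as_of))
    if not stamps:
        windows.append((datetime.min, as_of))   # no backups at all
    return windows

def has_recent_full(log: BackupLog, as_of: datetime, max_full_age: timedelta) -> bool:
    """Incrementals alone cannot restore a database; require a full backup within max_full_age."""
    return any(kind == "full" and as_of - ts <= max_full_age for ts, kind in log)

def evaluate(log: BackupLog, as_of: datetime) -> Dict[str, object]:
    """Single compliance verdict an auditor can record against the backup policy."""
    gaps = unprotected_windows(log, MAX_BACKUP_GAP, as_of)
    full_ok = has_recent_full(log, as_of, MAX_BACKUP_GAP)
    return {"compliant": not gaps and full_ok, "gaps": gaps, "recent_full": full_ok}

if __name__ == "__main__":
    for name, log in (("BACKUP_LOG", BACKUP_LOG), ("WEEKLY_LOG", WEEKLY_LOG)):
        result = evaluate(log, AS_OF)
        print(name, "compliant" if result["compliant"] else "NOT compliant")
        for start, end in result["gaps"]:
            print(f"  unprotected for {(end - start).days} days: {start.date()} to {end.date()}")
```

Running this against a real backup catalogue turns the policy into a recurring check rather than a one-time audit observation; the gap list is also the evidence an auditor would attach to the finding, since it states the exact period for which no restore point existed.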

Conclusion
Overall rating for effectiveness of the processes and controls: Unsatisfactory
Four high-risk findings:
1. Unauthorized Physical Access
2. Weak Change Management Implementation
3. Use of Removable Devices
4. Bad Backup Policy