Presentation transcript:

GALILEO GeorgiaBEST GeorgiaFIRST Georgia ONmyLINE GeorgiaVIEW GIL PeachNet USG123 Dotting Your I’s and Crossing Your T’s: Preparing for an IT Audit David Nisbet & Shelia Sloan Information Technology Services Board of Regents of the University System of Georgia

Agenda
- Why Audits Matter
- Learning from the Past Two Years' Audits
- Knowing What Auditors are Looking For
- ITS-developed Tools and Processes
- How You Can Prepare for Your Next IT Audit
- Q&A

Why Do Audits Matter?
University of Hawaii faces lawsuit after a security breach in 2009: names, academic performance, disabilities, and other sensitive information of 40,000 former University of Hawaii students was online for nearly a year.

Why Do Audits Matter?
Ohio State University is notifying up to 760,000 students, professors and others that their names and Social Security numbers might have made it to cyberspace in one of the largest and most costly breaches to hit a college campus. Ohio State expects to spend about $4 million to pay for the forensic investigation and credit-protection services for those whose personal information was on a server that was hacked.

Why Do Audits Matter?
University of Texas at Austin acknowledged that the names, addresses and Social Security numbers of some 59,000 students, alumni and employees were obtained through a brute force attack on a University database. According to the University, the incident could have been prevented if additional security measures had been taken.

Why Do Audits Matter?
Headline: Two Charged with Hacking PeopleSoft to Fix Grades. Two California men are facing 20 years in prison on charges they hacked into a California state university's PeopleSoft system to change their grades. IT staff finally caught wind of the problem during a routine audit.

What is an IT Audit?
An examination of the checks and balances, or controls, within an information technology (IT) group. It collects and evaluates "evidence" of an organization's information systems, practices, and operations, and determines whether the information systems are:
- safeguarding the information assets
- maintaining data integrity
- operating effectively and efficiently to achieve the organization's business goals or objectives

Previous Years' Audits
The earlier audit focused on:
- Change management issues: supporting documentation and approvals
- Terminated employee access in PeopleSoft Financials
The 2011 audit focused on:
- Security forms and approvals for user access
- More concentrated campus focus
- PeopleTools access
- Shift in focus to Banner

Auditors are looking for:
- General and application controls
- Backup procedures
- Monitored and documented job scheduling
Auditors are interested in ensuring data integrity, availability and confidentiality.

General and Application Controls include Logical Access, Change Management, and IT Operations. There are nine ways to help maintain general and application controls:

Nine General and Application Controls
1. Strong Password Settings
- Minimum lengths
- Complex password composition
- Lock accounts
- Frequently force changes

Nine General and Application Controls
2. Limit Privileged Functions to appropriate personnel
- Review your security administrators on campus.
- Look at users with full access.
- Do users have access to system utilities/resources such as database tools, SQL tools and Crystal Reports?

Nine General and Application Controls
3. Maintain Segregation of Duties by separating the following roles:
- Requesting access
- Approving access
- Setting up access
- Monitoring access and violations
- Performing rights as a privileged user, and
- Monitoring a privileged user

Nine General and Application Controls
4. Ensure Appropriate User Access and Authorization
- Is there an authorization form on file with the appropriate approvals in place?
- Are these periodically reviewed for changes or updates?
- Are terminated employee accounts locked or removed?

Nine General and Application Controls
5. Maintain General Security Settings
- Firewalls
- Anti-virus software
- Re-authentication
- Encryption
- Time-outs

Nine General and Application Controls
6. Control Access
- Physical access to computer hardware
- Access to the data center
- Environmental controls such as fire suppression, temperature control, and UPS

Nine General and Application Controls
7. Change Management
- Are the changes to the application approved, tested, monitored, and authorized?
- What are the types of changes? Updates, bug fixes, functionality, report changes

Nine General and Application Controls
8. Change Management: Maintain Separation of Duties between the
- Requester of the change
- Developer of the change
- System tester of the change
- Person who migrates the change in and out of production
- Person who monitors the program development and changes
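Both segregation-of-duties splits above, the access-administration roles (requesting, approving, setting up and monitoring access, privileged use and its monitoring) and the change-management roles (requester, developer, tester, migrator, monitor), reduce to the same check: no single user may hold two duties from the same group. The script below is an added example, not code from the presentation or from ITS; the role names, the conflict groups and the sample user-to-role extract are all constructed and stand in for whatever roles a campus actually defines in PeopleSoft.

```python
"""Segregation-of-duties (SoD) check over a user-to-role assignment extract.

Added example; not code from the presentation or from ITS. Role names, conflict
groups and the sample assignments are constructed for illustration.
"""
from itertools import combinations

# Each group lists duties that must be held by different people. The first
# group is the access-administration split, the second the change-management
# split. Any two roles from one group held by the same user is a finding.
CONFLICT_GROUPS = {
    "access_administration": {
        "ACCESS_REQUESTER", "ACCESS_APPROVER", "ACCESS_SETUP",
        "ACCESS_MONITOR", "PRIVILEGED_USER", "PRIVILEGED_USER_MONITOR",
    },
    "change_management": {
        "CHANGE_REQUESTER", "DEVELOPER", "SYSTEM_TESTER",
        "MIGRATOR", "CHANGE_MONITOR",
    },
}

# Constructed sample extract: user id -> set of roles held in the system.
# Roles outside every conflict group (e.g. GL_INQUIRY) are ignored by the check.
ASSIGNMENTS = {
    "jsmith": {"ACCESS_SETUP", "ACCESS_APPROVER", "GL_INQUIRY"},
    "tlee":   {"DEVELOPER", "SYSTEM_TESTER", "MIGRATOR"},
    "mchen":  {"ACCESS_REQUESTER", "GL_INQUIRY"},
    "rpatel": {"PRIVILEGED_USER", "PRIVILEGED_USER_MONITOR"},
}


def find_sod_conflicts(assignments, groups=CONFLICT_GROUPS):
    """Return one (user, group, role_a, role_b) tuple per conflicting pair.

    A user holding three roles from one group produces three pairs, which is
    what an auditor wants to see: each pair is a separate control failure.
    """
    findings = []
    for user, roles in assignments.items():
        for group, members in groups.items():
            held = sorted(roles & members)
            for role_a, role_b in combinations(held, 2):
                findings.append((user, group, role_a, role_b))
    return sorted(findings)


def users_in_conflict(assignments, groups=CONFLICT_GROUPS):
    """Sorted list of users with at least one SoD conflict."""
    return sorted({finding[0] for finding in find_sod_conflicts(assignments, groups)})


if __name__ == "__main__":
    for user, group, role_a, role_b in find_sod_conflicts(ASSIGNMENTS):
        print(f"{user}: {role_a} + {role_b} ({group})")
```

Run against a real extract, the assignments dictionary would be built from the role-to-user report and the conflict groups from the campus's own role catalogue; the check itself does not change.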

Nine General and Application Controls
9. Testing should involve User Testing
F89UAT was created for the purpose of user testing. Changes are migrated there after system testing is complete. Users validate the changes in the test environment and provide approval that they have met their requirements.

Backup Procedures
Ensure backup procedures are in place:
- Frequency
- Location
- Testing
- Monitoring

Backup Procedures
Have a Disaster Recovery Plan:
- Procedures for restoration
- Key personnel/processes
- Vendor for equipment
- How to return to normal operations

Job Scheduling
Job scheduling includes:
- Backup processes
- Batch processes
- Responsible personnel
- Resolution procedures
- Requirements

ITS-developed Tools and Processes
Monthly, ITS performs an internal security review. This review focuses on:
- Super User Access: security admins
- Terminations: are the accounts locked and the base role removed? Uses query BOR_SEC_TERMINATED_USERS
- User Access: User Page Access report (Main Menu > BOR Menus > BOR Utilities > User Access Report). There is also a Role Page Access report to cross-reference.

ITS-developed Tools and Processes
Locking Accounts

ITS-developed Tools and Processes
Remove the Base Role

Prepare for an Audit with Monthly Monitoring
Review documentation and the security request form: is there a security request form on file for all users, and does it match their access in the system? fin/documentation/job_aids/category/security/
- Update PeopleSoft and security forms for users whose jobs have changed
- Ensure appropriate approvals are in place
- Review terminations
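The monthly review described on the ITS tools slide and the monitoring steps just listed amount to two reconciliations: every terminated user's account must be locked with the base role removed, and every active user's roles in the system must match a security request form on file. The script below is an added example, not code from the presentation or from ITS. Its inputs are constructed stand-ins: TERMINATED plays the part of the BOR_SEC_TERMINATED_USERS query output, ACCOUNTS a user/role extract with the lock flag, and FORMS the roles approved on each user's security request form; BASE_ROLE is a placeholder, not the real PeopleSoft role name.

```python
"""Monthly access review: terminated accounts and security-form reconciliation.

Added example; not code from the presentation or from ITS. All inputs below are
constructed stand-ins for the query output, user/role extract and the roles
approved on security request forms. BASE_ROLE is a placeholder name.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "user kind detail")

BASE_ROLE = "BASE_ROLE"  # placeholder for the campus's real base role

# Constructed sample data.
TERMINATED = ["aadams", "bbrown"]            # stand-in for BOR_SEC_TERMINATED_USERS
ACCOUNTS = {                                 # user id -> lock flag and roles held
    "aadams": {"locked": True,  "roles": {"BASE_ROLE"}},
    "bbrown": {"locked": False, "roles": set()},
    "cclark": {"locked": False, "roles": {"BASE_ROLE", "AP_ENTRY"}},
    "ddavis": {"locked": False, "roles": {"BASE_ROLE", "AP_ENTRY", "AP_APPROVER"}},
    "eevans": {"locked": False, "roles": {"BASE_ROLE"}},
}
FORMS = {                                    # user id -> roles approved on the form
    "cclark": {"BASE_ROLE", "AP_ENTRY"},
    "ddavis": {"BASE_ROLE", "AP_ENTRY"},
}


def review_terminations(terminated, accounts):
    """Terminated users whose account is still unlocked or still holds the base role."""
    findings = []
    for user in terminated:
        acct = accounts.get(user)
        if acct is None:
            continue  # account already removed: nothing left to report
        if not acct["locked"]:
            findings.append(Finding(user, "NOT_LOCKED", "terminated but account is still active"))
        if BASE_ROLE in acct["roles"]:
            findings.append(Finding(user, "BASE_ROLE_PRESENT", f"still holds {BASE_ROLE}"))
    return findings


def review_forms(terminated, accounts, forms):
    """Active users with no form on file, or with system roles the form never approved."""
    findings = []
    gone = set(terminated)
    for user, acct in sorted(accounts.items()):
        if user in gone or acct["locked"]:
            continue  # terminated and locked accounts are covered by review_terminations
        approved = forms.get(user)
        if approved is None:
            findings.append(Finding(user, "NO_FORM", "no security request form on file"))
            continue
        extra = sorted(acct["roles"] - approved)
        if extra:
            findings.append(Finding(user, "ACCESS_EXCEEDS_FORM",
                                    "roles not on form: " + ", ".join(extra)))
    return findings


def monthly_review(terminated=TERMINATED, accounts=ACCOUNTS, forms=FORMS):
    """All findings for one review cycle, terminations first."""
    return review_terminations(terminated, accounts) + review_forms(terminated, accounts, forms)


if __name__ == "__main__":
    for finding in monthly_review():
        print(f"{finding.user:8} {finding.kind:20} {finding.detail}")
```

Roles held that a form does not list are the case auditors ask about ("does it match their access in the system?"); a form that lists more than the user holds is not flagged, since the user has less access than approved, but it is still a sign the form should be refreshed when the job changes.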

Prepare for an Audit with Monthly Monitoring
- Review user preferences and role assignments for control and segregation of duty issues.
- Review budget security
- Limit approvals to certain individuals
