Information Technology Audit Process Business Practices Seminar Paul Toffenetti, CISA Internal Audit 29 February 2008.


Overview
What is Internal Audit
IT Audit Process
Common IT Audit Observations
So What Should We Do
Questions

Authority and Policies: What is Internal Audit?
Internal auditing is an independent, objective assurance and advisory activity designed to add value and improve an organization's operations. Internal Audit helps organizations accomplish their objectives by evaluating business risk and controls and, where appropriate, offering recommendations to improve risk management and governance processes.

Audit Process
Planning
Testing
Reporting
Follow-up

Planning
Annual Risk Assessment
Preliminary Audit Plan
Board of Visitors Approval
Notification and Request for Information
Understand Your Risks and Controls
Opening Conference

Testing
Security
Backup & Recovery
Resource Management
Web Site

Security Testing: Remote Vulnerability Scans
Servers, Printers, Routers, Workstations, Laptops
If it's on the network we scan it!
Nmap & Nessus

Security Testing: On-Site, Follow-up Vulnerability Tests
Workstations, Laptops, Servers
We Test Computers That May Have Security Vulnerabilities!
WinAudit, MBSA, CIS Tools & Benchmarks

Backup & Recovery Testing You Must Have Effective Controls to Backup & Recover “Critical Data”

Resource Management Testing Computer Hardware & Software Procurement through Surplus

Web Site Testing
University Relations Web Guidelines & Procedures
Web Development Best Practices
Content Recommendations
Templates
Privacy Statement (Policy 7030)
Web Server & Application Security

Reporting: Observations
When Unexpected Results are Noted, We Solicit Your Comments

Reporting: Recommendations
We May Recommend Opportunities To Improve Your Controls

Reporting: Management Action Plans
You Develop Plans, Schedules, and Priorities To Implement Solutions

Reporting
A Final Report is Sent to The Board of Visitors

Follow-Up
Follow-Up Actions are Based on Your "Management Action Plan"
Progress is Monitored
Some Re-Testing May be Necessary
Board of Visitors is Updated
Audit is Closed

Common Audit Observations: Weak Security Settings
Windows Operating System

Common Audit Observations: Missing Security Patches
Operating Systems, Applications, Databases

Common Audit Observations: Misconfigured Anti-Malware Tools
Out-of-Date Threat Signatures
Scans Not Scheduled

Common Audit Observations: Inadequate Access Controls
Weak Passwords & File Permissions

Common Audit Observations: Open Communication Ports
The Hacker's Point of Entry

Common Audit Observations: "The System Administrator's Dilemma"
How Much Risk is Senior Management Willing to Accept?
Security vs. Convenience

So What Should We Do?
Harden Security Settings
Keep Everything Patched
Install and Use Anti-Malware Tools
Enforce Strong Passwords
Close or Filter Communication Ports
Test Your Systems
Support Your System Administrator!
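The "Open Communication Ports" observation and the "Close or Filter Communication Ports" recommendation can be turned into a repeatable self-check before the auditors arrive. The following is an added example (not the seminar's own tooling): it parses the greppable output that Nmap writes with -oG and flags every open port that is not on a documented per-host baseline. The scan text, host names, addresses and the BASELINE dictionary are constructed for the example.

```python
"""Flag listening ports not on an approved per-host baseline, from nmap -oG output (hypothetical example)."""
import re
from collections import defaultdict

# Constructed sample of nmap -oG output; hosts, names and ports are invented.
SAMPLE_SCAN = """# Nmap 7.80 scan initiated (constructed sample)
Host: 10.0.5.10 (fileserver.example.edu)\tStatus: Up
Host: 10.0.5.10 (fileserver.example.edu)\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 23/open/tcp//telnet///\tIgnored State: closed (997)
Host: 10.0.5.21 (printer-3f.example.edu)\tStatus: Up
Host: 10.0.5.21 (printer-3f.example.edu)\tPorts: 9100/open/tcp//jetdirect///, 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: filtered (997)
Host: 10.0.5.30 (ws-lab-04.example.edu)\tStatus: Up
Host: 10.0.5.30 (ws-lab-04.example.edu)\tPorts: 135/open/tcp//msrpc///, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (998)
# Nmap done
"""

# Hypothetical baseline: ports the system owner has documented as required on each host.
BASELINE = {"10.0.5.10": {445}, "10.0.5.21": {9100}, "10.0.5.30": set()}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")

def parse_grepable(text):
    """Return {ip: {"port/proto": service}} for ports nmap reported as open.
    Each -oG port entry has the form port/state/proto/owner/service/rpc/version/."""
    open_ports = defaultdict(dict)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                       # comment lines and anything that is not a host record
        ip, _hostname, rest = m.groups()
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue                   # e.g. "Status: Up" or "Ignored State: ..."
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                port, state, proto, service = parts[0], parts[1], parts[2], parts[4]
                if state == "open":        # filtered/closed ports are not findings here
                    open_ports[ip][f"{port}/{proto}"] = service or "unknown"
    return dict(open_ports)

def find_unapproved(open_ports, baseline):
    """List (ip, port/proto, service) for open ports absent from that host's baseline.
    A host missing from the baseline is treated as having no approved ports at all."""
    findings = []
    for ip, ports in open_ports.items():
        allowed = baseline.get(ip, set())
        for key, service in sorted(ports.items(), key=lambda kv: int(kv[0].split("/")[0])):
            if int(key.split("/")[0]) not in allowed:
                findings.append((ip, key, service))
    return findings
```

Run against the constructed scan, find_unapproved(parse_grepable(SAMPLE_SCAN), BASELINE) returns five findings (telnet and RDP on the file server, telnet and HTTP on the printer, RPC on the lab workstation), each a candidate to close on the host or filter at the network boundary.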

Questions
"Success Redefined"