Auditor of Public Accounts1 How Safe is Your State’s Data? Virginia’s Common-Sense approach to Assessing Security.

Auditor of Public Accounts 1 How Safe is Your State’s Data? Virginia’s Common-Sense Approach to Assessing Security

Auditor of Public Accounts 2 Virginia’s Common-Sense Approach to Assessing Security
Why did we choose to assess the Commonwealth of Virginia’s systems and data security?
What was the timeframe from inception to completion?
What approach did we use to gather the data?
How did we evaluate the data?

Auditor of Public Accounts 3 Virginia’s Common-Sense Approach to Assessing Security
How did we report the results?
What were the lessons learned and what would we have done differently?
What was the response to the report we issued?

Auditor of Public Accounts 4 Virginia’s IT Governance
Virginia has had information technology security standards since 1990
Creation of Virginia Information Technologies Agency (VITA) in 2003
Commonwealth’s Chief Information Officer is responsible for information technology security

Auditor of Public Accounts 5 Virginia’s IT Governance
VITA is responsible for information technology security audits, however they had not been doing them!
–Funding issues
–Efforts focused on Northrop Grumman public private partnership for IT infrastructure

Auditor of Public Accounts 6 Why did we choose to assess the Commonwealth of Virginia’s systems and data security? Security Breaches
Virginia Organization: Jan. 10, 2005 – George Mason University (Fairfax, VA). Names, photos, and Social Security numbers of 32,000 students and staff were compromised because of a hacker attack on the university’s main ID server.
Public Organization: On May 22, 2006, the U.S. Department of Veterans Affairs issued a statement that one of their analyst’s laptops was stolen containing 26.5 million names, social security numbers, dates of birth, and health records of active and retired veterans and spouses.
Private Organization: Financial services company ING had a laptop stolen from the Washington home of one of its employees on June 12, 2006 containing sensitive data, such as social security numbers, of 13,000 District of Columbia employees and retirees.

Auditor of Public Accounts 7 Why did we choose to assess the Commonwealth of Virginia’s systems and data security?
Virginia General Assembly passed Senate Joint Resolution 51 (SJR51), which basically said “APA, you will assess the health of the security of the Commonwealth’s data.”

Auditor of Public Accounts 8 APA Audits
We had been covering IT security related to our financial and performance audits for some time
We had been issuing findings related to IT security in individual audit reports
Interpretation of SJR 51 was that we would review security of all data (not just financial data or data that resides in a database)

Auditor of Public Accounts 9 What was the timeframe from inception to completion?
Senate Joint Resolution 51 passed by House on March 9, 2006
Checklist developed July 18, 2006
Pilot study completed August 10, 2006
Final agency checklist received October 23, 2006
Report issued December 1, 2006

Auditor of Public Accounts 10 What approach did we use to gather the data?
We developed a Checklist/Questionnaire based on four criteria:
–Commonwealth of Virginia Security Standards
–International Standards (ISO 17799)
–Federal Government Standards (FISCAM/NIST)
–Private Sector Standards (CobiT)

Auditor of Public Accounts 11 Our Checklist
An example from the APA Auditor Core Checklist:
Has the agency completed and documented a Risk Assessment (RA) relating to its IT infrastructure?
Is the RA reviewed at least annually to check compliance with the Commonwealth of Virginia security standard?
Is the RA updated at least every three years?
Does the agency require all components of its IT infrastructure to be rated in the RA?

Auditor of Public Accounts 12 What approach did we use to gather the data?
Checklist/Questionnaire addressed four major areas:
–Security Management Structure
–Data protection, integrity, availability and confidentiality
–IT System Configuration and change management
–Monitoring and Logging

Auditor of Public Accounts 13 What approach did we use to gather the data?
Checklist/Questionnaire was distributed to a select (pilot) group of nine state agencies and institutions:
–Based on diversity in terms of number of staff and size of budget (included both large and small agencies and higher education institutions)

Auditor of Public Accounts 14 What approach did we use to gather the data?
A core group of Audit Directors and Senior Audit staff members were identified and trained on the checklist and how to interpret/evaluate results
This included staff from non-IT related teams within the office

Auditor of Public Accounts 15 What approach did we use to gather the data?
Approach was to test for the existence of IT policies and procedures
IT related teams developed the checklist (identifying best practices)
Do not need to be an IT expert to evaluate the existence of policies and procedures identified in the checklist

Auditor of Public Accounts 16 What approach did we use to gather the data?
After the pilot group responded to the checklist:
–Checklist/Questionnaire was revised to ensure clarity
–An APA audit staff member was assigned to each agency
–Mass distribution to all agencies/institutions (104 agencies including judicial and legislative branch)

Auditor of Public Accounts 17 What approach did we use to gather the data?
Agencies were given five business days to complete the checklist/questionnaire and supply supporting documentation
Once the documentation was received by APA, two reviews were done:
–one by the assigned auditor
–a second by a member of the Information Systems Security Team

Auditor of Public Accounts 18 What approach did we use to gather the data?
Once the initial review was completed:
–Agency was given two additional days to respond to those questions where the APA determined the documentation to be inadequate
–Mandatory participation was assured by legislative order (SJR51)

Auditor of Public Accounts 19 What approach did we use to gather the data?
Secure transfer of the checklist was achieved in one of two ways:
–Hand delivery of the checklist to/from the agency
–Or, a secure FTP site provided by the APA, which agencies could use to upload/download the checklist and supporting documentation

Auditor of Public Accounts 20 How did APA evaluate the data?
Eleven topics were identified as key evaluation criteria
Four of the eleven we titled the Big Four and included:
–Business Impact Analysis
–Risk Assessment
–Business Continuity Plan
–Disaster Recovery Plan

Auditor of Public Accounts 21 How did APA evaluate the data?
The questions that APA considered as Key Performance Indicators (KPIs):
1. Does the organizational structure include the assignment of an Information Security Officer (ISO)?
2. Does the agency have a Security Awareness Training program?
3. Has the agency completed and documented a Risk Assessment relating to its IT infrastructure?
4. Does the agency have a documented Business Impact Analysis?

Auditor of Public Accounts 25 How did APA evaluate the data?
The questions that APA considered as KPIs (continued):
5. Does the agency have a documented Business Continuity Plan?
6. Does the agency have a documented Disaster Recovery Plan?
7. Does the agency have policies and procedures for approving logical access?
8. Are users required to be authenticated for access to all systems, and are exceptions approved by management and have the risks of those exceptions been evaluated and accepted?

Auditor of Public Accounts 29 How did APA evaluate the data?
The questions that APA considered as KPIs (continued):
9. Are there policies and procedures regarding password controls?
10. Do all the critical and sensitive assets have the appropriate physical safeguards in place to protect against unauthorized access, and is it documented who approves these controls?
11. Does the agency monitor its systems, applications and databases?

Auditor of Public Accounts 32 How did APA evaluate the data?
Final evaluation categories were:
–Non-Existent (did not have any of the Big Four checked as yes)
–Inadequate (had at least one of the Big Four but did not have all eleven checked as yes)
–Adequate (had all eleven checked yes)
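To make the three-way rating rule concrete, here is an added Python example (written for this page, not the APA's own tooling) that scores an agency's eleven KPI answers and tallies a set of agencies; the short KPI keys and the sample agencies are constructed, while the 21/66/17 counts used at the end are the ones the report gives.

```python
"""Rate agencies on the eleven KPIs the way the APA report describes.

Every question is phrased so that the positive answer is "YES", so an
answer is only counted when it is YES.  Rating rule from the slides:
  Non-Existent : none of the Big Four answered YES
  Inadequate   : at least one Big Four YES, but not all eleven YES
  Adequate     : all eleven answered YES
"""
from __future__ import annotations
from collections import Counter

# Short keys for the eleven KPI questions (constructed labels, in slide order).
KPIS = (
    "iso_assigned",               # 1. Information Security Officer assigned
    "awareness_training",         # 2. Security Awareness Training program
    "risk_assessment",            # 3. documented Risk Assessment      (Big Four)
    "bia",                        # 4. documented Business Impact Analysis (Big Four)
    "bcp",                        # 5. documented Business Continuity Plan (Big Four)
    "drp",                        # 6. documented Disaster Recovery Plan   (Big Four)
    "logical_access_procedures",  # 7. procedures for approving logical access
    "authentication_required",    # 8. users authenticated; exceptions approved and risk-accepted
    "password_controls",          # 9. password control policies
    "physical_safeguards",        # 10. physical safeguards for critical/sensitive assets
    "monitoring",                 # 11. systems, applications and databases monitored
)
BIG_FOUR = frozenset({"bia", "risk_assessment", "bcp", "drp"})


def _is_yes(answer) -> bool:
    """Only an explicit YES counts; a missing answer, or one whose supporting
    documentation the reviewer rejected, is recorded as NO."""
    if isinstance(answer, bool):
        return answer
    return str(answer).strip().upper() in {"YES", "Y"}


def categorize(answers: dict) -> str:
    """Return 'Non-Existent', 'Inadequate' or 'Adequate' for one agency."""
    unknown = set(answers) - set(KPIS)
    if unknown:
        raise ValueError(f"unknown KPI keys: {sorted(unknown)}")
    yes = {k for k in KPIS if _is_yes(answers.get(k))}
    if not (yes & BIG_FOUR):          # no Big Four item at all
        return "Non-Existent"
    if yes == set(KPIS):              # every one of the eleven
        return "Adequate"
    return "Inadequate"


def summarize(agencies: dict[str, dict]) -> dict[str, int]:
    """Count agencies per category, always listing all three categories."""
    counts = Counter(categorize(a) for a in agencies.values())
    return {c: counts.get(c, 0) for c in ("Adequate", "Inadequate", "Non-Existent")}


def share_not_adequate(counts: dict[str, int]) -> float:
    """Percent of agencies rated below Adequate, rounded to one decimal."""
    total = sum(counts.values())
    return round(100 * (total - counts["Adequate"]) / total, 1)


# Constructed sample responses for hypothetical agencies (not real survey data).
SAMPLE = {
    "Agency A": dict.fromkeys(KPIS, "YES"),                        # everything in place
    "Agency B": {**dict.fromkeys(KPIS, "YES"), "drp": "NO"},       # missing only the DRP
    "Agency C": {"iso_assigned": "yes", "password_controls": "Y"},  # no Big Four item
    "Agency D": {"risk_assessment": "YES"},                        # one Big Four item only
}

if __name__ == "__main__":
    for name, answers in SAMPLE.items():
        print(f"{name}: {categorize(answers)}")
    print(summarize(SAMPLE))
    # The report's own counts: 21 adequate, 66 inadequate, 17 non-existent
    print(share_not_adequate({"Adequate": 21, "Inadequate": 66, "Non-Existent": 17}))
```

Run with the report's counts, the last line gives 79.8, the "80 percent had inadequate security programs" figure the press later quoted, which combines the Inadequate and Non-Existent categories.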

Auditor of Public Accounts 33 How did APA report the results?
Formal report to the General Assembly and to the Governor
Posted to the Auditor of Public Accounts website
We structured the report to reflect history, current practices, best practices and recommendations

Auditor of Public Accounts 34 How did APA report the results?
APA made four recommendations:
1) VITA should develop a plan to communicate infrastructure information and standards to agencies that it supports
–Provide assistance and expertise to agencies
–Assume responsibility for ensuring IT infrastructure meets agencies’ needs and is secure

Auditor of Public Accounts 35 How did APA report the results?
APA made four recommendations:
2) The General Assembly may wish to consider granting the Commonwealth’s Chief Information Officer authority over the judicial and legislative information security programs

Auditor of Public Accounts 36 How did APA report the results?
APA made four recommendations:
3) The CIO and Information Technology Investment Board should consider supplementing the Commonwealth’s security standard with the additional processes (industry best practices) identified in this report

Auditor of Public Accounts 37 How did APA report the results?
APA made four recommendations:
4) The Commonwealth needs to adopt a strategy to provide sufficient resources to develop a proper information security plan
–Need to utilize a central resource such as VITA to assist small to medium sized agencies that do not have sufficient internal resources to develop a plan

Auditor of Public Accounts 38 How did APA report the results?
Then of course we added in all of the graphics which showed how many were adequate (21), inadequate (66), and non-existent (17)
We added the checklist in its entirety
We added the Best Practice Comparisons

Auditor of Public Accounts 39 What were the lessons learned and what would we have done differently?
Checklist questions should all be phrased so that a positive answer is always “YES”
We focused on the existence of policies and procedures; to follow up we would expand this to include implementation
We learned that our approach “to not identify the critical questions in advance” was a crucial decision and the right one

Auditor of Public Accounts 40 How have we used the report?
Using results as a baseline in audit planning
Where adequate, we are incorporating tests to ensure policies and procedures have been implemented
Where inadequate, we are following up on agencies’ efforts to address issues
Currently performing follow-up review

Auditor of Public Accounts 41 What was the response to the report we issued?
New Legislation
New Executive Orders
Improved Commonwealth Standards, Policies and Procedures
Increased awareness

Auditor of Public Accounts 42 Va. report: Sensitive data put at risk
Auditor says most state agencies have inadequate, porous security programs
BY PETER BACQUE, TIMES-DISPATCH STAFF WRITER, Dec 13, 2006
The majority of Virginia government agencies are doing an unacceptable job of protecting the huge amounts of sensitive information entrusted to them, according to a state report. Of 104 state agencies and institutions surveyed by the Auditor of Public Accounts, 80 percent had inadequate security programs, the report said.

Auditor of Public Accounts 43 Virginia Bill Would Require Notice When Personal Data Is Lost or Stolen
By Larry O'Dell, January 16, 2007
Two Virginia lawmakers said this week that they will introduce legislation requiring government agencies and businesses to notify Virginians if their personal information is lost or stolen. Brink also noted that an investigation by Virginia's Auditor of Public Accounts last year found that a majority of state agencies are doing an unacceptable job protecting citizens' private information.

Auditor of Public Accounts 44 Virginia Governor Signs Consumer Privacy, Security Orders
Jan 09, 2007 News Release
Governor Kaine signed Executive Order 43 (2007) directing Virginia's Secretary of Technology, Aneesh Chopra, to oversee efforts to examine state government data security policies and to ensure that they are enforced. The Executive Order follows a recent report from the Virginia Auditor of Public Accounts that concluded a majority of state government agencies in Virginia could do more to protect personal consumer information.

Auditor of Public Accounts 45 Contact Information J Kenneth Magee (804) Ext 6450 Staci Henshaw (804) Ext 352 If you want a copy of the checklist please leave me a business card and write CHECKLIST on the back of it.

Auditor of Public Accounts 46 LINKS National Institute of Standards and Technology Federal Information System Controls and Audit Manual CobiT ISO Virginia Standards

Auditor of Public Accounts 47 QUESTIONS

Auditor of Public Accounts 48 Thank you!