Audit Challenges and Best Practices in a Research University Environment NSAA Annual Conference Jeffrey Huskamp Vice President and CIO.

Slides:



Advertisements
Similar presentations
FMS. 2 Fires Terrorism Internal Sabotage Natural Disasters System Failures Power Outages Pandemic Influenza COOP/ Disaster Recovery/ Emergency Preparedness.
Advertisements

Security Education and Awareness Workshop January 15-16, 2004 Baltimore, MD.
CANHEIT | On the EDGE | June 15-18, 2008 | University of Calgary Collaborative Computing on an Institutional Level Steve Breeck, Harold Esche, Bill Richardson.
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
Eastern Illinois University September 23, 2002 A Presentation to the Illinois Board of Higher Education.
Pratt Institute Statistical Presentation.
Security and Personnel
David A. Brown Chief Information Security Officer State of Ohio
Data Ownership Responsibilities & Procedures
Copyright 2004 Turning Point Solutions Establishing Lines Of Communication Before a Crisis.
Alabama Geospatial Office Established May 2007 Mike Vanhook State GIS Coordinator.
President’s Cabinet April 12,  Process review  The “why” for the plan  The draft plan  Q & A  Implementation.
Just Think State of the University Address Presented by Chancellor Thomas F. George September 17, 2003.
Process Management Robert A. Sedlak, Ph.D Provost and Vice Chancellor, UW-Stout Education Community of Practice Conference At Tusside in Turkey September.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Chapter 10 Information Systems Management. Agenda Information Systems Department Plan the Use of IT Manage Computing Infrastructure Manage Enterprise.
Innovative Instruction Transformation Team Jeffrey Bartkovich, Monroe Community College Kim Scalzo, SUNY Center for Professional Development Carey Hatch,
1 IS112 – Chapter 1 Notes Computer Organization and Programming Professor Catherine Dwyer Fall 2005.
The Necessity of Collaboration A State-Wide Plan Ray Walker CIO UVU.
Pam Downs Ajay Gupta The Pennsylvania Prince George’s State University Community College "Copyright Penn State University This work is the intellectual.
Higher Education Cybersecurity Strategy, Programs, and Initiatives Rodney Petersen Policy Analyst & Security Task Force Coordinator EDUCAUSE.
Systemic Barriers to IT Security Findings within The University of Texas System Clair Goldsmith, Ph.D., Associate Vice Chancellor and CIO Lewis Watkins,
Breakout Session 2: Awareness and Training. B2: Awareness and Education Identification of constituencies Identification of challenge Inventory of existing.
User Services. Services Desktop Support Technical Support Help Desk User Services Customer Relationship Management.
NCCI/ACE Strategic Collaborations Partnering Across Boundaries to Leverage Impact and Resources David Gift, Vice Provost, Libraries, Computing and Technology.
CougarNet Dennis Fouty, Ph.D. Associate Vice Chancellor, University of Houston System Associate Vice President, University of Houston Mary Dickerson, MCSE.
Windows 2000 Windows 2000 Project Team Division of Information Technology Mary Dickerson, MCSE, Project Leader University of Houston Windows 2000 University.
SEC835 Database and Web application security Information Security Architecture.
1. Agenda Service Utilization Service Level Metrics Service Performance Review Incident Review Current / Future Service Plan Service Improvement Plan.
Collin County’s Doing More with Less How Collin County’s ITIL Framework has worked to do more with less.
Managing Your Grant Roberta Teliska Vice President for Sponsored Programs Operations The Research Foundation of SUNY October 6, 2008.
Value & Excitement University Technology Services Oakland University Information Technology Strategic Planning Theresa Rowe October 2004 Copyright Theresa.
Doing More with TeamTrack May 1, /17/2015 6:14 PM Goals and Objectives Increased Reuse of Critical Assets Increased Productivity and Effectiveness.
Information Technology and Enterprise Planning Status Report for The University of Georgia UGA President’s Cabinet April 21, 2005.
Implementation and Management of an Information Systems Practicum in a Graduate Computer Information Technology Curriculum S amuel C onn, Asst. Professor.
1 Strategic Thinking for IT Leaders View from the CFO Seminars in Academic Computing Executive Leadership Institute.
SUNY System Administration Federation Overview Gavin Hogan July 15th, 2009 A work in progress….
Best Practices: Enrollment Management Plan Lorie Hach Director of Student Success Lisa McLaughlin Institutional Data Coordinator.
Information Technology Study Fiscal Crisis and Management Assistance Team (FCMAT) Las Virgenes Unified School District Presented By: Leslie Barnes Steve.
FERPA: What you Need to Know The Family Educational Rights and Privacy Act & SEI.
SAM for Virtualizatio n Presenter Name. Virtualization: a key priority for business decision makers Technavio forecasts that the global virtualization.
1 User Policy (slides from Michael Ee and Julia Gideon)
Fall 2007 Internet2 Meeting The Xavier Story Catherine J. Lewis Vice President Office of Technology Administration October 9, 2007 Xavier University Of.
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
Managing Security Risks in the Federal Reserve System Marianne Emerson, Deputy Director Information Technology Division Board of Governors of the Federal.
EDUCAUSE 2005 Annual Conference October 19, 2005.
Office of Faculty Affairs August 25, Office of Faculty Affairs August 25, 2015 Professional.
Pennsylvania State University. We Are …. Penn State! Brett BixlerPhil CoolickLynn GarrisonBill MyersCarl Seybold.
Pro-active Security Measures
Core IT Assessment Approach Common Solutions Group IT Governance and Funding Workshop January, 2006 Philip Long Yale University.
Chapter 3 Pre-Incident Preparation Spring Incident Response & Computer Forensics.
Quickly Establishing A Workable IT Security Program EDUCAUSE Mid-Atlantic Regional Conference January 10-12, 2006 Copyright Robert E. Neale This.
Resources for Meeting Internet Safety Requirements Cheryl Elliott James Madison University Bill Johnsen Virginia Beach City Public Schools Educational.
Installation and Maintenance of Health IT Systems Unit 8a Troubleshooting; Maintenance and Upgrades; and Interaction with Vendors, Developers, and Users.
Information Security tools for records managers Frank Rankin.
ITIL® Service Asset & Configuration Management Foundations Service Transition Thatcher Deane 02/17/2010.
INFORMATION ASSURANCE POLICY. Information Assurance Information operations that protect and defend information and information systems by ensuring their.
IT Governance Purpose: Information technology is a catalyst for productivity, creativity and community that enhances learning opportunities in an environment.
UAB SCHOOL OF MEDICINE NEW FACULTY ORIENTATION October 19, 2011 September 30, 2009 Kathleen G. Nelson, MD Senior Associate Dean for Faculty Development.
MS in IT Auditing, Cyber Security, and Risk Assessment
Chapter 1 Computer Technology: Your Need to Know
Strategic Planning Update
INFORMATION TECHNOLOGY NEW USER ORIENTATION
Overview of IT Auditing
Best Practices: Enrollment Management Plan
Welcome to Penn State and University Overview
Cybersecurity Special Public Meeting/Commission Workshop for Natural Gas Utilities September 27, 2018.
INFORMATION TECHNOLOGY NEW USER ORIENTATION
INFORMATION TECHNOLOGY NEW USER ORIENTATION
Information Technology Organization Overview RFP #220-05
Presentation transcript:

Audit Challenges and Best Practices in a Research University Environment NSAA Annual Conference Jeffrey Huskamp Vice President and CIO

Audit Challenges and Best Practices in a Research University Environment University of Maryland, College Park Carnegie Doctoral/Research University – Extensive 18 th ranked public university (US News) Celebrated 150 th anniversary in 2006 Total budget $1.4B Enrollment Undergraduate – 25,857 Graduate – 10,157

Audit Challenges and Best Practices in a Research University Environment University of Maryland, College Park (cont’d) Employees Faculty – 3,752 (full-time and part-time) Staff – 4,829 Graduate assistants – 3,873 University structure and degrees 1250 acres Land grant institution for the State of Maryland 13 colleges/schools (no medical school) 127 undergraduate majors 112 graduate degrees

Audit Challenges and Best Practices in a Research University Environment The Research University Environment Academic ingenuity reigns (universities understand and teach chaos theory) Decentralized information technology environment for education and research >130 systems, separate IT groups in every large unit Loose federation for IT direction Strict accountability for central IT Complex, multivendor environment not conforming to one grand plan Stovepipes are woven into the history

Audit Challenges and Best Practices in a Research University Environment Campus Systems and Facilities Administrative system environment Locally written administrative systems Mostly mainframe based Vendor solutions around the edges (e.g. student recruitment) Networking 3500 wireless access points Host institution for the Mid-Atlantic Crossroads Member of Internet2 Data centers Two main central IT data centers Contracted mainframe disaster recovery site

Audit Challenges and Best Practices in a Research University Environment Old School Method of Audit Performance Improvement Central IT 0 Central IT 1.0 Audit Findings Audit Findings Central IT 2.0 Audit Findings Central IT 3.0 …

Audit Challenges and Best Practices in a Research University Environment Case Study State audit report published in September Findings including 3 repeated findings State audit began in October 2004 State audit report published in January Findings including 6 repeated findings Obviously moving in the wrong direction

Audit Challenges and Best Practices in a Research University Environment Motivation for Change Auditors are a “free” consulting service Expect decreased number of security incidents Expect decreased risk External perception of institution Professional pride Points of light in every organization Long term payoffs (with short term pain)

Audit Challenges and Best Practices in a Research University Environment New School Method of Audit Performance Improvement Central IT 0 Central IT 1.0 USM Guidelines Minor Audit Findings Central IT 1.1 Minor Audit Findings Central IT 1.2 …

Audit Challenges and Best Practices in a Research University Environment Do The Hard Work Step 1: Start with the goal of conforming to all aspects of the USM guidelines Step 2: Create a set of deliverables that will accomplish the goal Step 3: Create a project plan that results in accomplishing all deliverables and assigns responsibility (98 deliverables, 503 line items) Step 4: Track progress Step 5: Make mid-course corrections as needed

Audit Challenges and Best Practices in a Research University Environment Track Progress

Audit Challenges and Best Practices in a Research University Environment Does it work?????

Audit Challenges and Best Practices in a Research University Environment Does it work – part 2 The jury is out – the auditors are on campus and not finished

Audit Challenges and Best Practices in a Research University Environment Future Method of Audit Performance Improvement Central IT 0 Central IT 1.00 FISCAM ITIL Really Minor Audit Findings Central IT 1.01 Central IT 1.02 … Really Minor Audit Findings

Audit Challenges and Best Practices in a Research University Environment Pursue a Comprehensive Approach Get the institution involved NSA Academic Center of Excellence in Information Assurance Create the next generation of audit analysts for the institution Make it easy for units to reduce risk Look for software that can be campus site licensed Whole disk encryption to be available campus-wide Put campus policies in place that give responsibility for critical systems (e.g. networks, administrative systems) squarely on central IT Provide audit consulting to other units throughout the year

Audit Challenges and Best Practices in a Research University Environment If A Research University Wants To Be Better… Create an infrastructure for success Hire an internal IT auditor to be part of the central IT security staff, the point of contact for external auditors and consultant for all university units Create an ethics organization Establish a solid working relationship with the external auditors Raise awareness on campus Conduct formal audits of campus units with their cooperation Set a goal, develop a plan, recognize the implementation will take years, and there will be a budget impact

Audit Challenges and Best Practices in a Research University Environment If A Research University Wants To Be WAAAY Better… Information Technology Infrastructure Library Applications management Change management Asset and configuration management Incident management Operations management Problem management Release and deployment management Service continuity management …

Audit Challenges and Best Practices in a Research University Environment Mission: to promote responsible use of information technology through user education and policy enforcement Web site: Project NEThics Internet + Ethics = NEThics

Audit Challenges and Best Practices in a Research University Environment I’m Here To Help… Proactive “best practices” pointers High level analysis of the public audits from other agencies/units Prioritization of audit areas to address Citing the good things, even informally

Audit Challenges and Best Practices in a Research University Environment Future Technology Challenges WiMAX high speed connectivity Mobile devices containing sensitive data Grid/distributed computing

Audit Challenges and Best Practices in a Research University Environment Future Software Challenges Open source Kuali Foundation Source code modifications by other institutions Service Oriented Architecture for distributed computing The rise of open systems The fall of the mainframe Virtual teams Beyond the firewall Log overload Too many systems generating too many logs that need expensive log analysis tools to make any sense of the data

Audit Challenges and Best Practices in a Research University Environment Contact Information Dr. Jeff Huskamp Vice President and CIO University of Maryland 1122 Patuxent Building College Park, MD