Information Security and Internal Audit


Slide 1: Information Security and Internal Audit
Working Together

Slide 2: Copyright
Copyright Paul Lepkowski. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Slide 3: Summary
There are many ways whereby both Information Security and Internal Audit departments can work together. This session explores the successful model that Rochester Institute of Technology (RIT) has used to drive several IT security audits.

Slide 4: Session Outcomes
At the end of the session, an audience member will be able to:
- Identify the steps needed to utilize both audit and information security departments in an audit
- Design a plan for their next IT security audit
- Implement their next IT security audit in a more efficient manner

Slide 5: Topics
Areas of discussion include:
- Using Infosec resources to complement audit resources
- Handling the politics of both groups working together
- Audit planning
- Technical interpretation and advisement
- Vulnerability and penetration testing
- Benefits of this relationship will be explored in-depth

Slide 6: About the Speaker
Paul Lepkowski, Enterprise Information Security Lead Engineer, Rochester Institute of Technology (RIT)
- Certifications: CISSP, GIAC-GPEN
- Experience: 19 years in both network engineering and security; worked in both university and corporate environments
- Specializations: Network and systems security; Vulnerability assessment; Penetration testing; Private Information (PI) protection
- Professional Organizations: ISSA; Rochester Infragard – Vice President; IEEE
- Audit Role: Provide technical assistance regarding all aspects of IT audits to RIT Internal Audit

Slide 7: Special Acknowledgment
Elisa Cockburn, CPA, Senior Internal Auditor, RIT’s Institute Audit, Compliance, and Advisement
- Specializes in accounting and information systems auditing
- MBA in MIS
- Member of the Association of College and University Auditors (ACUA), the Institute of Internal Auditors (IIA), and the Information Systems Audit and Control Association (ISACA)

Slide 8: About RIT
Rochester Institute of Technology
- Founded in 1829
- Rochester, NY
- 17,500 active students
- 11th largest private university in the US
- 3,600 faculty and staff
- Undergraduate and graduate level Information Security programs

Slide 9: Organizational Considerations
At RIT, these are separate and independent groups:
- Chief Financial Officer
- Board of Directors – Audit Committee
- Internal Audit
- Global Risk Management
- Information and Technology Services (ITS)
- Information Security Office (ISO)

Slide 10: The Problem
Often the internal audit department does not have the time, technical expertise, or budget to properly handle IT security audits.
- Audit groups consist of a small group of people and some part-time auditors
- Audit needs to be as cost effective and efficient as possible
- Audit needs specialized technical expertise for IT security audits

Slide 11: The Problem (cont'd)
- Finding people with both audit and highly technical skill sets can be challenging
- Funding for external auditors is limited
- At a high tech university, assistance is especially needed for: planning, interviewing, gathering data, interpreting data, reporting

Slide 12: The Problem (cont'd)
The Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF) requires the following:
- 1100 – Independence and Objectivity: The internal audit activity must be independent, and internal auditors must be objective in performing their work.
- 1210.A1 – Proficiency: The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.

Slide 13: A Solution (for RIT, anyway)
- The Information Security Office can provide assistance to fill in these gaps.
- Both departments can be used for a successful audit, given the close synergies between audit and security.
- External auditors may be used on a limited basis for cost efficiency.
- Joint work between ISO and Internal Audit complies with the international standards for the internal audit profession as long as both remain independent organizations.

Slide 14: Planning the Audit
Risk assessments
- Where to audit? Previous incidents or high risk areas with known issues
- ISO can provide valuable information, especially on types of incidents and knowledge of the environment and technology
Politics
- Make sure the groups being audited understand that you have the best interests of the university in mind for the audit
- Audits can be used to help an IT group move forward with processes and with justification for projects and/or much needed hardware/software

Slide 15: Planning the Audit (cont'd)
Setting expectations
- Scope
- Timelines
- Plan resource time (estimated number of hours for both audit and ISO personnel)
Roles and responsibilities
- Internal Audit runs the audit
- ISO assists with all phases of the audit and acts in an advisory role
- ISO is a member of the audit team
- ISO is the technical resource (e.g. vulnerability scanning, pen testing, etc.)

Slide 16: Planning the Audit (cont'd)
Internal or external?
- Gaps in expertise or specialties needed?
- Workload and cost considerations
- RFPs for external assistance
Non-disclosure
- In place between Internal Audit and ISO
- Include co-ops, student employees, external auditors
Handling work papers and sensitive documents
- Audit is the authoritative source for work papers

Slide 17: Planning the Audit (cont'd)
Audit format
- Define the audit steps
- Use frameworks such as COBIT, ISO 27001, ITIL
- Use best practices such as NIST, DISA STIGs, PCI, others
- Time estimates for all steps
Define procedures that will be done by each office
- Interviews – Internal Audit and ISO
- Vulnerability scans, pen testing – ISO
- Code reviews – external auditor
Tools needed

Slide 18: Fieldwork
Interviewing
- Audit and ISO both take notes and compare
- Gather screenshots for supporting data
Standards checklists (internal standards)
Configuration review
- Gather configuration files
- Show me “xyz” settings
Testing
- Vulnerability scanning
- Penetration testing
- Configuration scanning and reporting

Slide 19: Analysis
- Benchmarking other universities and the industry
Prioritization
- Risk
- Impact
- Probability
- Ease of remediation
Technical interpretation
- Consensus between ISO and Internal Audit

Slide 20: Presentation
- Findings – major issues
- Discussion topics – low risk issues
- Periodic status reports to the group being audited so there are no surprises
- Both Internal Audit and ISO in the final presentation

Slide 21: Impact and Lessons Learned
- This effort has had a very positive impact on the university. It clearly shows the benefits that a teamwork based approach has provided the university.
- Cost savings in both people time and external consulting time were substantial (estimated to be $50,000+ per audit).
- It also builds trust amongst the groups.
- Achieved greater alignment between the Risk Management, ISO, and Internal Audit departments.
- Helps to “jump start” the audit process, since ISO is already familiar with the environment, and allows the audit to reach a greater level of depth quickly.

Slide 22: Impact and Lessons Learned (cont'd)
- Audits can help the IT groups to obtain the funding and resources that they need to fill gaps
- Acquired expertise stays in house
- Integration with external consultants can work well, especially with clearly defined tasks (e.g. code review)
- Allows easy follow-up on audit issues and audit responses

Slide 23: Questions?
