Presentation is loading. Please wait.

Presentation is loading. Please wait.

IT Audit Processes and Audit

Published byMargaretMargaret Hawkins Modified over 6 years ago

Similar presentations

Presentation on theme: "IT Audit Processes and Audit"— Presentation transcript:

1 IT Audit Processes and 2016 Email Audit
2017

2 What is an IT Audit? an examination of the practices, procedures, and management controls within an information technology (IT) infrastructure.

3 Auditing Agencies Federal Louisiana Legislative LSU Internal
Typically grant-related Reports go to granting federal agency Louisiana Legislative Reports go to Legislature LSU Internal Reports go to University leadership

4 Process for Addressing IT Audits
Receive audit findings from Internal Audit. Draft management response to audit findings. CFO and Provost approve management response. Communicate audit findings, responses, and initial timetable to departmental Technology Support Personnel (TSP) so they can absorb and respond. Develop draft policy language through security advisory committee. Submit draft policy to Academic Affairs for formal process and review by affected stakeholders. Receive and merge concerns from TSP’s and stakeholders. Determine which concerns can be addressed relative to the findings and how.  Develop strategy or strategies to address. Surface identified issues and strategies with ITS Faculty IT Advisory Council and other groups with interest. Revisit with internal audit and senior departmental admins to evolve strategies. Iterate to step 7 until all issues resolved or decisions rendered.

5 2016 Email Audit Conducted by LSU Internal Audit in early 2016
Areas of Focus Proper retention of Disaster recovery and business continuity planning Logical and physical security Initial findings presented in July of 2016 Management response and final report in November 2016

6 2016 Email Audit Findings 5 Findings
3 Findings affect the Baton Rouge campus

7 Finding 1 Finding Response
LSU management should revise PS 6.15, “ Use Policy” to recognize the institution's responsibility for ensuring compliance with retention requirements. Response The LSU IT Security and Policy Group will convene an advisory group and begin the process of revising PS and possibly other information security policies in the current fiscal year (FY17).

8 Finding 2 Finding Response
LSU should take steps to implement the legal hold or archival controls of s as soon as possible. LSU ITS has tested and is prepared to deploy legal hold controls for the campus-wide Office 365 system. The legal hold controls provided will ensure that s are retained as required. Response Implemented August 1, 2016 (for central systems).

9 Finding 3 Finding Response Notes
All departments currently operating independent systems, with the exceptions noted below, should begin migration of users to the LSU Office365 system. All employees on the LSU campus are provided with an LSU account within the Office 365 system deployed by LSU ITS. This recommended action would provide services at no additional cost to departments and would eliminate unnecessary duplication of services. The migration of to the LSU Office 365 system will also provide the necessary controls to address the legal requirements for retention following the implementation of Recommendation 2. Response The LSU IT Security and Policy Group will begin developing a tentative plan for migrating unit services to the central Office 365 service in the current fiscal year. Notes Louisiana Revised Statutes, Title 44

10 Status of the Mitigation Process for the 2016 Email Audit
Receive audit findings from Internal Audit. Draft management response to audit findings. CFO and Provost approve management response. Communicate audit findings, responses, and initial timetable to departmental Technology Support Personnel (TSP) so they can absorb and respond. Develop draft policy language through security advisory committee. Submit draft policy to Academic Affairs for formal process. Receive and merge concerns from TSP’s and senior departmental admins. Determine which concerns can be addressed relative to the findings and how.  Develop strategy or strategies to address. Surface issues and strategies with ITS Faculty IT Advisory Council and other groups with interest. Revisit with internal audit and senior departmental admins to evolve strategies. Iterate to step 7 until all issues resolved.

11 Draft Policy Language General Policy
LSU owns all LSU.EDU addresses/ accounts/ boxes. addresses/ accounts/ boxes are assigned to individuals as a tool for facilitating teaching, research, and conducting University business.    Primary accounts are not to be transferred to any other person; however, primary accounts may be shared with another individual, based on business requirements.

12 Draft Policy Language Naming Convention (email accounts)
Employees and affiliated individuals who are granted an LSU account will receive an address in a format and design determined by the University that is distinguishable, as well as unique. Departmental Services The University is required to comply with Louisiana R.S.Title 44 which outlines the requirements for retention or archiving of . Thus, University departments shall not operate their own departmental services in order to facilitate compliance and public records requests.

13 Draft Policy Language Email Retraction
The University’s Information Security Team may also retract messages from University accounts that have been identified to be malicious and intended to cause harm to the University community, systems and/or network. Any retraction to be conducted by the Information Security Team shall be provided to the Chief Information Security Officer (CISO) in writing and approved prior to being implemented. 

14 What’s next? Formal review of policy language through Academic Affairs established process Documentation and validation of any business requirements surfaced by TSP’s and reviewers University decision on the question of branding Selection and implementation of new Identity and Access Management System (IAM) and other IT solutions to address identified and accepted business requirements.

15 Questions?

Download ppt "IT Audit Processes and Audit"

Similar presentations

EMS Checklist (ISO model)

EMS Checklist (ISO model)
Identification and Disposition of Official University Records University of Texas at Arlington Records Management.

Identification and Disposition of Official University Records University of Texas at Arlington Records Management.
Document Control DAP Quality Conference May 12, 2008 Debbie Penn.

Document Control DAP Quality Conference May 12, 2008 Debbie Penn.
E-Discovery New Rules of Civil Procedure Presented by Lucy Isaki January 23, 2007.

E-Discovery New Rules of Civil Procedure Presented by Lucy Isaki January 23, 2007.
BUSINESS PROCESS IMPROVEMENT INITIATIVES Chad Cleveland June 18, 2014 BAAF Meeting.

BUSINESS PROCESS IMPROVEMENT INITIATIVES Chad Cleveland June 18, 2014 BAAF Meeting.
OFFICE OF PROGRAM POLICY ANALYSIS & GOVERNMENT ACCOUNTABILITY The Legislative Sunset Review Process Darwin Gamble, Senior Legislative Analyst OPPAGA February.

OFFICE OF PROGRAM POLICY ANALYSIS & GOVERNMENT ACCOUNTABILITY The Legislative Sunset Review Process Darwin Gamble, Senior Legislative Analyst OPPAGA February.
Institute of Municipal Finance Officers & Related Professions

Institute of Municipal Finance Officers & Related Professions
Session 6: Data Integrity and Inspection of e-Clinical Computerized Systems May 15, 2011 | Beijing, China Kim Nitahara Principal Consultant and CEO META.

Session 6: Data Integrity and Inspection of e-Clinical Computerized Systems May 15, 2011 | Beijing, China Kim Nitahara Principal Consultant and CEO META.
April 2, 2013 Longitudinal Data system Governance: Status Report Alan Phillips Deputy Director, Fiscal Affairs, Budgeting and IT Illinois Board of Higher.

April 2, 2013 Longitudinal Data system Governance: Status Report Alan Phillips Deputy Director, Fiscal Affairs, Budgeting and IT Illinois Board of Higher.
Agenda 1. Definition and Purpose of Data Governance

Agenda 1. Definition and Purpose of Data Governance
Electronic Records Management: What Management Needs to Know May 2009.

Electronic Records Management: What Management Needs to Know May 2009.
Wetlands Reserve Program Case Study An Overview of the External Audit Process Helping People Help The Land.

Wetlands Reserve Program Case Study An Overview of the External Audit Process Helping People Help The Land.
Creating an Effective Email Policy Central Missouri Chapter Jesse Wilkins April 16, 2009.

Creating an Effective Policy Central Missouri Chapter Jesse Wilkins April 16, 2009.
Agency Risk Management & Internal Control Standards (ARMICS)

Agency Risk Management & Internal Control Standards (ARMICS)
Best Practices: Financial Resource Management February 2011.

Best Practices: Financial Resource Management February 2011.
Internal Risk Assessments and Corrective Action Planning IT Decentralized Risk Assessment Corrective Action Planning Workgroup February, 2010.

Internal Risk Assessments and Corrective Action Planning IT Decentralized Risk Assessment Corrective Action Planning Workgroup February, 2010.
CORPORATE RECORDS RETENTION POLICY TRAINING By: Diana C. Toman, Corporate Counsel & Assistant Secretary.

CORPORATE RECORDS RETENTION POLICY TRAINING By: Diana C. Toman, Corporate Counsel & Assistant Secretary.
U.S. Department of Education Safeguarding Student Privacy Melanie Muenzer U.S. Department of Education Chief of Staff Office of Planning, Evaluation, and.

U.S. Department of Education Safeguarding Student Privacy Melanie Muenzer U.S. Department of Education Chief of Staff Office of Planning, Evaluation, and.
Expectations and Accountability in Regional Accreditation Ellie A. Fogarty, EdD – Vice President Debra G. Klinman, PhD – Vice President Middle States Commission.

Expectations and Accountability in Regional Accreditation Ellie A. Fogarty, EdD – Vice President Debra G. Klinman, PhD – Vice President Middle States Commission.
ITCC / IT Retreat Data Access Procedure December 10, 2009 Karl F. Lutzen Information Security Officer.

ITCC / IT Retreat Data Access Procedure December 10, 2009 Karl F. Lutzen Information Security Officer.

Similar presentations

Ads by Google