Presentation is loading. Please wait.

Presentation is loading. Please wait.

IT Audit Response A cross-discipline approach

Published byJune Elliott Modified over 6 years ago

Similar presentations

Presentation on theme: "IT Audit Response A cross-discipline approach"— Presentation transcript:

1 IT Audit Response A cross-discipline approach
Stephen C. Gay CISSP Information Security Officer Kennesaw State University

2 Copyright Stephen C. Gay, 2010
Copyright Stephen C. Gay, This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

3 Presentation Outline Prologue
The Georgia Department of Audits & Accounts 2008 IT Audit Summary of Findings Response Current Status Closing Thoughts / Discussion

4 Presentation Format For each section… Narrative of KSU’s experience
In-depth examination of select points Lessons Learned \ Tools Discussion!

5 IT Audit Response A cross-discipline approach Section I: Prologue

6 Kennesaw State University
Founded in 1963 3rd largest university in Georgia 22,500 undergraduate & graduate students 2,500 faculty & staff 70 bachelor’s, master’s and doctorate degree programs Information Security Office founded 2006

7 To Do…

8 Prologue: Lessons Learned
Be careful what you wish for…

9 IT Audit Response A cross-discipline approach Section II: The Georgia Department of Audits & Accounts 2008 IT Audit

10 The Georgia Department of Audits & Accounts 2008 IT Audit
April 2008 – December 2008 3-member team Scope: “The information systems and applications that were publically accessible and those that included or interacted with Kennesaw State University’s Banner Student Information System”

11 The Georgia Department of Audits & Accounts 2008 IT Audit
April 2008 – December 2008 3-member team Scope: “The information systems and applications that were publically accessible and those that included or interacted with Kennesaw State University’s Banner Student Information System”

12 2008 IT Audit - Domains evaluated
Systems Security & Protection Data & Systems integrity Change Management Identification & Authentication Access Control Education & Awareness Contingency Planning Policy & Procedures Systems & Services Acquisition Auditing Incident Response

13 2008 IT Audit - Domains evaluated (w/ 27001 mapping)
Systems Security & Protection – Asset management Data & Systems integrity – Communication & Operations Mgmt Change Management - Systems development & maintenance Identification & Authentication – Access Control Access Control – Access Control Education & Awareness – Human Resources Security Contingency Planning – Business Continuity Plan Policy & Procedures – Security Policy Systems & Services Acquisition – Asset management Auditing - Compliance Incident Response – Information Security & Incident Mgmt

14 2008 IT Audit - Timeline May 2008 June 2008 July 2008 August 2008
Initial document request June 2008 Results from (external) network scan Audit team arrives at KSU July 2008 Interviews with KSU IT Staff Results from (internal) network scan August 2008 Audit team leaves KSU November 2008 Final Report DRAFT submitted to KSU Feedback Meeting Final Report published to DOAA website

15 Incident Response… Let’s look at a couple of examples
2008 IT Audit - Timeline Incident Response… Let’s look at a couple of examples

16 2008 IT Audit – In-depth examination: Banner numerical login
OwlExpress Login, Pre-October 2008 KSU ID & DOB or NetID & Password DOAA Audit team Collected Student Athlete DOB’s from KSU Athletics website Collected KSU ID from NetID search page Result: Account compromise

17 Lessons Learned In-depth examination: Banner numerical login
OwlExpress Login, Pre-October 2008 KSU ID & DOB or NetID & Password DOAA Audit team Collected Student Athlete DOB’s from KSU Athletics website Collected KSU ID from NetID search page Result: Account compromise

18 2008 IT Audit – In-depth examination: FERPA data in public web space
A pair of data sources Text file hosted on faculty member’s KSU homepage KSU ID & Test Score Oracle Web Cache KSU ID & SSN matrix SSN <> KSU ID <> Test Score Result: Potential FERPA disclosure for 32 students & Audit Finding 1.8

19 Lessons Learned In-depth examination: FERPA data in public web space
A pair of data sources Text file hosted on faculty member’s KSU homepage KSU ID & Test Score Oracle Web Cache KSU ID & SSN matrix SSN <> KSU ID <> Test Score Result: Potential FERPA disclosure for 32 students & Audit Finding 1.8

20 IT Audit Response A cross-discipline approach Section III: Summary of Findings

21 Summary of Findings “Inadequate security controls leave personal information and critical systems vulnerable to possible attack or exploitation.”

22 Initial Summary of Findings
Systems Security & Protection – 9 Data & Systems integrity - 1 Change Management - 5 Identification & Authentication -7 Access Control - 5 Education & Awareness - 1 Contingency Planning - 4 Policy & Procedures - 3 Systems & Services Acquisition – 1 Auditing - 4 Incident Response - 0 Total: 40

23 A closer examination of findings for a single domain
Systems Security & Protection 1.1 – No DMZ 1.2 – No review of firewall rules before implementation 1.3 – No annual review of existing firewall rules 1.4 – FTP & Telnet usage at KSU 1.5 – Application log files found in public directories 1.6 – Web Directory indexing enabled on critical servers 1.7 – Redundant copies of web pages found in public web space 1.8 – Potential FERPA disclosure (as discussed earlier) 1.9 – No scheduled vulnerability scans of KSU servers

24 IT Audit Response A cross-discipline approach Section IV: Response

25 Response November 2008 – CIO & Stakeholder Meeting
ITS Information Security Office assigned coordination responsibilities Commitment to the security of university data and the closure of all findings.

26 Response No findings are to be closed without necessary documentation to support closure & maintenance A cross-discipline approach Quarterly update reports to USG, via KSU Internal Audit Department Balance the mission of the University with the need to resolve audit findings “It’s not about saying no, it’s about saying how” David Rowan, Chief Security Officer SunTrust Banks

27 Response December 2008 Residual Risk Mitigation Form
Individual assigned primary responsibility for EACH finding Supporting staff documented Closure requires primary and one supporting staff sign-off, followed by ITS Information Security Office review

28 Response: Q3 FY09 14 findings closed, including: FW rule documentation
Web Directory Indexing Scheduled Server Scans Default Passwords Incident Responses Policy heading revisions

29 Response: Q4 FY09 7 findings closed, including: Annual Firewall review
FTP & Telnet Usage Redundant web copies Default files & directories on web servers SETA for new hires

30 Response: Q1 FY10 5 findings closed, including:
Inventory of system configurations SDLC for production servers Banner Procedures SDLC usage documentation

31 Response: Q2 FY10 Zero findings closed…why? Focus on maintenance tasks
Concentrated efforts in the domains of disaster recovery & auditing Other responsibilities…

32 Response: Q3 FY10 4 findings closed, including: Modular IT DR Plan
IT DR Plan testing Auditable data definition

33 IT Audit Response A cross-discipline approach Section V: Current Status

34 Current Status 30 of 40 findings closed (75%)
Reexamination & maintenance of findings previously closed Approaching anticipated return of DOAA Audit team

35 IT Audit Response A cross-discipline approach Section VI: Closing Thoughts & Lessons Learned

36 Closing Thoughts / Lessons Learned
A formal engagement meeting is a necessity Audit scope is clearly defined Procedures for reporting critical findings Single point of contact, with backup A formal response meeting is a necessity Match stakeholders to specific findings Procedures for reporting responses Single point for response coordination, with backup It is critical to develop quantitative measures for all projects or tasks. Especially maintenance / reoccurring tasks

37 Closing Thoughts / Lessons Learned (cont)
An information security framework is critical To better communicate the overarching impact of a finding To match appropriate safeguards. A collaborative relationship between the audit team and the university is crucial to reap the most benefit from the audit work performed

38 Questions or Comments about IT Audit Response?
Feel free to contact me! Stephen C. Gay Kennesaw State University

39 What did you think? Your input is important to us!
Click on “Evaluate This Session” on the EDUCAUSE Security program page.

Download ppt "IT Audit Response A cross-discipline approach"

Similar presentations

Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.

Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.
Making the Case for Security: An Application of the NIST Security Assessment Framework to GW January 17, 2003 David Swartz Chief Information Officer Guy.

Making the Case for Security: An Application of the NIST Security Assessment Framework to GW January 17, 2003 David Swartz Chief Information Officer Guy.
The Power of the Core Service Catalog Michele Morrison and Brian Hosier EDUCAUSE – Wednesday, October 19, 2005 Copyright Michele Morrison 2005. This work.

The Power of the Core Service Catalog Michele Morrison and Brian Hosier EDUCAUSE – Wednesday, October 19, 2005 Copyright Michele Morrison This work.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
UWM CIO Office A Collaborative Process for IT Training and Development Copyright UW-Milwaukee, 2007. This work is the intellectual property of the author.

UWM CIO Office A Collaborative Process for IT Training and Development Copyright UW-Milwaukee, This work is the intellectual property of the author.
Unraveling Web Development PRESENTERS: Bob Nakles and Paras Kaul, George Mason University.

Unraveling Web Development PRESENTERS: Bob Nakles and Paras Kaul, George Mason University.
Moving Out of The Shadows: Shining a Light on Data David Rotman Director of Computer Services Mark Mazelin Web Development Coordinator Copyright David.

Moving Out of The Shadows: Shining a Light on Data David Rotman Director of Computer Services Mark Mazelin Web Development Coordinator Copyright David.
Risk Assessment 101 Kelley Bradder VP and CIO Simpson College.

Risk Assessment 101 Kelley Bradder VP and CIO Simpson College.
Achieving and Sustaining HIPAA Compliance October 4, 2002 David Swartz George Washington University Melissa Glynn PricewaterhouseCoopers LLP.

Achieving and Sustaining HIPAA Compliance October 4, 2002 David Swartz George Washington University Melissa Glynn PricewaterhouseCoopers LLP.
Cheryl Ast Project Team Leader, Administrative Computing Services (949) 824-7367 2003 EDUCAUSE Southwest Regional Conference University of.

Cheryl Ast Project Team Leader, Administrative Computing Services (949) EDUCAUSE Southwest Regional Conference University of.
Copyright Dr. Thomas L. Franke, Ms. Candace F. Benson, and Ms. Dixie L. Lawson (2003). This work is the intellectual property of the authors. Permission.

Copyright Dr. Thomas L. Franke, Ms. Candace F. Benson, and Ms. Dixie L. Lawson (2003). This work is the intellectual property of the authors. Permission.
Information Security Governance in Higher Education Policy2004 The EDUCAUSE Policy Conference Gordon Wishon EDUCAUSE/Internet 2 Security Task Force This.

Information Security Governance in Higher Education Policy2004 The EDUCAUSE Policy Conference Gordon Wishon EDUCAUSE/Internet 2 Security Task Force This.
Intellectual Property Protocol and Assessment for Distance Learning Liz Johnson Project Manager Advanced Learning Technologies Board of Regents of the.

Intellectual Property Protocol and Assessment for Distance Learning Liz Johnson Project Manager Advanced Learning Technologies Board of Regents of the.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
Collaborative Course Development Educause Southeast Regional Conference 2002 Libby V. Morris, Associate Professor, UGA Wendy Bedwell, Project Coordinator,

Collaborative Course Development Educause Southeast Regional Conference 2002 Libby V. Morris, Associate Professor, UGA Wendy Bedwell, Project Coordinator,
EDUCAUSE April 25, 2006Enforcing Compliance with Security Policies … Enforcing Compliance of Campus Security Policies Through a Secure Identity Management.

EDUCAUSE April 25, 2006Enforcing Compliance with Security Policies … Enforcing Compliance of Campus Security Policies Through a Secure Identity Management.
Page 1 Copyright Jill M. Forrester 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for.

Page 1 Copyright Jill M. Forrester This work is the intellectual property of the author. Permission is granted for this material to be shared for.
Information Technology Services 1 Copyright Copyright Marc Wallman and Theresa Semmens, 2006. This work is the intellectual property of the authors. Permission.

Information Technology Services 1 Copyright Copyright Marc Wallman and Theresa Semmens, This work is the intellectual property of the authors. Permission.
Network Vulnerability Assessment Methodology Lesson 6.

Network Vulnerability Assessment Methodology Lesson 6.
Managing Intellectual Property for Distance Learning Liz Johnson Project Manager Advanced Learning Technologies Board of Regents of the University System.

Managing Intellectual Property for Distance Learning Liz Johnson Project Manager Advanced Learning Technologies Board of Regents of the University System.

Similar presentations

Ads by Google