Presentation is loading. Please wait.

Presentation is loading. Please wait.

Technology Audit Plan ----BCSY University

Published bySeweryn Małecki Modified over 6 years ago

Similar presentations

Presentation on theme: "Technology Audit Plan ----BCSY University"— Presentation transcript:

1 Technology Audit Plan ----BCSY University
Team Member: Marsha Billups Qiyu Chen Ping Sun Ruby (Qianru) Yang

2 1.Background 2.Audit scope 3.Findings 4.conclusion
Agenda 1.Background 2.Audit scope 3.Findings 4.conclusion

3 Background BCSY University is a private university located in Downtown Boston. There is a Intensive English Language Program (IELP) department in BCSY university attracts students from all over the world to the historic city of Boston, a cultural and culinary center. The objective of this audit is to review Temple University Intensive English Language program’s Enterprise Database security controls. The Database mainly store student PII information. This audit shall focus primarily on Vulnerability Management, Change Management, Access Control and Data Loss Prevention. We shall explore current control processes, find the weakness and access the control environment.

4 Audit scope Database integrity and consistency
System development life cycle process Physical and logical access to database servers Data Protection Data Accuracy Analysis Data Backup and recovery processes

5 Finding 1:Unauthorized Physical Access
Fact – Lack of adequate security measures that prevents and limits entry points physical access to the servers. Standards – NIST SP presents that how and why organizations should deploy PACS (Physical Access Control Systems). Root Cause of the issue - Lack of pay attention to data security control beside technology field. Impact - High Recommendations - 1. Using physical individual ID cards to unlock the data center door. 2. Using cameras to secure the data rooms.

6 Finding 2: Weak Change Management Implementation
FACTS: IT Change Review Board approved all changs, however, for 26 of 30 samples selected, the business approval was a blanket approval for as many changes required for the overall project, as opposed to individual changes For 25 of 30 samples selected, the change request was not formally documented with the BCSY’s IT Tracking (ITRAC) system prior to System Owner approval For 29 of 30 samples selected, evidence of business User Acceptance Testing (UAT) was not formally documented Although Emergency Change procedures are formally documented, there is no time frame documented for obtaining IT Change Board approval, in the event that verbal approval is obtained.

7 Finding 2: Weak Change Management Implementation
STANDARDS: BCSY IT Change Management Procedures BCSY IT Internal Control Handbook IELP System Change Management Work Instructions (CMWI) Change Management SOX Controls ROOT CAUSE: IELP System Change Management Work Instructions did not address all areas identified in the BCSY IT Change Management Procedures IELP CMWI not followed

8 Finding 2: Weak Change Management Implementation
IMPACT: Strong change control procedures such as proper approvals, formally documenting UAT, and time frames for obtaining formal approval for emergency changes, helps to ensure only authorized and proper changes that are in line with university needs are transferred into production and allow for traceability of changes. RECOMMENDATIONS: Update the IELP System Change Management Work Instructions to clearly document the requirement the Business approval for each individual change, & immediately communicate and ensure adherence to this procedure. Ensure that all Change request are formally documented within within ITRAC prior to obtaining System Owner approval. Formally document & retain evidence of UAT for all System Owner related changes, & update the CMWI to retain evidence of testing within ITRAC or provide traceability to evidence. Update the CMWI to include a time frame for obtaining formal Change Board approval, in the event that verbal approval is obtained for emergency changes.

9 Finding 3: Removable Devices Using
Fact – Students’ PII were copied from the database via portable USB devices which were not Encrypt. Standards -NIST Special Publication Revision 1 Root Cause of the issue - Student workers were not fully educated about policy. Impact - High Recommendations- Training for every student workers. Limitation of access to sensitive data NIST Special Publication Revision 1 Guidelines for Managing the Security of Mobile Devices in the Enterprise Student workers were not fully educated about policy. student workers are mostly unaware of the dangers of using unapproved removable portable devices on the network to copy and transfer data. The impact is high because sensitive data leakage occurrence especially regarding to PII, and sensitive data exposure that may occur if these devices gets lost or stolen.

10 Finding 4: Bad backup policy
Fact – The data stored in the database from half year ago did not have a backup Standards – According to NIST , system data should be backed up regularly. Policies should specify the minimum frequency and scope of backups (e.g., daily or weekly, incremental or full) based on data criticality and the frequency that new information is introduced. ) Root Cause of the issue: the administrator of database backup data randomly Impact to the business:high, losing data bring huge damage to student and bring bad reputation to the university. Recommendations: backup the data every two months.

11 Conclusion Overall overall rating for effectiveness of the processes and controls: Unsatisfactory Four high risk rating finding: 1.Unauthorized Physical Access 2.Weak Change Management Implementation 3.Removable Devices Using 4.Bad backup policy

Download ppt "Technology Audit Plan ----BCSY University"

Similar presentations

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
Course Material Overview of Process Safety Compliance with Standards

Course Material Overview of Process Safety Compliance with Standards
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
CIP Cyber Security – Security Management Controls

CIP Cyber Security – Security Management Controls
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
Information Systems Audit Program (cont.). PHYSICAL SECURITY CONTROLS.

Information Systems Audit Program (cont.). PHYSICAL SECURITY CONTROLS.
Auditing Computer Systems

Auditing Computer Systems
Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.

Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Pertemuan 20 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan 20 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
SOX & ISO 27001 Protect your data and be ready to be audited!!!

SOX & ISO Protect your data and be ready to be audited!!!
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Security Information Management Firewall Management, Intrusion Detection, and Intrusion Prevention Intrusion Detection Busters Katherine Jackowski Elizabeth.

Security Information Management Firewall Management, Intrusion Detection, and Intrusion Prevention Intrusion Detection Busters Katherine Jackowski Elizabeth.
1 LOGICAL ACCESS FOR University Medical Group Saint Louis University Click the Speaker Icon for Audio.

1 LOGICAL ACCESS FOR University Medical Group Saint Louis University Click the Speaker Icon for Audio.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
ISMS for Mobile Devices Page 1 ISO/IEC 27001 Information Security Management System (ISMS) for Mobile Devices Why apply ISMS to Mobile Devices? Overview.

ISMS for Mobile Devices Page 1 ISO/IEC Information Security Management System (ISMS) for Mobile Devices Why apply ISMS to Mobile Devices? Overview.

Similar presentations

Ads by Google