Slide 1: 2011-2012 IT Audit Summary

Bruce Patrou, Chief Information and Technology Officer, St. Johns County School District
Email: patroub@stjohns.k12.fl.us

Rick Laneau, Data Center Manager, Information Services, School District of Hillsborough County
Email: rick.laneau@sdhc.k12.fl.us
Slide 2: User Account Management

- Develop a system to provision user accounts
- Document your methods
- Ensure your system handles account revocation
- Link accounts to your directory system (if able)
- Project at St. Johns:
  - Working to employ Microsoft FIM (for employees)
  - Auto-provision accounts when new/changed in the HR system
  - Automatic account rights revocation/lockout
  - Groups and rights tied to role
  - Accounts cross multiple systems
  - Accounts tied to MS Active Directory
Slide 3: User Access Rights

- Limit users to role-based system rights
- Review user rights
  - Document results
  - Make changes from findings
  - Perform as often as practical
- Document account approval procedures
- Avoid exceptions to your rules
Slide 4: Data Loss Prevention

- School districts handle lots of sensitive data
  - Student academic records (many elements)
  - Staff sensitive data (SSN, medical, etc.)
- Loss or unauthorized disclosure can be damaging
  - Identify what is sensitive and where it is located
  - Identify how it is accessed and via what systems
  - Identify how to control its transmission
    - Policies, procedures
    - Monitoring
    - Encryption
    - User awareness and training
Slide 5: Data Loss Prevention

- Supported by multiple documents:
  - Employee Acceptable Use Policy
  - Procedures for Handling Student Directory Information
  - IT Procedures Handbook
    - Procedures for handling and transmitting sensitive data
    - Location and security of sensitive/critical data
    - Data inventory
    - Data backup
    - Training and awareness
Slide 6: Disaster Recovery and Testing

- Identify critical processes
- Identify key staff to participate
- Cold or hot remote site
- Annual testing
- Daily log file updates
- Dedicated connection preferred
Slide 7: User Authentication Security Settings

- Password length (minimum 8)
- Password complexity enabled
- Password history
- Password lockout after x number of attempts
- Password expiration (60 days)
- Document your settings
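As an added example (not part of the original presentation), a small Python audit helper that compares an exported set of password-policy settings against the baseline on this slide and flags anything weaker. The setting names, the 5-attempt lockout threshold and the 24-password history are constructed assumptions, since the slide leaves x and the history depth open, and the complexity check follows the common "three of four character classes, no account name" rule rather than any one product's implementation.

```python
import re

# Baseline from the slide (length 8, expiration 60 days). The 24-password
# history and 5-attempt lockout are assumed values: the slide leaves them open.
BASELINE = {"min_length": 8, "complexity": True, "history_size": 24,
            "lockout_threshold": 5, "max_age_days": 60}

# Character classes for the common "three of four" complexity rule.
CLASSES = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]


def audit_password_policy(policy):
    """Return findings where `policy` (same constructed keys as BASELINE,
    e.g. filled in from a domain policy export) is weaker than BASELINE."""
    findings = []
    if policy.get("min_length", 0) < BASELINE["min_length"]:
        findings.append("minimum length %s is below %d"
                        % (policy.get("min_length"), BASELINE["min_length"]))
    if not policy.get("complexity", False):
        findings.append("password complexity is not enabled")
    if policy.get("history_size", 0) < BASELINE["history_size"]:
        findings.append("password history %s is below %d"
                        % (policy.get("history_size"), BASELINE["history_size"]))
    # A threshold of 0 conventionally means "never lock out", so it is the
    # weakest setting, not the strictest; the same holds for a max age of 0.
    threshold = policy.get("lockout_threshold", 0)
    if threshold == 0 or threshold > BASELINE["lockout_threshold"]:
        findings.append("lockout threshold %s allows too many attempts" % threshold)
    max_age = policy.get("max_age_days", 0)
    if max_age == 0 or max_age > BASELINE["max_age_days"]:
        findings.append("maximum password age %s exceeds %d days"
                        % (max_age, BASELINE["max_age_days"]))
    return findings


def meets_complexity(password, username):
    """Three-of-four character classes and no account name in the password."""
    if username and username.lower() in password.lower():
        return False
    return sum(bool(re.search(c, password)) for c in CLASSES) >= 3


if __name__ == "__main__":
    # Constructed sample: a domain with every setting left at its weakest.
    weak = {"min_length": 6, "complexity": False, "history_size": 0,
            "lockout_threshold": 0, "max_age_days": 0}
    for finding in audit_password_policy(weak):
        print("FINDING:", finding)
    print(meets_complexity("Tr0ub4dor!", "jsmith"))  # True
```

Each finding is a ready-made line for the "Document your settings" deliverable, and a policy that meets or exceeds every baseline value produces an empty list.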
Slide 8: Incident Response Procedures

- Procedures for reporting the unauthorized release of sensitive student or staff data
- Include who will do what and when
Slide 9: IT Procedures Manual

- Mission/Goal
- Definitions
- Documentation Standards
- Org Chart (IT Dept) (include roles)
- Major Software Acquisition
- Project approval, selection and monitoring
- Operational Procedures
- Security Awareness Program
- Security and Access
- System Backups
Slide 10: Security Risk Assessment

- Security Risk Assessment Survey and Mitigation Plan (see template)
- External/internal penetration assessment
- Helpful links to NIST and Florida AEIT:
  - https://aeit.myflorida.com/sites/default/files/files/Security/2011FloridaITRiskAssessmentFinal.pdf
  - NIST SP800-30 Revision 1 (Sept 2011 Draft): http://csrc.nist.gov/publications/PubsSPs.html
Slide 11: Security Awareness Program

- Publish SA notes for employees
- Publish notice of changes
- Provide training to staff on changes
- Security Training (log via PD system)
- Example
Slide 12: Questions