STATE OF NORTH CAROLINA

Similar documents
STATE OF NORTH CAROLINA

STATE OF NORTH CAROLINA

STATE OF NORTH CAROLINA

STATE OF NORTH CAROLINA

UNIVERSITY OF NORTH CAROLINA CHARLOTTE

UNIVERSITY OF NORTH CAROLINA CHAPEL HILL

STATE OF NORTH CAROLINA

STATE OF NORTH CAROLINA

STATE OF NORTH CAROLINA

STATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA FAYETTEVILLE STATE UNIVERSITY

STATE OF NORTH CAROLINA

STATE OF NORTH CAROLINA

STATE OF NORTH CAROLINA

STATE OF NORTH CAROLINA

STATE OF NORTH CAROLINA

General Information Technology Controls Follow-up Review

STATE OF NORTH CAROLINA

Subject: Audit Report 18-84, IT Disaster Recovery, California State University, Sacramento

Review of the Feasibility Plan for Coordinating Operations of the North Carolina Research and Education Network and the State Network Infrastructure

I n f o r m a t i o n S y s t e m s C y b e r s e c u r i t y A s s e s s m e n t

National Defense University and IRMC. National Defense University

Office of Inspector General Office of Professional Practice Services

Any observations not included in this report were discussed with your staff at the informal exit conference and may be subject to follow-up.

COUNTY AUDIT HILLSBOROUGH COUNTY, FLORIDA CONSULTANT COMPETITIVE NEGOTIATION ACT (CCNA) PROCUREMENT PROCESS AUDIT REPORT # 251

Any observations not included in this report were discussed with your staff at the informal exit conference and may be subject to follow-up.

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Subject: Audit Report 16-50, IT Disaster Recovery, California State University, Fresno

Postal Inspection Service Mail Covers Program

Statewide Information Technology Contingency Planning

New Jersey State Legislature Office of Legislative Services Office of the State Auditor. November 16, 2015 to November 30, 2017

THE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES. Computer Administrative Rights Report No

STATE OF NORTH CAROLINA

Information Technology General Control Review

DATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, DOMINGUEZ HILLS. Audit Report June 15, 2012

Number: USF System Emergency Management Responsible Office: Administrative Services

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

The Texas A&M University System Internal Audit Department MONTHLY AUDIT REPORT

SECTION.0900 LEAD-BASED PAINT HAZARD MANAGEMENT PROGRAM FOR RENOVATION, REPAIR AND PAINTING

North Carolina Fire and Rescue Commission Certification Programs POLICY FOR TESTING

**The Florida Lottery is not a State Personnel System Employer** TECHNICAL ANALYST II - POSITION NUMBER

The Texas A&M University System Internal Audit Department MONTHLY AUDIT REPORT

The University of British Columbia Board of Governors

Information Technology Disaster Recovery Planning Audit Redacted Public Report

Office of MN.IT Services Data Centers

Subject: University Information Technology Resource Security Policy: OUTDATED

Privacy Breach Policy

REPORT Bill Bradbury, Secretary of State Cathy Pollino, Director, Audits Division

CT Director Credential

REPORT 2015/010 INTERNAL AUDIT DIVISION

ALABAMA STATE BOARD OF PUBLIC ACCOUNTANCY ADMINISTRATIVE CODE

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

SPECIAL REVIEW - SURPLUS COMPUTER EQUIPMENT DATA REMOVAL SPECIAL REPORT OCTOBER 2003

FOLLOW-UP REPORT Industrial Control Systems Audit

NORTH CAROLINA NC MRITE. Nominating Category: Enterprise IT Management Initiatives

Federal Acquisition Service Authorized Federal Supply Schedule Price List

BOARD OF COUNTY COMMISSIONERS

Internal Audit Follow-Up Report. Multiple Use Agreements TxDOT Office of Internal Audit

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

PFE Online Application Help File

Leslie W. Hicks! 221 Pasture Lane! Winchester, VA 22602! (540) (540) !

Development of your Company s Record Information System and Disaster Preparedness. The National Emergency Management Summit

Requirements for NCOWCICB certification with Business Succession Exemption Please read and follow carefully.

NORTH CAROLINA EMERGENCY MANAGEMENT CERTIFICATION PROGRAM

ART CENTER AND SATELLITE PLANT

KENYA SCHOOL OF GOVERNMENT EMPLOYMENT OPORTUNITY (EXTERNAL ADVERTISEMENT)

STRATEGIC PLAN. USF Emergency Management

DISASTER PREPAREDNESS IN THE COUNTY: IMPROVEMENTS NEEDED

The Texas A&M University System. Internal Audit Department. Fiscal Year 2014 Audit Plan

Department Of Public Utilities Multi Vendor Reading System (MVRS) 12 Months ended December 31, 2011

Investigation. City of Edmonton Office of the City Auditor. ETS Workforce Development. January 14, 2019

GEORGIA CYBERSECURITY WORKFORCE ACADEMY. NASCIO 2018 State IT Recognition Awards

REPORT 2015/149 INTERNAL AUDIT DIVISION

Taking the Mystery Out of Counting CPE. Opening Remarks

Application for Certification

California Code of Regulations TITLE 21. PUBLIC WORKS DIVISION 1. DEPARTMENT OF GENERAL SERVICES CHAPTER 1. OFFICE OF THE STATE ARCHITECT

RECORDS MANAGEMENT RECORDS MANAGEMENT SERVICES

SAMPLE REPORT. Business Continuity Gap Analysis Report. Prepared for XYZ Business by CSC Business Continuity Services Date: xx/xx/xxxx

Office of Internal Audit

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014

I. PURPOSE III. PROCEDURE

Public Notification Letter

Instructions Please read and follow carefully. KEEP THIS PAGE FOR YOUR REFERENCE

NASCIO Recognition Award Nomination. Title: Central Issuance of State Drivers Licenses. Category: Digital Government Government to Citizen

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

SENATE, No STATE OF NEW JERSEY. 217th LEGISLATURE INTRODUCED DECEMBER 12, 2016

Global Statement of Business Continuity

INFORMATION SECURITY- DISASTER RECOVERY

DATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, LONG BEACH. Audit Report July 24, 2012

TITLE 595. DEPARTMENT OF PUBLIC SAFETY CHAPTER 10. CLASS D DRIVER LICENSES AND IDENTIFICATION CARDS AND MOTOR LICENSE AGENT PROCEDURES

Information Security for Mail Processing/Mail Handling Equipment

December 21, 1998 BY ELECTRONIC MAIL AND HAND DELIVERY

Full Name of Centre:... Date of establishment:... Address: Telephone No:... Fax No: (Please include area codes)

ALABAMA STATE BOARD OF PUBLIC ACCOUNTANCY ADMINISTRATIVE CODE

STEP BY STEP HOW TO COMPLETE THE ELECTRONIC BGC FORM

Policies & Regulations

Business Continuity Planning

North Carolina Department of State Treasurer

CompTIA Mobility+ Certification

ANRC II. Eligibility requirements Authority Requirements for accreditation Review of application...

REVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009

Transcription:

STATE OF NORTH CAROLINA AUDIT OF THE INFORMATION SYSTEMS GENERAL CONTROLS CARTERET COMMUNITY COLLEGE OCTOBER 2007 OFFICE OF THE STATE AUDITOR LESLIE MERRITT, JR., CPA, CFP STATE AUDITOR

AUDIT OF THE INFORMATION SYSTEMS GENERAL CONTROLS CARTERET COMMUNITY COLLEGE OCTOBER 2007

STATE OF NORTH CAROLINA Office of the State Auditor Leslie Merritt, Jr., CPA, CFP State Auditor 2 S. Salisbury Street 20601 Mail Service Center Raleigh, NC 27699-0601 Telephone: (919) 807-7500 Fax: (919) 807-7647 Internet http://www.osa.state.nc.us AUDITOR S TRANSMITTAL The Honorable Michael F. Easley, Governor Members of the North Carolina General Assembly The Board of Directors of Carteret Community College Dr. Joseph T. Barwick, President Ladies and Gentlemen: We have completed our audit of Carteret Community College. This audit was conducted during the period from August 2, 2007, through September 6, 2007. The audit was conducted in accordance with Government Auditing Standards and Information Systems Audit Standards. The primary objective of this audit was to evaluate information systems (IS) general controls at Carteret Community College. The scope of our IS general controls audit included general security, access controls, systems software, physical security, and disaster recovery. Other IS general control topics were reviewed as considered necessary. This report contains an executive summary and audit results which detail the areas where Carteret Community College has performed satisfactorily relevant to our audit scope, where improvements should be made, and where further study is necessary. We wish to express our appreciation to the staff of Carteret Community College for the courtesy, cooperation and assistance provided to us during this audit. North Carolina General Statutes require the State Auditor to make audit reports available to the public. Copies of audit reports issued by the Office of the State Auditor may be obtained through one of the options listed in the back of this report. Respectfully submitted, Leslie Merritt, Jr., CPA, CFP State Auditor

TABLE OF CONTENTS EXECUTIVE SUMMARY... 1 AUDIT OBJECTIVES, SCOPE, AND METHODOLOGY... 3 BACKGROUND INFORMATION... 5 AUDIT RESULTS... 7 ORDERING INFORMATION... 9 PAGE

EXECUTIVE SUMMARY We conducted an Information Systems (IS) audit at the Carteret Community College from August 2, 2007, through September 6, 2007. The primary objective of this audit was to evaluate the IS general controls in place during that period. Based on our objective, we report the following conclusions: General security involves the establishment of a reasonable security program that addresses the general security of information resources. Carteret Community College has established a reasonable security program that addresses the general security of information resources. We did not identify any significant weaknesses in general security during our audit. The access control environment consists of access control software and information security policies and procedures. We found several weaknesses in access controls. Due to the sensitive nature of the conditions found in these weaknesses, we have conveyed these findings to management in a separate letter pursuant to the provision of North Carolina G.S. 147-64.6(c)(18). Systems software is the collection of programs that drive the computer. The selection of systems software should be properly approved and the software should be maintained by the computer center. We did not identify any significant weaknesses in systems software during our audit. Physical security primarily involves the inspection of the agency s computer center for the controls that should reasonably secure the operations of the computer center from foreseeable and preventable threats from fire, water, electrical problems, and vandalism. We did not identify any significant weaknesses in the physical security. A complete disaster recovery plan that is tested periodically is necessary to enable Carteret Community College to recover from an extended business interruption due to the destruction of the computer center or other Carteret Community College assets. We did not identify any significant weaknesses in the Disaster Recovery. 1

[ This Page Left Blank Intentionally ] 2

AUDIT OBJECTIVES, SCOPE, AND METHODOLOGY OBJECTIVES Under the North Carolina General Statutes 147-64.6, the State Auditor is responsible for examining and evaluating the adequacy of operating and administrative procedures and practices, systems of accounting, and other elements of State agencies. IS general control audits are examinations of controls which effect the overall organization and operation of the IS function. This IS audit was designed to ascertain the effectiveness of general controls at Carteret Community College. SCOPE General controls govern the operation and management of computer processing activities. The scope of our IS general controls audit was to review general security issues, access controls, systems software, physical security, and disaster recovery which directly affect Carteret Community College s computing operations. Other IS general control topics were reviewed as considered necessary. METHODOLOGY We audited policies and procedures, interviewed key administrators and other personnel, examined system configurations, toured the computer facility, tested on-line system controls, reviewed appropriate technical literature, reviewed computer generated reports, and used security evaluation software in our audit of general controls. We conducted our audit in accordance with the standards applicable to performance audits contained in Government Auditing Standards issued by the Comptroller General of the United States and Information Systems Audit Standards issued by the Information Systems Audit and Control Association. 3

[ This Page Left Blank Intentionally ] 4

BACKGROUND INFORMATION Carteret Community College is a leader in improving the quality of life for all citizens of Carteret County, and Eastern North Carolina by offering high-quality education, training, enrichment, and support to all who need and value these services. Carteret Community College, located at 3505 Arendell Street, Morehead City, North Carolina, was founded in 1962. Carteret Community College received accreditation from the Southern Association of Colleges and Schools to award associates degrees, diplomas, and certificates. The College was most recently re-accredited by the Southern Association of Colleges and Schools in December 1999. Carteret Community College offers up-to-date vocational technological training and features programs that prepare students for the skills they need in the fast-paced information age, where computers and the Internet are changing the way business is conducted. At Carteret Community College, the Information Technology (IT) department provides a total source, single point resource for computer support in accordance with the mission of Carteret Community College. The IT department is organizationally structured in the Administrative Services Division of the College. The IT department consists of three Directors and three support staff employees. The Director of Administrative Computing Services is also the UNIX Systems Administrator and he has an Assistant UNIX Systems Administrator that reports to him. The Director of Software Solutions and Web Development is the College Webmaster and is responsible for software, database, and web design and development. The Director of Network Technologies has a Senior Information Technology Specialist and an Information Technology Specialist who report to him. All of the Directors report to the Vice President of Administrative Services who reports to the President of the College. The IT department is designed to provide administrative and instructional support for the College to allow for the most effective, efficient, and economical utilization of computer systems while at the same time providing protection of equipment and data. 5

[This Page Left Blank Intentionally ] 6

AUDIT RESULTS The following audit results reflect the areas where Carteret Community College has performed satisfactorily and where recommendations have been made for improvement. GENERAL SECURITY ISSUES General security issues involve the maintenance of a sound security management structure. A sound security management structure should include a method of classifying and establishing ownership of resources, proper segregation of duties, a security organization and resources, policies regarding access to the computer systems and a security education program. Carteret Community College has established a reasonable security program that addresses the general security of information resources. Our audit did not identify any significant weaknesses in general security. ACCESS CONTROLS The most important information security safeguard that Carteret Community College has is its access controls. The access controls environment consists of Carteret Community College s access control software and information security policies and procedures. An individual or a group with responsibility for security administration should develop information security policies, perform account administration functions and establish procedures to monitor and report any security violations. We noted a number of weaknesses in access controls. Due to the sensitive nature of the conditions found in the weaknesses, we have conveyed these findings to management in a separate letter pursuant to the provision of North Carolina G.S. 147-64.6(c)(18). SYSTEMS SOFTWARE Systems software is the collection of programs that the computer center uses to run the computer and support the application systems. This software includes the operating system, utility programs, compilers, database management systems and other programs. The systems programmers have responsibility for the installation and testing of upgrades to the system software when received. Systems software changes should be properly documented and approved. Our audit did not identify any significant weaknesses in system software. PHYSICAL SECURITY Controls over physical security are designed to protect a computer center from service interruptions resulting from fire, water, electrical problems, vandalism, and other causes. Carteret Community College s physical security controls ensure that the computer service center is reasonably secure from foreseeable and preventable threats to its physical continuity. Our audit did not identify any significant weaknesses in physical security. 7

AUDIT RESULTS (CONCLUDED) DISASTER RECOVERY Disasters such as fire and flood can destroy a computer service center and leave its users without computer processing support. Without computer processing, Carteret Community College would grind to a halt. To reduce this risk, computer service centers develop business continuity plans. Business continuity procedures should be tested periodically to ensure the recoverability of the data center. Our audit did not identify any significant weaknesses in Disaster Recovery. 8

ORDERING INFORMATION Audit reports issued by the Office of the State Auditor can be obtained from the web site at www.ncauditor.net. Also, parties may register on the web site to receive automatic email notification whenever reports of interest are issued. Otherwise, copies of audit reports may be obtained by contacting the: Office of the State Auditor State of North Carolina 2 South Salisbury Street 20601 Mail Service Center Raleigh, North Carolina 27699-0601 Telephone: 919/807-7500 Facsimile: 919/807-7647 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback