Information Security Program Audit Introduction and Survival Guide

Information Security Program Audit Introduction and Survival Guide Cyber Security Symposium 2016, Sacramento Convention Center September 28, 2016

INTRODUCTION
Welcome
Presenters' Background
- Carl Salmonsen, CISA, CISM: 28-year veteran of Information Technology, with the last 18 years in the fields of Information Security and Audit
- Barbara Schoellkopf, CISA, CIA, CRMA: IT and internal control auditor at multiple state agencies; background in actuarial science, business intelligence and data analytics

CALIFORNIA INFORMATION SECURITY OFFICE (CISO) BACKGROUND
CISO Primary Programs:
- Security Incident Reporting and Management
- Security Policy and Standards Development
- Technology Recovery Planning (TRP)
- Risk Management
- Information Security Training and Awareness, and Public Outreach
- Oversight of the AB 670 Risk Assessment Process
- Information Security Compliance Audits

AUDIT PROGRAM BACKGROUND
- The self-certification process is not reliable
- Need for stronger assurance that state entities are implementing appropriate protections
Information Security Program Audit, Program History
- 2014: BCP (Budget Change Proposal) to establish a 2-year pilot Information Security Audit Program
- Completed 6 audits as part of the pilot
- 2016: Permanent positions approved in the 2016-2017 budget

AUDIT SELECTION CRITERIA
- Military Security Assessment not scheduled for this year
- No audit performed by CISO/ISPA in the last 2 years
- Audit target refinement by the Governor's Office and the Department of Technology

AUDIT SCOPE
Layers reviewed:
- Policy & Oversight (SAM 5300)
- Governance, Risk, and Compliance
- Operational Security
Key Information Security Domains:
1. Risk Management Program
2. Policy & Privacy Management
3. Organization of Information Security
4. Compliance
5. Asset Management and Protection
6. Human Resources Security
7. Physical and Environmental Security
8. Communications and Operations Management
9. Access Control Management
10. Information Systems Acquisition, Development and Maintenance
11. Incident and Event Management
12. Business Continuity Management

AUDIT SCOPE
Standards & Procedures
Adopted Federal Standards (FIPS and NIST):
- FIPS PUB 199, 200
- NIST SP 800-53
- Others
California Standards (SIMM):
- 5305-A, Information Security Program Mgmt Std
- 5310-A, Privacy Statement and Notices Std
- 5310-B, Individual Access Std
- 5360-A, Telework and Remote Access Security Std
CA Procedures and Forms (SIMM):
- 5325-A, Technology Recovery Plan Instructions
- 5325-B, Technology Recovery Pgm Compliance Certification
- 5330-A, Designation Letter
- 5330-B, Risk Mgmt and Privacy Pgm Compliance Certification
- 5340-A, Incident Reporting and Response Instructions
- 5340-B, Information Security Incident Report
- 5340-C, Requirements to Respond to Breach of Personal Info
- 5360-B, Remote Access Agreement

AUDIT OBJECTIVES
- Independent validation of the entity's information security and privacy program
- Assurance that security and privacy policy, procedures and practices are implemented and working as intended
- Provide entities with a plan for correcting gaps or shortcomings in the Information Security Program

ENGAGEMENT PROCESS
- Clients selected and notified
- Governor's Office presentation
- Engagement package submitted to clients by the CISO Audit Team
- Dates/timelines negotiated with the CISO Audit Manager
- Preliminary articles collected and forwarded to the audit team
- Engagement kick-off meeting held

AUDIT PROCESS
[Figure 1: engagement timeline diagram. Milestones, in order: Kickoff / Entrance Conference; Preliminary Discovery & Interviews (2 weeks); Field Work Begins; Detailed Testing (Small Client 2 weeks, Medium Client 4 weeks, Large Client 6 weeks max); Field Work Ends; Reporting; Final Audit Report. Duration labels on the figure: 2 weeks, 6-10 weeks, 11 weeks. Each milestone in the figure is labeled with the date 6/22/2016.]

AUDIT PERIOD & TIMELINE
[Figure: six monthly calendar pages, Month 1 through Month 6 (January through June), with the Entrance Conference, Field Work Ends and Final Audit Report milestones marked; milestones in the figure are labeled 6/22/2016.]
Audit Period (usually 6 months): the period of time covered by the audit. For example, Jan 1 through June 30.
Engagement Period: the duration of the audit engagement, from the Entrance Conference through the Final Audit Report. See Figure 1 for details.

FIELDWORK
- Document review
- Interviews of process owners and subject matter experts
- Other testing, which may include examination, observation, inspection, re-performance, re-calculation or other analytical procedures
- Bi-weekly status reporting

WHAT CAN YOU DO TO PREPARE
- Get executive sponsorship
- Identify a Single Point of Contact: the key liaison between the audit team and the audited entity. Facilitates obtaining documentation and artifacts, identifying process/control owners and experts, scheduling and coordination of department resources with the audit team, and escalating issues as needed
- Begin gathering documentation and submit it to the audit team as early as possible
- Identify a working area for the audit team

QUESTIONS
Carl Salmonsen, CSalmonsen@state.ca.gov, 916-431-5462
Barbara Schoellkopf, BSchoellkopf@state.ca.gov, 916-431-5584

AUDIT TERMS
- Audit Period: Defined period of time used for evaluation of control activities.
- Engagement: A formal audit project. An engagement is executed by a contract and includes all the tasks or activities designed to accomplish a specific set of objectives.
- Engagement Package: Provides information about the CISO Audit Team and the audit process, and serves as an initial information request.
- Entrance Conference: Initial meeting to kick off the audit.
- Exit Conference: Meeting at the end of fieldwork to discuss findings and recommendations.
- Inspection: Examining records or documents, in paper form, electronic form, or other media, or a physical examination of an asset.
- Interview: Gathering testimonial information.
- Objectives: Subject matter under examination and how performance will be assessed.
- Observation: Examining a process or procedure being performed by others, for example, the auditor's observation of the performance of a control activity.
- Population: The entire set of data from which a sample is selected and about which the auditor wishes to draw conclusions.
- Preliminary Articles Request (PAR): Initial information request.
- Re-computing: The auditor independently calculates the value.
- Re-performance: The auditor's independent execution of procedures or controls that were originally performed as part of the entity's internal controls.
- Test: The application of procedures to some or all items in a population.
- Work Papers: Written audit documentation of procedures applied, tests performed, information obtained, and pertinent conclusions in the engagement. Work papers provide the principal support for the auditor's report.
For more definitions, see the CISO Definitions: http://www.cio.ca.gov/ois/government/definitions.asp