Information Security Program Audit: Introduction and Survival Guide
Cyber Security Symposium 2016, Sacramento Convention Center, September 28, 2016

INTRODUCTION
Welcome
Presenters Background
Carl Salmonsen, CISA, CISM: 28-year veteran of Information Technology, with the last 18 years in the fields of Information Security and Audit
Barbara Schoellkopf, CISA, CIA, CRMA: IT and internal control auditor at multiple state agencies; background in actuarial science, business intelligence and data analytics
CALIFORNIA INFORMATION SECURITY OFFICE (CISO) BACKGROUND
CISO Primary Programs:
Security Incident Reporting and Management
Security Policy and Standards Development
Technology Recovery Planning (TRP)
Risk Management
Information Security Training and Awareness and Public Outreach
Oversight of the AB670 Risk Assessment Process
Information Security Compliance Audits

AUDIT PROGRAM BACKGROUND
Self Certification Process Not Reliable
Need For Stronger Assurance That State Entities are implementing appropriate protections
Information Security Program Audit, Program History:
2014 - BCP to Establish 2-Year Pilot Information Security Audit Program
Completed 6 Audits as Part of Pilot
2016 - Permanent Positions approved in 2016-2017 budget

AUDIT SELECTION CRITERIA
Military Security Assessment not scheduled for this year
No audit performed by CISO/ISPA in last 2 years
Audit Target Refinement by Governor's Office and Department of Technology
AUDIT SCOPE
Policy & Oversight: SAM 5300
Governance, Risk, and Compliance
Operational Security
Key Information Security Domains:
1. Risk Management Program
2. Policy & Privacy Management
3. Organization of Information Security
4. Compliance
5. Asset Management and Protection
6. Human Resources Security
7. Physical and Environmental Security
8. Communications and Operations Management
9. Access Control Management
10. Information Systems Acquisition, Development and Maintenance
11. Incident and Event Management
12. Business Continuity Management

AUDIT SCOPE: Standards & Procedures
Adopted Federal Standards (FIPS and NIST): FIPS PUB 199, 200; NIST SP 800-53; Others
California Standards (SIMM):
5305-A, Information Security Program Mgmt Std
5310-A, Privacy Statement and Notices Std
5310-B, Individual Access Std
5360-A, Telework and Remote Access Security Std
CA Procedures and Forms (SIMM):
5325-A, Technology Recovery Plan Instructions
5325-B, Technology Recovery Pgm Compliance Certification
5330-A, Designation Letter
5330-B, Risk Mgmt and Privacy Pgm Compliance Certification
5340-A, Incident Reporting and Response Instructions
5340-B, Information Security Incident Report
5340-C, Requirements to Respond to Breach of Personal Info
5360-B, Remote Access Agreement
AUDIT OBJECTIVES
Independent validation of the entity's information security and privacy program
Assurance that security and privacy policy, procedures and practices are implemented and working as intended
Provide Entities with a Plan for Correcting Gaps or Shortcomings in the Information Security Program

ENGAGEMENT PROCESS
Clients Selected and Notified
Governor's Office Presentation
Engagement Package Submitted to Clients by CISO Audit Team
Dates/Timelines Negotiated with CISO Audit Manager
Preliminary Articles Collected and Forwarded to Audit Team
Engagement Kick-off Meeting Held
AUDIT PROCESS
[Timeline figure: Kickoff / Entrance Conference; Preliminary Discovery & Interviews (2 weeks); Field Work / Detailed Testing, scaled by client size (Small Client 2 weeks, Medium Client 4 weeks, Large Client 6 weeks max); Field Work 6-10 weeks; Reporting 11 weeks; Final Audit Report]

AUDIT PERIOD & TIMELINE
[Six-month calendar figure, Month 1 through Month 6, with Entrance Conference, Field Work Ends and Final Audit Report markers]
Audit Period (Usually 6 Months): The period of time covered by the audit. For example, Jan 1 through June 30.
Engagement Period: The duration of the audit engagement. See Figure 1 for details.
FIELDWORK
Document review
Interviews of process owners and subject matter experts
Other testing, which may include examination, observation, inspection, reperformance, re-calculation or other analytical procedures
Bi-Weekly Status Reporting

WHAT CAN YOU DO TO PREPARE
Get Executive Sponsorship
Identify a Single Point of Contact: the key liaison between the audit team and the audited entity. Facilitates obtaining documentation and artifacts; identifying process/control owners and experts; scheduling and coordination of department resources with the audit team; and escalating issues, as needed
Begin Gathering Documentation and Submit to Audit Team As Early As Possible
Identify a Working Area for the Audit Team

QUESTIONS
Carl Salmonsen, CSalmonsen @ state.ca.gov, 916-431-5462
Barbara Schoellkopf, BSchoellkopf @ state.ca.gov, 916-431-5584
AUDIT TERMS
Audit Period: Defined period of time used for evaluation of control activities.
Engagement: A formal audit project. An engagement is executed by a contract and includes all the tasks or activities designed to accomplish a specific set of objectives.
Engagement Package: Provides information about the CISO Audit Team and the audit process, and serves as an initial information request.
Entrance Conference: Initial meeting to kick off the audit.
Exit Conference: Meeting at the end of fieldwork to discuss findings and recommendations.
Inspection: Examining records or documents, in paper form, electronic form, or other media, or a physical examination of an asset.
Interview: Gathering testimonial information.
Objectives: Subject matter under examination and how performance will be assessed.
Observation: Examining a process or procedure being performed by others, for example, the auditor's observation of performance of a control activity.
Population: The entire set of data from which a sample is selected and about which the auditor wishes to draw conclusions.
Preliminary Articles Request (PAR): Initial information request.
Re-computing: The auditor independently calculates the value.
Re-performance: The auditor's independent execution of procedures or controls that were originally performed as part of the entity's internal controls.
Test: The application of procedures to some or all items in a population.
Work Papers: Written audit documentation of procedures applied, tests performed, information obtained, and pertinent conclusions in the engagement. Work papers provide the principal support for the auditor's report.
For more definitions, see the CISO Definitions: http://www.cio.ca.gov/ois/government/definitions.asp