IT Audits at Penn
IT Orientation
Dan Hill
December 12, 2012

Agenda
- Organization Chart
- Mission Statement
- OACP Internal Audit Overview
- Risk Management Process
- Strategic IT Auditing
- What to Expect When Audited by OACP
- The Audit Process
- IT Audit Services
- IT Audit Areas of Focus
- IT Audit Observation Trends FY08-FY11
- Other Stuff WE Do
- Stuff YOU Can Do
- Q & A
- Useful Web Links
OACP Organizational Chart
(chart not reproduced in this extraction)

Mission Statement
- Proactive business partner
- Anticipate and aggressively manage business risks
- Ensure strong stewardship and management accountability at all levels
- Ensure the integrity of operational and financial information
OACP Internal Audit Overview
Audit Universe:
- University of Pennsylvania
- Penn Medicine
Build relationships:
- Assist Academic/Research, Administrative, University and Penn Medicine units with common computing best practices (i.e. strategies for logical & physical security, backup & recovery, asset management, network security, user account management).
- Foster cooperation and communication between and within departments.
- Communicate and share industry standards and best practices.

Risk Management Process
Assessing risk:
- Integrated Internal Control Framework (IICF) by the Committee of Sponsoring Organizations (COSO)
  - Every individual in the organization is responsible for identifying and mitigating business risk
  - OACP applies the concepts of the IICF in its approach to every initiative and project
- Control Objectives for Information and related Technology (CobiT) by the IT Governance Institute (ITGI) and the Information Systems Audit and Control Association (ISACA)
Build the audit plan
Strategic IT Auditing
Information Criteria:
- Effectiveness
- Efficiency
- Confidentiality
- Integrity
- Availability
- Compliance
- Reliability
IT Resources:
- People
- Applications
- Technology
- Facilities
- Data

What to Expect When Audited by OACP
- Partnering concept
- Discussions about business risks related to the use of IT
- Improvements to IT and business processes
- Review of internal controls and recommendations for improvement
- Leverage with University and Penn Medicine management to help ensure that risks are addressed and mitigated
The Audit Process
(process diagram not reproduced in this extraction)

IT Audit Services
Information Security Services:
- Network Security Reviews
- Web Application Security Reviews
- Wireless Security Reviews
Governance, Risk, and Compliance Services:
- IT Assessments
- Application Controls Reviews
- Information Processing Facilities (Data Centers) Audits
- Pre-Implementation Reviews
- Post-Implementation Reviews
- HIPAA / HITECH Audits
Special Requests / Advisory Services:
- Solution Selection
- Web Application Security Scanning
- Special Attestation Reporting (SSAE-16) / Vendor Management
IT Audit Areas of Focus
Information Security Management:
- Backups/File Restores
- Logical Security Protocols
- Network Environmental Controls
- Privacy Awareness & Third Party Management
- Physical Security
- Web or OS Vulnerabilities

IT Audit Areas of Focus (cont.)
IT Management Processes:
- Business Continuity / Disaster Recovery Plans
- Change Management
- Hardware / Software Inventory & Licensing Compliance
- IT Strategic Plan and Policies/Procedures
- IT Training & End User Communication
- Policies & Procedures
IT Audit Areas of Focus (cont.)
Backups/File Restores:
- Critical files backed up and rotated offsite
- Policies / procedures / processes developed and tested
- Documentation
Logical Security Protocols:
- Software safeguards in place
- Access controls / segregation of duties
- Strong password protocols
- Current updates and patches
- Periodic review of access
Computer/Server Room Environmental Controls:
- UPS (uninterruptible power supply)
- HVAC and temperature/humidity controls
- Emergency lighting

IT Audit Areas of Focus (cont.)
Privacy Awareness & Third Party Management:
- FERPA, HIPAA, PCI, etc.
- Confidentiality of sensitive data maintained
- Only pertinent data collected (PHI, SSNs, credit card numbers, student records)
- Effective contract vendor management
Physical Security:
- Defensive strategies to deter, detect, delay, and deny threats
- Appropriate access
- Fire suppression equipment
Web or OS Vulnerabilities:
- Policies and procedures in place
- Scanning tools (HP WebInspect, Nessus, etc.)
- Scanning vulnerability reports
IT Audit Areas of Focus (cont.)
Business Continuity/Disaster Recovery Plans:
- University's Mission Continuity Program (MCP)
- Backup/recovery processes in place and periodically tested
- Cookbook checklists and steps
- Cross-training of staff to ensure operational continuity
Change Management:
- Formalized processes to document changes
- Testing and acceptance of changes in a development environment
- Authorizations, approvals, back-out plans
Hardware/Software Inventory & Licensing Compliance:
- Maintained and up-to-date IP lists and physical locations of hardware
- Software licensing compliance
- System Center Configuration Manager (SCCM, used by UPHS)

IT Audit Areas of Focus (cont.)
IT Training & End User Communication:
- Updated training manuals and user guides
- Effective training programs and processes
- IT support
Policies and Procedures:
- Clearly defined, documented, approved, and communicated
- Computing incident response and reports
- Updated and revised as necessary
- Adherence to University and Penn Medicine policies and all applicable regulatory requirements
IT Audit Observation Trends FY08 - FY11
University + Health System (including):
- HUP
- Pennsylvania Hospital
- Presbyterian Medical Center
- School of Medicine
- University Business Services Division
- University Division of Finance
- Dental School
- Division of Recreation
- Facilities Management
- Graduate School of Fine Arts
- Human Resources Division
- ISC
- UPHS Corporate ISD, Perelman SOM
- Law School
- Library
- Nursing School
- Provost Center
- Division of Public Safety
- SAS
- SEAS
- School of Social Work
- School of Veterinary Medicine
- VPUL
- Wharton
- Office of Billing Compliance

University/Penn Medicine IT Audit Observations FY08-FY11
Observation area                                          Share
Logical Security Protocols                                22%
Policies & Procedures                                     20%
Privacy Awareness & Third Party Management                16%
Hardware/Software Inventory & Licensing Compliance         7%
Network Environmental Controls                             6%
Web or OS Vulnerabilities                                  5%
Business Continuity/Disaster Recovery Plans                5%
Change Management                                          5%
Physical Security                                          5%
Backups/File Restores                                      4%
IT Training & End User Communication & Readiness           3%
IT Strategic Plan                                          1%
Knowledge Transfer                                         1%
Note: All percent values are calculated from a total of 192 IT observations identified during FY08-FY11.
Other Stuff We Do
- IT Orientation (ITO)
- IT Roundtable
- Network Planning Task Force (NPTF)
- Network Policy Committee (NPC)
- IT Privacy Committee
- Security and Privacy Impact Assessment (SPIA)
- Super Users Group (SUG)
- Special Interest Groups (SIGs)

Stuff YOU Can Do
- Visit the IT Audit web site at www.upenn.edu/oacp/audit for a list of IT Audit services, internal controls guidance and whitepapers
- Target low-hanging fruit: basic security, Secure & Protect
- Keep up-to-date computing resource inventories
  - Register all PennNet hosts that are critical
  - Update hardware/software inventories and applicable licenses
- Join SUG and other applicable mailing and special interest lists
- Participate in SUG, WebSig, PCNet, MacNet, Security-Sig, VoIP, Cloud and other Special Interest Group meetings as appropriate
- Keep up with the latest news from the IT Roundtable
- At least monthly, take a look at the Network Policy Committee (NPC) website at http://www.upenn.edu/computing/group/npc/
Questions and Discussion

Useful Web Links
- OACP: www.upenn.edu/oacp and www.penn.edu/oacp/audit
- University of Pennsylvania Privacy: www.upenn.edu/privacy
- SANS (SysAdmin, Audit, Network, Security Institute): http://www.sans.org
- Penn Medicine Privacy: http://uphsxnet.uphs.upenn.edu/hipaa
- The Open Web Application Security Project (OWASP): https://www.owasp.org
- Computer Security Resource Center (CSRC): http://csrc.nist.gov/publications/nistpubs/index.html
- Center for Internet Security (CIS): http://www.cisecurity.org
- Microsoft Security Guidance Center: http://www.microsoft.com/security/guidance/default.mspx

IT Audit Team Contact Information
- Kevin Secrest, IT Audit Manager, 215-573-4495, ksecrest@upenn.edu
- Dan Hill, Senior IT Audit Specialist, 215-746-2995, dwhill@upenn.edu
- Dominic Pasqualino, Senior IT Audit Specialist, 215-898-1933, dominicp@upenn.edu
- Ben Geevarghese, IT Audit Specialist, 215-573-4490, gben@upenn.edu