IT Audits at Penn: IT Orientation


IT Audits at Penn, IT Orientation
Dan Hill, December 12, 2012

Agenda
- Organization Chart
- Mission Statement
- OACP Internal Audit Overview
- Risk Management Process
- Strategic IT Auditing
- What to Expect when Audited by OACP
- The Audit Process
- IT Audit Services
- IT Audit Areas of Focus
- IT Audit Observation Trends FY08-FY11
- Other Stuff We Do
- Stuff You Can Do
- Q & A
- Useful Web Links

OACP Organizational Chart (chart only; not captured in the transcript)

Mission Statement
- Proactive business partner
- Anticipate and aggressively manage business risks
- Ensure strong stewardship and management accountability at all levels
- Ensure the integrity of operational and financial information

OACP Internal Audit Overview
- Audit universe: University of Pennsylvania and Penn Medicine
- Build relationships
- Assist Academic/Research, Administrative, University and Penn Medicine units with common computing best practices (e.g., strategies for logical and physical security, backup and recovery, asset management, network security, user account management)
- Foster cooperation and communication between and within departments
- Communicate and share industry standards and best practices

Risk Management Process
- Assessing risk
  - Internal Control - Integrated Framework (IICF) by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
    - Every individual in the organization is responsible for identifying and mitigating business risk
    - OACP applies the concepts of the IICF in its approach to every initiative and project
  - Control Objectives for Information and related Technology (COBIT) by the IT Governance Institute (ITGI) and the Information Systems Audit and Control Association (ISACA)
- Build the audit plan

Strategic IT Auditing
- Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
- IT resources: People, Applications, Technology, Facilities, Data

What to Expect When Audited by OACP
- Partnering concept
- Discussions about business risks related to the use of IT
- Improvements to IT and business processes
- Review of internal controls, with recommendations for improvement
- Leverage with University and Penn Medicine management to help ensure that risks are addressed and mitigated

The Audit Process (process diagram only; not captured in the transcript)

IT Audit Services
- Information Security Services
  - Network Security Reviews
  - Web Application Security Reviews
  - Wireless Security Reviews
- Governance, Risk, and Compliance Services
  - IT Assessments
  - Application Controls Reviews
  - Information Processing Facilities (Data Centers) Audits
  - Pre-Implementation Reviews
  - Post-Implementation Reviews
  - HIPAA / HITECH Audits
- Special Requests / Advisory Services
  - Solution Selection
  - Web Application Security Scanning
  - Attestation Reporting (SSAE 16) / Vendor Management

IT Audit Areas of Focus
Information Security Management
- Backups/File Restores
- Logical Security Protocols
- Network Environmental Controls
- Privacy Awareness & Third Party Management
- Physical Security
- Web or OS Vulnerabilities

IT Audit Areas of Focus (cont.)
IT Management Processes
- Business Continuity / Disaster Recovery Plans
- Change Management
- Hardware / Software Inventory & Licensing Compliance
- IT Strategic Plan and Policies/Procedures
- IT Training & End User Communication
- Policies & Procedures

IT Audit Areas of Focus (cont.)
Backups/File Restores
- Critical files backed up and rotated offsite
- Policies / procedures / processes developed and tested
- Documentation
Logical Security Protocols
- Software safeguards in place
- Access controls / segregation of duties
- Strong password protocols
- Current updates and patches
- Periodic review of access
Computer/Server Room Environmental Controls
- UPS (uninterruptible power supply)
- HVAC and temperature/humidity controls
- Emergency lighting
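The "segregation of duties" and "periodic review of access" items under Logical Security Protocols are normally evidenced by a user-access review. The following is an added example, not code from the OACP deck or from any Penn system, of what that review looks like when automated: it takes a constructed account export joined with the HR active-employee flag and a hypothetical separation-of-duties rule set, and reports the findings an auditor expects the reviewer to have caught already (terminated users still holding access, dormant accounts, conflicting role pairs, shared credentials). The account data, role names and conflict pairs are all illustrative assumptions.

```python
"""User-access review over a constructed account export (added example;
the accounts, role names and SoD conflict pairs are illustrative assumptions)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class Account:
    user: str
    roles: Set[str]
    last_login: Optional[date]   # None = never logged in
    active_employee: bool        # from the HR feed, not from the application itself
    shared: bool = False         # generic/shared credential


# Hypothetical segregation-of-duties rule set: no single account may hold both roles.
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("vendor_create", "payment_approve"),   # create a payee and approve its payment
    ("developer", "prod_deploy"),           # write code and push it to production
]

DORMANT_DAYS = 90


def review_access(accounts: List[Account], today: date,
                  dormant_days: int = DORMANT_DAYS) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for the conditions an access review must catch."""
    findings = []
    for a in accounts:
        # Leaver whose access was never removed: the HR feed is the source of truth.
        if not a.active_employee and a.roles:
            findings.append((a.user, "terminated user still holds access"))
        # Never used, or unused for longer than the dormancy threshold.
        if a.last_login is None or (today - a.last_login).days > dormant_days:
            findings.append((a.user, f"dormant: no login in the last {dormant_days} days"))
        # One person holding both halves of a control.
        for r1, r2 in SOD_CONFLICTS:
            if r1 in a.roles and r2 in a.roles:
                findings.append((a.user, f"segregation-of-duties conflict: {r1} + {r2}"))
        # Shared accounts defeat accountability regardless of the roles they hold.
        if a.shared:
            findings.append((a.user, "shared account: no individual accountability"))
    return findings


# Constructed sample export, dated to the deck.
TODAY = date(2012, 12, 12)
SAMPLE_ACCOUNTS = [
    Account("alice", {"vendor_create"}, TODAY - timedelta(days=3), True),
    Account("bob", {"vendor_create", "payment_approve"}, TODAY - timedelta(days=10), True),
    Account("carol", {"developer"}, TODAY - timedelta(days=200), True),
    Account("dave", {"prod_deploy"}, TODAY - timedelta(days=1), False),
    Account("svc_backup", {"backup_operator"}, None, True, shared=True),
]

if __name__ == "__main__":
    for user, finding in review_access(SAMPLE_ACCOUNTS, TODAY):
        print(f"{user:12s} {finding}")
```

The review deliberately joins to the HR feed rather than trusting the application's own "enabled" flag: the common audit observation is an account that the application still considers active for a person who left months ago.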

IT Audit Areas of Focus (cont.)
Privacy Awareness & Third Party Management
- FERPA, HIPAA, PCI, etc.
- Confidentiality of sensitive data maintained
- Only pertinent data collected: PHI, SSNs, credit card numbers, student records
- Effective contract and vendor management
Physical Security
- Defensive strategies to deter, detect, delay, and deny threats
- Appropriate access
- Fire suppression equipment
Web or OS Vulnerabilities
- Policies and procedures in place
- Scanning with HP WebInspect, Nessus, etc.
- Vulnerability reports
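The "Vulnerability reports" item is where a scan becomes audit evidence: an auditor wants findings per host by severity and a remediation queue with owners, not the raw scanner output. The following is an added example, not from the OACP deck or any Penn tooling, that turns a Nessus CSV export into both. The rows are constructed for illustration, and the column layout (Plugin ID, CVE, CVSS, Risk, Host, Protocol, Port, Name, Synopsis, Description, Solution, See Also, Plugin Output) is the Nessus CSV export format as assumed here; check it against your own export before relying on the column names.

```python
"""Triage a Nessus CSV export into a per-host severity summary and a remediation
queue (added example; rows are constructed, column layout is assumed)."""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows. The header follows the Nessus CSV export layout (assumed);
# the two identical MS08-067 rows stand in for the same finding present in two exports.
SAMPLE_CSV = """\
Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name,Synopsis,Description,Solution,See Also,Plugin Output
10287,,0.0,None,10.0.0.5,udp,0,Traceroute Information,Traceroute information obtained.,Traceroute to the host.,n/a,,
51192,,6.4,Medium,10.0.0.5,tcp,443,SSL Certificate Cannot Be Trusted,Certificate cannot be trusted.,Chain does not end in a trusted root.,Generate a proper certificate for this service.,,
20007,,5.0,Medium,10.0.0.5,tcp,443,SSL Version 2 and 3 Protocol Detection,Weak protocol in use.,SSLv2 or SSLv3 is enabled.,Disable SSL 2.0 and 3.0 and use TLS.,,
34477,CVE-2008-4250,10.0,Critical,10.0.0.7,tcp,445,MS08-067: Microsoft Windows Server Service RCE,Arbitrary code execution.,Missing security update.,Apply the Microsoft patch.,,
34477,CVE-2008-4250,10.0,Critical,10.0.0.7,tcp,445,MS08-067: Microsoft Windows Server Service RCE,Arbitrary code execution.,Missing security update.,Apply the Microsoft patch.,,
34460,,7.5,High,10.0.0.7,tcp,80,Unsupported Web Server Detection,Web server is obsolete.,Version no longer supported.,Upgrade or remove the service.,,
"""

SEVERITY_ORDER = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def parse_nessus_csv(text):
    """Parse the export into dict rows keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def dedupe(rows):
    """Drop repeats of the same plugin on the same host/protocol/port (merged exports)."""
    seen, unique = set(), []
    for r in rows:
        key = (r["Plugin ID"], r["Host"], r["Protocol"], r["Port"])
        if key not in seen:
            seen.add(key)
            unique.append(r)
    return unique


def summarize_by_host(rows):
    """host -> {severity: count}; informational rows (Risk 'None') are excluded."""
    summary = defaultdict(Counter)
    for r in rows:
        if r["Risk"] != "None":
            summary[r["Host"]][r["Risk"]] += 1
    return {host: dict(counts) for host, counts in summary.items()}


def remediation_queue(rows, min_severity="High"):
    """Findings at or above min_severity, worst first, with the scanner's fix text."""
    threshold = SEVERITY_ORDER[min_severity]
    queue = [
        {"host": r["Host"], "port": r["Port"], "name": r["Name"], "risk": r["Risk"],
         "cvss": float(r["CVSS"]), "solution": r["Solution"]}
        for r in rows if SEVERITY_ORDER[r["Risk"]] >= threshold
    ]
    queue.sort(key=lambda f: (-SEVERITY_ORDER[f["risk"]], -f["cvss"]))
    return queue


if __name__ == "__main__":
    findings = dedupe(parse_nessus_csv(SAMPLE_CSV))
    for host, counts in sorted(summarize_by_host(findings).items()):
        print(host, counts)
    for f in remediation_queue(findings):
        print(f"{f['risk']:8s} {f['host']}:{f['port']}  {f['name']}  -> {f['solution']}")
```

Deduplicating on (plugin, host, protocol, port) matters when several exports are merged; without it the same unpatched host inflates the counts and the report overstates the backlog.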

IT Audit Areas of Focus (cont.)
Business Continuity/Disaster Recovery Plans
- University's Mission Continuity Program (MCP)
- Backup/recovery processes in place and periodically tested
- "Cookbook" checklists and steps
- Cross-training of staff to ensure operational continuity
Change Management
- Formalized processes to document changes
- Testing and acceptance of changes in a development environment
- Authorizations, approvals, back-out plans
Hardware/Software Inventory & Licensing Compliance
- Maintained and up-to-date IP lists and physical locations of hardware
- Software licensing compliance
- System Center Configuration Manager (SCCM; used by UPHS)
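Both the Backups/File Restores area ("processes developed and tested") and the Business Continuity item above ("backup/recovery processes in place and periodically tested") come down to the same evidence: a restore that was actually performed and checked against the originals. The following is an added example, not from the OACP deck or from any Penn procedure, of a restore test with hash verification: it backs up a directory to a tar archive, restores it to a scratch location and compares every file by SHA-256, then shows what the report looks like for a restore that lost one file and truncated another. The sample files are constructed and the paths are temporary.

```python
"""Backup restore test with hash verification (added example; the sample
files are constructed and all paths are temporary)."""
import hashlib
import os
import tarfile
import tempfile


def sha256_tree(root):
    """Map each file's path (relative, POSIX-style) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def backup(src_dir, archive_path):
    """Write every file under src_dir into a gzip tar with relative member names."""
    with tarfile.open(archive_path, "w:gz") as tar:
        for dirpath, _, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(dirpath, name)
                tar.add(full, arcname=os.path.relpath(full, src_dir))


def restore(archive_path, dest_dir):
    """Extract the archive. Use the 'data' filter where the interpreter offers it,
    so a tampered archive cannot write outside dest_dir."""
    with tarfile.open(archive_path, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest_dir, filter="data")
        else:
            tar.extractall(dest_dir)


def verify_restore(src_dir, restored_dir):
    """Compare the restored tree against the original, file by file."""
    expected, actual = sha256_tree(src_dir), sha256_tree(restored_dir)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "extra": sorted(set(actual) - set(expected)),
        "corrupt": sorted(p for p in expected if p in actual and expected[p] != actual[p]),
    }


def restore_test(src_dir):
    """Back up, restore to a scratch location, verify. All-empty lists mean a clean restore."""
    with tempfile.TemporaryDirectory() as work:
        archive = os.path.join(work, "backup.tar.gz")
        restored = os.path.join(work, "restored")
        backup(src_dir, archive)
        restore(archive, restored)
        return verify_restore(src_dir, restored)


def make_sample_tree(root):
    """Constructed 'critical files' for the demonstration."""
    os.makedirs(os.path.join(root, "db"))
    with open(os.path.join(root, "db", "ledger.csv"), "w") as fh:
        fh.write("id,amount\n1,100\n2,250\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("restore procedure, step 1: retrieve the offsite tape\n")


def demo():
    """Run a clean restore test, then show the report for a bad restore."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as bad:
        make_sample_tree(src)
        clean = restore_test(src)
        make_sample_tree(bad)  # simulate a restore that truncated one file and lost another
        open(os.path.join(bad, "db", "ledger.csv"), "w").close()
        os.remove(os.path.join(bad, "notes.txt"))
        broken = verify_restore(src, bad)
    return clean, broken


if __name__ == "__main__":
    clean, broken = demo()
    print("clean restore:", clean)
    print("bad restore:  ", broken)
```

Keep the verification report with the date and the archive used: that record, not the existence of the backup job, is what demonstrates that the process was tested.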

IT Audit Areas of Focus (cont.)
IT Training & End User Communication
- Updated training manuals and user guides
- Effective training programs and processes
- IT support
Policies and Procedures
- Clearly defined, documented, approved, and communicated
- Computing incident response and reports
- Updated and revised as necessary
- Adherence to University and Penn Medicine policies and all applicable regulatory requirements

IT Audit Observation Trends FY08-FY11
University and Health System units covered, including:
- HUP
- Pennsylvania Hospital
- Presbyterian Medical Center
- School of Medicine
- University Business Services Division
- University Division of Finance
- Dental School
- Division of Recreation
- Facilities Management
- Graduate School of Fine Arts
- Human Resources Division
- ISC
- UPHS Corporate ISD, Perelman SOM
- Law School
- Library
- Nursing School
- Provost Center
- Division of Public Safety
- SAS
- SEAS
- School of Social Work
- School of Veterinary Medicine
- VPUL
- Wharton
- Office of Billing Compliance

University/Penn Medicine IT Audit Observations FY08-FY11
(percent of the 192 IT observations identified during FY08-FY11)

Logical Security Protocols                            22%
Policies & Procedures                                 20%
Privacy Awareness & Third Party Management            16%
Hardware/Software Inventory & Licensing Compliance     7%
Network Environmental Controls                         6%
Web or OS Vulnerabilities                              5%
Business Continuity/Disaster Recovery Plans            5%
Change Management                                      5%
Physical Security                                      5%
Backups/File Restores                                  4%
IT Training & End User Communication & Readiness       3%
IT Strategic Plan                                      1%
Knowledge Transfer                                     1%

Other Stuff We Do
- IT Orientation (ITO)
- IT Roundtable
- Network Planning Task Force (NPTF)
- Network Policy Committee (NPC)
- IT Privacy Committee
- Security and Privacy Impact Assessment (SPIA)
- Super Users Group (SUG)
- Special Interest Groups (SIGs)

Stuff YOU Can Do
- Visit the IT Audit web site at www.upenn.edu/oacp/audit for the list of IT Audit services, internal controls guidance and whitepapers
- Target low-hanging fruit: basic security (Secure & Protect)
- Keep up-to-date computing resource inventories
  - Register all critical PennNet hosts
  - Update hardware/software inventories and applicable licenses
- Join SUG and other applicable mailing and special interest lists
- Participate in SUG, WebSig, PCNet, MacNet, Security-Sig, VoIP, Cloud and other Special Interest Group meetings as appropriate
- Keep up with the latest news from the IT Roundtable
- At least monthly, take a look at the Network Policy Committee (NPC) website at http://www.upenn.edu/computing/group/npc/

Questions and Discussion

Useful Web Links
- OACP: www.upenn.edu/oacp and www.penn.edu/oacp/audit
- University of Pennsylvania Privacy: www.upenn.edu/privacy
- SANS (SysAdmin, Audit, Network, Security) Institute: http://www.sans.org
- Penn Medicine Privacy: http://uphsxnet.uphs.upenn.edu/hipaa
- The Open Web Application Security Project (OWASP): https://www.owasp.org
- NIST Computer Security Resource Center (CSRC): http://csrc.nist.gov/publications/nistpubs/index.html
- Center for Internet Security (CIS): http://www.cisecurity.org
- Microsoft Security Guidance Center: http://www.microsoft.com/security/guidance/default.mspx

IT Audit Team Contact Information
- Kevin Secrest, IT Audit Manager, 215-573-4495, ksecrest@upenn.edu
- Dan Hill, Senior IT Audit Specialist, 215-746-2995, dwhill@upenn.edu
- Dominic Pasqualino, Senior IT Audit Specialist, 215-898-1933, dominicp@upenn.edu
- Ben Geevarghese, IT Audit Specialist, 215-573-4490, gben@upenn.edu