UNIVERSITY OF NORTH CAROLINA CHARLOTTE

Similar documents
UNIVERSITY OF NORTH CAROLINA CHAPEL HILL

STATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA FAYETTEVILLE STATE UNIVERSITY

STATE OF NORTH CAROLINA

STATE OF NORTH CAROLINA

STATE OF NORTH CAROLINA

STATE OF NORTH CAROLINA

General Information Technology Controls Follow-up Review

New Jersey State Legislature Office of Legislative Services Office of the State Auditor. November 16, 2015 to November 30, 2017

Article II - Standards Section V - Continuing Education Requirements

Subject: Audit Report 18-84, IT Disaster Recovery, California State University, Sacramento

Review of the Feasibility Plan for Coordinating Operations of the North Carolina Research and Education Network and the State Network Infrastructure

The Texas A&M University System Internal Audit Department MONTHLY AUDIT REPORT

Information Technology General Control Review

Office of Inspector General Office of Professional Practice Services

Department Of Public Utilities Multi Vendor Reading System (MVRS) 12 Months ended December 31, 2011

Statewide Information Technology Contingency Planning

26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC

The Texas A&M University System Internal Audit Department MONTHLY AUDIT REPORT

ISACA Survey Results. 27 April Ms. Nancy M. Morris, Secretary Securities and Exchange Commission 100 F Street NE Washington, DC

Subject: Audit Report 16-50, IT Disaster Recovery, California State University, Fresno

STATE OF NORTH CAROLINA

Any observations not included in this report were discussed with your staff at the informal exit conference and may be subject to follow-up.

REPORT 2015/010 INTERNAL AUDIT DIVISION

STATE OF NORTH CAROLINA

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

STATE OF NORTH CAROLINA

REPORT Bill Bradbury, Secretary of State Cathy Pollino, Director, Audits Division

STATE OF NORTH CAROLINA

Judiciary Judicial Information Systems

Postal Inspection Service Mail Covers Program

Table of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING

STATE OF NORTH CAROLINA

manner. IOPA conducts its reviews in conformance with Government Auditing Standards issued by the Comptroller General of the United States.

Internal Audit Follow-Up Report. Multiple Use Agreements TxDOT Office of Internal Audit

Any observations not included in this report were discussed with your staff at the informal exit conference and may be subject to follow-up.

Department of Public Safety and Correctional Services Information Technology and Communications Division

International Auditing and Assurance Standards Board (IAASB) International Federation of Accountants 545 Fifth Avenue, 14 th Floor New York, NY 10017

Audit and Compliance Committee - Agenda

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Texas A&M University: Learning Management System General & Application Controls Review

Aboriginal Affairs and Northern Development Canada. Internal Audit Report Summary. Audit of Information Technology Security.

Article I - Administrative Bylaws Section IV - Coordinator Assignments

STATE OF NORTH CAROLINA

STATE OF NORTH CAROLINA

Maryland Health Care Commission

REPORT 2015/149 INTERNAL AUDIT DIVISION

Information Technology Audit

NORTH CAROLINA NC MRITE. Nominating Category: Enterprise IT Management Initiatives

IS Audit and Assurance Guideline 2001 Audit Charter

Subject: University Information Technology Resource Security Policy: OUTDATED

Office of Internal Audit

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

REPORT 2015/186 INTERNAL AUDIT DIVISION

UNC Campus Security Initiatives Update. Business Affairs Committee May 9, 2017

Application for Certification

CASA External Peer Review Program Guidelines. Table of Contents

General Information System Controls Review

Taking the Mystery Out of Counting CPE. Opening Remarks

Office of MN.IT Services Data Centers

NHS Fife. 2015/16 Audit Computer Service Review Follow Up

Within our recommendations for editorial changes, additions are noted in bold underline and deletions in strike-through.

STATE OF NORTH CAROLINA

I n f o r m a t i o n S y s t e m s C y b e r s e c u r i t y A s s e s s m e n t

Decentralized IT General Controls Review: Student Affairs Systems Group

THE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES. Computer Administrative Rights Report No

REVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009

FOLLOW-UP REPORT Industrial Control Systems Audit

Effective: 12/31/17 Last Revised: 8/28/17. Responsible University Administrator: Vice Chancellor for Information Services & CIO

Information Security Program Audit Introduction and Survival Guide

Opportunities to Integrate Technology Into the Classroom. Presented by:

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

AUDIT UNITED NATIONS VOLUNTEERS PROGRAMME INFORMATION AND COMMUNICATION TECHNOLOGY. Report No Issue Date: 8 January 2014

HIPAA RISK ADVISOR SAMPLE REPORT

Standard for Security of Information Technology Resources

Disaster Recovery Planning. Office of Information Technology Services

Cybersecurity Act of 2015 Audit for NRC

ISO/IEC overview

INTERNAL AUDIT DIVISION REPORT 2017/138

Judiciary Judicial Information Systems

North Carolina Department of State Treasurer

Certified Information Security Manager (CISM) Course Overview

IT MANAGER PERMANENT SALARY SCALE: P07 (R ) Ref:AgriS042/2019 Information Technology Manager. Reporting to. Information Technology (IT)

North Carolina Visit and Assessment Tom Clarke Vice President for Research and Technology National Center for State Courts

Public Safety Canada. Audit of the Business Continuity Planning Program

Exploring the Maturity of Risk Management Process in Government: An Integrated ERM Model at the U.S. Department of Education

STATE OF NORTH CAROLINA

1997 Minna Laws Chap. February 1, The Honorable Jesse Ventura Governor 130 State Capitol Building

Internal Audit Department

Investigation. City of Edmonton Office of the City Auditor. ETS Workforce Development. January 14, 2019

In 2017, the Auditor General initiated an audit of the City s information technology infrastructure and assets.

ROLE DESCRIPTION IT SPECIALIST

Auditor General's Office

Electronic Signature Policy

UCLA AUDIT & ADVISORY SERVICES

ISACA CISA Review Course CHAPTER 1 THE IS AUDIT PROCESS

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

Certified Assessor. Application for COBIT Certified Assessor

IS Audit and Assurance Guideline 2002 Organisational Independence

300 Riverview Plaza Odysseus Marcopolus, Chief Operating Officer Trenton, NJ POLICY NO: SUPERSEDES: N/A VERSION: 1.0

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014

Transcription:

STATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA UNIVERSITY OF NORTH CAROLINA CHARLOTTE INFORMATION TECHNOLOGY GENERAL CONTROLS INFORMATION SYSTEMS AUDIT JULY 2017

EXECUTIVE SUMMARY PURPOSE The objective of this information systems audit at the University of North Carolina Charlotte (UNCC) was to assess the general and business process application controls that UNCC maintained. These controls are pursuant to the common information security framework adopted by the University of North Carolina system campuses. BACKGROUND The University of North Carolina Information Technology Security Council recommended the adoption of ISO 27002 Information Technology Security Techniques Code of Practice for Information Security Controls as the common security framework baseline for University of North Carolina system campuses. UNCC formally adopted the ISO 27002 security framework on December 22, 2011. KEY FINDINGS The results of the audit disclosed security deficiencies considered reportable under generally accepted government auditing standards. These deficiencies are reported to UNCC by separate letter in accordance with these standards. These items should be kept confidential as provided by North Carolina General Statute 132-6.1(c). UNCC agreed with our findings and recommendations. The key findings and recommendations may not be inclusive of all findings and recommendations in the report.

STATE OF NORTH CAROLINA Office of the State Auditor Beth A. Wood, CPA State Auditor 2 S. Salisbury Street 20601 Mail Service Center Raleigh, NC 27699-0600 Telephone: (919) 807-7500 Fax: (919) 807-7647 http://www.ncauditor.net AUDITOR S TRANSMITTAL The Honorable Roy Cooper, Governor Members of the North Carolina General Assembly Board of Trustees, University of North Carolina Charlotte Dr. Philip L. Dubois, Chancellor, University of North Carolina Charlotte Ladies and Gentlemen: We are pleased to submit this information systems audit report titled University of North Carolina Charlotte (UNCC) Information Technology General Controls. The audit objective was to assess whether IT controls maintained by UNCC were adequate pursuant to the common information security framework adopted by the University of North Carolina system campuses. The Office of the State Auditor performed this audit by authority of Article 5A of Chapter 147 of the North Carolina General Statutes and conducted it in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States. The results of our audit disclosed findings considered reportable under generally accepted government auditing standards. Due to their sensitivity, findings regarding security were reported to UNCC by a separate letter in accordance with these standards and should be kept confidential as provided in North Carolina General Statute 132-6.1(c). We express our appreciation to the management and staff of the University of North Carolina Charlotte for the courtesy, cooperation, and assistance provided us during the audit. Respectfully submitted, Beth A. Wood, CPA State Auditor

TABLE OF CONTENTS PAGE BACKGROUND... 1 OBJECTIVE, SCOPE, AND METHODOLOGY... 2 FINDINGS, RECOMMENDATIONS, AND RESPONSE... 3 Beth A. Wood, CPA State Auditor ORDERING INFORMATION... 4 Article V, Chapter 147 of the North Carolina General Statutes, gives the Auditor broad Article 5A, Chapter 147 of the North Carolina General Statutes, gives the Auditor broad powers to examine all powers to examine all books books, records, files, papers, documents, and financial affairs of every state agency and any organization that receives public funding. The Auditor also has the power to summon people to produce records and to answer questions under oath.

BACKGROUND

BACKGROUND University of North Carolina Charlotte The University of North Carolina Charlotte (UNCC) is one of 17 constituent institutions that make up the University of North Carolina System. UNCC s Information Technology Services (ITS) provides information technology services to administrators, staff, and students of the university and is responsible for centralized information technology management. ITS is headed by the Chief Information Officer (CIO), who reports directly to the Provost and serves on the Chancellor s Cabinet. ITS is comprised of seven areas: Enterprise Applications Enterprise Infrastructure Client Engagement University Research Computing Planning and Administration Center for Teaching and Learning Information Security Compliance The University of North Carolina Information Technology Security Council recommended the adoption of ISO 27002 Information Technology - Security Techniques - Code of Practice for Information Security Controls as the common security framework baseline for University of North Carolina system campuses. UNCC formally adopted the ISO 27002 security framework on December 22, 2011. 1

OBJECTIVE, SCOPE, AND METHODOLOGY

OBJECTIVE, SCOPE, AND METHODOLOGY The objective of this audit was to assess the general and business process application controls maintained by the University of North Carolina Charlotte (UNCC). These controls are pursuant to the common information security framework adopted by the University of North Carolina system campuses. The scope of our audit included IT general controls administered and maintained by UNCC s Information Technology Services; the College of Engineering; the College of Computing and Informatics; and the Student Health Center. The following IT general controls categories were included in the audit: IT governance Access controls Physical security Change management Configuration management Network administration Disaster recovery To accomplish our audit objectives, we gained an understanding of UNCC s policies and procedures, interviewed key UNCC administrators and other personnel, examined system configurations, examined system controls, reviewed appropriate technical literature, and reviewed computer-generated reports. Whenever sampling was used, auditors applied a nonstatistical approach. Therefore, results could not be projected to the population. This approach was determined to adequately support the audit conclusions. The audit fieldwork was conducted between January 2017 and March 2017. As a basis for evaluating controls, auditors applied the guidance contained in the International Organization for Standardization Standard 27002 (ISO 27002) for information technology security framework. Additionally, auditors applied the guidance contained in the COBIT (Control Objectives for Information and Related Technologies) framework issued by ISACA. COBIT is a comprehensive framework that helps enterprises in achieving their objectives for the governance and management of enterprise information and technology assets. We conducted this information systems audit in accordance with generally accepted government auditing standards (GAGAS). Those performance audit standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. 2

FINDINGS, RECOMMENDATIONS, AND RESPONSE

FINDINGS, RECOMMENDATIONS, AND RESPONSE The audit found security deficiencies considered reportable under generally accepted government auditing standards. These deficiencies are reported to the University by a separate letter in accordance with these standards. These items should be kept confidential as provided by North Carolina General Statute 132-6.1(c). UNCC agreed with our findings and recommendations. 3

ORDERING INFORMATION COPIES OF THIS REPORT MAY BE OBTAINED BY CONTACTING: Office of the State Auditor State of North Carolina 2 South Salisbury Street 20601 Mail Service Center Raleigh, North Carolina 27699-0600 Telephone: 919-807-7500 Facsimile: 919-807-7647 Internet: http://www.ncauditor.net To report alleged incidents of fraud, waste or abuse in state government contact the Office of the State Auditor Fraud Hotline: 1-800-730-8477 or download our free app. https://play.google.com/store/apps/details?id=net.ncauditor.ncauditor https://itunes.apple.com/us/app/nc-state-auditor-hotline/id567315745 For additional information contact: Brad Young Director External Affairs 919-807-7513 This audit was conducted in 1,100 hours at an approximate cost of $113,300. 4

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback