Framework for IT Auditing in Higher Education of Information and Information Systems
1. Office of Internal Audit (OIA), Board of Regents of the University System of Georgia, June 8, 2009. Erwin (Chris) L. Carrow, IT Auditor, CISSP, INFOSEC, CSSP, CCNP, OCM, plus a bunch of others (Who Cares?). The IT Auditing Process (Everything you don't want to know about the impending IT Audit and are afraid to ask)
2. Schedule of Events
- 1. Introduction: Quick Hello
- 2. Orientation: Where are we at / Where do we want to go?
- Part I, II, III: OIA Background; Audit Process, Plan, and Expectations; and the On-site Audit
- Part IV: Example of How to Prepare COBIT 4.01
- (1 hour and break for Lunch)
- Part V: High Level Simple Application of Identity Management, Access Control, and Security Management
- Regroup Discussion: What do you want to focus on?
- 5. Lock into the Particulars and Do It
3. Agenda and Overview
- Audit Staff Background & Organizational Structure
- Audit Selection Process: Risk Assessment, Planning Process, Methodology, Scope of Application, Standards of Application
- Type of Audit / Role of Auditors: Federal, State, Campus, & BOR Audits
- Part II: Audit Process, Plan, and Expectations
- The Process: Notification to Final Report
- The Audit Finding & Follow-Up Process
- Part III: The On-site Audit
- Part IV: Example of How to Prepare COBIT 4.01
- Part V: High Level Simple Example
4. What IT Auditors are Not! (Despite the Similar Resemblance)
- We have Families and like being able to spend time with them
- We can Speak in other than Audit, Tech, and Business terminology
- We have no problems Sleeping at nights
5. Part I: OIA Background (The Untold Story)
6. Why We Audit: Mission & Charter
- Internal auditing is an independent appraisal activity authorized by the Board of Regents to examine, evaluate, and advise components of the University System of Georgia. The objectives of internal auditing are to assist members of the Board, the Chancellor, and institution management in the effective discharge of their responsibilities by furnishing them with analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed and by promoting efficient operations and effective controls.
- Internal Audit Charter approved by the Board of Regents
7. Staff Background & Organizational Structure
8. Audit Selection Process: Risk Assessment & Planning Process (The "Why Us?" Syndrome)
- OIA's Annual Risk Assessment
- Survey USG and System Office Leadership
- Survey members of the BOR
- Incorporate financial data, management turnover, fraud, state audit reports, and additional criteria
- USG institutions ranked by risk score
- Designed to ensure coverage of institutions with high risk
- Also designed to ensure OIA coverage at all USG institutions at least once every 3-4 years
- Specifies institution and broad categories in which to audit
- May also incorporate consulting engagements and other special projects
9. Audit Plan: We ask the Question, What High Critical Risks Exist?
- Determine how the categories of risk may or may not apply:
- Strategic: Affects the entity's ability to achieve goals and objectives
- Compliance: Affects compliance with laws and regulations, safety and environmental issues, litigation, conflicts of interest, etc.
- Reputational: Affects reputation, public perception, political issues, etc.
- Financial: Affects loss of assets, technology, etc.
- Operational: Affects on-going management processes and procedures
10. Audit Plan: The Focus on Risk, the High Critical Risks that Exist
11. Audit Methodology & Plan
- Provides a roadmap to the auditor on which areas to focus audit steps (assess controls)
- Preventive: controls to stop the problem from occurring
- Detective: controls to find the problem
- Corrective: controls to repair the problem after detection
- Administrative: policies, standards, guidelines, & procedures
- Technical: controls using hardware or software for processing & analysis
- Physical: controls to implement barriers or deterrents
- Based upon industry certification standards & requirements
12. Methodology & Scope of Audit
- Standards for the Methodology
- Institute of Internal Auditors (IIA - www.theiia.org)
- Information Systems Audit & Control Association (ISACA - www.isaca.org)
- Scope of Application: Area of Emphasis (Entity or Process)
- Usually focused on institution-wide processes, e.g., data classification, IT services, NOC, incident response / emergency planning, strategic planning, change management, etc.
- Will incorporate recommended focus areas from institutional leadership
- Scope can change during the course of an audit if warranted
13. Standards of Application
- COBIT 4.1 (Control Objectives for Information and related Technology)
- NIST (National Institute of Standards and Technology)
- ISO 17799/27001 (International Organization for Standardization)
- ITIL (Information Technology Infrastructure Library)
- Compliance and Regulatory Requirements (FISMA, FERPA, HIPAA, PCI, SOX, SCADA, etc.)
- Board of Regents Standards
- Institutions' Local Policies and Procedures
14. Evaluation Criteria - CMMI
- Common Maturity Model of Internal Controls
- Variants of the CMMI: CMM & ISO 15504
- Identifies WHERE you are at in the application of IT risk mitigation controls and HOW to get to the next level
- Level 0: No Recognizable Process, though one is needed
- Level 1: Process is Ad-hoc and performed by key individuals
- Level 2: Process is Repeatable, but not controlled
- Level 3: Process is Defined & Documented and periodically Evaluated
- Level 4: Managed & Measurable; effective Internal Controls with Risk Management
- Level 5: Optimized Enterprise-wide risk and control program
15. Areas Commonly Reviewed & Priority of Emphasis
- Information Technology Department (High)
- Auxiliaries (Low)
- Academic Units (Limited)
- Administrative Units (Medium)
16. Types of Audits: Federal, State, Campus, and Board of Regents
- Federal Auditors
- Rely on work of state auditors
- May focus on federal compliance (FISMA, FERPA, HIPAA, etc.), financial aid, and federal grants management
- State Auditors: Financial and Performance
- Financial / Operational auditors - external auditors validating internal controls and the AFR
- Performance auditors - external auditors focused on a specific system-wide process or policy issue
- Campus Auditors
- Generally focused on departmental reviews
- Report to institution President and USO Chief Audit Officer
- Board of Regents Auditors
- Shoot the gaps that other agencies do not address and engage with specific BOR or Legislative concerns
17. Policing the Process and Safe-Guarding What's Important: Purchase the Family Trunk Monkey!
18. Part II: Audit Process & Evaluation
19. The Process We Follow: From Notification to Final Report
- 1st Phase: Pre-Campus Work
- Notification Letter: Sent to President upon annual audit plan approval
- Engagement Letter: Sent to President approx. 30 days prior to start of audit
- Data Collection: Initial interviews, data requests, and network scans may take place prior to arrival on campus; the more we get ahead of time, the less we have to spend on site
- 2nd Phase: On-Campus Fieldwork
- Initiated with Entrance Conference (Line in the Sand)
- Scope of work may expand/contract
- Campus POC kept informed on audit progress and issues
- Wrap-Up meeting conducted at close of work summarizing initial results
- 3rd Phase: Post-Campus Work
- Draft Report prepared and sent as discussion document
- Exit Conference held either in person or via phone
- Official Draft Report sent requiring response from institution
- Institution's response incorporated in report
- Report published and distributed
20. Summary of Audit Flow Timeframes (flowchart on the slide; stages in order)
- Audit Letter with data request sent
- Preliminary assessment
- Entrance meeting & Audit field work
- Draft Report Sent
- Exit Conference with President
- Draft with Responses Returned
- Final Report with Responses issued
- Action items reviewed quarterly
- Timeframes shown on the slide: 30 Days, 30 Days, 2 to 6 weeks, 3 to 5 weeks
21. Auditing by the Numbers (Fear Factor)?
22. Audit: Application of Standards
- Standards & Identification
- Gather Information / Evidence
- Assess Control Weaknesses
- Calculate Level of Criteria Applied (CMMI)
- Analysis to Determine if Compliant with Standards
- Document Variances or Exceptions (Findings)
- Report Per Charter Requirements (Audit Rating)
23. Snapshot of Documentation Format
- General Area of Impact or Effect, e.g., Network infrastructure
- Finding: Identification of the Problem and Solution (typically a combination of exceptions weighted per threat or impact, e.g., the threat is likely, vulnerabilities exist, therefore loss can be expected if corrective action is not taken)
- Observation / Condition: Identify the context & weakness or lack of control
- Managerial Overview: short high-level summary of issues for upper management
- Technical Details: long, particularized explanation of the key issues
- Criteria: What Right Looks Like
- Cause: The Reason Why something is not right
- Risk / Effect: Problems because of the weakness or lack of control
- Recommendation: What is Required to correct the weakness or lack of control
- Minimums (non-negotiable)
- Ideal (optional and subject to capability or constraints)
- Management's Documented Response
24. Sample Audit Finding: Executive Summary
- Network Design, Security Architecture, .
- A review was made of the design and implementation of the Audited Entity's network. This review focused on the design of the network, the infrastructure used to support the network, and the ability of the network to support critical operations and recover from failures. The security of the network services and support infrastructure was also assessed. The following observations were noted:
- Report Item #1: Significant (Rating of Exception)
- Insecure protocols and access procedures were being used to configure, manage, and monitor network infrastructure resources. The use of insecure protocols could allow a potential attacker to create a network failure or take over network resources. (Problem Statement)
25. Sample Audit Finding: Observations, High Level
- Ensure secure connections and protocols are being used for operational configuration and management of remote services and resources. (Solution Statement)
- Observation: (When doing the audit these are the things we found)
- The procedures and protocols used to configure and manage the Audited Entity's resources were not using a secure process or protocols. Lack of a secure method of controlling critical resources could provide an opportunity for malicious intent. Hostile attackers could damage or take over improperly configured or managed network resources.
26. Sample Audit Finding: Observations, Low Level
- It was identified that  was the main method used to help mitigate risk. While this implementation would limit possible  to the remotely administrated devices, it does not mitigate or circumvent Zero Day application layer threats / vulnerabilities, , or trusted internal disgruntled users. More significant security precautions need to be given consideration and are addressed in the following observations.
- Session connectivity to remotely manage or configure a device should be established through a secure means. The Internet Operating System (IOS) on several of the routers should have been updated to accommodate Secure Shell (SSH) or Virtual Private Networking (VPN) for secure communication for configuration and management requirements.
- Both Telnet and Simple Network Management Protocol (versions 1 & 2c) were implemented for systems and applications that monitor and manage remote network infrastructure devices. Telnet is a clear-text transmission through a terminal command-line and should not be used for configuration and management access.
27. Sample Audit Finding: Criteria, Cause, Risk/Effect
- The exchange of sensitive system configuration and management information should be by means of a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt, and non-repudiation of origin.
- Lack of secure exchange of information due to the limitations of older systems or software that were used to support and manage the network infrastructure. Inappropriate procedures were being practiced for remotely accessing the network's critical services and resources.
- Lack of trusted means of communication for configuration and management of network infrastructure
- Sensitive information exposed or violation of system integrity by unauthorized parties
- Unauthorized access to or manipulation of key systems or resources
28. Sample Audit Finding: Recommendation / Response
- We recommend the following changes for configuration, management, and monitoring of the Audited Entity's network infrastructure resources.
- Discontinue Telnet protocol use for connections to remote resources unless . Secure Shell (SSH) or Virtual Private Network (VPN) connections should be used for all operational requirements.
- Simple Network Management Protocol (SNMP) versions 1 and 2c should be discontinued and version 3 utilized for all network management needs. For software applications that are dependent upon .
- The identified recommendations will be implemented by , who should complete the work not later than .
- Response was satisfactory
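The finding above (Telnet and SNMP v1/v2c used for device management, SSH/VPN and SNMPv3 recommended) can be turned into a repeatable audit step rather than a one-off observation. The following is an added example, not code from the OIA presentation: a small Python check that parses Cisco IOS-style running configuration text, flags vty lines that still accept Telnet and any v1/v2c community strings, and reports each exception in the deck's Observation / Criteria / Recommendation shape. The "before" and "after" configurations, the hostname, the community strings and the SNMPv3 group and user names are all constructed sample values.

```python
"""Management-plane protocol check (added example, not the OIA's own tooling).

Parses constructed Cisco IOS-style configuration text and reports the two
conditions from the sample finding: Telnet accepted for remote
administration and SNMP v1/v2c communities configured for monitoring.
"""
import re
from dataclasses import dataclass

# Constructed "before" configuration: Telnet still accepted on the first
# vty range and two v1/v2c community strings alongside an SNMPv3 group.
SAMPLE_CONFIG = """\
hostname lab-edge-1
ip ssh version 2
snmp-server community public RO
snmp-server community n0cwr1te RW
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha AuthPass priv aes 128 PrivPass
line con 0
 login local
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

# Constructed "after" configuration matching the slide's recommendation:
# SSH only on every vty line and SNMPv3 only.
HARDENED_CONFIG = """\
hostname lab-edge-1
ip ssh version 2
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha AuthPass priv aes 128 PrivPass
line vty 0 15
 transport input ssh
"""


@dataclass
class AuditException:
    """One exception in the deck's Observation / Criteria / Recommendation shape."""
    device: str
    observation: str
    criteria: str
    recommendation: str


def parse_config(text):
    """Return (hostname, vty blocks, snmp-server lines) from IOS-style text."""
    hostname, vty_blocks, snmp_lines, current = "unknown", [], [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith(" "):                      # indented: inside a block
            m = re.match(r"\s+transport input\s+(.+)", line)
            if current is not None and m:
                current["transport"] = m.group(1).split()
            continue
        current = None                                # any top-level line ends a block
        if line.startswith("hostname "):
            hostname = line.split(None, 1)[1]
        elif line.startswith("line vty"):
            current = {"range": line[len("line "):], "transport": None}
            vty_blocks.append(current)
        elif line.startswith("snmp-server "):
            snmp_lines.append(line)
    return hostname, vty_blocks, snmp_lines


SECURE_SESSION = "Remote management sessions use a secure transport (SSH or VPN)"
SNMPV3_ONLY = "Network management uses SNMPv3 with authentication and privacy"


def check_management_plane(text):
    """Evaluate one device configuration; return a list of AuditException."""
    hostname, vty_blocks, snmp_lines = parse_config(text)
    found = []
    for blk in vty_blocks:
        rng, transports = blk["range"], blk["transport"]
        if transports is None:
            # No explicit restriction: the platform default decides, so the
            # auditor must confirm it rather than assume SSH-only.
            found.append(AuditException(hostname,
                f"{rng}: no explicit 'transport input'; platform default must be verified",
                SECURE_SESSION, f"Set 'transport input ssh' on {rng}"))
        elif "telnet" in transports or "all" in transports:
            found.append(AuditException(hostname,
                f"{rng}: Telnet accepted (transport input {' '.join(transports)})",
                SECURE_SESSION, f"Set 'transport input ssh' on {rng}"))
    v3_present = any(l.startswith(("snmp-server group", "snmp-server user"))
                     and re.search(r"\bv3\b", l) for l in snmp_lines)
    for l in snmp_lines:
        m = re.match(r"snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?", l)
        if m:
            masked = m.group(1)[:2] + "***"           # never copy secrets into a report
            mode = m.group(2) or "RO"                 # an omitted mode means read-only
            fix = "Remove the community and migrate pollers to the SNMPv3 user"
            if not v3_present:
                fix += "; define an SNMPv3 group and user first"
            found.append(AuditException(hostname,
                f"SNMP v1/v2c community '{masked}' configured with {mode} access",
                SNMPV3_ONLY, fix))
    return found


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("after", HARDENED_CONFIG)):
        exceptions = check_management_plane(cfg)
        print(f"{label}: {len(exceptions)} exception(s)")
        for e in exceptions:
            print(f"  [{e.device}] {e.observation}\n      -> {e.recommendation}")
```

Run against the "before" text the check yields three exceptions (Telnet on `vty 0 4`, and the RO and RW communities); the "after" text yields none, which is the evidence an auditor would attach to the "Response was satisfactory" line. Community strings are masked in the output so the worksheet itself does not become a credential store.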
29. The Report: Individual Finding Ratings
- Through investigation and analysis, a number of exceptions generated are often summarized to identify a weakness or risk and create a Finding
- The impact of a Finding can be classified in one of the four following ways:
- Insignificant = Nominal violations of procedures, rules or regulations. Not included in report. Corrective action suggested verbally, but not required.
- Notable = Minor violation of policies and procedures; and/or weak internal controls; and/or opportunity to improve effectiveness and efficiency. Moderate risk identified. Corrective action recommended.
- Significant = Significant violation of policies/procedures/laws; and/or poor internal controls; and/or significant opportunity to improve effectiveness and efficiency. Significant risk identified. Corrective action required.
- Major = Major violation of policies/procedures/laws; and/or unacceptable internal controls; and/or high risk for fraud/waste/abuse; and/or major opportunity to improve effectiveness and efficiency. Major risk identified. Immediate corrective action required.
- Relationship of Exception(s) to Finding can be One to One or Many to One
30. Overall Report Ratings
- The overall rating is typically based on the number and type of Findings
- Excellent = Few notable observations. No internal control weaknesses noted, good adherence to laws, regulations and policies. Excellent control environment.
- Good = Several notable and/or one or two significant observations. Minor violations of policies and procedures. No violation of laws. Minor opportunities for improvement.
- Fair = Many notable observations and/or few significant observations. Several notable violations of policy. Minor violations of regulations. No violations of laws. Moderate opportunities for improvement.
- Poor = Several significant observations and no major observations. Controls were weak in one or more areas. Noncompliance with policies/regulations put the University/College at risk. Violation of law (not serious). Substantial opportunities for improvement.
- Adverse = Several significant observations or one or more major observations. Significant risk for noncompliance with policies/regulations. Serious violation of laws. Significant opportunities for improvement.
31. Audit Finding Follow-Up Process
- Our expectations from leadership upon completion of the audit draft report
- Response to audit report is to be provided in the form of an action plan: WHO will do WHAT to implement the recommendation by WHEN
- Status of action plan is reported on a quarterly basis to the BOR Audit Committee until the issue is resolved
32. Snapshot of Evidence Gathering Process (Typically Inductive to Deductive Approach)
33. What Does Evidence Look Like?
- Definition: Evidence must be Sufficient, Reliable and Relevant
- The various types of audit evidence that the IS auditor should consider using include:
- Observed processes and existence of physical items, e.g., a computer room security system in operation
- Documentary audit evidence, e.g., activity and control logs, system development documentation
- Representations, e.g., written policies and procedures, system flowcharts, written or oral statements
- Analysis, e.g., benchmarking IS performance against other organizations or past periods; comparison of error rates between applications, transactions and users
- Evidence gathering procedures considered are: Inquiry, Observation, Inspection, Confirmation, Re-performance, and Monitoring
- Audit evidence should be useful to form an opinion or support the findings and conclusions.
- Evidence gathered should be appropriately documented and organized to support the findings and conclusions.
34. We Help Support the Process, We are Life Savers! Purchase the First-Aid Trunk Monkey!
35. Part III: The On-site Audit (Preliminaries, Logistics & Execution)
36. Part III: The On-site Audit Preliminaries
37. Sample Engagement Letter To Your Institution's Leadership
- Dear Dr. So and So or Whomever:
- In accordance with the Internal Audit Plan approved by , we plan to conduct an audit of Audited Entity University's network and associated systems beginning on Date. This letter is to confirm .
- The audit engagement will constitute an independent and objective service performed on behalf of the Board of Regents. The purpose of this audit will be to evaluate .
- The scope of the audit will include such areas as:
- Identity Management; the management of user credentials and the means by which users might log on to and use various systems or resources, e.g., the provisioning and de-provisioning of student, faculty, staff, and outside agencies' identities
- Access Control; the mechanisms in place to permit or deny the use of a particular resource by a particular entity, e.g., technical or administrative controls to allow or deny access to file shares
- Perimeter and Network Security; the provisions made in an underlying computer network infrastructure to protect network-accessible resources from unauthorized access and the effectiveness of these measures.
- Please note that the scope of the audit is subject to change/modification during the course of the audit. Please designate an individual that will serve as your representative and primary contact for the audit. Additional information regarding our audit process, as well as specific requests for logistical assistance, is attached. Please have these materials assembled and ready for review by Date.
- Engagement Letter of Generic - Revised Aug 2008.doc
38. Sample Engagement Letter: Attachments Included
- A Practical list of Procedures and Requirements
- Work Space: Room, Desk, printer, etc.
- Technical Assistance: VPN capability, etc.
- BOR Engagement Process and Request for Logistical Assistance.doc
- IT Auditor Technical Needs and Requirements
- Audited Entity's Policies, Procedures, Guidelines, etc.
- Audited Entity's Topology, Configs, Hardware, etc.
- Data Store(s) Access Requirements for Testing
- IT Audit Request List-Generic - Reduced.doc
- Script(s) to Apply to the Data Store(s)
- Oracle Audit Privileges.doc and Audit Steps for Oracle Databases.doc
- Contact will be made with the Audited Entity's CIO / CISO by the Auditor to Negotiate the practicality of technical needs and requirements
39. Part III: The On-site Audit Logistics and THE PLAN
40. Sample Audit Plan (OIA Internal Use by the Auditors) - Situation
- What Risk or Requirement justifies a specific Audit (Implementation of the Tactical guidance and associated functional requirements)?
- What Critical Business process or function needs to be assessed and why?
- What precedence is there for an investigation or the gathering of evidence?
- What regulatory or policy compliance issues exist to support the goals and objectives for a specific audit?
- How does this one audit fit into the bigger picture, e.g., time, resources, the Tactical / Strategic goals, and other auditor agencies that will audit our institution?
- Is the goal to place emphasis upon Risk Assessment, Risk Management, or Risk Avoidance?
- What Critical Process Information is available to support the goals and objectives for a specific audit?
- Will the process be deductive (investigation of predefined particulars to prove some hypotheses) or inductive (the collection of facts that may or may not reveal patterns or activities that introduce risk)?
41. Sample Audit Plan (OIA Internal Use by the Auditors) - Other Considerations
- Pre-Audit Considerations or Outcomes:
- Define what is to be audited and the associated outcomes, scope and criteria.
- What process of examining and validating documents, data, processes, procedures, systems, or other activities will be used to ensure that the audited entity complies with objectives?
- What set of business rules, system controls, government regulations, or security policies will be used to measure and determine compliance of the audited entity?
- Define expected outcomes or results which the audit will produce, e.g., a report which identifies  (goals or objectives resulting from the audit).
42. Sample Audit Plan (OIA Internal Use by the Auditors) - Mission
- Mission (goals and objectives):
- The OIA IT department will conduct an audit of Audited Institution or entity name on date of onsite audit to validate that appropriate controls and procedures exist to mitigate the potential threat of inappropriate access to the Institute's network and resources. The focus of the audit will review:
- The management of user credentials and the means by which users might log on to and use various systems or resources, e.g., the provisioning and de-provisioning of student, faculty, staff, and outside agencies' identities
- The mechanisms in place to permit or deny the use of a particular resource by a particular entity, e.g., technical or administrative controls to allow or deny access to file shares
- The provisions made in an underlying computer network infrastructure to protect network-accessible resources from unauthorized access and the effectiveness of these measures.
43. Sample Audit Plan (OIA Internal Use by the Auditors) - Execution of Audit
- Execution (Operational Requirements - Part 1):
- The explanation of how critical characteristics of the mission will be completed - what steps and / or processes are involved to complete the mission:
- Controls to be assessed are: preventive, detective, corrective, administrative, technical, and physical (Need to address specifics per the types of systems being employed at the Audited Entity)
- Audit programs / processes to support the mission and target specific application of controls, the individuals who will complete each set of tasks, and the time to be invested during the audit - Identity Management (50%), Access Control (25%), Network and Perimeter Security (25%)
- Key system(s) to be evaluated are the major network support systems associated with user access:
- Data Stores: Banner, PeopleSoft, Other database systems
- Directory services (NDS, AD, LDAP, etc.)
- One Card system, and others
- User access to network resources and associated policies and procedures for: NOC, Administration, Auxiliary Services, Faculty, Students
- Internal and external network devices
44. Sample Audit Plan (OIA Internal Use by the Auditors) - Execution of Audit
- Execution (Operational Requirements - Part 2):
- Standards for the Audit Methodology
- Standards for the execution of the audit will comply with IIA guidance. Processes or outcomes will be measured using Industry Standard business practices identified in ISACA (COBIT 4.01) and the additional guidelines where applicable, e.g., NIST, ISO, ITIL, BPM, Local Policies, etc.
- CMMI level 3 will be the minimum criteria for measuring key processes for maturity
- Objectives and milestones of the audit (programs and process) to support the mission
45. Sample Audit Plan (OIA Internal Use by the Auditors) - C3
- Command, Control, & Communication:
- Key Leadership contact information and communication procedures or protocol expected
- Key shareholders (contact information): President, Chief Business Officer, Chief Information Officer, Chief Security Officer, and is there a local campus auditor?
- Are there any special requirements or considerations outside of our normal operations?
- Logistics: Resources required to complete the mission; Identify & coordinate logistical requirements
- The audited institution or entity's location
- Travel mileage and driving time from USG BOR to Institution / Hotel
- Timeline and general schedule of hours to be invested
- Support needs to conduct the audit or coordinate, e.g., office space, interview rooms, parking passes, etc.
- Coordination and scheduling with the audited entity POC in how the audit evidence will be gathered and what resources are needed, e.g., people for interviews, IT systems, documentation, etc.
- Communications: notification and dialogue required to complete the mission
- Key shareholders: regular situational audit updates to the audited entity
- Interviewees: coordination and conduct: Administration or Operational Services, e.g., IT, HR, etc.; Functional Faculty; Auxiliary Service or outside agencies contracted to support the audited entity
- Colleagues (peer auditors) and superiors: special or general guidance as the process progresses
46. Sample Audit Plan (OIA Internal Use by the Auditors) - Safety
- Safety (physical or political considerations):
- Sensitivity to issues that are local to the audited entity
- Assessments involving or around resources or equipment that are hazardous
- Avoidance of placing the auditor in a situation that could compromise the integrity of the evidence being gathered or their personal character
47. With Your IT Auditor Around, You have no need to fear! Purchase the Karate Trunk Monkey!
48. Part III: The On-site Execution of Audit
49. Your Institution - Audit Objectives (Sample of Business Logic and Associated Risk Areas: Understanding the Objective)
- Your Institution plays a vital role for the Audit Entity needs of USG. Loss of the Audit Entity's functionality would have a major impact on your institution's capability to (business practice, controls to mitigate risk, and / or effect if not protected or working properly) in support of USG development, growth, cost, etc., or adversely impact USG's image.
- Possible areas to be reviewed:
- Governance, Administration, Policies and Procedures
- Physical Security and Environmental Controls
- Network Design and Security Architecture
- User Management / Logical Access to Applications and Sensitive Data
- Incident and Disaster Response
- Change Management, Systems Monitoring and Trend Analysis
50. Your Institution - Plan of Action
- Gather Information / Evidence
- Interviews with key personnel
- Test and Validate Objectives
- Document initial analysis (informal)
- Dialogue and gain Confirmation of Observations
- Dialogue and gain Common Understanding of Exceptions and Findings
- Get Key Shareholders to Sign Audit Report Worksheets (ARWs)
- Up until the final report is completed, dialogue will continue with the audited entity regarding findings
51. Your Institution - Schedule of Events
- Support the Auditor's logistical needs and evidence gathering requirements (sent with engagement letter)
- Key shareholders schedule time for Interviews with personnel requested
- Need to provide an institutional administrative contact to coordinate interviews and logistics, e.g., 10:00 AM at Building A, room 120, with Joe or Jill Somebody.
- Order of precedence: leadership to line worker, or dean / director to faculty
- Need to speak with key areas' leadership the 1st week
- Hours of operation from 8:00 to 7:00 (with working lunch; split shift is possible if needed; 45-60 minutes per each interview)
- Leadership should recommend others as needed
- Interviewees will need to be from key functional areas
- Need to have physical access to system resources or locations to assess and confirm controls (e.g., look over the shoulder or direct access)
- Auditor will provide status updates to your institution's audit POC each week
- Brief exit meeting with Key leadership to address ARWs
52. Did Someone Mention Break?
53. Part IV - Example of How to Prepare: BIA, CMMI, and COBIT 4.01
54. Education versus Industry
- Everyone's goal in USG is to: Create a More Educated Georgia by providing Information Technological service and support for functional and operational business needs or requirements
55. IT Challenges and Business Requirements - Where are you at? Can seem like HERDING CATS! (EDS "Cat Herding" video, 1:07 minutes)
56. IT Challenges and Business Requirements - Where are you at? Can seem like herding cats!
- Business Functions and Processes?
- Herding Cats can have its challenges
- Herding Cats has its risks
- Education is distinct from Industry practices due to:
- Diversity of Administrative Operational Requirements
- Fluctuation of Functional Instructor / Faculty Requirements
- Educational requirements do overlap with Industry!
- Business rules and requirements, e.g., compliance, integrity, confidentiality, availability, effectiveness, reliability, efficiency, etc.
- Processes, e.g., domains (scope of application for controls), procedures, operational activities, etc.
- Resources, e.g., people, information, infrastructure, applications, etc.
57. Pitch Hit Fingers in Dike #1: Where are you at? Prioritizing the process. We Do Understand!
58. Pitch Hit Fingers in Dike #2: Real World, Real Problems. We Are Concerned!
59. Pitch Hit Fingers in Dike #3: Running out of Fingers? We Recognize the Challenge!
60. Know Yourself, Know Your Enemy! The Art of War (Chinese: 孫子兵法; pinyin: Sūn Zǐ Bīng Fǎ) is a Chinese military treatise that was written during the 6th century BC by Sun Tzu.
- Two Possible, not Recommended, Responses to the Challenge
- Freak Out: Embrace Hopelessness, Hide, Ignore, Deny, and Play Computer games until the Inevitable Occurs
- Idealistic and Unrealistic: Do the Don Quixote (To Dream the Impossible Dream and Fight the Impossible Fight) - Wear yourself out Fighting Windmills by shooting at whatever pops its head out!
- Third Approach: How do you Eat the Elephant standing in the corner, Instead of Avoiding it? Take ONE BITE at a time by:
- Creating a deliberate Long term Plan
- Identifying Short term Objectives and Milestones
- Gaining Key Shareholder ownership of the challenges
- Testing and Monitoring the process with Identifiable Outcomes
61. Making a Lose / Lose Situation a Win / Win
- Givens: A perfect IT Operational environment does not exist! You will have Exceptions and Findings (if not, you should complain about the auditor)
- Priority of effort should be directed to likely threats for known vulnerabilities by:
- Affirming good controls and practices
- Uncovering unknown vulnerabilities
- Focus upon what is essential for the success of Your Institution's Business Functions, which are comprised of:
- Business Rules or Requirements: A statement that defines or constrains some aspect of the business. It is intended to assert business structure or to control or influence the behavior of the business.
- Business Standards or Practices: A related group of business processes that support some aspects of the mission of an enterprise.
62. Dealing with the Nuts: The Old Way! Assessing Risk? (20th Century Fox, "Ice Age", 1:55 min)
63. Nuts Can Be Challenging: Business Process, Gathering and Storing NUTS, and the Big Squeeze
- Tasks of Dealing with the NUTS
- 3. The Big Squeeze? Operational versus Functional needs!
- What are the Associated Risks?
(20th Century Fox, "Ice Age")
64. In Time, Nut Requirements Change: The New Way! Risk Assessment? (20th Century Fox, "Ice Age 2: The Meltdown", 55 sec)
65. Different Nuts, Different Methods: History has a Way of Repeating Itself!
- Old Ways can Influence New Ways of ,
- Different Business Requirements: Use of Different Methods (Variety of NUTS)
- Sometimes the NUTS get Bigger and Harder to CRACK
- Risk may Change or Increase!
(20th Century Fox, "Ice Age 2: The Meltdown")
66. Making Peanut Butter Out of Nuts. Moral: Life is Always Going to Be a Little Squirrelly.
- Business function Goals and Objectives can make the IT requirements a little NUTTY
- Risk Implications associated with IT Implementations are NOT always CONSIDERED
- Clearly Define the Task: Try making PEANUT BUTTER out of a difficult situation; it is easier to Store
(20th Century Fox, "Ice Age 2: The Meltdown")
67. A Business Function's Rules and Practices
- What are the Business Principles in Operation?
- Reasons - Why you do things a certain Way
Control Objectives for Information and related Technology
(COBIT) 68. Business Requirements Objectives and Rules of
Engagement
- Requirements Who needs it?What is it suppose to do?How do I
ensure its?
69. IT Resources New or Existing
- Resources: Who or what is involved for the implementation & maintenance?
  - Applications: What systems are involved?
  - Information: What Data Dependencies exist?
  - Infrastructure: What will the current or new IT environment require?
  - People: Who will it support?
70. IT Processes Operational Considerations
- Processes: What is the scope of functionality for the business implementation and what needs to be done to make it work?
  - Domains: Who or what is involved?
  - Processes: What major events will occur?
  - Activities: What individual events must support those processes?
71. Four Principles for Consideration Does a process exist or a means in place for?
- 1st: Top-down Risk Based identification of threats and vulnerabilities for key Business processes and related IT support processes, e.g., change management, access security, operations, etc. (General Risk Assessment)
- 2nd: Control of IT Risk that affects critical IT functionality in financially significant applications and related data (Particularized Risk Assessment)
- 3rd: Layered IT controls to mitigate risk for application program code, databases, operating systems, and the network (Operational processes that align with precedence of Risk)
- 4th: Risk mitigation based upon Business and IT control objectives (not the limitations of individual controls); have an IRP, DRP, & BCP
72. Four Principles for Consideration Possible Suggestions!
- 1st: Security Policy that supports the IT Strategic Plan and identifies the general scope of application (General Risk Assessment)
- 2nd: Detailed Risk Assessment that is conducted and evaluated periodically
- 4th: Business and IT control objectives are aligned (IRP, DRP, & BCP) Justify Response
Layers shown: Change Management, Operations Security, Application, Database, Operating System, Network Infrastructure
73. COBIT 4.01 Business Rules, Requirements and Practices How Are Processes Evaluated?
74. Sample Key Process Ecommerce, e.g., One Card System Requirements?
- Business Rules and Requirements (step 1)
- Capacity and Performance Measurement (Quality of Service being delivered, step 4)
- Controls to Measure and Mitigate Risk (Security of Service provided, step 5)
- Contingency Planning & Rehearsal (step 6)
Access Control? Identity Management? Regulatory PCI Constraints and Requirements? Vendors? Network Infrastructure and Security?
75. Example: One Card System Identity Management
- Thinking About Identity Management (IdM)
  - Is management ready to meet the challenges of IdM?
  - Is there enough buy-in to implement an IdM program effectively and efficiently?
  - What are the prevailing perceptions and expectations of IdM?
  - Has the IT strategic plan been updated to reflect the need or concern for IdM?
  - Has management considered the impact of IdM on the organization's long-term strategy?
  - Is the corporate culture ready for and accepting of change?
  - Has a risk assessment been performed on the current environment?
  - What are the limitations with regard to resources that can be dedicated to implementing an IdM solution?
  - Are the resources centralized or decentralized?
76. Example: One Card System Identity Management
- Planning for the Implementation of Identity Management (IdM)
- IT Inventory and Resources
  - Has an analysis and assessment of the IT architecture (hardware, software and resources) been performed?
  - Will new web servers, OSs, DBs, and applications be required for the implementation?
  - Is the legal department up to date on the latest privacy laws and their impact on maintaining and protecting data?
  - Are users shared between organization units, and if so how?
  - Has the impact on the restructuring of IT operations as a result of the IdM implementation been considered?
  - Have designated IT resources for the implementation of IdM been assigned?
  - Has a clear budget been established for the implementation?
  - Is the entity's data classified into different categories (confidential, sensitive, public access)?
  - Has an assessment of alternate forms of authentication been performed (e.g., PKI, biometrics)?
77. Example: One Card System Identity Management
- Meeting the Needs of the Business
  - What are the business needs and expectations of the organization's management and IT department? How will IdM help meet these expectations?
  - Are the needs of the organization's management aligned with those of the IT department?
  - Does the IT department have the necessary resources, time and funding to meet or exceed the expectations of management?
  - Is there a timeline/deadline associated with the implementation of IdM?
  - Has a process review been performed (identifying key areas for streamlining and reducing costs)?
  - Have all applications been mapped to a timed life cycle?
  - Has a segregation of duties been established for implementing IdM?
  - Has management communicated to the users of the organization regarding IdM?
  - Has a cost-benefit analysis been performed?
  - Have external implications been considered (laws, regulations, etc.)?
  - What will the new IdM savings be benchmarked against?
78. Business Impact Analysis (BIA) The ABCs by the Numbers (CISA Study Guide, SYBEX, 2006)
79. Areas of Concern BIA to Contingency Planning (Principles of Information Security, Thompson, 2007)
80. One Method of Service Support and Risk Assurance Purchase the IT Trunk Monkey!
81. COBIT 4.01 What Is It? Four Major Areas of Review
- Plan and Organize (PO): Provides direction to solution delivery (AI) and service delivery (DS)
- Acquire and Implement (AI): Provides the solutions and passes them to be turned into services
- Deliver and Support (DS): Receives the solutions and makes them usable for end users
- Monitor and Evaluate (ME): Monitors all processes to ensure that the direction provided is followed
82. COBIT 4.01 Narrowing the Scope Delivery and Support (DS)
- DS1 Define and Manage Service Levels
- DS2 Manage Third-party Services
- DS3 Manage Performance and Capacity
- DS4 Ensure Continuous Service
- DS5 Ensure Systems Security
- DS6 Identify and Allocate Costs
- DS7 Educate and Train Users
- DS8 Manage Service Desk and Incidents
- DS9 Manage the Configuration
- DS12 Manage the Physical Environment
13 Categories
83. DS5 Ensure Systems Security
- DS5.1 Management of IT Security
- DS5.3 Identity Management
- DS5.4 User Account Management
- DS5.5 Security Testing, Surveillance and Monitoring
- DS5.6 Security Incident Definition
- DS5.7 Protection of Security Technology
- DS5.8 Cryptographic Key Management
- DS5.9 Malicious Software Prevention, Detection and
Correction
- DS5.11 Exchange of Sensitive Data
11 Sub-Categories
84. DS5.3 Identity Management Goals and Objectives
- DS5.3 Identity Management
- Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms.
- Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities.
- Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person.
- Maintain user identities and access rights in a central repository.
- Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.
85. Logical Didactic Approach DS5.3 Identity Management (How it is Evaluated)
- Control over the IT process of Ensure systems security that satisfies the business requirement for IT of maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents
  - by defining IT security policies, plans and procedures, and monitoring, detecting, reporting and resolving security vulnerabilities and incidents
  - Understanding security requirements, vulnerabilities and threats
  - Managing user identities and authorizations in a standardized manner
  - Testing security regularly
  - Number of incidents damaging the organization's reputation with the public
  - Number of systems where security requirements are not met
  - Number of violations in segregation of duties
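An added example (not from the presentation or from ISACA) of how an auditor could test the DS5.3 objectives of slide 84 over an access-rights register and produce two of the DS5 metrics named on slide 85: segregation-of-duties violations and systems where a security requirement is not met. The register, the central directory, and the owner and administrator names are all constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessGrant:
    """One row of a constructed access-rights register (sample data, not a real system)."""
    user_id: str
    system: str
    right: str
    requested_by: str    # user management (the user's supervisor)
    approved_by: str     # system owner
    implemented_by: str  # security-responsible person
    business_need: str   # documented job requirement or ticket; "" if none


# Constructed central repository: each user identity maps to the people behind it.
# A shared login shows up as one user_id with several people, so it is not
# uniquely identifiable as DS5.3 requires.
DIRECTORY = {
    "jsmith": ["Jane Smith"],
    "rlee": ["Ron Lee"],
    "regdesk": ["Pat Cole", "Ann Diaz"],   # shared registrar desk account
}
# Constructed role tables: who may approve for each system, who may implement.
SYSTEM_OWNERS = {"onecard": {"owner.cole"}, "payroll": {"owner.hr"}}
SECURITY_ADMINS = {"sec.admin1", "sec.admin2"}


def audit_grants(grants, directory=DIRECTORY, owners=SYSTEM_OWNERS, admins=SECURITY_ADMINS):
    """Check each grant against the DS5.3 objectives.

    Returns (findings, metrics): findings keyed by objective, and the two DS5
    metrics: count of segregation-of-duties violations and the number of
    systems with at least one unmet security requirement.
    """
    findings = {"unknown_identity": [], "not_unique": [], "sod": [], "no_business_need": []}
    for g in grants:
        people = directory.get(g.user_id)
        if people is None:
            findings["unknown_identity"].append(g)   # not in the central repository
        elif len(people) != 1:
            findings["not_unique"].append(g)          # shared or ambiguous identity
        # Request, approval and implementation must be three different people,
        # the approver must own the system, and the implementer must be security staff.
        distinct = len({g.requested_by, g.approved_by, g.implemented_by}) == 3
        if (not distinct
                or g.approved_by not in owners.get(g.system, set())
                or g.implemented_by not in admins):
            findings["sod"].append(g)
        if not g.business_need.strip():
            findings["no_business_need"].append(g)   # no documented business need
    failing_systems = {g.system for group in findings.values() for g in group}
    metrics = {
        "sod_violations": len(findings["sod"]),
        "systems_not_meeting_requirements": len(failing_systems),
    }
    return findings, metrics


# Constructed sample register: one clean grant and three that each miss an objective.
SAMPLE_GRANTS = [
    AccessGrant("jsmith", "onecard", "cardholder.read", "mgr.a", "owner.cole", "sec.admin1", "TKT-101"),
    AccessGrant("rlee", "payroll", "payroll.write", "mgr.b", "mgr.b", "sec.admin1", "TKT-102"),
    AccessGrant("regdesk", "onecard", "cardholder.read", "mgr.a", "owner.cole", "sec.admin2", ""),
    AccessGrant("tmp01", "onecard", "admin", "mgr.a", "owner.cole", "owner.cole", "TKT-103"),
]

if __name__ == "__main__":
    found, met = audit_grants(SAMPLE_GRANTS)
    for objective, rows in found.items():
        for g in rows:
            print(f"{objective:18} {g.user_id:8} {g.system:8} {g.right}")
    print(met)
```

Each finding maps back to one sentence of DS5.3, so the same run doubles as working-paper evidence for the auditor and as a to-do list for the business owner.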
86. How We Measure Success? Maturity Model CMMI DS5 Snapshot (Criteria)
- DS5 Ensure Systems Security - Management of the process of Ensure systems security that satisfies the business requirements for IT of maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents is:
- 0 Non-existent when The organization does not recognize the need for IT security. Responsibilities and accountabilities are not assigned. There is a complete lack of a recognizable system security administration process.
- 1 Initial/Ad Hoc when The organization recognizes the need for IT security. Awareness of the need for security depends primarily on the individual. IT security is addressed on a reactive basis. IT security is not measured. Detected IT security breaches invoke finger-pointing responses. Responses to IT security breaches are unpredictable.
- 2 Repeatable but Intuitive when Responsibilities and accountabilities for IT security are assigned to an IT security ..., although the management authority ... Awareness of the need for security is fragmented and limited. Although security-relevant information ..., it is not analyzed. IT security is seen primarily as the responsibility and domain of IT and the business does not see IT security as within its domain.
- 3 Defined when Security awareness exists and is promoted by management. IT security procedures are defined and aligned with IT security policy. Responsibilities for IT security are assigned and understood, but not consistently enforced. An IT security plan and security solutions exist as driven by risk analysis. Reporting on security does not contain a clear business focus. Ad hoc security testing (e.g., intrusion testing) is performed. Security training is available for IT and the business, but is only informally scheduled and managed.
- 4 Managed and Measurable when Responsibilities for IT security are clearly assigned, managed and enforced. IT security risk and impact analysis is consistently performed. Security policies and procedures are completed with specific security baselines. ... User identification, authentication and authorization are standardized. Security certification is pursued for staff members ... Security testing is completed using standard and formalized processes, leading to improvements of security levels. IT security reporting is linked to business objectives. IT security training is conducted. IT security training is planned and managed in a manner that responds to business needs and defined security risk profiles. Goals and metrics for security management have been defined but are not yet measured.
- 5 Optimized when IT security is a joint responsibility of business and IT management and is integrated with corporate security business objectives. IT security requirements are clearly defined, optimized and included in an approved security plan. Users and customers are increasingly accountable for defining security requirements, and security functions are integrated with applications at the design stage. Security incidents are promptly addressed with formalized incident response procedures supported by automated tools. Periodic security assessments are conducted to evaluate the effectiveness of the implementation of the security plan. Information on threats and vulnerabilities is systematically collected and analyzed. Adequate controls to mitigate risks are promptly communicated.
87. COBIT 4.01 Standards to NIST Mapping Integration with other Standards (Alignment of IT Controls to Mitigate Risk)
88. NIST 800-53, Revision 1 Standards Terminology and Application
89. Sample Key Process Ecommerce, e.g., One Card System
- Solutions to Other Questions Relating to the Ecommerce system
  - Plan and Organize (PO): Provides direction to solution delivery (AI) and service delivery (DS): PO1, PO4, PO5, PO6, PO8, PO9, PO10, and PO11
  - Acquire and Implement (AI): Provides the solutions and passes them to be turned into services: AI5 and AI4
  - Deliver and Support (DS): Receives the solutions and makes them usable for end users: DS1, DS5 and DS11
- Map the requirements to your preferred checklist, e.g., NIST or ISO
- Requirements for Ecommerce Complement other Processes
  - Less work required for other system implementations
  - No duplication of effort if requirements are properly addressed
- Identity Management applies to many different other process requirements, e.g., Applications, Operating Systems, and Databases
90. COBIT 4.0-4.01 Available Mappings
- ISACA web site at www.isaca.org/cobitmapping (many more available than listed here)
- A few of the available mappings
  - COBIT Mapping: Mapping of NIST SP800-53 with COBIT 4.1
  - COBIT Mapping: Mapping of CMMI for Development V1.2 With COBIT 4.0
  - COBIT Mapping: Mapping of ISO/IEC 17799:2000 With COBIT, 2nd Edition
  - COBIT Mapping: Mapping of ISO/IEC 17799:2005 With COBIT 4.0
  - COBIT Mapping: Mapping of ITIL With COBIT 4.0
- Other planned detailed mappings include:
  - COBIT Mapping: Mapping of ITIL V3 With COBIT 4.1
  - COBIT Mapping: Mapping of COSO ERM With COBIT 4.1
  - COBIT Mapping: Mapping of ISO 20000 With COBIT 4.1
  - COBIT Mapping: Mapping of CMMI for Development V1.2 With COBIT 4.1
  - COBIT Mapping: Mapping of PMBOK With COBIT 4.1
  - COBIT Mapping: Mapping of ISO/IEC 1220 With COBIT 4.1
  - COBIT Mapping: Mapping of ISO 19770-1 With COBIT 4.1
91.
- Did Someone Mention Another Break?
92.
- Part V High Level Simple Example:
- Identity Management, Access Control, & Network Security
93. Birthing of a New Approach? Purchase the Birthing Trunk Monkey!
94. Entities Assessed During the Audit Scope of Application: Areas of Emphasis (Entity or Process)
- IAM: Identity and Access Control Management
  - Identity Management: the management of user credentials and the means by which users might log onto and use various systems or resources, e.g., the provisioning and de-provisioning of student, faculty, staff, and outside agencies' identities
  - Access Control: the mechanisms in place to permit or deny the use of a particular resource by a particular entity, e.g., technical or administrative controls to allow or deny access to file shares
- NETSEC: Perimeter and Network Security
  - The provisions and management for the underlying computer network infrastructure to protect network-accessible resources from unauthorized access and the effectiveness of these measures
95. Users Involved in Business Functions and Types of System Information? (Provisioning of High Risk or Critical Information)
- Business Functional responsibility for assigning Rights & Permissions to various roles within the organization
  - Business Owner: Responsible for the provisioning and delegation of the processes or functions and associated privileges, e.g., Payroll, Registrar, FinAid, HR, ConEd, etc.
  - Trustees: Responsible to maintain trust granted by the Business owner, e.g., Worker Bees in the associated departments that conduct day to day operations
  - Stewards: Responsible to service and support the business function, typically provide a technical system or infrastructure to facilitate business needs, e.g., ITS, OIIT, etc.
- Types of Information (Data Classification) per BOR's BPM
  - Unrestricted / Public: No consequence, typically general information
  - Sensitive: typically references legal or externally imposed constraints that require this restriction
  - Confidential: highest level of restriction, applies to the risk or harm that may result from disclosure or inappropriate use, e.g., FERPA
96. Following the Business Function Information from Origin to Destination
- We Identify how the information travels and is managed throughout the business function life cycle!
  - Technical Considerations: How packets of data are managed, provisioned, formatted, and transferred throughout business functions
  - Administrative Considerations: How the handling of information is conducted per the classification of this information and its intended use
- Attempt to assess information and information system security from various perspectives
97. High level Simple Example Paradigm Shift CAN YOU DO IT?
- Technology Management of User Space and Services through Security Threat Gateways
  - Techniques and Current Management Practices
  - Recognition of the Challenges for Network Infrastructure Security
  - User Profile Characteristics and Service Needs Identification Process
  - Tactical Significance of the Security Threat Gateway in Mitigating Risk
98. Overall Audit Plan & Program: Summary of Situation
- The methodology for auditing the Information Systems assessment will be a Top Down approach
  - Business Goals to Standards and Practices
  - Business Function to Information System
  - Leadership (administrator) to Technician or Staff member (end user)
- The approach will focus on key business functions and their associated Business Goals and Objectives as they relate to IAM and NETSEC.
- Once identified and agreed upon for each business function, the key associated requirements, resources, and processes will be identified and assessed to determine if high or critical risk is being managed.
- Focus will be upon Control Practices and Responsibility / Accountability associated with key activities, with an expected CMMI level 3 criteria for High Risk Critical processes.
99. High level Simple Example Traditional Network Paradigm
- Techniques and Current Management Practices
100. Management of User Space and Services - Threat Controls
- Recognition of the Challenges for Network Infrastructure Security
Principles of Information Security, Thompson, 2007 Your Institution's Security Topology!
101. Management of User Space and Services - Regulatory Compliance
- Further Recognition of the Challenges for Network Infrastructure Security
CISA Study Guide, SYBEX, 2006 The LAW: We Are Not Exempt!
102. Management of User Space and Services Through Security Threat Gateways
- Discussion (Relate it to COBIT):
  - User Profile Characteristics and Service Needs Identification Process
    - Survey Business Functionality (Goals and Objectives)
    - IT Service Needs Identification (Rules and Requirements; Scope, Processes, and Activities; and Resources)
    - Virtual Playgrounds (Context of the Audited Entities)
      - User Space (IT, Faculty, Staff, Students, etc.)
      - Service Space (access to various resources and services)
  - Tactical / Operational Significance of the Security Threat Gateway in Mitigating Risk (Controls for the Audited Entities)
103. Your Institution's Business Functions for (the Audited Entities) - What Rules and Practices Exist?
- Contextualize the Issues!
- What are the Business Principles in Operation?
- Reasons - Why you do things a certain Way
- Who are the Key Shareholders?
Control Objectives for Information and related Technology (COBIT)
104. Identity Management, Access Control, and Network Security Business Rules, Requirements and Practices Self-Evaluated? Do a Check-up If the Vision is Unclear, the Cost is Always too Much!
105. Management of User Space and Services Through Security Threat Gateways Sample User Survey
- Some of the questions to pose in the survey may look like this:
- What information technology services do you need to perform your duties? Please briefly describe how you use technology on a daily basis.
- Do you use email, and if so do you require that it be sent securely, so no one but the intended user can read it? If so, please describe a practical example in the past where this was necessary or would have been beneficial.
- Do you use or exchange data that may be considered sensitive, and if so briefly describe how you do this?
- Do you need information technology when you travel, or do you work from home? If so, what resources do you need access to, and for what purpose?
- How long have you been with the organization and what is your current position?
- How often do you use some type of information technology, and what level of knowledge or experience would you classify yourself as, e.g., novice, intermediate, expert, or somewhere in between?
- Does your department have any special needs or requirements that may introduce a threat to the overall information technology services on our network?
SurveyMonkey.com: free, easy, and effective
106. Management of User Space and Services Through Security Threat Gateways Sample User Services
107. Management of User Space and Services Through Security Threat Gateways Virtual Play Grounds Controls to Mitigate or Avoid Risk?
108. Management of User Space and Services Through Security Threat Gateways Identity Management Choke Points
- No longer a FRONT-DOOR Issue
  - We live in a glass house with no closed doors and lots of open windows; we need a 3D solution
    - User Space, Service Space, and STGs
  - The challenge is internal and can be without boundaries
- Boundaries must be how YOU draw them
  - Proactively rethink through the Traditional Topology paradigm
  - The STG Channels Resource Access
  - Define boundaries and regulate the channels to ..
    - Control and Mitigate Risk
  - People are the biggest vulnerability on the network
    - Political Fiefdoms and Turf Battles for freedom of expression?
    - Work with them or against them?
    - Give them a virtual Playground with clearly defined boundaries
109. Management of User Space and Services Through Security Threat Gateways Tactical Network Paradigm Shift
- Match user needs to services
- Fluid controls in place to mitigate risk
- Create Security Threat Gateways to control and mitigate risk
110. Management of User Space and Services Through Security Threat Gateways Keys of Success to Mitigate Risk
- Step 1: Clearly Poll and Define User Needs and Requirements (Business Function!)
- Step 2: Identify Policy and Legal Requirements
- Step 3: Create and Segregate into Logical Buckets (Spaces & Places)
  - Service Groups (Service Space)
- Step 4: Map out the Topology and Physical Requirements
  - Physical Hardware / software
  - Routing, Switching, IDS, IPS, DAM
- Step 5: Redefine Security Requirements and Implement Security Threat Gateways (the Perimeter is Everywhere)!
- Step 6: Create the Virtual User Playground
- Step 7: Document, Manage, and Monitor User Activity and Resources
111. Summary Overview of IT Audits
- Audit Process, Plan, and Expectations
- Example of How to Prepare COBIT 4.01
- Simple Example Security Threat Gateways
112. Key Resources
- Web App Consortium - www.webappsec.org
- EDUCAUSE - educause.edu/security
- Univ. Austin Texas Sec. - security.utexas.edu
- Univ. Cornell Sec. - www.cit.cornell.edu/security
- Virginia Tech Sec. - security.vt.edu
- Ga. Tech Info Sec. Center - www.gtisc.gatech.edu
- Video Clips - www.imdb.com/video/screenplay
113. Call to Action & Challenge Birds of a Feather, Flock Together or Life is For the Birds Be Different? PIXAR, For the Birds, 3:16 minutes
114. Where are you in the Process of Preparation for the Audit? Standing Alone? IT Can Seem a Little Funny, BUT IT WILL WORK OUT! Moral: Don't Drink the Kool-Aid and Be Caught with Your Shorts Down. Possible Situation: The Emperor has No Clothes - Who is Going to Tell Him? Disclaimer: All PUNS are intended, and should not be held against the Retarded Auditor or OIA
115. Discussion & Questions? Suggestion?
- Build Relational Bridges of Trust with Superiors - even though it Requires a Level of Vulnerability (I am an Idealist; USE Wisdom; hopefully, we have built one today)
- Strategize a Plan to Address the Elephant in the Corner
  - Step 1: Where are your weaknesses for the Areas being Audited?
  - Step 2: What will it take to get to CMMI level 3?
  - Step 3: Who else needs to be included in the solution process?
  - Step 4: Make a physical list of resources that need to be accessed
  - Step 5: Notify Key Shareholders of their involvement and what you need from them to be successful!
  - Step 6: Take the time left before your audit and backward plan!
  - Step 7: No one likes ugly surprises; you can run, but you can't hide!