USG INFORMATION SECURITY PROGRAM AUDIT:  ACHIEVING SUCCESSFUL AUDIT OUTCOMES

Cara King

Senior IT Auditor, OIAC

Topic Introduction

This presentation will highlight areas of focus for the upcoming USG Information Security Program Audit that will be conducted at the University System Office.

OIAC will be working closely with the USO and the USG CISO

Some Institutional involvement will be essential during the course of this audit

Expectations of the audit and examples of artifacts (to drive successful audit outcomes) are derived from the IT Handbook Sections 3 & 5 and the Audit Expectations Workbook.

Topic Objectives

Objective 1: Awareness of the audit as Institutional

involvement may be required.

Objective 2: To Provide a Sneak Preview as the

procedures are still in development … more soon

Objective 3: Final plan will be distributed accordingly upon its completion

Background Information

Board of Regents: 11.3 Information Security Policy

11.3.1 General Policy 11.3.2 System-Level Activities 11.3.3 Institutional Responsibilities

11.3.1 General Policy

The USO, all USG institutions, and the GPLS shall create and maintain an internal information security technology infrastructure consisting of an information security organization and program that ensures the confidentiality, availability, and integrity of all USG information assets.

11.3.2 System-Level Activities

The USG CISO shall:

develop and maintain an information security organization and architecture for support of information security across the USG and support of activities between institutions.

maintain information security implementation guidelines that the USO, all USG institutions, and the GPLS should consider in the development of their individualized information security plans.

11.3.3 Institutional Responsibilities

ensure appropriate and auditable information security controls are in place.

develop, implement, and maintain an individualized information security plan and submit for periodic review

methods for ensuring that information regarding the applicable laws, regulations, guidelines, and policies is distributed and readily available to its user community shall be included in the individualized information security plan.

clear procedures for reporting and handling of information security incidents shall be followed. These procedures shall include reporting of incidents to the USO in a timely manner, and shall be documented in the individualized information security plan.

BOR Policy Manual

Background Information

Board of Regents: 11.3 Information Security Policy

We all play respective roles in 11.3 policy adherence

One step toward adherence is the upcoming USG Information Security Program Audit

USG Information SecurityProgram Audit

Timeline: Planning phase: In progress Field work: Will begin Summer 2014

Areas of Focus: Information Security Management Information Security Operations

Areas of Focus: Information Security Management

1. Governance2. Risk Assessment (Procedures Still Being

Developed)

3. Policies 4. IT Security Plan

1. Governance

Objective: Processes are in practice to assure applicable management oversight of the information security function.

Purpose: The information security governance is to ensure that the USO, SSC, USG, Georgia Archives and GPLS are proactively implementing appropriate information security controls to support their mission in an effective manner, while managing evolving information security risks.

1. Governance

Expectations for Audit:

security governance committee/security steering committee exists

security steering committee includes representation from key functional areas

committee members regularly attend committee meetings

security management communication process exists and reporting lines are clearly established

1. Governance:

Example Artifacts:

security governance committee/security steering committee charter

charter membership list

meeting schedule

minutes of selected committee meetings

verification of communication process

2. Risk Assessment

Expectations for Audit: Risk Assessments are regularly conducted

to prioritize information security initiatives and ensure alignment with business risks.

Example Artifacts: Recent risk assessment documents

3. Policies

Objective: Policies are created according to a defined format and are distributed following a distribution list based on subject matter and relevance, and the scope of the policies are appropriate to ensure that the information security is adequate to address the risk tolerance.

3. Policies

Expectations for Audit

Information security policies are adequate and complete.

There is adequacy of communication practices related to the dissemination of information security policies.

3. Policies

Example Artifacts

Security policies documents An agreement to comply with Information Security

policies (internal to IT/external to IT) Appropriate Use Policy Laptop/desktop computer security policy Internet usage policy Firewall policy E-mail security policy

Proof of policy awareness/communications

Location/site of the readily available policies

4. IT Security Plan

Objective: Translate business, risk and compliance

requirements into an overall IT security plan: Taking into consideration the IT infrastructure and the

security culture Ensure that the plan is implemented in security

policies and procedures, together with appropriate investments in services, personnel, software and hardware.

Communicate security policies and procedures to stakeholders and users.

The security plan is reviewed on a regular basis to determine that it is updated to reflect changes to the operating environment and new threats.

4. IT Security Plan:

Expectations for Audit:

There exists a Security Plan, by which the security strategic plan is operationalized or implemented.

Adequacy and completeness of the Security Plan.

The Security Plan is reviewed on a regular basis to determine that it is updated to reflect changes to the operating environment and new threats.

4. IT Security Plan:

Example Artifact

A copy of the IT security plan including version history

Areas of Focus: Information Security Operations

1. Security Testing and Monitoring (Procedures Still Being Developed)

2. Incident Management (Procedures Still Being Developed) Response and Monitoring

3. Endpoint Security Management (Procedures Still Being Developed)

1. *Procedures will be developed in accordance with IT HB Sect 5 update as it is published.

4. Security Awareness, Training, and Education

4. Security Awareness, Training, and Education Objective:

One of the objectives/goals of the ITS Information Technology Strategic Plan 2010 is to increase the awareness of the workforce through a security awareness program. The USG cannot protect the confidentiality, integrity, and availability of information and information systems in today’s highly networked environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them. (IT Handbook Section 5.9.3.1)

4. Security Awareness, Training, and Education

Expectations for Audit

There is a strong Security Awareness, Training, and Education program

Training is conducted annually and attendance is mandatory

Role-based security education and awareness needs have been identified and provided to those individuals within the organization that have unique or specific information security responsibilities

There is record of completed and needed security training maintained

4. Security Awareness, Training, and Education

Example Artifacts

Copy of the Security Awareness, Training, and Education program

Documented record of completed and needed security training

SUMMARY EXAMPLE ARTIFACTS, THUS FAR:

1. Security governance committee/security steering committee charter

2. Charter membership list3. Meeting schedule4. Minutes of selected committee meetings5. Verification of communication process6. Recent risk assessment documents 7. Security policies documents8. Proof of policy awareness/communications 9. Location/site of the readily available policies10. A copy of the IT security plan including

version history11. Copy of the Security Awareness, Training,

and Education program 12. Documented record of completed and

needed security training

Points of Contact

Kenyatta MorrisonDirector of Information Technology Audit Office: 404-962-3028 kenyatta.morrison@usg.edu

Cara King Senior IT AuditorOffice: 404-962-3024cara.king@usg.edu

Thank You