USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES
Cara King
Senior IT Auditor, OIAC
Topic Introduction
This presentation will highlight areas of focus for the upcoming USG Information Security Program Audit that will be conducted at the University System Office.
OIAC will be working closely with the USO and the USG CISO
Some Institutional involvement will be essential during the course of this audit
Expectations of the audit and examples of artifacts (to drive successful audit outcomes) are derived from the IT Handbook Sections 3 & 5 and the Audit Expectations Workbook.
Topic Objectives
Objective 1: Awareness of the audit as Institutional
involvement may be required.
Objective 2: To Provide a Sneak Preview as the
procedures are still in development … more soon
Objective 3: Final plan will be distributed accordingly upon its completion
Background Information
Board of Regents: 11.3 Information Security Policy
11.3.1 General Policy 11.3.2 System-Level Activities 11.3.3 Institutional Responsibilities
11.3.1 General Policy
The USO, all USG institutions, and the GPLS shall create and maintain an internal information security technology infrastructure consisting of an information security organization and program that ensures the confidentiality, availability, and integrity of all USG information assets.
11.3.2 System-Level Activities
The USG CISO shall:
develop and maintain an information security organization and architecture for support of information security across the USG and support of activities between institutions.
maintain information security implementation guidelines that the USO, all USG institutions, and the GPLS should consider in the development of their individualized information security plans.
11.3.3 Institutional Responsibilities
ensure appropriate and auditable information security controls are in place.
develop, implement, and maintain an individualized information security plan and submit for periodic review
methods for ensuring that information regarding the applicable laws, regulations, guidelines, and policies is distributed and readily available to its user community shall be included in the individualized information security plan.
clear procedures for reporting and handling of information security incidents shall be followed. These procedures shall include reporting of incidents to the USO in a timely manner, and shall be documented in the individualized information security plan.
BOR Policy Manual
Background Information
Board of Regents: 11.3 Information Security Policy
We all play respective roles in 11.3 policy adherence
One step toward adherence is the upcoming USG Information Security Program Audit
USG Information SecurityProgram Audit
Timeline: Planning phase: In progress Field work: Will begin Summer 2014
Areas of Focus: Information Security Management Information Security Operations
Areas of Focus: Information Security Management
1. Governance2. Risk Assessment (Procedures Still Being
Developed)
3. Policies 4. IT Security Plan
1. Governance
Objective: Processes are in practice to assure applicable management oversight of the information security function.
Purpose: The information security governance is to ensure that the USO, SSC, USG, Georgia Archives and GPLS are proactively implementing appropriate information security controls to support their mission in an effective manner, while managing evolving information security risks.
1. Governance
Expectations for Audit:
security governance committee/security steering committee exists
security steering committee includes representation from key functional areas
committee members regularly attend committee meetings
security management communication process exists and reporting lines are clearly established
1. Governance:
Example Artifacts:
security governance committee/security steering committee charter
charter membership list
meeting schedule
minutes of selected committee meetings
verification of communication process
2. Risk Assessment
Expectations for Audit: Risk Assessments are regularly conducted
to prioritize information security initiatives and ensure alignment with business risks.
Example Artifacts: Recent risk assessment documents
3. Policies
Objective: Policies are created according to a defined format and are distributed following a distribution list based on subject matter and relevance, and the scope of the policies are appropriate to ensure that the information security is adequate to address the risk tolerance.
3. Policies
Expectations for Audit
Information security policies are adequate and complete.
There is adequacy of communication practices related to the dissemination of information security policies.
3. Policies
Example Artifacts
Security policies documents An agreement to comply with Information Security
policies (internal to IT/external to IT) Appropriate Use Policy Laptop/desktop computer security policy Internet usage policy Firewall policy E-mail security policy
Proof of policy awareness/communications
Location/site of the readily available policies
4. IT Security Plan
Objective: Translate business, risk and compliance
requirements into an overall IT security plan: Taking into consideration the IT infrastructure and the
security culture Ensure that the plan is implemented in security
policies and procedures, together with appropriate investments in services, personnel, software and hardware.
Communicate security policies and procedures to stakeholders and users.
The security plan is reviewed on a regular basis to determine that it is updated to reflect changes to the operating environment and new threats.
4. IT Security Plan:
Expectations for Audit:
There exists a Security Plan, by which the security strategic plan is operationalized or implemented.
Adequacy and completeness of the Security Plan.
The Security Plan is reviewed on a regular basis to determine that it is updated to reflect changes to the operating environment and new threats.
4. IT Security Plan:
Example Artifact
A copy of the IT security plan including version history
Areas of Focus: Information Security Operations
1. Security Testing and Monitoring (Procedures Still Being Developed)
2. Incident Management (Procedures Still Being Developed) Response and Monitoring
3. Endpoint Security Management (Procedures Still Being Developed)
1. *Procedures will be developed in accordance with IT HB Sect 5 update as it is published.
4. Security Awareness, Training, and Education
4. Security Awareness, Training, and Education Objective:
One of the objectives/goals of the ITS Information Technology Strategic Plan 2010 is to increase the awareness of the workforce through a security awareness program. The USG cannot protect the confidentiality, integrity, and availability of information and information systems in today’s highly networked environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them. (IT Handbook Section 5.9.3.1)
4. Security Awareness, Training, and Education
Expectations for Audit
There is a strong Security Awareness, Training, and Education program
Training is conducted annually and attendance is mandatory
Role-based security education and awareness needs have been identified and provided to those individuals within the organization that have unique or specific information security responsibilities
There is record of completed and needed security training maintained
4. Security Awareness, Training, and Education
Example Artifacts
Copy of the Security Awareness, Training, and Education program
Documented record of completed and needed security training
SUMMARY EXAMPLE ARTIFACTS, THUS FAR:
1. Security governance committee/security steering committee charter
2. Charter membership list3. Meeting schedule4. Minutes of selected committee meetings5. Verification of communication process6. Recent risk assessment documents 7. Security policies documents8. Proof of policy awareness/communications 9. Location/site of the readily available policies10. A copy of the IT security plan including
version history11. Copy of the Security Awareness, Training,
and Education program 12. Documented record of completed and
needed security training
Points of Contact
Kenyatta MorrisonDirector of Information Technology Audit Office: 404-962-3028 [email protected]
Cara King Senior IT AuditorOffice: [email protected]
Thank You