USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES
Cara King
Senior IT Auditor, OIAC
Topic Introduction
This presentation will highlight areas of focus for the upcoming USG Information Security Program Audit that will be conducted at the University System Office.
OIAC will be working closely with the USO and the USG CISO
Some Institutional involvement will be essential during the course of this audit
Expectations of the audit and examples of artifacts (to drive successful audit outcomes) are derived from the IT Handbook Sections 3 & 5 and the Audit Expectations Workbook.
Topic Objectives
Objective 1: Awareness of the audit, as Institutional involvement may be required.
Objective 2: To provide a sneak preview, as the procedures are still in development … more soon
Objective 3: The final plan will be distributed accordingly upon its completion.
Background Information
Board of Regents: 11.3 Information Security Policy
11.3.1 General Policy
11.3.2 System-Level Activities
11.3.3 Institutional Responsibilities
11.3.1 General Policy
The USO, all USG institutions, and the GPLS shall create and maintain an internal information security technology infrastructure consisting of an information security organization and program that ensures the confidentiality, availability, and integrity of all USG information assets.
11.3.2 System-Level Activities
The USG CISO shall:
develop and maintain an information security organization and architecture for support of information security across the USG and support of activities between institutions.
maintain information security implementation guidelines that the USO, all USG institutions, and the GPLS should consider in the development of their individualized information security plans.
11.3.3 Institutional Responsibilities
ensure appropriate and auditable information security controls are in place.
develop, implement, and maintain an individualized information security plan and submit for periodic review
methods for ensuring that information regarding the applicable laws, regulations, guidelines, and policies is distributed and readily available to its user community shall be included in the individualized information security plan.
clear procedures for reporting and handling of information security incidents shall be followed. These procedures shall include reporting of incidents to the USO in a timely manner, and shall be documented in the individualized information security plan.
BOR Policy Manual
Background Information
Board of Regents: 11.3 Information Security Policy
We all play respective roles in 11.3 policy adherence
One step toward adherence is the upcoming USG Information Security Program Audit
USG Information Security Program Audit
Timeline:
Planning phase: In progress
Field work: Will begin Summer 2014
Areas of Focus:
Information Security Management
Information Security Operations
Areas of Focus: Information Security Management
1. Governance
2. Risk Assessment (Procedures Still Being Developed)
3. Policies
4. IT Security Plan
1. Governance
Objective: Processes are in practice to assure applicable management oversight of the information security function.
Purpose: The purpose of information security governance is to ensure that the USO, SSC, USG, Georgia Archives and GPLS are proactively implementing appropriate information security controls to support their mission in an effective manner, while managing evolving information security risks.
1. Governance
Expectations for Audit:
security governance committee/security steering committee exists
security steering committee includes representation from key functional areas
committee members regularly attend committee meetings
security management communication process exists and reporting lines are clearly established
1. Governance:
Example Artifacts:
security governance committee/security steering committee charter
charter membership list
meeting schedule
minutes of selected committee meetings
verification of communication process
2. Risk Assessment
Expectations for Audit:
Risk assessments are regularly conducted to prioritize information security initiatives and ensure alignment with business risks.
Example Artifacts:
Recent risk assessment documents
3. Policies
Objective: Policies are created according to a defined format and are distributed following a distribution list based on subject matter and relevance, and the scope of the policies is appropriate to ensure that information security is adequate to address the organization's risk tolerance.
3. Policies
Expectations for Audit
Information security policies are adequate and complete.
Communication practices for disseminating information security policies are adequate.
3. Policies
Example Artifacts
Security policy documents
An agreement to comply with Information Security policies (internal to IT/external to IT)
Appropriate Use Policy
Laptop/desktop computer security policy
Internet usage policy
Firewall policy
E-mail security policy
Proof of policy awareness/communications
Location/site of the readily available policies
4. IT Security Plan
Objective: Translate business, risk and compliance requirements into an overall IT security plan:
Take into consideration the IT infrastructure and the security culture.
Ensure that the plan is implemented in security policies and procedures, together with appropriate investments in services, personnel, software and hardware.
Communicate security policies and procedures to stakeholders and users.
Review the security plan on a regular basis to determine that it is updated to reflect changes to the operating environment and new threats.
4. IT Security Plan:
Expectations for Audit:
A Security Plan exists, by which the security strategic plan is operationalized or implemented.
The Security Plan is adequate and complete.
The Security Plan is reviewed on a regular basis to determine that it is updated to reflect changes to the operating environment and new threats.
4. IT Security Plan:
Example Artifact
A copy of the IT security plan including version history
Areas of Focus: Information Security Operations
1. Security Testing and Monitoring (Procedures Still Being Developed)*
2. Incident Management: Response and Monitoring (Procedures Still Being Developed)*
3. Endpoint Security Management (Procedures Still Being Developed)*
4. Security Awareness, Training, and Education
*Procedures will be developed in accordance with the IT Handbook Section 5 update as it is published.
4. Security Awareness, Training, and Education
Objective:
One of the objectives/goals of the ITS Information Technology Strategic Plan 2010 is to increase the awareness of the workforce through a security awareness program. The USG cannot protect the confidentiality, integrity, and availability of information and information systems in today’s highly networked environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them. (IT Handbook Section 5.9.3.1)
4. Security Awareness, Training, and Education
Expectations for Audit
There is a strong Security Awareness, Training, and Education program
Training is conducted annually and attendance is mandatory
Role-based security education and awareness needs have been identified and provided to those individuals within the organization that have unique or specific information security responsibilities
A record of completed and needed security training is maintained.
4. Security Awareness, Training, and Education
Example Artifacts
Copy of the Security Awareness, Training, and Education program
Documented record of completed and needed security training
SUMMARY EXAMPLE ARTIFACTS, THUS FAR:
1. Security governance committee/security steering committee charter
2. Charter membership list
3. Meeting schedule
4. Minutes of selected committee meetings
5. Verification of communication process
6. Recent risk assessment documents
7. Security policy documents
8. Proof of policy awareness/communications
9. Location/site of the readily available policies
10. A copy of the IT security plan including version history
11. Copy of the Security Awareness, Training, and Education program
12. Documented record of completed and needed security training
Points of Contact
Kenyatta Morrison, Director of Information Technology Audit
Office: 404-962-3028
[email protected]
Cara King, Senior IT Auditor
Office: [email protected]
Thank You