Washington State Auditor’s Office

Washington’s Statewide IT Risk Assessment

National State Auditors Association IT Conference

September 24, 2015

Troy Niemeyer, Deputy Director of State Audit

About today’s presentation

- About the Washington State Auditor’s Office
- What is a statewide IT risk assessment, and why did we conduct one?
- What were we looking for?
- How to start?
- Who to include?
- Results!
- Survey results from other states
- Next steps
- Risk assessment tool

About our Office

- Established in state constitution
- Based in the state capitol of Olympia, Washington
- State Auditor is elected every four years
- Jan Jutte, CPA, CGFM – Acting State Auditor
  - First “acting” elected official in Washington state history
  - First CPA to hold the State Auditor role
  - First female State Auditor

About our Office

We audit:
- 190 state agencies: Comprehensive Annual Financial Report (CAFR), Statewide Single Audit (SWSA), accountability (compliance), performance, fraud and state whistleblower program
- 1,950+ local governments: financial, single, accountability and fraud

About our Office

- 390 audit and support staff
- Three state agency audit teams, including the Statewide Technology Audit Team (STAT)
- 13 local audit teams throughout the state, including Local Information Systems Audit (Team LISA)
- One Performance Audit team

IT Risk Assessment: What it is

- Roadmap
- Tool
- Guide
- A three-year audit plan for our IT audit team
- Can be updated
- Can be repeated

IT Risk Assessment: What it’s not

- Not an audit
- No public report
- No findings or opinions
- No conclusions
- No recommendations to agencies

Why conduct a risk assessment?

- Desire to do additional IT audit work
- Priority of state auditor
- Recent IT performance audits:
  - Safe Data Disposal: Protecting confidential information
  - Opportunities to Improve State IT Security
- Improving state budget
- Earlier approach fragmented and lacked strategic direction

How should we go about it?

- Internally? How long would it take? How much would it cost?
- Hire a contractor? We wanted an outside, independent perspective
  - “We don’t know what we don’t know”
  - Provides instant credibility

Contract deliverables

- Inventory of state IT systems
- What are the biggest risks facing our state?
- What is our role in auditing those risks?
- How should the Office be organized to do additional IT audit work?

Which agencies should we include?

- Consider materiality to CAFR & SWSA
- Eliminate one-timers
- Eliminate universities and community/technical colleges
- Include State Board of Community & Technical Colleges
- Brainstorm to judgmentally add or eliminate others
- No more than 25 agencies
- Ended up with 27 state agencies, including the three IT oversight agencies

The 27 agencies we included in the assessment

- Chief Information Officer
- Consolidated Technology Services
- Enterprise Services
- Financial Management
- Social and Health Services
- Health
- Veterans Affairs
- Revenue
- Transportation
- Commerce
- Corrections
- State Investment Board
- Employment Security
- Military Department (National Guard)
- Labor and Industries
- Natural Resources
- Early Learning
- Ecology
- Fish and Wildlife
- State Board of Community & Technical Colleges
- Administrative Office of the Courts
- Superintendent of Public Instruction
- Licensing
- Retirement Systems
- State Patrol
- State Treasurer
- Health Care Authority

Preliminary steps: Outreach

- Letter to all agencies (included or not)
- Key IT leaders at OCIO, CTS, DES
- Agency directors and deputies
- Audit liaisons
- Governor's Office
- Entrance/kickoff: 61 people attended
- Exit conference next month

Easing the pain

- Try to make the process painless
- Gather information centrally
- Use information that already exists
- Limit the amount of agency staff time needed

Documents reviewed

- Policies, reports, project dashboard on the OCIO website
- Disaster Recovery/Business Continuity Plan
- IT portfolio information
- IT audit results (three years)
- Agency IT risk assessment results
- Vulnerability assessment results
- Penetration testing results

Statewide and agency risk categories

- Planning and Managing IT Portfolios
- Approval and oversight of IT Investments
- IT Risk Assessment
- Managing IT projects
- Ensuring security of IT assets
- Disaster recovery/business continuity
- Enterprise architecture
- Enterprise-wide services
- Emerging technologies
- Contracting and procurement
- Vendor management
- System life cycle requirements
- Maintenance and operations

Statewide and agency survey questions

- Annual IT budget?
- Security incidents in the last 12 months?
- Number of IT staff?
- Number of users? (internal & external)
- Formal IT risk assessment process?
- Percent of IT staff to total staff?
- Mobile devices used?
- Do you have a CISO?
- Formal project management?
- IT security compliance audit?
- DRP/BCP in place?
- DRP/BCP adequately funded?
- IT projects in process?
- DRP/BCP tested?
- Security management program updated?
- Inventory of systems up to date?

Application risk categories

- Security Management
- Access Control
- Contingency Planning
- Configuration Management
- Segregation of Duties
- Business Process
- Interface Controls
- Data Management Controls

Application-specific questions

- Last security assessment?
- Categories of data in system?
- Critical or core?
- Last review of access controls?
- Last penetration test?
- Last vulnerability assessment?
- Number of transactions monthly?
- Security event logs monitored?
- Where physically hosted?
- Does this support other applications?
- Processing controls in place?
- Adequate funding?
- Change control process?
- Version support?
- Resource reliability?
- To be decommissioned?
- Online service?

How should our Office be organized for IT audits?

- Three teams performed IT audit work:
  - Statewide Technology Audit Team (STAT)
  - Local Information System Audit (Team LISA)
  - Performance Audit
- Three managers reported to three deputy directors
- Teams operated in silos, resulting in:
  - Poor communication
  - Strained relationships
  - Different priorities
  - Fragmented approach

States we interviewed

- Reviewed NSAA “Auditing in the States”
- Interviewed 17 states – Thank you for your help!

Questions we asked other SAOs

Sample questions:
- Is your state auditor elected or appointed?
- How is your office organized for IT audit?
- What type of IT audits do you do?
- How many total staff? How many IT audit staff?
- Separate budget? Or part of the CAFR team’s budget?
- Certifications required for IT auditors?
- Do you offer incentives for certifications?
- Are IT auditors paid more?

Responses from other states

Question 5: Staffing levels (IT audit staff size, out of 16 IT audit functions). No IT audit functions had an IT audit staff size of 15-19.

Question 7: Training & certificate requirements

Question 9: Budgets for IT & non-IT audit work

Question 10: Types of IT audit teams

Washington statewide risk ratings

Rating  Category
Low     Planning and Managing IT Portfolios
High    Approval and oversight of IT Investments
Med     IT Risk Assessment
Med     Managing IT projects
Med     Ensuring security of IT assets
Med     Disaster recovery/business continuity
Med     Enterprise architecture
Med     Enterprise-wide services
Low     Emerging technologies
Med     Contracting and procurement
Low     Vendor management
Med     System life cycle requirements
Low     Maintenance and operations


Dashboards provide at-a-glance summaries


Suggested audit plan – year one

Project: Managing IT projects/IT investments (OCIO)
Preliminary objective(s): Determine if the right processes and controls are in place to ensure that projects are delivered on time, on budget, and with the right resources. Determine whether controls are in place to measure achieved benefits against intended benefits after project completion.
Budget hours: 750

Project: Enterprise-wide services/Enterprise architecture
Preliminary objective(s): Perform a security and/or performance review of CTS-provided statewide services, including but not limited to firewall services, Active Directory services, data center services and wide area networks. The scope could include whether CTS services, which agencies are mandated to use, are adequately meeting the service level requirements required by the user agencies’ mission and functions.
Budget hours: 800

Project: System interfaces
Preliminary objective(s): Security review of the integrity and operation of interfaces for a selected number of applications at a sample of agencies.
Budget hours: 750

Project: Department of Fish and Wildlife
Preliminary objective(s): Application and general controls review of the Cody System, Lift 2000, or WILD applications with a focus on security management, access control, configuration management, and segregation of duties.
Budget hours: 750

Next steps

- Contractor’s deliverables to our Office: report, tool, user guide
- Deliverables to agencies: PDF version of individual results; working version for individual agencies
- Tour of the Risk Assessment Tool!

QUESTIONS?

Troy Niemeyer, Deputy Director of State Audit
Washington State Auditor’s Office
[email protected]
(360) 725-5363

Statewide IT Risk Assessment