Michael Burch, IS Audit Supervisor (PowerPoint presentation transcript)

1
INTRODUCTION
Office of State Auditor
Michael Burch, CPA, CISA, IS Audit Supervisor
  • Michael Burch, IS Audit Supervisor
  • Lisa Outlaw, IS Audit Supervisor
  • Michelle Wicker, IS Auditor - Team Leader

IIPS Fall Conference 2007
2
Summary of Community College Audits
  • 2002/2003 Audits and Follow Ups
  • 2006 and 2007 Limited General Controls
  • Fiscal Year 2007 Financial Audit Files

3
Community College Audits for 2008
  • Shift of Focus
    • From Limited General Controls
    • To Penetration and Vulnerability Assessments
  • Assistance to Financial Audits
    • Financial Audit File
    • Datatel Colleague Access File
  • Random General Controls if Needed

4
IT GOVERNANCE
  • Every organization has some form of IT Governance
    by default
  • Good IT Governance
    • Ensures IT investments are optimized and aligned
      with business strategy.
    • Delivers value within acceptable risk boundaries

5
IT GOVERNANCE
  • What is the definition of IT Governance?

6
IT GOVERNANCE
  • What is the definition of IT Governance?
  • No Standard Definition!

7
IT GOVERNANCE
  • Evolved from corporate governance
    • Which defines proper management of the business
    • Compliance with regulatory requirements
  • Has gained prominence from recent events
  • IT Governance applies to the organization's IT
    environment

8
IT GOVERNANCE
  • Specifies the decision rights and accountability
    framework to encourage and force desirable
    behavior in the use of IT for the organization
  • Is the strategic alignment of IT with the
    business goals such that maximum value is
    achieved through the development and maintenance
    of effective IT controls and accountability,
    performance management, and risk management

9
IT GOVERNANCE
  • Involves management, processes, and resources
  • Aligns IT goals and objectives with those of the
    business as a whole
  • Purpose is to ensure optimum and uninterrupted
    service delivery

10
IT GOVERNANCE: Methodologies
  • COBIT (Control Objectives for Information
    Technology)
  • ITIL (Information Technology Infrastructure
    Library)
  • ISO Standards
    • ISO 17799 (renamed 27002 July 2007)
    • ISO 27001

11
IT GOVERNANCE: Information System Security
  • Security is about managing risks
  • Risk management covers opportunity and asset
    protection
  • Provides value by providing
    • Business Enablement
    • Asset Protection

12
IT GOVERNANCE
  • IT GOVERNANCE IS ABOUT
    • Control
    • Accountability
    • Responsibility
    • Authority
  • Who defines the rules and who is responsible for
    compliance and monitoring of the rules

13
IT GOVERNANCE: Often Confused with IT Management
  • IT Governance
    • Who makes the decisions
    • Getting the right people involved with IT
      decisions
    • Not leaving it to IT
  • IT Management
    • Making and implementing decisions consistent
      with the governance framework

14
IT GOVERNANCE: Four Objectives
  • IT VALUE and ALIGNMENT
    • Creates necessary structure and processes around
      IT to ensure that IT projects are aligned with
      the business goals and objectives

15
IT GOVERNANCE: Four Objectives
  • RISK MANAGEMENT
    • IT risks are often the same as business risks
      for the organization
    • Therefore managing IT risks is paramount for the
      organization as a whole

16
IT GOVERNANCE: Four Objectives
  • IT RISKS include
    • Security risks arising from hackers and insiders
    • Denial of service attacks
    • Privacy risks from Identity Theft
    • Recovery from disasters
    • Resiliency of systems from outages
    • Project failures

17
IT GOVERNANCE: Four Objectives
  • ACCOUNTABILITY
    • At the end of the day, governance is about
      accountability.
    • Current legislation is holding senior management
      accountable for the integrity and credibility of
      financial systems and controls.
    • IT management is held accountable for the return
      on investment in IT as well as the credibility of
      IT's controls

18
IT GOVERNANCE FRAMEWORK
  • Formal methodology of establishing a corporate
    model for setting and delivering business strategy,
    measuring performance, managing risk, and
    establishing a corporate culture with ethical
    standards
  • To fit within the governance framework, IS
    security must be aligned to deliver on the
    business strategy

19
IT GOVERNANCE: Four Objectives
  • PERFORMANCE MEASUREMENT
    • Accountability requires score keeping to measure
      how well the organization is doing

20
IT GOVERNANCE: IS Security Policy
  • Must clearly define roles and responsibilities
    for security, including owners, custodians, and
    managers
  • Define the owners of business processes and data
  • Define acceptable parameters for IT operations
  • Define communications between owners and IT
  • Define monitoring for compliance

21
IT GOVERNANCE: IS Security Policy
  • Policies must have effective processes
    (procedures) for implementation and compliance
  • Require knowledge and support for maintenance
    (must change as requirements change)
  • Security issues often arise from deficiencies in
    the procedures and people areas
  • Awareness of individuals' responsibilities for
    security must be embedded within the culture of
    the organization from induction to exit

22
IT GOVERNANCE: IS Security
  • Needs to be integrated into the enterprise risk
    management framework.
  • Covers the whole enterprise
  • Security awareness and responsibility must apply
    to those with external or temporary access rights
    to information systems as well as permanent staff
  • Must become part of the organization's culture,
    not an afterthought

23
IT GOVERNANCE: Methodologies
  • COBIT (Control Objectives for Information
    Technology) and ISO 27001 and 27002
    • Define what should be done
  • ITIL (Information Technology Infrastructure
    Library)
    • Provides the how from a service management
      perspective

24
IT GOVERNANCE: Methodologies
  • These best practices have been significant not
    from the AUDIT perspective but from management's,
    for defining IT governance for the organization
  • In private industry there are now regulatory
    requirements for effective information system
    controls
    • Sarbanes-Oxley
    • HIPAA

25
IT GOVERNANCE: Methodologies
  • It's only a matter of time before the shareholders
    of government (taxpayers) demand the same of
    governmental agencies.

26
IT GOVERNANCE
  • It's not a question of IF but rather a question
    of WHEN.
  • Government will be forced to implement IT
    governance, whether by legislation or good
    management practices.
  • The time to start implementation of IT governance
    for the community colleges is NOW rather than
    LATER.

27
IT GOVERNANCE
  • Who is Responsible?
    • The Board of Directors/Executive Management
    • Business Process and Data Owners
    • IT
    • Auditors
  • The Board of Directors and Executive Management
    must take ownership of IT Governance and set its
    direction

28
COBIT
  • IT Governance in simple terms is management's
    policy for controlling IT's strategic impact and
    value for the organization
  • Structure and set of processes and related
    procedures to aid in providing effective IT
    services to the organization and the monitoring
    of the IT process

29
COBIT
  • COBIT is the most recognized framework for
    support of IT governance
  • Office of State Auditor has selected COBIT as the
    framework for IS Audits of state agencies.

30
COBIT
  • Based on best practices
  • Focuses on IT processes
  • Provides for IT performance assessment and
    monitoring

31
COBIT
  • Effective IT governance would actually build a
    framework using all three of the above
    methodologies
  • For our discussion today, we will focus on COBIT
    since it provides the best overall control
    practices and framework. COBIT provides more
    detail than ITIL and ISO standards for developing
    IT governance

32
COBIT
  • ITIL
    • Provides best practice for service management and
      delivery
    • Does not cover strategic impact of IT and
      relation between IT and business processes
  • ISO 17799 (27002) and 27001
    • Focus is on security and does not provide for
      planning and delivery of IT services

33
COBIT
  • COBIT 4.0 released in 2005
  • COBIT 4.1 released May 2007
  • Downloadable from ISACA website (www.isaca.org)
  • Set of 34 high-level control objectives
    containing 215 detailed control objectives.
    Reduced from 314 in previous versions

34
COBIT
  • Control objectives are grouped into four main
    domains
    • Planning and Organizing
    • Acquisition and Implementation
    • Delivery and Support
    • Monitoring

35
COBIT
  • Planning and Organizing
    • Strategy Planning
    • Communications
    • Strategy Management
    • Risk Management
    • Resource Management

36
COBIT
  • Acquisition and Implementation
    • Identify, develop, or acquire and implement
      solutions to business processes
    • Management of the life cycle of systems
      through maintenance, enhancements, and
      retirement

37
COBIT
  • Delivery and Support
    • Service and support, including:
      • Performance and Security
      • Training

38
COBIT
  • Monitoring
    • All processes needed to regularly assess for
      compliance with control requirements
    • Addresses management's oversight of the
      organization's control processes
    • Self-Assessments, Internal and External Audit

39
COBIT
  • Provides management and business process owners
    with an IT governance model that helps in
    delivering value from IT and understanding and
    managing the risks associated with IT
  • Helps bridge the gaps between business
    requirements, control needs, and technical issues

40
COBIT
  • Is a control model to meet the needs of IT
    governance and ensure the integrity of
    information systems and data

41
COBIT: Who Uses It?
  • Those who have primary responsibilities for
    business processes and technology.
  • Those who depend on technology for relevant and
    reliable information
  • Those who provide quality, reliability, and
    control of information technology

42
COBIT: Who Uses It?
  • COBIT is not only used by the IT department, but
    by the organization as a whole, including
    business process and data owners
  • Provides business process owners with a
    framework to control activities for IT
  • Provides management with a set of tools for
    self-assessment and monitoring of the IT function

43
COBIT: Why Use It?
  • COBIT is business oriented, therefore using it to
    understand IT control objectives to deliver IT
    value and manage IT related business risks is
    straightforward

44
COBIT: Management Guidelines
  • Provide tools for management to perform
    self-assessments to make choices for control
    implementation and improvement over the
    organization's information and related
    technology.
  • Guidelines are provided for each of the 34 IT
    Processes, with a management and performance
    measurement perspective

45
COBIT: Management Guidelines
  • Tools are provided by the guidelines to support
    management's decision making process
  • COBIT 4.0 and 4.1 integrate the management
    guidelines with the control objectives in one
    publication

46
COBIT
  • Overall COBIT is a management tool for IT
    controls
  • Not necessarily just an audit tool
  • COBIT provides management, auditors, and users
    with a set of generally accepted measures,
    indicators, processes and best practices to assist
    the organization in maximizing the benefits
    derived through the use of information technology
    and development of IT governance and controls

47
COBIT
  • Helps management, auditors, and users understand
    the organization's IT systems and decide the
    level of security and controls that is necessary
    to protect the organization's assets through the
    development of an effective IT governance model.

48
COBIT Product Family
  • The complete COBIT package is a set of six
    publications
    • Executive Summary
    • Framework
    • Control Objectives
    • Audit Guidelines
    • Implementation Tool Set
    • Management Guidelines

49
COBIT Product Family
  • Executive Summary
    • Consists of an Executive Overview which
      provides a thorough awareness and
      understanding of COBIT's key concepts and
      principles

50
COBIT Product Family
  • Framework
    • Explains how IT processes deliver the
      information that the business needs to
      achieve its objectives
    • Delivered through the 34 high-level control
      objectives, one for each IT process,
      contained in the four domains

51
COBIT Product Family
  • Framework
    • Identifies which of the seven information
      criteria (effectiveness, efficiency,
      confidentiality, integrity, availability,
      compliance, and reliability), as well as which
      IT resources (people, applications, information,
      and infrastructure), are important for the
      IT processes to fully support the business

52
COBIT Product Family
  • Control Objectives
    • Statements of desired results or purposes to
      be achieved by implementing the 214 specific,
      detailed control objectives throughout the
      34 IT processes

53
COBIT Product Family
  • Audit Guidelines
    • Outlines and suggests actual activities to be
      performed for each of the 34 high-level
      IT control objectives, while substantiating the
      risk of control objectives not being met.

54
COBIT Security Baseline
  • Information security is a key aspect of IT
    governance
  • COBIT covers security in addition to other risks
    that can occur with the use of IT
  • The COBIT-based security baseline provides key
    controls for security
  • The COBIT Security Baseline, 2nd Edition has been
    updated and aligned with COBIT 4.1

55
COBIT Security Baseline
  • Gaps in Security usually caused by
    • Lack of a comprehensive and maintainable
      risk and threat management process
    • New vulnerabilities resulting from the
      widespread use of new technologies
    • Lack of maintenance to assure all patches are
      promptly applied

56
COBIT Security Baseline
  • Gaps in Security usually caused by
    • Increased networking and mobile working
    • Lack of security awareness
    • Insufficient discipline when applying controls
    • New and determined efforts of hackers,
      fraudsters, criminals, and terrorists

57
COBIT Security Baseline
  • Gaps in Security usually caused by
    • Changing legislative, legal and regulatory
      security requirements
  • Anyone doubting the significance of information
    security should take a moment to consider the
    potential impact of a security incident
    personally or on the organization or working
    environment

58
COBIT Security Baseline
  • Impact of a security incident
    • Availability - Information is no longer
      available when and where required
    • Integrity - Information is corrupt and
      incomplete
    • Confidentiality - Information is exposed to
      unauthorized individuals

59
COBIT Security Baseline
  • There is no such thing as 100% security, but by
    following the advice suggested in the COBIT
    security baseline and maintaining an awareness of
    security related risks and vulnerabilities, an
    effective level of security can be achieved.
  • Security is NOT a one-time effort: IT environments
    keep changing, and new security risks can occur
    at any time

60
COBIT Security Baseline
  • Good security does not necessarily mean a large
    amount of time or expense. By raising awareness,
    recognizing the risks that can occur and taking
    sensible precautions when using IT, security can
    be achieved with little effort.

61
COBIT Security Baseline
  • Good security will improve an organization's
    reputation, build its confidence and increase the
    trust from others with whom business is
    conducted, and even improve efficiency by making
    it possible to avoid wasted time and effort
    recovering from a security incident

62
COBIT Security Baseline
  • References also the ISO 27002 standard to show
    that the baseline aligns with the standard and
    also to provide links to further guidance
  • The cross-referencing to COBIT provides links to
    more detailed generic guidance on each of the 44
    key control objectives that can be tailored for
    IT security

63
COBIT Security Baseline
  • Focus on the most essential information security
    steps
  • The 44 most important security-related objectives
    have been extracted from the COBIT framework and
    are presented in this guide
  • Provides key control objectives and suggested
    minimum control steps, cross-referenced to the
    COBIT processes and control objectives

64
INFORMATION SECURITY
  • Security relates to the protection of valuable
    assets against unavailability, loss, misuse,
    disclosure or damage
  • Information must be protected against harm from
    threats leading to different types of impacts,
    such as loss, inaccessibility, alteration or
    wrongful disclosure.
  • Threats include errors and omissions, fraud,
    accidents, and intentional damage

65
INFORMATION SECURITY
  • The objective of information security is
    protecting the interests of those relying on
    information and the systems and communications
    that deliver the information from harm resulting
    from failures of availability, confidentiality,
    and integrity
  • The amount of protection required depends on how
    likely a security risk is to occur and how big an
    impact it would have if it did occur (Risk
    Assessment)

66
INFORMATION SECURITY
  • "Information security provides the management
    processes, technology and assurance to allow
    business management to ensure business
    transactions can be trusted; ensure IT services
    are usable and can appropriately resist and
    recover from failures due to error, deliberate
    attacks or disaster; ensure critical confidential
    information is withheld from those who should not
    have access to it."
  • Dr. Paul Dorsey, Director, Digital Business
    Security, BP PLC, UK

67
INFORMATION SECURITY
  • COMPUTER SECURITY
    • "A computer is secure if you can depend on it
      and its software to behave as you expect"
  • Dr. Eugene Spafford, Professor and Executive
    Director, Purdue University Center for Education
    and Research in Information Assurance and
    Security

68
IIPS FALL CONFERENCE 2007
  • QUESTIONS?
