Frame Work for IT Auditing in Higher Education of Information and Information Systems

1. Office of Internal Audit (OIA) Board of Regents of the University System of Georgia June 8, 2009 Erwin (Chris) L. Carrow, IT Auditor, CISSP, INFOSEC, CSSP, CCNP, OCM, plus a bunch of others (Who Cares?) The IT Auditing Process (Everything you don’t want to know about the impending IT Audit and are afraid to ask)

5. Part I –OIA Background ( The Untold Story)

7. Staff Background & Organizational Structure

10. Audit Plan – The Focus on Risk The High Critical Risk that Exist

15. Areas Commonly Reviewed & Priority of Emphasis Information Technology Department (High) Auxiliaries (Low) Academic Units (Limited) Administrative Units (Medium)

17. Policing the Process and Safe-Guarding What's Important Purchase the Family Trunk Monkey!

20. Summary of Audit Flow Timeframes Audit Letter with data request sent – preliminary assessment Entrance meeting & Audit field work Draft Report Sent Final Report with Responses issued 30 Days 30 Days 2 to 6 weeks Exit Conference with President Action items reviewed quarterly 3 to 5 weeks Draft with Responses Returned

21. Auditing by the Numbers (Fear -Factor)?

32. Snapshot of Evidence Gathering Process (Typically Inductive to Deductive Approach)

34. We Help Support the Process …, We are Life Savers! Purchase the First-Aid Trunk Monkey!

35. Part III – The On-site Audit (Preliminaries, Logistics & Execution)

36. Part III – The On-site Audit Preliminaries

47. With Your IT Auditor Around …, You have no need to fear! Purchase the Karate Trunk Monkey!

55. IT Challenges and Business Requirements - Where are you at? Can seem like HERDING CATS ! EDS “Cat Herding” 1:07 minutes

57. Pitch Hit – Fingers in Dike 1# Where are you at? Prioritizing the process We Do Understand!

58. Pitch Hit – Fingers in Dike 2# Real World – Real Problems We Are Concerned!

59. Pitch Hit – Fingers in Dike 3# Running out of Fingers? We Recognize the Challenge!

62. Dealing with the Nuts The Old Way…! Assessing Risk? 20 th Century FOX “Ice Age” 1:55 min/sec

64. In Time, Nut Requirements Change The New Way …! Risk Assessment? 20 th Century FOX “Ice Age 2: The Meltdown” 55 sec

73. COBIT 4.01 – Business Rules, Requirements and Practices How Processes Are Evaluated?

78. Business Impact Analysis (BIA) – The ABC’s by the Numbers CISA Study Guide, SYBEX, 2006

79. Areas of Concern – BIA to Contingency Planning Principles of Information Security, Thompson, 2007

80. One Method of Service Support and Risk Assurance Purchase the IT Trunk Monkey!

87. COBIT 4.01 Standards to NIST Mapping –Integration with other Standards (Alignment of IT Controls to Mitigate Risk)

88. NIST 800-53, Revision 1 Standards Terminology and Application

93. Birthing of a New Approach? Purchase the Birthing Trunk Monkey!

104. Identity Management, Access Control, and Network Security – Business Rules, Requirements and Practices Self-Evaluated? Do a Check-up If the Vision is Unclear , the Cost is Always to Much !

106. Management of User Space and Services Through Security Threat Gateways – Sample User Services

107. Management of User Space and Services Through Security Threat Gateways – Virtual Play Grounds Controls to Mitigate or Avoid Risk?

113. Call to Action & Challenge “ Birds of a Feather, Flock Together” or “Life is For the Birds” Be Different? PIXAR “For the Birds” 3:16 minutes

114. Where are you in the Process of Preparation for the Audit? Standing Alone …? IT Can Seem a Little Funny …, BUT IT WILL WORK OUT! Moral: “Don’t Drink the Kool-Aid” and Be “Caught with Your Shorts Down ” Possible Situation : The Emperor has No Clothes - Who is Going to Tell Him? Disclaimer: All PUNS are intended, and should not be held against the Retarded Auditor or OIA