1. Office of Internal Audit (OIA), Board of Regents of the University System of Georgia. June 8, 2009. Erwin (Chris) L. Carrow, IT Auditor, CISSP, INFOSEC, CSSP, CCNP, OCM, plus a bunch of others (Who Cares?). The IT Auditing Process (Everything you don’t want to know about the impending IT Audit and are afraid to ask)
10. Audit Plan – The Focus on Risk: The High Critical Risks that Exist
15. Areas Commonly Reviewed & Priority of Emphasis: Information Technology Department (High); Auxiliaries (Low); Academic Units (Limited); Administrative Units (Medium)
17. Policing the Process and Safe-Guarding What's Important. Purchase the Family Trunk Monkey!
20. Summary of Audit Flow Timeframes: Audit Letter with data request sent – preliminary assessment; Entrance meeting & Audit field work; Draft Report Sent; Final Report with Responses issued; 30 Days; 30 Days; 2 to 6 weeks; Exit Conference with President; Action items reviewed quarterly; 3 to 5 weeks; Draft with Responses Returned
93. Birthing of a New Approach? Purchase the Birthing Trunk Monkey!
104. Identity Management, Access Control, and Network Security – Business Rules, Requirements and Practices Self-Evaluated? Do a Check-up. If the Vision is Unclear, the Cost is Always Too Much!
106. Management of User Space and Services Through Security Threat Gateways – Sample User Services
107. Management of User Space and Services Through Security Threat Gateways – Virtual Play Grounds: Controls to Mitigate or Avoid Risk?
113. Call to Action & Challenge: “Birds of a Feather, Flock Together” or “Life is For the Birds”. Be Different? PIXAR “For the Birds” 3:16 minutes
114. Where are you in the Process of Preparation for the Audit? Standing Alone…? IT Can Seem a Little Funny…, BUT IT WILL WORK OUT! Moral: “Don’t Drink the Kool-Aid” and Be “Caught with Your Shorts Down”. Possible Situation: The Emperor has No Clothes - Who is Going to Tell Him? Disclaimer: All PUNS are intended, and should not be held against the Retarded Auditor or OIA