
IT Governance



  1. IT Governance
  NSAA IT Conference - September 2012
  Teresa Furnish, CISA, IT Senior Auditor
  Oregon Secretary of State – Audits Division

  2. Agenda
  • Organization Structure
  • Executive Order
  • Audit Findings
  • Consolidation and ORS 182.122
  • More Audit Findings
  • Governance as Cause
  • Other Causes
  • List of Related Audits

  3. Organization
  • Department of Administrative Services (DAS)
    • Chief Information Office
      • Chief Information Officer
    • Enterprise Security Office (ESO)
      • Chief Information Security Officer
    • State Data Center (SDC)
      • Shared Service Delivery

  4. 1998 – Executive Order 98-05
  • Under Oregon Revised Statute 291.038, DAS was to:
    • Ensure that resources fit together in a statewide system capable of providing ready access to information, computing and telecommunication resources.
    • Adopt statewide policies, procedures, standards, and guidelines to govern the state’s IT resources.

  5. Information Resources Management Division (IRMD) – 2001
  • Strategy and policy for securing systems were entirely omitted from the IT plans.
  • No clear indication of the actions needed to accomplish the initiatives, principles, practices or vision.
  • Policies and procedures did not provide guidance on implementation, leaving agencies to interpret the criteria.
  • No monitoring for agency compliance.

  6. IRMD Follow-up – 2003
  • Improvements in methodology
  • No statewide rules, policies, procedures and guidelines addressing the most significant risks
  • No monitoring for compliance
  • Policies and procedures to govern security, system development and disaster recovery were not in place at the agency level either

  7. Consolidation
  • Computing & Networking Infrastructure Consolidation (CNIC) – 2004
    • Combine three DAS data centers into the State Data Center (SDC)
    • Move 12 of the state’s major data processing centers into one facility
    • Mission: “Reduce costs while maintaining or improving service levels”

  8. Oregon Revised Statute 182.122
  • Gives DAS responsibility for and authority over information systems security, including taking all measures reasonably necessary to protect the availability, integrity or confidentiality of information systems.
  • Assigns specific tasks to DAS, including:
    • Establish a state information systems security plan and associated standards, policies and procedures
    • Conduct vulnerability assessments
    • Verify the security of information systems

  9. State Data Center – 2008
  • Consolidation objectives not yet achieved
    • Detailed end-state architecture not defined
    • Number of network servers or operating system platforms not reduced
    • Staffing levels not reduced
    • Operating procedures not consolidated
  • Operations not uniformly or effectively controlled
  • Processes to manage the configuration of SDC infrastructure not developed
  • Security issues

  10. Enterprise Security Office – 2009
  • The department had not:
    • Developed complete security plans and associated standards, policies and procedures
    • Conducted vulnerability assessments of agency information systems
    • Reviewed or verified the security of information systems
    • Ensured remedial actions were taken to resolve identified security issues

  11. State Data Center – 2010
  • Security issues
    • Most of the security issues identified in 2008 continued to exist
    • Many could be mitigated without new or overly complex technical solutions, by configuring or implementing technology the state had already acquired
    • Others required the attention and resources of the state agencies themselves
  • Shared services governance structure not effective for managing security in a timely manner

  12. Governance as Cause

  13. Other Causes
  • No one has authority
  • Decision making through council – difficulty reaching consensus
  • Decentralized culture – too much autonomy

  14. Related Audits
  • Information Resources Management Division Review – 2001
  • Information Resources Management Division Follow-up – 2003
  • CNIC (Computing & Networking Infrastructure Consolidation) Risk Assessment – 2006
  • State Data Center (SDC) Review – 2008
  • Enterprise Security Office (ESO) – 2009
  • State Data Center Review – 2010
  • State Data Center Review – 2012
  Available at: http://www.sos.state.or.us/audits