2011-2012 IT Audit Summary - PowerPoint PPT Presentation

Presentation Transcript

  1. 2011-2012 IT Audit Summary
     Bruce Patrou, Chief Information and Technology Officer, St. Johns County School District. Email: patroub@stjohns.k12.fl.us
     Rick Laneau, Data Center Manager, Information Services, School District of Hillsborough County. Email: rick.laneau@sdhc.k12.fl.us

  2. User Account Management
     • Develop a system to provision user accounts
     • Document your methods
     • Ensure your system handles account revocation
     • Link accounts to your directory system (if able)
     • Project at St. Johns:
       • Working to employ Microsoft FIM (for employees)
       • Auto-provision accounts when an employee is new or changed in the HR system
       • Automatic revocation or lockout of account rights
       • Groups and rights tied to role
       • Accounts span multiple systems
       • Accounts tied to MS Active Directory

  3. User Access Rights
     • Limit users to role-based system rights
     • Review user rights
     • Document results
     • Make changes based on findings
     • Perform as often as practical
     • Document account approval procedures
     • Avoid exceptions to your rules
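
The provisioning, revocation and role-based group checks described on slides 2 and 3 come down to one reconciliation: HR is the authoritative source, the directory is the thing being corrected. The script below is an added example, not code from the presentation or from either district's FIM project. It takes an HR roster and a snapshot of Active Directory accounts and emits the actions a reviewer would approve before they are applied; the object shapes, the role-to-group map and the sample rows are assumptions for illustration.

```powershell
# Added example (not from the presentation): reconcile an HR roster against an
# Active Directory snapshot and list the provisioning, revocation and group-drift
# actions. Object shapes, the role-to-group map and the sample data are assumed.

# Groups an account should hold for each HR role (assumed mapping).
$RoleGroups = @{
    'Teacher' = @('GG-Staff', 'GG-Gradebook-Users')
    'Clerk'   = @('GG-Staff', 'GG-SIS-ReadOnly')
    'ITAdmin' = @('GG-Staff', 'GG-IT-Admins')
}

function Get-AccountReconciliation {
    param(
        # HR rows: EmployeeID, Name, Role, Status ('Active' or anything else)
        [Parameter(Mandatory)] [object[]] $HrRoster,
        # AD rows: EmployeeID, SamAccountName, Enabled, Groups (group names)
        [Parameter(Mandatory)] [object[]] $AdUsers,
        [Parameter(Mandatory)] [hashtable] $RoleGroups
    )
    $adByEmp = @{}
    foreach ($u in $AdUsers) { if ($u.EmployeeID) { $adByEmp[$u.EmployeeID] = $u } }
    $hrByEmp = @{}
    foreach ($h in $HrRoster) { $hrByEmp[$h.EmployeeID] = $h }

    $actions = [System.Collections.Generic.List[object]]::new()
    function Add-Action($Action, $EmployeeID, $Target, $Detail) {
        $actions.Add([pscustomobject]@{ Action = $Action; EmployeeID = $EmployeeID; Target = $Target; Detail = $Detail })
    }

    foreach ($h in $HrRoster) {
        $u = $adByEmp[$h.EmployeeID]
        if ($h.Status -ne 'Active') {
            # Separation: HR is authoritative, so any enabled account is disabled.
            if ($u -and $u.Enabled) { Add-Action 'Disable' $h.EmployeeID $u.SamAccountName "HR status $($h.Status)" }
            continue
        }
        if (-not $u) {
            Add-Action 'Provision' $h.EmployeeID $h.Name "new hire, role $($h.Role)"
            continue
        }
        if (-not $u.Enabled) { Add-Action 'Enable' $h.EmployeeID $u.SamAccountName 'active in HR but disabled in AD' }
        if (-not $RoleGroups.ContainsKey($h.Role)) {
            Add-Action 'Review' $h.EmployeeID $u.SamAccountName "no group mapping for role $($h.Role)"
            continue
        }
        $expected = @($RoleGroups[$h.Role])
        foreach ($g in $expected) {
            if ($u.Groups -notcontains $g) { Add-Action 'AddToGroup' $h.EmployeeID $u.SamAccountName $g }
        }
        foreach ($g in @($u.Groups)) {
            # Membership outside the role's groups is an exception: document it or remove it.
            if ($g -and $expected -notcontains $g) { Add-Action 'RemoveFromGroup' $h.EmployeeID $u.SamAccountName $g }
        }
    }
    # Enabled accounts with an EmployeeID unknown to HR are orphans: flag, never auto-delete.
    foreach ($u in $AdUsers) {
        if ($u.Enabled -and $u.EmployeeID -and -not $hrByEmp.ContainsKey($u.EmployeeID)) {
            Add-Action 'Review' $u.EmployeeID $u.SamAccountName 'no matching HR record'
        }
    }
    return $actions.ToArray()
}

# Constructed sample data (not real district records).
$hr = @'
EmployeeID,Name,Role,Status
1001,Alice Smith,Teacher,Active
1002,Bob Jones,Clerk,Terminated
1003,Carol Lee,ITAdmin,Active
'@ | ConvertFrom-Csv

$ad = @(
    [pscustomobject]@{ EmployeeID = '1001'; SamAccountName = 'asmith';  Enabled = $true; Groups = @('GG-Staff', 'GG-Gradebook-Users', 'GG-IT-Admins') }
    [pscustomobject]@{ EmployeeID = '1002'; SamAccountName = 'bjones';  Enabled = $true; Groups = @('GG-Staff', 'GG-SIS-ReadOnly') }
    [pscustomobject]@{ EmployeeID = '1099'; SamAccountName = 'oldtemp'; Enabled = $true; Groups = @('GG-Staff') }
)

# Expected: RemoveFromGroup GG-IT-Admins for asmith, Disable bjones,
# Provision Carol Lee, Review oldtemp.
Get-AccountReconciliation -HrRoster $hr -AdUsers $ad -RoleGroups $RoleGroups | Format-Table -AutoSize

# Against a live domain (ActiveDirectory module) build $ad from
#   Get-ADUser -Filter * -Properties EmployeeID,MemberOf
# (mapping each MemberOf DN to a group name) and apply approved actions with
# New-ADUser, Disable-ADAccount, Add-ADGroupMember and Remove-ADGroupMember.
```

The output is the review record the slide asks for: keep it with the date and the approver, and apply the changes only from the approved list. Orphans and unmapped roles are reported rather than acted on, because an automated disable of the wrong account is itself an incident.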

  4. Data Loss Prevention
     • School districts handle lots of sensitive data
       • Student academic records (many elements)
       • Staff sensitive data (SSN, medical, etc.)
     • Loss or unauthorized disclosure can be damaging
     • Identify what is sensitive and where it is located
     • Identify how it is accessed and via what systems
     • Identify how to control its transmission
       • Policies, procedures
       • Monitoring
       • Encryption
       • User awareness and training

  5. Data Loss Prevention
     • Supported by multiple documents:
       • Employee Acceptable Use Policy
       • Procedures for Handling Student Directory Information
       • IT Procedures Handbook
         • Procedures for handling and transmitting sensitive data
         • Location and security of sensitive/critical data
         • Data inventory
         • Data backup
         • Training and awareness
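
"Identify what is sensitive and where it is located" is the step districts most often skip, because it needs a scan rather than a policy. The script below is an added example, not code from the presentation: it walks a share looking for SSN-shaped values, rejects the ranges the SSA never issues to keep phone fragments and dummy numbers out of the count, and reports file, owner and line numbers but never the matched value. The file types, regex and sample files are assumptions constructed for illustration.

```powershell
# Added example (not from the presentation): find files holding SSN-like values
# for the data inventory. Report locations only, never the values themselves.

function Test-SsnCandidate {
    param([Parameter(Mandatory)] [string] $Value)
    # Reject ranges the SSA never issues (area 000, 666, 900-999; group 00;
    # serial 0000) so placeholders and phone fragments do not inflate the count.
    $d = $Value -replace '[^0-9]', ''
    if ($d.Length -ne 9) { return $false }
    $area   = [int]$d.Substring(0, 3)
    $group  = [int]$d.Substring(3, 2)
    $serial = [int]$d.Substring(5, 4)
    if ($area -eq 0 -or $area -eq 666 -or $area -ge 900) { return $false }
    if ($group -eq 0 -or $serial -eq 0) { return $false }
    return $true
}

function Find-SsnFiles {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Include = @('*.txt', '*.csv', '*.log', '*.xml', '*.html')  # assumed file types
    )
    $pattern = '\b\d{3}[- ]?\d{2}[- ]?\d{4}\b'   # 123-45-6789, 123 45 6789, 123456789
    Get-ChildItem -Path $Path -Recurse -File -Include $Include | ForEach-Object {
        $file  = $_
        $lines = [System.Collections.Generic.List[int]]::new()
        Select-String -Path $file.FullName -Pattern $pattern -AllMatches | ForEach-Object {
            foreach ($m in $_.Matches) {
                if (Test-SsnCandidate -Value $m.Value) { $lines.Add($_.LineNumber) }
            }
        }
        if ($lines.Count -gt 0) {
            [pscustomobject]@{
                File      = $file.FullName
                Matches   = $lines.Count
                Lines     = ($lines | Sort-Object -Unique) -join ','
                Owner     = (Get-Acl -Path $file.FullName).Owner
                LastWrite = $file.LastWriteTime
            }
        }
    }
}

# Constructed demo tree under the temp directory (not real district data).
$demo    = Join-Path ([System.IO.Path]::GetTempPath()) ('ssn-scan-' + [guid]::NewGuid().ToString('N'))
$exports = Join-Path $demo 'exports'
New-Item -ItemType Directory -Path $exports | Out-Null
Set-Content -Path (Join-Path $exports 'students.csv') -Value @('Name,SSN', 'Jane Doe,123-45-6789', 'John Roe,987 65 4321')
Set-Content -Path (Join-Path $demo 'notes.txt') -Value @('Ticket 000-12-3456 is a placeholder', 'Call ext 555-12-0000')
Set-Content -Path (Join-Path $demo 'app.log') -Value @('2012-03-01 10:00:00 service started')

# Only exports\students.csv is reported, one match on line 2; the other three
# candidates are rejected by Test-SsnCandidate.
Find-SsnFiles -Path $demo | Format-Table -AutoSize
Remove-Item -Path $demo -Recurse -Force
```

Run it with a read-only account and keep the report itself in a restricted location: it is a map of where the district's most sensitive records sit. Do not be tempted to "protect" the report by hashing the matched numbers instead of dropping them; the SSN space is only about a billion values, so an unkeyed hash is reversed by brute force in minutes. Once the format of student identifiers is known, add a second pattern and validator in the same shape.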


  6. Disaster Recovery and Testing
     • Identify critical processes
     • Identify key staff to participate
     • Cold or hot remote site
     • Annual testing
     • Daily log file updates
     • Dedicated connection preferred

  7. User Authentication Security Settings
     • Password length (minimum 8)
     • Password complexity enabled
     • Password history
     • Password lockout after x number of attempts
     • Password expiration (60 days)
     • Document your settings
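
"Document your settings" is easiest to satisfy when the documentation is produced by the same check that verifies them. The script below is an added example, not code from the presentation: it compares a password policy object against the values on this slide and writes the result to a JSON file as the dated record. It accepts the output of `Get-ADDefaultDomainPasswordPolicy` or any object with the same property names; the history depth, the lockout "x", and the output path are assumptions, since the slide leaves them open.

```powershell
# Added example (not from the presentation): check a domain password policy
# against the slide's baseline and write the documented settings to a file.

$Baseline = @{
    MinPasswordLength    = 8
    ComplexityEnabled    = $true
    PasswordHistoryCount = 5      # slide says "history" without a depth: assumed
    LockoutThreshold     = 10     # slide says "x attempts": assumed
    MaxPasswordAgeDays   = 60
}

function Test-PasswordPolicy {
    param(
        # Get-ADDefaultDomainPasswordPolicy output, or any object with the same property names.
        [Parameter(Mandatory)] [object] $Policy,
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    function New-Check($Setting, $Actual, $Required, [bool]$Pass) {
        [pscustomobject]@{ Setting = $Setting; Actual = $Actual; Required = $Required; Pass = $Pass }
    }
    # AD reports MaxPasswordAge as a TimeSpan; zero means passwords never expire.
    $maxAge     = $Policy.MaxPasswordAge
    $maxAgeDays = if ($maxAge -is [TimeSpan]) { $maxAge.TotalDays } else { [double]$maxAge }
    $lockout    = [int]$Policy.LockoutThreshold

    @(
        New-Check 'MinPasswordLength'    $Policy.MinPasswordLength    ">= $($Baseline.MinPasswordLength)"    ([int]$Policy.MinPasswordLength -ge $Baseline.MinPasswordLength)
        New-Check 'ComplexityEnabled'    $Policy.ComplexityEnabled    'True'                                 ([bool]$Policy.ComplexityEnabled)
        New-Check 'PasswordHistoryCount' $Policy.PasswordHistoryCount ">= $($Baseline.PasswordHistoryCount)" ([int]$Policy.PasswordHistoryCount -ge $Baseline.PasswordHistoryCount)
        # 0 disables lockout entirely; a threshold above the baseline is weaker, below it is fine.
        New-Check 'LockoutThreshold'     $lockout                     "1..$($Baseline.LockoutThreshold)"     ($lockout -ge 1 -and $lockout -le $Baseline.LockoutThreshold)
        New-Check 'MaxPasswordAgeDays'   $maxAgeDays                  "1..$($Baseline.MaxPasswordAgeDays)"   ($maxAgeDays -gt 0 -and $maxAgeDays -le $Baseline.MaxPasswordAgeDays)
    )
}

function Export-PasswordPolicyRecord {
    param(
        [Parameter(Mandatory)] [object[]] $Checks,
        [Parameter(Mandatory)] [string]   $OutFile,
        [string] $Scope = 'default domain policy'
    )
    [pscustomobject]@{
        Scope     = $Scope
        Reviewed  = (Get-Date).ToString('s')
        Compliant = -not ($Checks | Where-Object { -not $_.Pass })
        Checks    = $Checks
    } | ConvertTo-Json -Depth 3 | Set-Content -Path $OutFile
}

# Constructed sample standing in for Get-ADDefaultDomainPasswordPolicy output (not a real domain).
$sample = [pscustomobject]@{
    MinPasswordLength    = 7
    ComplexityEnabled    = $true
    PasswordHistoryCount = 24
    LockoutThreshold     = 0                         # lockout switched off
    MaxPasswordAge       = [TimeSpan]::FromDays(90)
}
$result = Test-PasswordPolicy -Policy $sample -Baseline $Baseline
$result | Format-Table -AutoSize   # MinPasswordLength, LockoutThreshold and MaxPasswordAgeDays fail
Export-PasswordPolicyRecord -Checks $result -OutFile (Join-Path ([System.IO.Path]::GetTempPath()) 'password-policy-review.json')

# Live domain (ActiveDirectory module):
#   Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Baseline $Baseline
# Fine-grained policies override the default for the users they apply to, so check those too:
#   Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object { Test-PasswordPolicy -Policy $_ -Baseline $Baseline }
```

Two caveats a reviewer should note in the record. The default domain policy is not the whole story: fine-grained password policies and local policies on standalone systems (the SIS, finance and other non-AD applications the slides mention) need the same check with their own settings object. And the 8-character, 60-day values are the 2011 audit's expectation; NIST SP 800-63B (2017) no longer recommends forced periodic expiration, so treat the expiration line as what the auditor asked for rather than as current best practice.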

  8. Incident Response Procedures
     • Procedures for reporting the unauthorized release of sensitive student or staff data
     • Include who will do what, and when

  9. IT Procedures Manual
     • Mission/goal
     • Definitions
     • Documentation standards
     • Org chart (IT department, including roles)
     • Major software acquisition
     • Project approval, selection and monitoring
     • Operational procedures
     • Security awareness program
     • Security and access
     • System backups

  10. Security Risk Assessment
     • Security Risk Assessment Survey and Mitigation Plan (see template)
     • External/internal penetration assessment
     • Helpful links to NIST and Florida AEIT:
       • https://aeit.myflorida.com/sites/default/files/files/Security/2011FloridaITRiskAssessmentFinal.pdf
       • NIST SP 800-30 Revision 1 (September 2011 draft): http://csrc.nist.gov/publications/PubsSPs.html

  11. Security Awareness Program
     • Publish security awareness notes for employees
     • Publish notice of changes
     • Provide training to staff on changes
     • Security training (logged via the PD system)
     • Example

  12. Questions