how to mechanise an it audit
play

HOW TO MECHANISE AN IT AUDIT Chris Parker chris.parker@uq.edu.au - PowerPoint PPT Presentation

Aug 15, 2023 •182 likes •798 views

HOW TO MECHANISE AN IT AUDIT Chris Parker chris.parker@uq.edu.au The University of Queensland $1.6 Billion Organisation 40+ Sites 400+ Buildings 100+ Institutes, Schools, and Centres 50,000+ Students 100,000+ Network

  1. HOW TO MECHANISE AN IT AUDIT Chris Parker chris.parker@uq.edu.au

  2. The University of Queensland • $1.6 Billion Organisation • 40+ Sites • 400+ Buildings • 100+ Institutes, Schools, and Centres • 50,000+ Students • 100,000+ Network Ports Chris Parker chris.parker@uq.edu.au

  3. Effective Use of IT UQ Uses IT Chris Parker chris.parker@uq.edu.au

  4. Effective Use of IT UQ Uses A Lot Of IT Chris Parker chris.parker@uq.edu.au

  5. Effective Use of IT For Students IT is used to Attract, enrol, teach, assess and graduate students eLearning Enrol in Online Attract Graduation Recordings Assessment Classes Chris Parker chris.parker@uq.edu.au

  6. Effective Use of IT For Researchers IT is used to Create, store, protect & share and publish research material Create Protect Share Publish Store Chris Parker chris.parker@uq.edu.au

  7. Effective Use of IT For Researchers Chris Parker chris.parker@uq.edu.au

  8. Organisation’s Use of IT Chris Parker chris.parker@uq.edu.au

  9. Chris Parker chris.parker@uq.edu.au

  10. Purpose of the Audit • To identify and understand the IT services at UQ, • how important they are • who looks after them • How they interconnect Chris Parker chris.parker@uq.edu.au

  11. Objectives of This Audit Identify the RISKS Chris Parker chris.parker@uq.edu.au

  12. Risk Categories Risks are divided into 3 categories: onfidentiality the risk of unauthorised access to data ntegrity the risk of data being changed or incorrect vailability the risk of the service or data not being available when needed. Chris Parker chris.parker@uq.edu.au

  13. IT Risk Categories Risks are divided into 3 categories: Common way of classifying risk in security standards such as ISO 27001 Chris Parker chris.parker@uq.edu.au

  14. IT Risk Categories - Confidentiality onfidentiality is gauged by the type of data stored in or captured by the service. = 1 Course & subject information = 7 Student Identity information Chris Parker chris.parker@uq.edu.au

  15. IT Risk Categories - Integrity ntegrity of the data depends on the system that is using it. = 5 Student Name in the Student Portal = 9 Student Name for Diploma Printing Chris Parker chris.parker@uq.edu.au

  16. IT Risk Categories - Availability vailability (uptime) will vary for each service = 9 e-Learning System - 24 x 7 = 4 Staff Time-Sheeting System Chris Parker chris.parker@uq.edu.au

  17. Target For each service we want to set a Target CIA and a Actual CIA (Actual is after controls) Chris Parker chris.parker@uq.edu.au

  18. Target Questions about a service can contribute towards setting a target CIA:  The data the service uses:  Business impact of service outage:  Data accuracy requirement:  Business hours or 24/7: Chris Parker chris.parker@uq.edu.au

  19. Actual Questions about a service can contribute towards setting a Actual CIA: ( What controls are currently in place to protect the service in the three areas )   Behind firewalls:  Type of equipment used:    Location of equipment:   Backup & recovery strategy: Chris Parker chris.parker@uq.edu.au

  20. Process 35 questions for each service, some multi-value 20,000+ pieces of information about the IT services in the organisation Chris Parker chris.parker@uq.edu.au

  21. Process How to capture all this information? Using a web based system allowing IT staff to enter their own service details. Processing the information centrally for reporting. Chris Parker chris.parker@uq.edu.au

  22. Process Using ServiceView we are able to delegate the task of: Adding a new IT service Setting service dependencies on other services Setting data centre dependencies & failovers Chris Parker chris.parker@uq.edu.au

  23. Chris Parker chris.parker@uq.edu.au

  25. Setting Service Dependencies on Other Services Video SV Adding Service Chris Parker chris.parker@uq.edu.au

  26. Service Dependencies B LACKBOARD LDAPA LDAP R EQUIRED FOR S ERVICE D ELIVERY B LACKBOARD Chris Parker chris.parker@uq.edu.au

  27. Service Dependencies LDAP R EQUIRED FOR S ERVICE D ELIVERY B LACKBOARD S ERVI CE B L ECTURE L ECTURE S OME F EATURES B LACKBOARD R ECORDINGS R ECORDINGS Chris Parker chris.parker@uq.edu.au

  28. Service Dependencies LDAP R EQUIRED FOR S ERVICE D ELIVERY B LACKBOARD L ECTURE S OME F EATURES B LACKBOARD R ECORDINGS S TUDENT S TUDENT B LACKBOARD U PDATES S YSTEM S YSTEM N O U PDATES Chris Parker chris.parker@uq.edu.au

  29. Video SV Adding Service Chris Parker chris.parker@uq.edu.au

  32. Service Risk Calculating the service risk Chris Parker chris.parker@uq.edu.au

  33. Chris Parker chris.parker@uq.edu.au

  34. Each data type is classified for confidentiality centrally Chris Parker chris.parker@uq.edu.au

  35. Chris Parker chris.parker@uq.edu.au

  36. Chris Parker chris.parker@uq.edu.au

  37. Chris Parker chris.parker@uq.edu.au

  38. How Well Is the Service Being Run? OK OK OK The service is being run properly. Chris Parker chris.parker@uq.edu.au

  39. Chris Parker chris.parker@uq.edu.au

  40. How Well Is the Service Being Run? OK BAD VERY BAD The service is not being run properly. Chris Parker chris.parker@uq.edu.au

  41. How Important Is The Service? Some services are more important to the organisation Classify services into “Tier 1”, “Tier 2” etc based on their importance. Blackboard Tier 1 Chris Parker chris.parker@uq.edu.au

  42. Risk Appetite Some services are more important to the organisation Classify services into “Tier 1”, “Tier 2” etc based on their importance. Any service this service depends on automatically classified in same tier or higher Blackboard Tier 1 LDAP Database Tier 1 Tier 1 Chris Parker chris.parker@uq.edu.au

  43. Calculating Residual Risk? Combine all this information to get residual risk How well are we running this service + How important is this service = RESIDUAL RISK LOW MODERATE HIGH SIGNIFICANT Chris Parker chris.parker@uq.edu.au

  44. Confidentiality Important For All Services We cannot expect hackers to only target our most important services, all services are equally venerable for confidentiality How well are we running this service + What data does this service use = RESIDUAL RISK LOW MODERATE HIGH SIGNIFICANT Chris Parker chris.parker@uq.edu.au

  45. Reporting How do we extract the information in a meaningful way Chris Parker chris.parker@uq.edu.au

  47. Reporting Data Centre Dependency & Recovery Report Chris Parker chris.parker@uq.edu.au

  48. Reporting Chris Parker chris.parker@uq.edu.au

  49. Other uses of the information Chris Parker chris.parker@uq.edu.au

  50. Reporting Complete Risk Report Chris Parker chris.parker@uq.edu.au

  52. Complete Risk Report Service Dependencies Services 40 Seconds and Actual 18,000 database queries later CIA Stored Data Target Chris Parker CIA chris.parker@uq.edu.au

  53. Chris Parker chris.parker@uq.edu.au

  54. Reporting How do we know it works? Chris Parker chris.parker@uq.edu.au

  56. Chris Parker chris.parker@uq.edu.au

  57. Complete Risk Report Service Dependencies Services Another 40 Seconds and Actual 18,000 database queries later CIA Stored Data Target Chris Parker CIA chris.parker@uq.edu.au

  58. Chris Parker chris.parker@uq.edu.au

  59. More Information If you would like more information email me at: chris.parker@uq.edu.au Thank you for your time. Chris Parker chris.parker@uq.edu.au

  60. What Constitutes an IT Service • Applications or other IT services that perform a critical business functions without which would impact on your ability to conduct your business efficiently OR • Applications or other IT services which store sensitive data Chris Parker chris.parker@uq.edu.au

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Farmersville, Texas Audit Presentation September 30, 2017 Presented By: Louis Breedlove, Audit

Farmersville, Texas Audit Presentation September 30, 2017 Presented By: Louis Breedlove, Audit

Farmersville, Texas Audit Presentation September 30, 2017 Presented By: Louis Breedlove, Audit Manager June 26, 2018 1 OVERVIEW OF THE AUDIT PROCESS Audit Planning and Risk Assessment Audit Standards The audit was performed in

425 views • 13 slides
Section 3 Risk ASJ Stages of an Audit Audit Approaches ASJ In this approach, audit

Section 3 Risk ASJ Stages of an Audit Audit Approaches ASJ In this approach, audit

ASJ Section 3 Risk ASJ Stages of an Audit Audit Approaches ASJ In this approach, audit resources are targeted on testing large volumes of transactions and account balances without any particular focus on specified Substantive areas of

271 views • 16 slides
Presentation on Bank Audit Audit Procedures, LFAR, Tax Audit, Certification , Demonetization etc.

Presentation on Bank Audit Audit Procedures, LFAR, Tax Audit, Certification , Demonetization etc.

Presentation on Bank Audit Audit Procedures, LFAR, Tax Audit, Certification , Demonetization etc. VIP Chartered Accountants Study Circle By Rishi Khator FCA, CPA(US), CIFRS March 26, 2017 Traditional banking to high level financial

868 views • 64 slides
Striving Towards a Better PRESENTATION HERE> Audit in 2017 Who we are At Audit Solutions

Striving Towards a Better PRESENTATION HERE> Audit in 2017 Who we are At Audit Solutions

<INSERT TITLE OF Striving Towards a Better PRESENTATION HERE> Audit in 2017 Who we are At Audit Solutions Queensland, our focus is on providing a comprehensive, independent and efficient audit process. Our difference is our personal

606 views • 59 slides
Task: Draw up an audit programme Please take the following facts and instructions as a basis: The

Task: Draw up an audit programme Please take the following facts and instructions as a basis: The

Audit Case Workshop about applying the checklist on Financial Audit of Public Procurement Task: Draw up an audit programme Please take the following facts and instructions as a basis: The audit plan for the next six months includes an audit of

229 views • 5 slides
Audit Partner Characteristics, Audit Quality and Audit Pricing in the U.S. Ally Zimmerman,

Audit Partner Characteristics, Audit Quality and Audit Pricing in the U.S. Ally Zimmerman,

Audit Partner Characteristics, Audit Quality and Audit Pricing in the U.S. Ally Zimmerman, Northern Illinois University, azimmerman5@niu.edu Al Nagy, John Carroll University, alnagy@jcu.edu 2016 Deloitte/KU Audit Symposium, May 20 8/16/2016 1

553 views • 17 slides
Audit Committee denvergov.org/Auditor Timothy M. O'Brien, CPA, Auditor 2 Audit Committee

Audit Committee denvergov.org/Auditor Timothy M. O'Brien, CPA, Auditor 2 Audit Committee

1 Audit Committee denvergov.org/Auditor Timothy M. O'Brien, CPA, Auditor 2 Audit Committee Affordable Housing Audit December 2018 Jared Miller, Audit Supervisor Pat Schafer, Audit Supervisor Shaun Wysong, Senior Auditor Chris Wilson,

485 views • 47 slides
MUS Workforce Data Reporting Performance Audit Audit Conducted by the Montana Legislative Audit

MUS Workforce Data Reporting Performance Audit Audit Conducted by the Montana Legislative Audit

MUS Workforce Data Reporting Performance Audit Audit Conducted by the Montana Legislative Audit Division Presented to the Montana Legislature, Legislative Audit Committee on February 2, 2016 Office of the Commissioner of Higher Education

605 views • 25 slides
Dependent Eligibility Audit Dependent Eligibility Audit Purpose: The dependent eligibility audit

Dependent Eligibility Audit Dependent Eligibility Audit Purpose: The dependent eligibility audit

Quick Guide to the Dependent Eligibility Audit Dependent Eligibility Audit Purpose: The dependent eligibility audit will help us comply with regulatory requirements and control costs by confirming that only eligible dependents receive coverage

506 views • 6 slides
TAM Audit for BRC August 2015 TAM Audit 2015 ? Purpose: Close 2014 TAM Audit Inspect

TAM Audit for BRC August 2015 TAM Audit 2015 ? Purpose: Close 2014 TAM Audit Inspect

TAM Audit for BRC August 2015 TAM Audit 2015 ? Purpose: Close 2014 TAM Audit Inspect TAM KPIs Sign-off 2014B Universe Update LSM issues on TAM Panel Improve HH weighting efficiency Preparing TAMS for the future

703 views • 27 slides
Audit in Screening Dr LS Wilkinson What is clinical audit? Clinical audit is a process that has

Audit in Screening Dr LS Wilkinson What is clinical audit? Clinical audit is a process that has

South West London Breast Screening Service London, UK Audit in Screening Dr LS Wilkinson What is clinical audit? Clinical audit is a process that has been defined as "a quality improvement process that seeks to improve patient care and

517 views • 23 slides
Percentage of Residents 100% 80% Initial audit 60% Re- audit 40% 20% 0% MUST on MUST

Percentage of Residents 100% 80% Initial audit 60% Re- audit 40% 20% 0% MUST on MUST

Percentage of Residents 100% 80% Initial audit 60% Re- audit 40% 20% 0% MUST on MUST MUST Care plan Factors Snacks Food admission accuracy monthly reviewed affecting and drinks fortified monthly food Audit Standards

511 views • 3 slides
Framework for Audit Quality Framework for Audit Quality Key Elements that Create an Environment

Framework for Audit Quality Framework for Audit Quality Key Elements that Create an Environment

Framework for Audit Quality Framework for Audit Quality Key Elements that Create an Environment for Audit Quality Jon Grant Page 1 Background to the Audit Quality Project For an external audit to fulfill its objective the users of

297 views • 15 slides
2018 Annual Audit Report to the Commission GCPUD Audit Department 11/13/18 1 Meeting

2018 Annual Audit Report to the Commission GCPUD Audit Department 11/13/18 1 Meeting

2018 Annual Audit Report to the Commission GCPUD Audit Department 11/13/18 1 Meeting Objectives: 1. Principles of Audit Plan Development 2. Status of the 2018 Audit Plan 3. Review 2019 Audit Plan 4. Moving Forward GCPUD Audit Department

807 views • 60 slides
IMPACTFUL COMMUNICATION BETWEEN IA AND THE AUDIT COMMITTEE GOJ AUDIT COMMISSION CONFERENCE

IMPACTFUL COMMUNICATION BETWEEN IA AND THE AUDIT COMMITTEE GOJ AUDIT COMMISSION CONFERENCE

IMPACTFUL COMMUNICATION BETWEEN IA AND THE AUDIT COMMITTEE GOJ AUDIT COMMISSION CONFERENCE Oct-17 OBJECTIVES OF THIS PRESENTATION To clarify governance To discuss setting the right tone at the top. To identify the roles of Audit

641 views • 26 slides
Agenda Internal Controls Audits and Auditors Audit Process Overview How to Prepare

Agenda Internal Controls Audits and Auditors Audit Process Overview How to Prepare

12/11/2017 WA S H I N G T O N S T AT E U N I V E R S I T Y Award Administration ard Administration Part Three: Part Three: Audits and Audits and Audit Issues Audit Issues Presented by: Heather Lopez Chief Audit Executive, Internal Audit

461 views • 25 slides
On the Testbed NorduGrid Tutorial, LCSC 2002 1 overview of a Grid session user formulates the

On the Testbed NorduGrid Tutorial, LCSC 2002 1 overview of a Grid session user formulates the

NorduGrid Tutorial On the Testbed NorduGrid Tutorial, LCSC 2002 1 overview of a Grid session user formulates the job requirements by editing an xrsl file having a valid proxy submits the job with ngsub the broker from the UI selects the

342 views • 12 slides
Licensed Pipelines & the Planning System Council Briefing 2019 Critical Infrastructure

Licensed Pipelines & the Planning System Council Briefing 2019 Critical Infrastructure

Licensed Pipelines & the Planning System Council Briefing 2019 Critical Infrastructure Licensed pipelines are licensed under the Pipelines Act 2005 Licensed pipelines can carry natural gas, petroleum, oxygen, carbon dioxide,

386 views • 19 slides
LDAP for MySQL Cluster back-ndb Howard Chu CTO, Symas Corp. hyc@symas.com Chief Architect,

LDAP for MySQL Cluster back-ndb Howard Chu CTO, Symas Corp. hyc@symas.com Chief Architect,

LDAP for MySQL Cluster back-ndb Howard Chu CTO, Symas Corp. hyc@symas.com Chief Architect, OpenLDAP hyc@openldap.org OpenLDAP Project Open source code project Founded 1998 Three core team members A dozen or so contributors

596 views • 34 slides
INVESTOR PRESENTATION 17 February 2020 TR AN S F O R MI N G THROUGH T AL E N T AND TECHNOLOGY

INVESTOR PRESENTATION 17 February 2020 TR AN S F O R MI N G THROUGH T AL E N T AND TECHNOLOGY

INVESTOR PRESENTATION 17 February 2020 TR AN S F O R MI N G THROUGH T AL E N T AND TECHNOLOGY 1 | H I N D U S T A N O I L E X P L O R A T I O N C O M P A N Y L I M I T E D SAFE HARBOUR Investor presentation Q3 2019-20 This presentation

560 views • 30 slides
Password Policy John Hally John.hally@comcast.net Why This Policy? Very important aspect of

Password Policy John Hally John.hally@comcast.net Why This Policy? Very important aspect of

Password Policy John Hally John.hally@comcast.net Why This Policy? Very important aspect of security Can easily be the weakest link Set standards for: Creation of strong passwords Password protection Frequency of

202 views • 6 slides
Preliminary results of Preliminary results of Preliminary results of Invalda Preliminary results

Preliminary results of Preliminary results of Preliminary results of Invalda Preliminary results

Preliminary results of Preliminary results of Preliminary results of Invalda Preliminary results of Invalda Invalda Invalda AB AB AB AB group group group group for the period 6 months ending June for the period 6 months ending June 3

791 views • 29 slides
ITCC September 16,2015 ITD Room 438 Agenda 1:00 Update on EA Activity Jeff Quast 1:20 Update

ITCC September 16,2015 ITD Room 438 Agenda 1:00 Update on EA Activity Jeff Quast 1:20 Update

ITCC September 16,2015 ITD Room 438 Agenda 1:00 Update on EA Activity Jeff Quast 1:20 Update on ITD Activity Gary Vetter 1:45 Websphere 8 Eli Cornell 2:00 Password Reset Process Art Bakke 2:15 Windows 10 test site Ron Zarr 2:30 SIRT

404 views • 13 slides
Diego Pino Garca <dpino@igalia.com> Fosdem 2012, 5 Feb What's LibrePlan? LibrePlan is a

Diego Pino Garca <dpino@igalia.com> Fosdem 2012, 5 Feb What's LibrePlan? LibrePlan is a

Diego Pino Garca <dpino@igalia.com> Fosdem 2012, 5 Feb What's LibrePlan? LibrePlan is a project management tool for planning, monitoring and control any kind of project www.libreplan.com How it looks like? www.libreplan.com Main

417 views • 15 slides

More recommend