HOW TO MECHANISE AN IT AUDIT (PowerPoint presentation), Chris Parker, chris.parker@uq.edu.au


SLIDE 1

HOW TO MECHANISE AN IT AUDIT

Chris Parker chris.parker@uq.edu.au

SLIDE 2

The University of Queensland

  • $1.6 Billion Organisation
  • 40+ Sites
  • 400+ Buildings
  • 100+ Institutes, Schools, and Centres
  • 50,000+ Students
  • 100,000+ Network Ports
SLIDE 3

UQ Uses IT

Effective Use of IT

SLIDE 4

UQ Uses A Lot Of IT

Effective Use of IT

SLIDE 5

IT is used to attract, enrol, teach, assess and graduate students

Effective Use of IT For Students

Attract → Enrol in Classes → eLearning → Recordings → Online Assessment → Graduation

SLIDE 6

IT is used to create, store, protect, share and publish research material

Effective Use of IT For Researchers

Create → Store → Protect → Share → Publish

SLIDE 7

Effective Use of IT For Researchers

SLIDE 8

Organisation’s Use of IT

SLIDE 9

SLIDE 10

Purpose of the Audit

  • To identify and understand the IT services at UQ:
  • how important they are
  • who looks after them
  • how they interconnect
SLIDE 11

Objectives of This Audit

Identify the RISKS

SLIDE 12

Risk Categories

Risks are divided into 3 categories:

  • Confidentiality: the risk of unauthorised access to data
  • Integrity: the risk of data being changed or incorrect
  • Availability: the risk of the service or data not being available when needed.

SLIDE 13

IT Risk Categories

Risks are divided into 3 categories. This is a common way of classifying risk in security standards such as ISO 27001.

SLIDE 14

IT Risk Categories - Confidentiality

  • Confidentiality is gauged by the type of data stored in or captured by the service.

Student identity information = 7

Course & subject information = 1

SLIDE 15

IT Risk Categories - Integrity

Integrity requirements for the same data depend on the system that is using it.

Student name for diploma printing = 9

Student name in the Student Portal = 5

SLIDE 16

IT Risk Categories - Availability

Availability (uptime) requirements vary for each service.

Staff time-sheeting system = 4

e-Learning system (24 x 7) = 9

SLIDE 17

Target

For each service we want to set a Target CIA and an Actual CIA (Actual is the level reached after controls).

SLIDE 18

Target

Questions about a service can contribute towards setting a Target CIA:

  • The data the service uses
  • Business impact of a service outage
  • Data accuracy requirement
  • Business hours or 24/7

SLIDE 19

Actual

Questions about a service can contribute towards setting an Actual CIA (what controls are currently in place to protect the service in the three areas):

  • Behind firewalls
  • Type of equipment used
  • Location of equipment
  • Backup & recovery strategy

SLIDE 20

Process

35 questions for each service, some multi-valued

20,000+ pieces of information about the IT services in the organisation

SLIDE 21

Process

How to capture all this information?

Using a web-based system that allows IT staff to enter their own service details, and processing the information centrally for reporting.

SLIDE 22

Process

Adding a new IT service: using ServiceView we are able to delegate the task of:

  • Setting service dependencies on other services
  • Setting data centre dependencies & failovers

SLIDE 23

SLIDE 24

SLIDE 25

Setting Service Dependencies on Other Services

(Video: ServiceView, adding a service)

SLIDE 26

Service Dependencies

LDAP → BLACKBOARD: required for service delivery

SLIDE 27

Service Dependencies

LDAP → BLACKBOARD: required for service delivery
LECTURE RECORDINGS → BLACKBOARD: some features

SLIDE 28

Service Dependencies

LDAP → BLACKBOARD: required for service delivery
LECTURE RECORDINGS → BLACKBOARD: some features
STUDENT SYSTEM → BLACKBOARD: updates (when unavailable: no updates)

SLIDE 29

(Video: ServiceView, adding a service)

SLIDE 30

SLIDE 31

SLIDE 32

Service Risk

Calculating the service risk

SLIDE 33

SLIDE 34

Each data type is classified for confidentiality centrally

SLIDE 35

SLIDE 36

SLIDE 37

SLIDE 38

How Well Is the Service Being Run?

OK  OK  OK: the service is being run properly.

SLIDE 39

SLIDE 40

How Well Is the Service Being Run?

OK  BAD  VERY BAD: the service is not being run properly.

SLIDE 41

How Important Is The Service?

Some services are more important to the organisation

Classify services into “Tier 1”, “Tier 2” etc based on their importance.

Example: Blackboard = Tier 1

SLIDE 42

Risk Appetite

Some services are more important to the organisation.

Classify services into “Tier 1”, “Tier 2” etc. based on their importance. Any service this service depends on is automatically classified in the same tier or higher.

Example: Blackboard is Tier 1, so LDAP and Database, which it depends on, are Tier 1 too.
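As an added example (not the page's ServiceView code), here is a small Python model of the dependency graph from slides 26 to 28 with the tier rule from this slide: a service's tier is pushed down onto everything it depends on, transitively, so a Tier 3 LDAP ends up Tier 1 once Blackboard relies on it. Blackboard's three dependencies and their kinds are the slide's; the LDAP → Database, Lecture Recordings → LDAP and Student System → Database edges and every declared tier except Blackboard's are assumptions. The `kinds` parameter goes beyond the slide: it lets you propagate only along "required for service delivery" edges, which is how most teams would actually apply the rule, and the default follows the slide and propagates along every dependency.

```python
"""Service dependency graph with tier propagation (slides 26-28 and 42).

Added example, not ServiceView code.  Blackboard's three dependencies and
their kinds follow the slides; the other edges and the declared tiers for
everything except Blackboard are assumptions.
"""
from collections import deque

REQUIRED, FEATURES, UPDATES = "required for service delivery", "some features", "updates"

# service -> {service it depends on: kind of dependency}
DEPENDS_ON = {
    "Blackboard": {"LDAP": REQUIRED, "Lecture Recordings": FEATURES, "Student System": UPDATES},
    "Lecture Recordings": {"LDAP": REQUIRED},       # assumed edge
    "Student System": {"Database": REQUIRED},       # assumed edge
    "LDAP": {"Database": REQUIRED},                 # assumed edge
    "Database": {},
}
# Declared (pre-propagation) tiers; only Blackboard's comes from the slides.
DECLARED_TIER = {"Blackboard": 1, "Lecture Recordings": 2, "Student System": 2, "LDAP": 3, "Database": 3}


def dependants(graph):
    """Invert the graph: dependency -> {service that relies on it: kind}."""
    inv = {svc: {} for svc in graph}
    for svc, deps in graph.items():
        for dep, kind in deps.items():
            inv.setdefault(dep, {})[svc] = kind
    return inv


def effective_tiers(graph, declared, kinds=None):
    """Push each service's tier down onto everything it depends on.

    A dependency ends up in the same tier as its most important dependant or
    higher (slide 42).  `kinds` restricts propagation to some edge kinds; the
    default follows the slide and propagates along every dependency.  Tier
    numbers only ever decrease, so the loop terminates even on cyclic graphs.
    """
    tier = dict(declared)
    inv = dependants(graph)
    changed = True
    while changed:
        changed = False
        for svc, users in inv.items():
            for user, kind in users.items():
                if kinds is not None and kind not in kinds:
                    continue
                if tier[user] < tier[svc]:
                    tier[svc] = tier[user]
                    changed = True
    return tier


def transitive_dependencies(graph, service, kinds=None):
    """Everything `service` relies on, directly or indirectly (breadth-first)."""
    seen, queue = set(), deque([service])
    while queue:
        for dep, kind in graph.get(queue.popleft(), {}).items():
            if kinds is not None and kind not in kinds:
                continue
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def tier_violations(graph, declared, kinds=None):
    """Services whose declared tier is weaker than a dependant requires: {service: (declared, effective)}."""
    eff = effective_tiers(graph, declared, kinds)
    return {svc: (declared[svc], eff[svc]) for svc in declared if eff[svc] < declared[svc]}


if __name__ == "__main__":
    print("all edges:     ", effective_tiers(DEPENDS_ON, DECLARED_TIER))
    print("required only: ", effective_tiers(DEPENDS_ON, DECLARED_TIER, kinds={REQUIRED}))
    print("to raise:      ", tier_violations(DEPENDS_ON, DECLARED_TIER, kinds={REQUIRED}))
```

`tier_violations` is the actionable output: the services whose owners declared a lower tier than the graph allows and whose uptime and recovery targets therefore need raising.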

SLIDE 43

Calculating Residual Risk

Combine all this information to get the residual risk:

How well are we running this service + How important is this service = RESIDUAL RISK

Residual risk levels: LOW, MODERATE, HIGH, SIGNIFICANT

SLIDE 44

Confidentiality Important For All Services

We cannot expect hackers to target only our most important services; all services are equally vulnerable where confidentiality is concerned.

How well are we running this service + What data does this service use = RESIDUAL RISK

Residual risk levels: LOW, MODERATE, HIGH, SIGNIFICANT
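Putting slides 14 to 19 and 38 to 44 together, the following is an added Python example (not ServiceView code) that scores one service end to end: Target C is the most sensitive data type the service holds (the central classification from slide 34), Target I and A come from the questionnaire answers, Actual C/I/A is what the controls in place achieve, the target-versus-actual gap gives the OK / BAD / VERY BAD rating per dimension, and the two residual-risk formulas combine that rating with the tier (slide 43) or with the data classification (this slide). The 1 to 9 scale, the control weights, the gap thresholds, the risk matrix, the Staff Time-Sheeting sample and the "staff payroll" classification are assumptions; the scores 7, 1, 5, 9 and 4 are the ones on the slides.

```python
"""Target vs Actual CIA and residual risk for one IT service.

Added example modelled on the audit method in the slides; it is not
ServiceView code.  The 1-9 scale, the control weights, the gap thresholds
and the risk matrix are assumptions chosen to illustrate the calculation.
"""
from dataclasses import dataclass, field

# Central confidentiality classification of data types (slide 34).  The
# first two values come from slide 14; the other two are assumed.
DATA_CLASSIFICATION = {
    "student identity": 7,
    "course and subject information": 1,
    "staff payroll": 8,
    "public web content": 1,
}
# Slide 18 questions -> Target I and A.  5/9 and 4/9 are the slide 15/16
# values; the mapping from answer to score is assumed.
ACCURACY_TARGET = {"informational": 3, "operational": 5, "official record": 9}
UPTIME_TARGET = {"business hours": 4, "extended hours": 6, "24x7": 9}
# Slide 19 controls -> contribution to Actual (C, I, A).  Weights are assumed.
CONTROL_WEIGHTS = {
    "behind firewall":      (3, 1, 0),
    "enterprise equipment": (1, 2, 2),
    "in data centre":       (2, 1, 3),
    "daily backup":         (0, 3, 2),
    "failover site":        (0, 0, 3),
}
BASELINE, MAX_SCORE = (1, 1, 1), 9   # no controls at all scores 1/1/1 (assumed)


@dataclass
class Service:
    name: str
    tier: int                      # 1 = most important (slide 41)
    data_types: list
    accuracy: str
    uptime: str
    controls: list = field(default_factory=list)


def target_cia(svc):
    """Target C is the most sensitive data type used; I and A come from the questionnaire."""
    c = max(DATA_CLASSIFICATION[d] for d in svc.data_types)
    return (c, ACCURACY_TARGET[svc.accuracy], UPTIME_TARGET[svc.uptime])


def actual_cia(svc):
    """Actual is what the controls in place achieve, capped at the top of the scale."""
    score = list(BASELINE)
    for ctl in svc.controls:
        score = [s + w for s, w in zip(score, CONTROL_WEIGHTS[ctl])]
    return tuple(min(s, MAX_SCORE) for s in score)


def rate(target, actual):
    """Per-dimension OK / BAD / VERY BAD from the target-minus-actual gap (slides 38 and 40)."""
    return tuple("OK" if t - a <= 0 else "BAD" if t - a <= 2 else "VERY BAD"
                 for t, a in zip(target, actual))


# Rows: how well the service is run; columns: importance 0 (low) .. 2 (high).  Assumed matrix.
RISK_MATRIX = {
    "OK":       ("LOW", "LOW", "MODERATE"),
    "BAD":      ("MODERATE", "HIGH", "HIGH"),
    "VERY BAD": ("HIGH", "SIGNIFICANT", "SIGNIFICANT"),
}
SEVERITY = {"OK": 0, "BAD": 1, "VERY BAD": 2}


def service_risk(svc):
    """Slide 43: how well it is run (worst of I and A) + how important it is (tier)."""
    _, i, a = rate(target_cia(svc), actual_cia(svc))
    worst = max((i, a), key=SEVERITY.get)
    importance = {1: 2, 2: 1}.get(svc.tier, 0)
    return RISK_MATRIX[worst][importance]


def confidentiality_risk(svc):
    """Slide 44: the C rating + what data the service holds; the tier plays no part."""
    c_target = target_cia(svc)[0]
    c_rating = rate(target_cia(svc), actual_cia(svc))[0]
    importance = 2 if c_target >= 7 else 1 if c_target >= 4 else 0
    return RISK_MATRIX[c_rating][importance]


# Constructed sample services.  Blackboard's 7 (student identity) and 9 (24x7)
# are slide values; everything else about both services is assumed.
BLACKBOARD = Service("Blackboard", 1, ["student identity", "course and subject information"],
                     "operational", "24x7",
                     ["behind firewall", "enterprise equipment", "in data centre",
                      "daily backup", "failover site"])
TIMESHEETS = Service("Staff Time-Sheeting", 3, ["staff payroll"], "official record",
                     "business hours", ["behind firewall", "daily backup"])

if __name__ == "__main__":
    for s in (BLACKBOARD, TIMESHEETS):
        t, a = target_cia(s), actual_cia(s)
        print(f"{s.name}: target={t} actual={a} rating={rate(t, a)} "
              f"service_risk={service_risk(s)} confidentiality_risk={confidentiality_risk(s)}")
```

The two formulas deliberately disagree on the time-sheeting system: as a Tier 3 service its service risk is HIGH, but because it holds payroll data with almost no controls its confidentiality risk is SIGNIFICANT, which is the point this slide makes about attackers not respecting tiers.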

SLIDE 45

Reporting

How do we extract the information in a meaningful way?

SLIDE 46

SLIDE 47

Reporting

Data Centre Dependency & Recovery Report
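An added Python example (not ServiceView code) of what a Data Centre Dependency & Recovery Report has to compute from the data centre dependencies and failovers recorded on slide 22 and the service dependencies from slides 26 to 28: given the loss of one data centre, which services are down outright, which survive only because a failover site exists, which have failed over in name only because a required dependency did not, and the order to bring them back in. The hosting table and the required-dependency list are constructed sample data; the slides only say that these dependencies are recorded.

```python
"""Data centre dependency & recovery report (slides 22 and 47).

Added example, not ServiceView code.  The hosting table and the required
dependencies are constructed sample data.
"""

# service -> primary data centre and optional failover data centre (assumed)
HOSTING = {
    "Blackboard":         {"primary": "DC-A", "failover": "DC-B"},
    "LDAP":               {"primary": "DC-A", "failover": "DC-B"},
    "Database":           {"primary": "DC-A", "failover": None},
    "Student System":     {"primary": "DC-A", "failover": None},
    "Lecture Recordings": {"primary": "DC-B", "failover": None},
}
# Only "required for service delivery" dependencies take a service down;
# "some features" and "updates" links degrade it instead, so they are left out.
REQUIRED = {
    "Blackboard": {"LDAP", "Database"},
    "LDAP": {"Database"},
    "Student System": {"Database"},
    "Lecture Recordings": {"LDAP"},
    "Database": set(),
}


def dc_outage_report(lost_dc, hosting=HOSTING, required=REQUIRED):
    """Return (down, failed_over) for the loss of one data centre.

    down maps each unavailable service to the reason; failed_over is the set
    of services that survive only because their failover site is still up.
    """
    down, failed_over = {}, set()
    for svc, site in hosting.items():
        if site["primary"] == lost_dc:
            if site["failover"] and site["failover"] != lost_dc:
                failed_over.add(svc)
            else:
                down[svc] = f"hosted only in {lost_dc}"
    # Cascade: a service is down when any required dependency is down.  A
    # failover is worthless if a required dependency did not fail over too.
    changed = True
    while changed:
        changed = False
        for svc, deps in required.items():
            if svc in down:
                continue
            dead = sorted(d for d in deps if d in down)
            if dead:
                down[svc] = "requires " + ", ".join(dead)
                failed_over.discard(svc)
                changed = True
    return down, failed_over


def lost_redundancy(lost_dc, hosting=HOSTING):
    """Services still up after the outage but now without a failover site."""
    return {svc for svc, site in hosting.items()
            if site["failover"] == lost_dc and site["primary"] != lost_dc}


def recovery_order(down, required=REQUIRED):
    """Recovery sequence for the services in `down`: each service comes after everything it requires."""
    order, remaining = [], set(down)
    while remaining:
        ready = sorted(s for s in remaining if not (required.get(s, set()) & remaining))
        if not ready:
            raise ValueError("circular required dependencies: " + ", ".join(sorted(remaining)))
        order.extend(ready)
        remaining -= set(ready)
    return order


if __name__ == "__main__":
    for dc in ("DC-A", "DC-B"):
        down, failed_over = dc_outage_report(dc)
        print(f"Lose {dc}: down={down} failed_over={sorted(failed_over)} "
              f"lost_redundancy={sorted(lost_redundancy(dc))} recover={recovery_order(down)}")
```

With this sample data the loss of DC-A takes every service down even though Blackboard and LDAP have a failover site, because the Database they require does not; that is the finding such a report exists to surface before the outage happens.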

SLIDE 48

Reporting

SLIDE 49

Other uses of the information

SLIDE 50

Reporting

Complete Risk Report

SLIDE 51

SLIDE 52

Complete Risk Report

Inputs: Services, Service Dependencies, Stored Data, Target CIA, Actual CIA

40 seconds and 18,000 database queries later

SLIDE 53

SLIDE 54

Reporting

How do we know it works?

SLIDE 55

SLIDE 56

SLIDE 57

Complete Risk Report

Inputs: Services, Service Dependencies, Stored Data, Target CIA, Actual CIA

Another 40 seconds and 18,000 database queries later

SLIDE 58

SLIDE 59

More Information

If you would like more information email me at:

chris.parker@uq.edu.au

Thank you for your time.

SLIDE 60

What Constitutes an IT Service

  • Applications or other IT services that perform a critical business function, without which your ability to conduct business efficiently would be impacted, OR
  • Applications or other IT services which store sensitive data