140 likes | 314 Views
IT Governance. Teresa Furnish, CISA IT Senior Auditor Oregon Secretary of State – Audits Division. Agenda. Organization Structure Executive Order Audit Findings Consolidation and ORS 182.122 More Audit Findings Governance as Cause Other Causes List of Related Audits. Organization.
E N D
IT Governance NSAA IT Conference - September 2012 Teresa Furnish, CISA IT Senior Auditor Oregon Secretary of State – Audits Division
Agenda • Organization Structure • Executive Order • Audit Findings • Consolidation and ORS 182.122 • More Audit Findings • Governance as Cause • Other Causes • List of Related Audits
Organization • Department of Administrative Services (DAS) • Chief Information Office • Chief Information Officer • Enterprise Security Office (ESO) • Chief Information Security Officer • State Data Center (SDC) • Shared Service Delivery
1998 – Executive Order 98-05 • According to statute Oregon Revised Statute 291.038, DAS was to: • Ensure that resources fit together in a statewide system capable of providing ready access to information, computing and telecommunication resources. • Adopt statewide policies, procedures, standards, and guidelines to govern the state’s IT resources.
Information Resources Management Division (IRMD) 2001 • Strategy and policy for securing systems was entirely omitted from the IT plans. • No clear indication of the actions needed to accomplish the initiatives, principles, practices or vision. • Policies and procedures did not provide guidance on implementation, leaving agencies to interpret the criteria. • No monitoring for agency compliance.
IRMD Follow-up – 2003 • Improvements in methodology • No statewide rules, policies, procedures and guidelines addressing most significant risks • No monitoring for compliance • The policies and procedures to govern security, system development and disaster recovery are not at the agency level either.
Consolidation • Computing & Networking Infrastructure Consolidation (CNIC) 2004 • Combine three DAS data centers into the State Data Center (SDC) • Move 12 of the state’s major data processing centers into one facility • Mission: “Reduce costs while maintaining or improving service levels”
Oregon Revised Statute 182.122 • Gives DAS responsibility for and authority over information systems security…including taking all measures reasonably necessary to protect the availability, integrity or confidentiality of information systems. • Assigned specific tasks to DAS including • Establish a state information systems security plan and associated standards, policies and procedures • Conduct vulnerability assessments • Verify the security of information systems
State Data Center – 2008 • Consolidation objectives not yet achieved • Detailed end-state architecture not defined • Number of network servers or operating system platforms not reduced • Staffing levels not reduced • Operating procedures not consolidated • Operations not uniformly or effectively controlled • Processes to manage the configuration of SDC infrastructure not developed • Security issues
Enterprise Security Office – 2009 • Department had not • Developed complete security plans and associated standards, policies and procedures • Conducted vulnerability assessments of agency information systems • Reviewed or verified the security of information systems • Ensured remedial actions were taken to resolve identified security issues
State Data Center – 2010 • Security issues • Most of the security issues continued to exist • Could be mitigated without new or overly complex technical solutions • Configure or implement already acquired technology • Attention and resources of state agencies needed for others • Shared services governance structure not effective for managing security in a timely manner
Other Causes • No one has authority • Decision making through council –difficulty reaching consensus • Decentralized culture – too much autonomy
Related Audits • Information Resources Management Division Review 2001 • Information Resources Management Division Follow-up 2003 • CNIC (Computing & Networking Infrastructure Consolidation )Risk Assessment – 2006 • State Data Center (SDC) Review – 2008 • Enterprise Security Office (ESO) – 2009 • State Data Center Review – 2010 • State Data Center Review – 2012 Available at: http://www.sos.state.or.us/audits