
2011-2012 IT Audit Summary

2011-2012 IT Audit Summary. Bruce Patrou, Chief Information and Technology Officer, St. Johns County School District (email: patroub@stjohns.k12.fl.us). Rick Laneau, Data Center Manager, Information Services, School District of Hillsborough County (email: rick.laneau@sdhc.k12.fl.us).


Presentation Transcript


  1. 2011-2012 IT Audit Summary
     Bruce Patrou, Chief Information and Technology Officer, St. Johns County School District. Email: patroub@stjohns.k12.fl.us
     Rick Laneau, Data Center Manager, Information Services, School District of Hillsborough County. Email: rick.laneau@sdhc.k12.fl.us

  2. User Account Mgt
     • Develop system to provision user accounts
     • Document your methods
     • Ensure your system handles account revocation
     • Link accounts to your Directory System (if able)
     • Project at St. Johns:
       • Working to employ Microsoft FIM (for employees)
       • Auto provision accounts when new/changed in HR System
       • Auto account rights revocation/lockout
       • Groups and rights tied to role
       • Accounts cross multiple systems
       • Accounts tied to MS Active Directory

  3. User Access Rights
     • Limit users to role-based system rights
     • Review user rights
     • Document results
     • Make changes from findings
     • Perform as often as practical
     • Document account approval procedures
     • Avoid exceptions to your rules
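The provisioning, revocation and rights-review steps on slides 2 and 3 can be exercised with one reconciliation script that compares the HR roster with Active Directory. The PowerShell below is an added example, not code from the presentation or from the St. Johns FIM project; it assumes the ActiveDirectory module, that each user's employeeID attribute carries the HR employee number, a placeholder OU, a constructed three-row roster, and an assumed role-to-group mapping. Run it with -WhatIf first so it only reports.

```powershell
# Added example: reconcile an HR roster against Active Directory.
#   (a) disable enabled accounts with no active HR record (revocation, slide 2)
#   (b) report users whose role-group membership drifts from their HR role (slide 3)
# Assumptions: ActiveDirectory module present; employeeID attribute holds the HR
# employee number; role -> group names in $RoleGroups are illustrative.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SearchBase = 'OU=Staff,DC=example,DC=org',     # placeholder OU
    [string]$ReportPath = ".\access-review-$(Get-Date -Format yyyyMMdd).csv"
)

# Constructed sample roster; in practice load the HR export with Import-Csv.
$Roster = @(
    [pscustomobject]@{ EmployeeId = '10001'; Role = 'Teacher';   Status = 'Active'     }
    [pscustomobject]@{ EmployeeId = '10002'; Role = 'Registrar'; Status = 'Active'     }
    [pscustomobject]@{ EmployeeId = '10003'; Role = 'Teacher';   Status = 'Terminated' }
)

# Assumed role -> AD group mapping. Rights are granted only through these groups,
# so the access review reduces to a membership comparison.
$RoleGroups = @{
    'Teacher'   = 'Role-Teachers'
    'Registrar' = 'Role-Registrars'
}

# Index active HR records by employee number for O(1) lookups.
$Active = @{}
foreach ($r in $Roster) {
    if ($r.Status -eq 'Active') { $Active[$r.EmployeeId] = $r }
}

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Sam, [string]$Check, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Account = $Sam; Check = $Check; Detail = $Detail })
}

# Pull every enabled user in scope once, with the attributes we compare on.
$Users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                    -Properties employeeID, memberOf

foreach ($u in $Users) {
    $id = $u.employeeID
    if (-not $id) {
        # Cannot be linked to HR at all: flag for manual review rather than guess.
        Add-Finding $u.SamAccountName 'NoEmployeeId' 'Not linked to HR; review manually'
        continue
    }
    if (-not $Active.ContainsKey($id)) {
        # Revocation: no active HR record. Disable only when not running -WhatIf.
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Disable-ADAccount (not active in HR)')) {
            Disable-ADAccount -Identity $u
        }
        Add-Finding $u.SamAccountName 'NotActiveInHR' "employeeID $id"
        continue
    }

    # Rights review: expected role group present, no other role groups present.
    # Simplified DN parsing (first RDN); CNs containing escaped commas would need
    # a proper DN parser.
    $role     = $Active[$id].Role
    $expected = $RoleGroups[$role]
    $groups   = @($u.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' })

    if ($expected -and ($groups -notcontains $expected)) {
        Add-Finding $u.SamAccountName 'MissingRoleGroup' "role $role expects $expected"
    }
    foreach ($g in $groups) {
        if (($RoleGroups.Values -contains $g) -and ($g -ne $expected)) {
            # An exception to the role model: exactly what slide 3 says to avoid.
            Add-Finding $u.SamAccountName 'ExtraRoleGroup' "member of $g but role is $role"
        }
    }
}

# "Document results": keep the dated CSV as the audit evidence for this review.
$Findings | Export-Csv -Path $ReportPath -NoTypeInformation
$Findings | Format-Table -AutoSize
```

A typical cycle is to run the script with -WhatIf, review the CSV with the account owners, then run it without -WhatIf to apply the disables; the dated report files are the evidence an auditor will ask for under "Review user rights" and "Document results".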

  4. Data Loss Prevention
     • School districts handle lots of sensitive data
       • Student academic records (many elements)
       • Staff sensitive data (SSN, medical, etc.)
     • Loss or unauthorized disclosure can be damaging
     • Identify what is sensitive and where it's located
     • Identify how it is accessed and via what systems
     • Identify how to control its transmission
       • Policies, procedures
       • Monitoring
       • Encryption
       • User awareness and training

  5. Data Loss Prevention
     • Supported by multiple documents:
       • Employee Acceptable Use Policy
       • Procedures for Handling Student Directory Information
       • IT Procedures Handbook
         • Procedures for handling and transmitting sensitive data
         • Location and security of sensitive/critical data
         • Data inventory
         • Data backup
         • Training and awareness

  6. Disaster Recovery and Testing
     • Identify critical processes
     • Identify key staff to participate
     • Cold or hot remote site
     • Annual testing
     • Daily log file updates
     • Dedicated connection preferred

  7. User Authentication Security Settings
     • Password length (minimum 8)
     • Password complexity enabled
     • Password history
     • Password lockout after x number of attempts
     • Password expiration (60 days)
     • Document your settings
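The settings on slide 7 are the kind an auditor asks to see documented and verified. The PowerShell below is an added example, not from the presentation; it reads the domain's effective password policy with the ActiveDirectory module cmdlets Get-ADDefaultDomainPasswordPolicy and Get-ADFineGrainedPasswordPolicy, compares each setting with the slide's baseline, and writes the result as the "document your settings" evidence. The slide leaves the lockout threshold as "x" and gives no history count, so the values 5 and 10 used here are assumptions to replace with your own standard.

```powershell
# Added example: audit domain password settings against the slide-7 baseline.
# Assumes the ActiveDirectory module and read access to the domain policy.
#Requires -Modules ActiveDirectory

$Baseline = @{
    MinPasswordLength    = 8       # slide: minimum 8
    ComplexityEnabled    = $true   # slide: complexity enabled
    PasswordHistoryCount = 10      # slide says "password history"; count is assumed
    LockoutThreshold     = 5       # slide's "x"; assumed value
    MaxPasswordAgeDays   = 60      # slide: expiration 60 days
}

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] $Policy,               # object from Get-AD*PasswordPolicy
        [string] $Name = 'Default Domain Policy'
    )
    # MaxPasswordAge is a TimeSpan; 0 days means "never expires", which fails.
    $ageDays = $Policy.MaxPasswordAge.Days
    $checks = @(
        @{ Setting = 'MinPasswordLength';    Actual = $Policy.MinPasswordLength
           Expected = ">= $($Baseline.MinPasswordLength)"
           Pass = ($Policy.MinPasswordLength -ge $Baseline.MinPasswordLength) }
        @{ Setting = 'ComplexityEnabled';    Actual = $Policy.ComplexityEnabled
           Expected = 'True'
           Pass = ($Policy.ComplexityEnabled -eq $true) }
        @{ Setting = 'PasswordHistoryCount'; Actual = $Policy.PasswordHistoryCount
           Expected = ">= $($Baseline.PasswordHistoryCount)"
           Pass = ($Policy.PasswordHistoryCount -ge $Baseline.PasswordHistoryCount) }
        @{ Setting = 'LockoutThreshold';     Actual = $Policy.LockoutThreshold
           Expected = "1..$($Baseline.LockoutThreshold) attempts (0 = no lockout)"
           Pass = ($Policy.LockoutThreshold -gt 0 -and
                   $Policy.LockoutThreshold -le $Baseline.LockoutThreshold) }
        @{ Setting = 'MaxPasswordAge';       Actual = "$ageDays days"
           Expected = "1..$($Baseline.MaxPasswordAgeDays) days"
           Pass = ($ageDays -gt 0 -and $ageDays -le $Baseline.MaxPasswordAgeDays) }
    )
    foreach ($c in $checks) {
        $result = if ($c.Pass) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{
            Policy   = $Name
            Setting  = $c.Setting
            Actual   = $c.Actual
            Expected = $c.Expected
            Result   = $result
        }
    }
}

# Default domain policy plus any fine-grained policies (PSOs), which override it
# for the groups they apply to and are easy to overlook in a review.
$Results = @(Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy))
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $Results += Test-PasswordPolicy -Policy $pso -Name "PSO: $($pso.Name)"
}

$Results | Format-Table -AutoSize
# Dated CSV is the documentation of current settings for the audit file.
$Results | Export-Csv -Path ".\password-policy-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Checking the fine-grained policies matters because a PSO applied to a privileged group can silently relax the domain default for exactly the accounts an auditor cares about most.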

  8. Incident Response Procedures
     • Procedures for reporting the unauthorized release of sensitive student or staff data
     • Include who will do what and when

  9. IT Procedures Manual
     • Mission/goal
     • Definitions
     • Documentation standards
     • Org chart (IT dept), including roles
     • Major software acquisition
     • Project approval, selection and monitoring
     • Operational procedures
     • Security awareness program
     • Security and access
     • System backups

  10. Security Risk Assessment
      • Security Risk Assessment Survey and Mitigation Plan (see template)
      • External/internal penetration assessment
      • Helpful links to NIST and Florida AEIT:
        • https://aeit.myflorida.com/sites/default/files/files/Security/2011FloridaITRiskAssessmentFinal.pdf
        • NIST SP800-30 Revision 1 (Sept 2011 Draft): http://csrc.nist.gov/publications/PubsSPs.html

  11. Security Awareness Program
      • Publish SA notes for employees
      • Publish notice of changes
      • Provide training to staff on changes
      • Security training (log via PD system)
      • Example

  12. Questions
