
Plan for Internal Audit and Assurance of Geo Designs IT Network


Presentation Transcript


  1. Plan for Internal Audit and Assurance of Geo Designs IT Network. Presentation to Audit Senior Leadership Team, 2013-03-7. Prepared by: Qiaozi Ren, Shan Jiang, Greg Bellevue, David Lanter. MIS 5205 IT, Prof. Liang Yao

  2. Presentation Overview • Background • Audit Scope – Boundaries of the review • Key Risk Areas and Risk Ratings • High Level Work Plan • Level of Effort • Resources • Deliverables • Schedule

  3. Background… Our Firm Inc. • Goal 3 of Our Firm’s 2012 5-Year Strategic Plan is: “Our Investments must provide Reasonable Assurance of Information Security” • To meet this strategic goal, a multi-phase, iterative program of Internal Information Security Audits (IISA) is being implemented across Our Firm’s IT investments • This memorandum presents a plan for Our Firm Inc. to conduct an audit that assesses the risks and controls of the network environment of the recently acquired Geo Designs subsidiary

  4. Background… • Geo Designs Inc. • 17 staff • Located in a Midwest facility • Value-adding supplier of commercial data products based on federal data sources • National, regional and local census data, demographics and econometrics datasets • Venture-capital-funded start-up firm • Venture capital provided by: Our Firm Inc.

  5. Background… • Geo Designs • Develops and packages data products • Uses the Internet and professional magazines for advertising/marketing • Customers purchase data from the web site • Email reply with receipt, link to FTP site, and download instructions • Customers acquire data products by downloading them over the Internet via FTP

  6. Background… • Geo Designs • Leases Internet connectivity from Computer Masters • Computer Masters designed, set up, and supports Geo Designs’ IT network

  7. Organization

  8. Background… Our Firm’s audit team contacted Mr. Dod, Computer Masters’ Network Administrator, who provided documentation on business contracts, scopes of services, and details of Geo Designs’ network computer operating environment. The network consists of: • Leased Internet line • DMZ on switch and externally facing router • Firewall • Corporate network switch • Router to Dev/QA subnet • Production servers subnet • Business users’ subnet

  9. Background… • No prior IT audits have been conducted • “Normal” amount of email phishing attacks, no other incidents… • As the business grows, Geo Designs’ business management is becoming concerned about cyber threats, but is unsure about its IT risks

  10. Boundaries of review… Proposed Network Audit In-Scope: • Coordination of Risk Governance between Geo Designs and Computer Masters • Movement of data products between Dev/QA and DMZ • Data Backup, Business Continuity, and Disaster Recovery • DMZ Network Design and Components • Firewall Design and Components • Corporate Network Design and Components

  11. Boundaries of review… Based on other planned audits, schedule, and budget, the following are not in scope: • Leased Internet line • Transfer of eCommerce data between DMZ and users’ subnet • Production servers • Oracle database • JEE application server cluster • Load balancer • App web server farm

  12. Network Inherent Risk - Trust Zones… (diagram; zone labels: Untrusted, Semi-trusted, Trusted, Trusted)

  13. Key Risk Areas and Ratings…

  14. Risks Covered by Plan…

  15. Risk: Systems Operations (for example…) Primary Controls - Network Design • Prior Security Risk Analysis • Security Policy – Control Policy • Security Policy – Strategy • Third Party Providers • Trust Zones – Classification • Trust Zones – Network Segmentation • Hardened Systems – Server OS Configurations • Hardened Systems – Separation of Duties

  16. Risk: Systems Operations / Primary Controls – Network Design
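The segmentation controls named on slides 8, 10, 12 and 15 (DMZ, firewall and corporate network design, trust-zone classification and network segmentation) are the kind of control that fieldwork verifies by reading the firewall rule base against the trust-zone model. The following is an added example, not material from the deck and not Computer Masters’ configuration: it classifies each rule endpoint into the three trust zones of slide 12 using constructed subnet assignments (the deck names the subnets but gives no addresses), compares each permit rule against the documented business flows (customer web purchase and FTP download into the DMZ, Dev/QA publishing data products to the DMZ; the port numbers are assumptions), and flags cross-zone rules that fall outside them. Rule names, addresses and ports are all hypothetical.

```python
import ipaddress

# Trust levels for the three zones on slide 12.
TRUST_LEVEL = {"untrusted": 0, "semi-trusted": 1, "trusted": 2}

# Hypothetical subnet assignments for the subnets named on slide 8; the deck
# gives no addresses, so these are constructed (RFC 5737 / RFC 1918 ranges).
ZONE_OF_SUBNET = {
    ipaddress.ip_network("203.0.113.0/24"): "semi-trusted",  # DMZ
    ipaddress.ip_network("10.10.0.0/24"): "trusted",         # Dev/QA subnet
    ipaddress.ip_network("10.20.0.0/24"): "trusted",         # Production servers subnet
    ipaddress.ip_network("10.30.0.0/24"): "trusted",         # Business users' subnet
}

# Cross-zone flows the business process on slides 5 and 10 accounts for:
# customer web purchase and FTP download into the DMZ, and Dev/QA pushing
# data products to the DMZ. The ports are assumptions, not from the deck.
EXPECTED_FLOWS = {
    ("untrusted", "semi-trusted", "tcp", 80),
    ("untrusted", "semi-trusted", "tcp", 443),
    ("untrusted", "semi-trusted", "tcp", 21),
    ("trusted", "semi-trusted", "tcp", 22),
}


def zone_of(addr):
    """Map a rule endpoint (host, CIDR, or 'any') to a trust zone.

    Anything not inside a known internal subnet is treated as the Internet,
    i.e. untrusted; that covers 'any' and unknown external addresses alike.
    """
    if addr == "any":
        return "untrusted"
    net = ipaddress.ip_network(addr, strict=False)
    for subnet, zone in ZONE_OF_SUBNET.items():
        if net.version == subnet.version and net.subnet_of(subnet):
            return zone
    return "untrusted"


def review_rules(rules):
    """Return (rule name, severity, reason) for every permit rule that crosses
    trust zones outside the documented flows. Deny rules and intra-zone rules
    are not findings for this control."""
    findings = []
    for r in rules:
        if r["action"] != "permit":
            continue
        src_zone, dst_zone = zone_of(r["src"]), zone_of(r["dst"])
        if src_zone == dst_zone:
            continue
        key = (src_zone, dst_zone, r["proto"], r["dport"])
        if key in EXPECTED_FLOWS:
            continue
        if r["proto"] == "any" or r["dport"] == "any":
            findings.append((r["name"], "HIGH",
                             f"permits any service {src_zone} -> {dst_zone}"))
        elif TRUST_LEVEL[src_zone] < TRUST_LEVEL[dst_zone]:
            findings.append((r["name"], "HIGH",
                             f"lower-trust {src_zone} reaches {dst_zone} on "
                             f"{r['proto']}/{r['dport']} outside documented flows"))
        else:
            findings.append((r["name"], "LOW",
                             f"undocumented egress {src_zone} -> {dst_zone} on "
                             f"{r['proto']}/{r['dport']}"))
    return findings


# Constructed sample rule base; not an export from any real firewall.
SAMPLE_RULES = [
    {"name": "web-in",        "action": "permit", "src": "any",            "dst": "203.0.113.10", "proto": "tcp", "dport": 443},
    {"name": "ftp-in",        "action": "permit", "src": "any",            "dst": "203.0.113.20", "proto": "tcp", "dport": 21},
    {"name": "dmz-to-users",  "action": "permit", "src": "203.0.113.0/24", "dst": "10.30.0.0/24", "proto": "tcp", "dport": "any"},
    {"name": "vendor-rdp",    "action": "permit", "src": "any",            "dst": "10.20.0.5",    "proto": "tcp", "dport": 3389},
    {"name": "devqa-publish", "action": "permit", "src": "10.10.0.0/24",   "dst": "203.0.113.20", "proto": "tcp", "dport": 22},
    {"name": "users-web-out", "action": "permit", "src": "10.30.0.0/24",   "dst": "any",          "proto": "tcp", "dport": 80},
    {"name": "cleanup",       "action": "deny",   "src": "any",            "dst": "any",          "proto": "any", "dport": "any"},
]

if __name__ == "__main__":
    for name, severity, reason in review_rules(SAMPLE_RULES):
        print(f"{severity:5} {name:14} {reason}")
```

Run as written, the sample yields two HIGH findings (the DMZ permitted to reach the business users’ subnet on every service, and an Internet-sourced rule reaching a production host) and one LOW finding (undocumented outbound web access from the users’ subnet). In fieldwork, SAMPLE_RULES would be replaced by an export of the actual rule base and EXPECTED_FLOWS by the flows documented in the Computer Masters scope of services; the two HIGH patterns are exactly the semi-trusted-to-trusted and untrusted-to-trusted crossings that the trust-zone classification on slide 12 is meant to prevent.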

  17. Key Risk Areas and Rating Details

  18. High Level Audit work plan… • Fieldwork and documentation • Issue discovery and validation • Solution development • Report drafting and issuance • Issue tracking (from Davis et al. 2011, IT Auditing: Using Controls to Protect Information Assets)

  19. Level of Effort…

  20. Level of Effort

  21. Resources

  22. Deliverables The audit plan covered by this APM will result in the following deliverables: • Audit Report • Major Issues requiring mitigation and Action Plan summary • Key Controls in place, Closed Items, and Minor Issues • Audit work papers supporting conclusions

  23. Schedule

  24. Presentation Overview • Background • Audit Scope – Boundaries of the review • Key Risk Areas and Risk Ratings • High Level Work Plan • Level of Effort • Resources • Deliverables • Schedule

  25. Plan for Internal Audit and Assurance of Geo Designs IT Network. Prepared by: Qiaozi Ren, Shan Jiang, Greg Bellevue, David Lanter. MIS 5205 IT, Prof. Liang Yao. 2013-03-7
