Research Presentation
October 27, 2011
PHS Internal Audit Services
Prepared by:
John Schwartz – MHA, CISA, CIA, IT Audit Manager – PHS
Marcia Wong – CISA, CCNA, CCSE, MCP, Senior IT Auditor – PHS

Contents
• PHS Internal Audit Services (IAS) IS
• Audit Risk Approach and Assessment
• Types of Control
• Scope of a General Computer Controls (GCC) review
• Research Computing - GCC Review outcome
• Best Practices
Risk Approach & Assessment
Approach
• Take into consideration impact and likelihood (risks to the business)
• The traditional risk assessment process may not be suitable for all IS risks and their assessment (these need to be identified)
• The IS risk assessment process should:
  • Consider all the layers of the IS environment.
  • Consider both static and dynamic risks.
  • Be performed in depth every year, not just as an update from the prior year.
Types of IS Controls
• A top-down approach is used when considering controls to implement and determining areas on which to focus.

Types of IS Controls
• Classification
  • Design General controls
  • User Application controls
• Classification
  • Preventative
  • Detective
  • Corrective
• Classification
  • Governance controls
  • Management controls
  • Technical controls
Scope of a GCC Review
The scope of the engagement included a review of the following areas:
• Governance Framework
• Project/System Development Life Cycle (SDLC)
• Change management
• Data/information management
• Systems’ maintenance management program and integrated testing of changes
• Security management
• Application access management
• System security environment
• System performance and interruption responses
• Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)

Research Computing - Areas Reviewed
• Enterprise Research Infrastructure & Systems (ERIS)
• Centralized Systems
• MGH Research Computing and BWH Research Information Computing Systems (RICS) Site Support
• Partners Bio-repository for Personalized Medicine
• Research Patient Data Registry (RPDR)
• Research Enterprise Applications
Observation Highlights
Issue: Inconsistent Research Patient Data Registry (RPDR) Access Controls and Provisioning
• The process to grant access to the data for Quality and Safety monitoring is not as rigorous as the IRB process and does not limit access to specific data once access is granted. Formal access controls to the RPDR should be developed, documented, and monitored, and should include the following minimum standards:
  • Purpose / Need
  • Specific data requested
  • Authorized users
  • Authorization to grant access
  • How data will be stored
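As an added illustration (not part of the presentation or of any PHS system), the following Python records an RPDR-style data grant against the five minimum standards listed above and then enforces, at query time, that access stays limited to the specific data that was requested. The dataset names, user names, approval reference and dates are constructed placeholders.

```python
"""Added example: documenting a data-access grant against the minimum standards
above and limiting a granted user to the specific data that was requested.
All dataset names, users, approval references and dates are constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AccessGrant:
    purpose: str                  # Purpose / Need
    datasets: frozenset           # Specific data requested
    authorized_users: frozenset   # Authorized users
    approved_by: str              # Authorization to grant access (approver or protocol reference)
    storage_location: str         # How data will be stored
    expires: date                 # renewal date so a grant does not live on indefinitely


# The five minimum standards from the slide, as the fields every grant must populate.
MINIMUM_STANDARDS = ("purpose", "datasets", "authorized_users", "approved_by", "storage_location")


def missing_standards(grant: AccessGrant) -> list:
    """Return the names of minimum-standard fields that are empty on this grant."""
    return [name for name in MINIMUM_STANDARDS if not getattr(grant, name)]


def authorize_query(grant: AccessGrant, user: str, requested, today: date):
    """Decide whether `user` may read the `requested` datasets under `grant`.

    Returns (allowed, reason). Every denial names the control that failed so the
    decision can be logged and reviewed.
    """
    gaps = missing_standards(grant)
    if gaps:
        return False, "grant incomplete: missing " + ", ".join(gaps)
    if today > grant.expires:
        return False, "grant expired; renewal review required"
    if user not in grant.authorized_users:
        return False, f"{user} is not an authorized user on this grant"
    outside = set(requested) - grant.datasets
    if outside:
        # Access was granted, but only to the specific data that was requested.
        return False, "requested data outside approved scope: " + ", ".join(sorted(outside))
    return True, "allowed"


# Constructed sample grant: Quality and Safety monitoring limited to two de-identified views.
QS_GRANT = AccessGrant(
    purpose="Quality and Safety readmission monitoring",
    datasets=frozenset({"encounters_deid", "readmissions_deid"}),
    authorized_users=frozenset({"qs_analyst"}),
    approved_by="QS-2011-017 (constructed approval reference)",
    storage_location="encrypted PHS file share; no local copies",
    expires=date(2012, 4, 30),
)

if __name__ == "__main__":
    today = date(2011, 10, 27)
    print(authorize_query(QS_GRANT, "qs_analyst", {"encounters_deid"}, today))
    print(authorize_query(QS_GRANT, "qs_analyst", {"encounters_deid", "patient_identifiers"}, today))
    print(authorize_query(QS_GRANT, "someone_else", {"encounters_deid"}, today))
```

The scope check is the point: a user who was legitimately granted access for one purpose is still refused any dataset that was not on the request, which is the gap the finding describes.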
Observation Highlights
Issue: System Security setup
• VMware’s operating system “root” account passwords have never been changed. The “root” account has the most powerful administration access rights and privileges on the operating system. A process should be implemented to change the “root” passwords every 90 days to comply with the PHS Password Management policy.
• Consistent periodic review of user access rights is not in place at Research Computing and PHS TSO. Terminated and transferred employees from Research Computing and PHS TSO remain active as privileged users at the application, operating system, and database server levels. Research Computing and PHS TSO should develop a formal user administration access review process that includes user authorization, periodic review, and transfer/termination deactivation.
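The two findings on this slide are the kind a periodic review can catch mechanically. The Python below is an added example, not from the presentation or any PHS tooling: it flags accounts whose password is older than the 90-day policy limit by reading /etc/shadow-style records, and it reconciles a per-layer inventory of privileged accounts (application, OS, database) against an HR roster to surface terminated users, transferred users, and accounts with no HR record. All host, user and department values are constructed.

```python
"""Added example: two offline checks for the findings on this slide.
 1. Password age against the 90-day policy, from /etc/shadow-style records.
 2. Privileged accounts at each layer reconciled against an HR roster.
All records, usernames and departments below are constructed."""
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90      # PHS Password Management policy limit, per the slide
EPOCH = date(1970, 1, 1)        # shadow(5) stores the last change as days since this date


def days_since_epoch(d: date) -> int:
    return (d - EPOCH).days


# Constructed shadow records: name:hash:lastchg:min:max:warn:inactive:expire
SHADOW_RECORDS = [
    f"root:$6$constructed:{days_since_epoch(date(2009, 3, 1))}:0:99999:7:::",   # never rotated
    f"svc_backup:$6$constructed:{days_since_epoch(date(2011, 9, 15))}:0:90:7:::",
    "nobody:*:0:0:99999:7:::",   # locked account; nothing to age
    "legacy:!!:15000:0:99999:7:::",   # locked account; nothing to age
]


def stale_passwords(records, today: date, max_age: int = MAX_PASSWORD_AGE_DAYS) -> dict:
    """Return {account: age_in_days} for accounts whose password is older than max_age."""
    stale = {}
    for rec in records:
        name, pw_hash, lastchg = rec.split(":")[:3]
        # Locked/disabled hashes and "0" (change forced at next login) have no age to check.
        if pw_hash in ("", "*") or pw_hash.startswith("!") or lastchg in ("", "0"):
            continue
        age = days_since_epoch(today) - int(lastchg)
        if age > max_age:
            stale[name] = age
    return stale


# Constructed HR roster: username -> (status, current department)
HR_ROSTER = {
    "jdoe": ("active", "Research Computing"),
    "asmith": ("terminated", "Research Computing"),
    "bwong": ("active", "Finance"),          # transferred out of Research Computing
    "tso_admin": ("active", "PHS TSO"),
}

# Constructed privileged-account inventory: layer -> {username: department that granted it}
PRIVILEGED_ACCOUNTS = {
    "application": {"jdoe": "Research Computing", "asmith": "Research Computing"},
    "os": {"jdoe": "Research Computing", "orphan_admin": "PHS TSO"},
    "database": {"asmith": "Research Computing", "bwong": "Research Computing"},
}


def access_review(privileged: dict, roster: dict) -> list:
    """Return sorted (layer, user, finding) tuples for accounts needing deactivation or re-authorization."""
    findings = []
    for layer, accounts in privileged.items():
        for user, granting_dept in accounts.items():
            if user not in roster:
                findings.append((layer, user, "no matching HR record"))
                continue
            status, current_dept = roster[user]
            if status == "terminated":
                findings.append((layer, user, "terminated account still privileged"))
            elif current_dept != granting_dept:
                findings.append((layer, user, f"moved to {current_dept}; re-authorization required"))
    return sorted(findings)


if __name__ == "__main__":
    review_date = date(2011, 10, 27)
    for account, age in stale_passwords(SHADOW_RECORDS, review_date).items():
        print(f"password policy: {account} last changed {age} days ago (limit {MAX_PASSWORD_AGE_DAYS})")
    for layer, user, finding in access_review(PRIVILEGED_ACCOUNTS, HR_ROSTER):
        print(f"access review: [{layer}] {user}: {finding}")
```

On a real host the shadow records would come from the system rather than a constructed list, and the roster from HR; the checks themselves do not change. Running the review per layer matters because the finding notes that stale privileged accounts persisted at the application, OS and database levels independently.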
Observation Highlights
Issue: Change Management
• A formal governance process that controls, documents, and communicates system changes is not present. Documentation, request/approval procedures, testing, and sign-off processes are inconsistent. We recommend that Research Computing and PHS TSO develop a formal change management process to ensure all changes are authorized and communicated.
Issue: Inventory of Research Assets/Applications
• Principal investigators (PIs) and their departments that procure computers, servers, and applications outside the PHS IS guidelines are not tracked by the PHS IS Asset Inventory; as a result, those devices may contain patient medical record information that is not secured. We recommend that the risks associated with these devices/applications be assessed and factored into the overall PHS IS Security Plan. In addition, governance over the use of technology outside of IS’ control should be established.
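As an added example of the change management control recommended above (not from the presentation or any PHS process), the Python below models a change record whose transitions enforce the request, approval, testing and sign-off sequence before deployment, with separation of duties between the requester and the approver, and keeps a history of who performed each step. Ticket identifiers, names and descriptions are constructed.

```python
"""Added example: a change record that enforces request -> approval -> test ->
sign-off -> deploy, refuses self-approval, and records who did each step.
Ticket ids, names and descriptions are constructed."""
from dataclasses import dataclass, field

# The control sequence every change must pass through, in order.
STEPS = ("requested", "approved", "tested", "signed_off", "deployed")


class ChangeControlError(Exception):
    """Raised when a step is attempted out of order or by the wrong person."""


@dataclass
class ChangeRecord:
    change_id: str
    description: str
    requested_by: str
    history: list = field(default_factory=list)   # (step, actor, note) in the order performed

    @property
    def state(self):
        return self.history[-1][0] if self.history else None

    def _advance(self, step: str, actor: str, note: str = "") -> None:
        idx = STEPS.index(step)
        expected = STEPS[idx - 1] if idx > 0 else None
        if self.state != expected:
            raise ChangeControlError(f"{self.change_id}: cannot mark {step} from state {self.state!r}")
        self.history.append((step, actor, note))

    def request(self, note: str = "") -> None:
        self._advance("requested", self.requested_by, note)

    def approve(self, approver: str, note: str = "") -> None:
        # Separation of duties: the person asking for the change cannot approve it.
        if approver == self.requested_by:
            raise ChangeControlError(f"{self.change_id}: approver must differ from requester")
        self._advance("approved", approver, note)

    def record_test(self, tester: str, result: str) -> None:
        self._advance("tested", tester, result)

    def sign_off(self, owner: str, note: str = "") -> None:
        self._advance("signed_off", owner, note)

    def deploy(self, implementer: str) -> None:
        self._advance("deployed", implementer)


def run_sample_change() -> ChangeRecord:
    """Walk a constructed change through the full sequence and return the record."""
    change = ChangeRecord("CHG-0001 (constructed)", "Rotate hypervisor root credential", "jdoe")
    change.request("scheduled maintenance window")
    change.approve("tso_manager", "approved in weekly CAB")
    change.record_test("qa_analyst", "verified on test host")
    change.sign_off("system_owner")
    change.deploy("jdoe")
    return change


if __name__ == "__main__":
    done = run_sample_change()
    for step, actor, note in done.history:
        print(f"{done.change_id}: {step} by {actor} {note}")
```

The record answers the audit questions directly: whether a change was authorized, by whom, whether it was tested, and who signed off, and any attempt to skip a step or self-approve fails rather than silently proceeding.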
Take Aways!!
Secure your IP (Intellectual Property) and Patient Health Information (PHI)
• Perform periodic risk assessments
• Take ownership of PHI by knowing “where and how” PHI is being transported and on which electronic storage devices it resides
• Follow IS security policies and procedures, and always keep IS security in the “back of your mind at all times” as the threats are all around you
• Monitor and manage the security of the IS environment and its data at all levels
• These rules will protect not only you but also your IP and the PHI you possess