
USG INFORMATION SECURITY PROGRAM

AUDIT:
ACHIEVING SUCCESSFUL AUDIT OUTCOMES

Cara King
Senior IT Auditor, OIAC

Topic Introduction

This presentation will highlight areas of focus for the upcoming USG Information Security Program Audit that will be conducted at the University System Office.

- OIAC will be working closely with the USO and the USG CISO.
- Some institutional involvement will be essential during the course of this audit.
- Expectations of the audit and examples of artifacts (to drive successful audit outcomes) are derived from the IT Handbook Sections 3 and 5 and the Audit Expectations Workbook.

Topic Objectives

Objective 1: Awareness of the audit, as institutional involvement may be required.

Objective 2: To provide a sneak preview, as the procedures are still in development (more soon).

Objective 3: The final plan will be distributed accordingly upon its completion.

Background Information
Board of Regents:
11.3 Information Security Policy

11.3.1 General Policy
11.3.2 System-Level Activities
11.3.3 Institutional Responsibilities

11.3.1 General Policy

The USO, all USG institutions, and the GPLS shall create and maintain an internal information security technology infrastructure consisting of an information security organization and program that ensures the confidentiality, availability, and integrity of all USG information assets.

11.3.2 System-Level Activities

The USG CISO shall:

- develop and maintain an information security organization and architecture for support of information security across the USG and support of activities between institutions.
- maintain information security implementation guidelines that the USO, all USG institutions, and the GPLS should consider in the development of their individualized information security plans.

11.3.3 Institutional Responsibilities

- ensure appropriate and auditable information security controls are in place.
- develop, implement, and maintain an individualized information security plan and submit it for periodic review.
- methods for ensuring that information regarding the applicable laws, regulations, guidelines, and policies is distributed and readily available to its user community shall be included in the individualized information security plan.
- clear procedures for reporting and handling of information security incidents shall be followed. These procedures shall include reporting of incidents to the USO in a timely manner, and shall be documented in the individualized information security plan.

Source: BOR Policy Manual

Background Information
Board of Regents:
11.3 Information Security Policy

We all play respective roles in adherence to policy 11.3.

One step toward adherence is the upcoming USG Information Security Program Audit.

USG Information Security Program Audit

Timeline:
- Planning phase: In progress
- Field work: Will begin Summer 2014

Areas of Focus:
- Information Security Management
- Information Security Operations

Areas of Focus: Information Security Management

1. Governance
2. Risk Assessment (Procedures Still Being Developed)
3. Policies
4. IT Security Plan

1. Governance

Objective: Processes are in practice to assure applicable management oversight of the information security function.

Purpose: The purpose of information security governance is to ensure that the USO, SSC, USG, Georgia Archives and GPLS are proactively implementing appropriate information security controls to support their mission in an effective manner, while managing evolving information security risks.

1. Governance

Expectations for Audit:

- A security governance committee/security steering committee exists.
- The security steering committee includes representation from key functional areas.
- Committee members regularly attend committee meetings.
- A security management communication process exists and reporting lines are clearly established.

1. Governance:

Example Artifacts:

- Security governance committee/security steering committee charter
- Charter membership list
- Meeting schedule
- Minutes of selected committee meetings
- Verification of communication process

2. Risk Assessment

Expectations for Audit:

- Risk assessments are regularly conducted to prioritize information security initiatives and ensure alignment with business risks.

Example Artifacts:

- Recent risk assessment documents

3. Policies

Objective: Policies are created according to a defined format and are distributed following a distribution list based on subject matter and relevance, and the scope of the policies is appropriate to ensure that information security is adequate to address the risk tolerance.

3. Policies

Expectations for Audit:

- Information security policies are adequate and complete.
- Communication practices related to the dissemination of information security policies are adequate.

3. Policies

Example Artifacts:

- Security policy documents:
  - An agreement to comply with information security policies (internal to IT/external to IT)
  - Appropriate Use Policy
  - Laptop/desktop computer security policy
  - Internet usage policy
  - Firewall policy
  - E-mail security policy
- Proof of policy awareness/communications
- Location/site of the readily available policies

4. IT Security Plan

Objective: Translate business, risk and compliance requirements into an overall IT security plan:

- taking into consideration the IT infrastructure and the security culture;
- ensuring that the plan is implemented in security policies and procedures, together with appropriate investments in services, personnel, software and hardware;
- communicating security policies and procedures to stakeholders and users.

The security plan is reviewed on a regular basis to determine that it is updated to reflect changes to the operating environment and new threats.

4. IT Security Plan:

Expectations for Audit:

- There exists a Security Plan by which the security strategic plan is operationalized or implemented.
- The Security Plan is adequate and complete.
- The Security Plan is reviewed on a regular basis to determine that it is updated to reflect changes to the operating environment and new threats.

4. IT Security Plan:

Example Artifact:

- A copy of the IT security plan, including version history

Areas of Focus: Information Security Operations

1. Security Testing and Monitoring (Procedures Still Being Developed)
2. Incident Management, Response and Monitoring (Procedures Still Being Developed)
3. Endpoint Security Management (Procedures Still Being Developed)
4. Security Awareness, Training, and Education

*Procedures will be developed in accordance with the IT Handbook Section 5 update as it is published.

4. Security Awareness, Training, and Education

Objective:

One of the objectives/goals of the ITS Information Technology Strategic Plan 2010 is to increase the awareness of the workforce through a security awareness program. The USG cannot protect the confidentiality, integrity, and availability of information and information systems in today's highly networked environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them. (IT Handbook Section 5.9.3.1)

4. Security Awareness, Training, and Education

Expectations for Audit:

- There is a strong Security Awareness, Training, and Education program.
- Training is conducted annually and attendance is mandatory.
- Role-based security education and awareness needs have been identified and provided to those individuals within the organization who have unique or specific information security responsibilities.
- A record of completed and needed security training is maintained.

4. Security Awareness, Training, and Education

Example Artifacts:

- Copy of the Security Awareness, Training, and Education program
- Documented record of completed and needed security training

SUMMARY EXAMPLE ARTIFACTS, THUS FAR:

1. Security governance committee/security steering committee charter
2. Charter membership list
3. Meeting schedule
4. Minutes of selected committee meetings
5. Verification of communication process
6. Recent risk assessment documents
7. Security policy documents
8. Proof of policy awareness/communications
9. Location/site of the readily available policies
10. A copy of the IT security plan, including version history
11. Copy of the Security Awareness, Training, and Education program
12. Documented record of completed and needed security training

Points of Contact
Kenyatta Morrison
Director of Information Technology Audit
Office: 404-962-3028
kenyatta.morrison@usg.edu
Cara King
Senior IT Auditor
Office: 404-962-3024
cara.king@usg.edu

Thank You
