DISC 2015 IT Audit. Presented by: Roni Argetsinger, Diocese of Des Moines Scott Long, Diocese of Charlotte

Transcription

1 DISC 2015 IT Audit Presented by: Roni Argetsinger, Diocese of Des Moines Scott Long, Diocese of Charlotte

2 IT Audit Why audit? Finding an auditor Scope of the audit Audit process Results Remediating Benefits

3 Diocese of Charlotte Bishop Peter J. Jugis installed 2003 Split from Diocese of Raleigh DOC formed in 1972 Only 4 bishops! Geography consists of 46 counties in the western half of NC 93 parishes 19 schools 195 dioceses in the US 2/3 of the dioceses in the US are larger than DOC Home to St. Matthew Parish with over 11,000 member families

4 Why? Diocese of Charlotte Understanding the history of IT at DOC What does DOC IT Manage? Current size of IT at DOC IT Director, Systems Administrator, (2) Helpdesk, Web Developer Security #1 issue facing our organization Being strategic Running into roadblocks setting and executing a strategy Use audit report as a mandate to drive the strategy

5 Finding an Auditor Diocese of Charlotte DOC underwent a thorough audit of IT in 2003 RGP Global (Deloitte spin-off) conducted the audit in 03 Consisted of survey to stakeholders In-depth audit of people, systems, architecture, security, etc. Audit report showed many IT weaknesses People, processes, network design, security, policies Management made a decision to not make any significant investment or changes to the IT Department Decided to use RGP again

6 Scope Diocese of Charlotte IT Operations, Processes & Management IT Management Role of IT in the organization Personnel Helpdesk Policies Planning & Strategy Cost Management SLAs for services provided End user computing

7 Scope Diocese of Charlotte IT Operations, Processes & Management Procurement Vendor management Purchasing Delivering equipment to customers

8 Scope Diocese of Charlotte Security of Information & Equipment Physical Security Physical Access Control Protection of environment Information Security Security policy Security management Logical access control

9 Scope Diocese of Charlotte Overall Architecture & Quality Systems Architecture Physical network, switches, cabling, APs, firewall/filtering, etc. WAN, VLAN, DHCP, DNS, Servers (physical and virtual) Applications SQL evaluation Systems Management Servers Network Desktop

10 Scope Diocese of Charlotte Overall Architecture &Quality Continuity of Systems Backup & recovery Capacity management Problem management Continuity planning Operations management

11 Audit Process Diocese of Charlotte 3-4 weeks of collecting data Collection/review of documentation Strategy, policies, procedures Interviews with staff, stakeholders / customers IT employees, Department Heads, school principals and technology contacts at schools Issued audit team AD accounts w/ Allowed the auditors full access to systems

12 Results Diocese of Charlotte Presentation showing accurate state of IT Strengths and weaknesses Risks re: people, processes, systems, and security Opportunities for improvement Recommendations for change Associated a timeline with recommendations

13 Diocese of Des Moines Bishop Richard Pates Installed May 29, 2008 Diocese of Des Moines Created in 1911 Covers 12,446 Square Miles in the SW Corner of Iowa About 97,000 Catholics of a total population of about 742, parishes 18 schools 60 active diocesan priests, and 3 Catholic hospitals.

14 Why? Recommended by Risk Assessment Committee Subcommittee of Diocesan Finance Council Technology Department Staff Me! (Technology Manager) Support Diocesan Staff, Catholic Charities Staff (local and remote), CFSWIA, CTO, and Sr. Housing. (About 125 staff). Provide some Technical Support to parishes & schools

15 Scope & Process Very similar to DOC Executive Report on I.T. Controls submitted June 2013 Risk Assessment Rankings: High/Moderate/Low 16 High s 10 Moderate s Identified Risk (ie. No formal end user security awareness training ) Resource Requirements (ie. Monthly training sessions, educational documents) Description (ie. Why this item is important) Control Area (ie. Human Resources) Business Impact (ie. What happens if not addressed) Recommendation (ie. Ways to address the identified risk)

16 Scope & Process Action Plan Technology Advisory Committee Review & Re-rank Created action plans for each identified item & Timeline Some items re-evaluated to be Low Risk/No Action required Worked on High risk items first Worked on Moderate risk items next Updated Executive Report with our actions & comments Submitted to Risk Management Committee early 2014 To date, two identified moderate risk items remain Computer Security Incident Response Plan Final Draft goes to Finance Council in June 2015! No organizational oversight for Business Continuity Planning This has been started/stopped/started/ It s next!

17 I.T. Audits of Parishes & Schools 2008 Annual Financial Review Form (AFR) Annual Questionnaire All parishes/schools complete and return to Diocese Finance Office Responses tracked Glaring issues were addressed Implemented Parish Finance Council Training to address items No I.T. Questions on this AFR

18 I.T. Audits of Parishes & Schools Three Year Audit Plan Diocese Parish Accounting Committee 3-Year Plan to bring all parishes & Schools into Compliance with AFR Accountability Transparency Internal Controls Eight Critical Control Areas Identified Written Finance Council meeting minutes EOY Financial Statements Presented to parishioners/parents Firewall & A/V Installed on all devices Pastor has signatory power for all checking/investment accounts All bank statements reconciled monthly by someone other than a check signor Tamper Resistant bags used for all Mass Collections Responsible party for assigning bag numbers & verifying those used Mass collections counted by at least 2 unrelated people

19 I.T. Audits of Parishes & Schools Three Year Audit Plan 2011 AFR = 51 parishes (of 81) had at least 1 Critical Control missing December 2011 Letter to Pastor & Finance Council Chair Address missing key controls by June 30, 2012 Included list of solutions for overcoming obstacles that might hinder implementation Respond with plans for implementation w/in 45 days Non-Responders & Interesting Statistics 2 nd letter sent 60 days later Extended deadline for 2 more weeks 94% of all parishes provided responses to implement controls by June 30, 2012 Three parishes did not respond Maximum # of missing controls was 5 (there were 8 total) Most frequent control not implemented was the verification of pre-numbered tamperresistent bags.

20 I.T. Audits of Parishes & Schools Three Year Audit Plan Year Two = Peer Review One Person from each parish/school reviews one other parish/school Provided list of Controls/Procedures to review Prepare Report upon completion Learning Process / Non-Threatening / Sharing of Information 2012 AFR Now includes small section on Information Technology Controls Online banking/separate computer Firewall, anti-virus, anti-malware, spam filter Password policy I.T. Staff # of Devices & Infrastructure Makeup Wireless Information

21 I.T. Audits of Parishes & Schools Three Year Audit Plan Year Two = Peer Review Separate I.T. Controls Worksheet Responses provided by Diocese w/recommendations Letter to Pastor & Finance Council Chair Year Three = Internal Audits Volunteers (retired CPA s) & Diocese Finance Manager & Controller Audit Reports reviewed directly following the audit Diocese response sent immediately to the parish Business Manager & Pastor Action Items need response by parish w/in 60 days

22 I.T. Audits of Parishes & Schools Three Year Audit Plan Year Three = Internal Audits What if they say No? Diocesan Finance Council Responds first If parish continues to decline to address an identified item, they must appeal to Bishop to not do what we ve asked. Information Technology Compliance has been great Only item that has been of contention with very few reviewed parishes is the segregated device for online banking. We re still holding firm on that one though. I ve not heard of any parish taking any of the Finance controls to the Bishop yet.

23 I.T. Audits of Parishes & Schools

24 I.T. Audits of Parishes & Schools Roni Argetsinger Scott Long Diocese of Des Moines Diocese of Charlotte