Putnam Valley Central School District. Information Technology Internal Audit Report August 2017

Similar documents
ASSESSMENT AND EVALUATION OF THE CITY OF PHILADELPHIA S INFORMATION TECHNOLOGY GENERAL CONTROLS FISCAL 2016

GOVERNANCE AES 2012 INFORMATION TECHNOLOGY GENERAL COMPUTING CONTROLS (ITGC) CATALOG. Aut. / Man. Control ID # Key SOX Control. Prev. / Det.

Ms. Jeanine Rufo, President, Board of Education

Collaboration with Business Associates on Compliance

County of Sutter. Management Letter. June 30, 2012

SOX 404 & IT Controls

The North Suburban Emergency Communications Center (NSECC) Managed Information Technology Services. Request For Proposal

Outsourcing and the Need for Supplier Audits

REGULATORY HOT TOPIC Third Party IT Vendor Management

your resume to Initial screening of candidates to occur no later than May 1, Position open until filled.

Hastings-on-Hudson Union Free School District Risk Assessment Update FY 2015/16 & Recommended Audit Plan

REQUEST FOR PROPOSALS

City of Markham. Report of the Auditor General Human Resources Information System ( HRIS ) Implementation Audit. Presented to:

CHAPTER 5 INFORMATION TECHNOLOGY SERVICES CONTROLS

3/16/2016. How to Implement a Monitoring Program Presented by: Kelly Nueske April 2016 OBJECTIVES AGENDA

St. Charles County Auditor's Office

Lake Geauga Computer Association

David E. Moran, Director of Education Practice

American Well Hosting Operations Guide for AmWell Customers. Version 7.0

Outline of the Discussion

General IT Controls Review of the Division of Technology. Fiscal 2008

Policy Outsourcing and Cloud-Based File Sharing

{Buffalo County} IT Managed Services REQUEST FOR PROPOSAL BUFFALO COUNTY

IT Plan Instructions for FY18-FY19

STATE OF NORTH CAROLINA

CEBOS CLOUD PROGRAM DOCUMENT

ISAE 3402 Type 2. Independent auditor s report on general IT controls regarding operating and hosting services for to

MANAGED NOC AND HELP DESK SERVICES

Gartner IT Key Metrics Data

Oracle Cloud Hosting and Delivery Policies Effective Date: Dec 1, 2015 Version 1.6

External Supplier Control Obligations. Information Security

REQUEST FOR PROPOSALS: INFORMATION TECHNOLOGY SUPPORT SERVICES

1 P a g e. IT Tailored to Your Needs

Ensuring Organizational & Enterprise Resiliency with Third Parties

City of Markham. Human Resource Information System ( HRIS ) Implementation Audit. June 18, Richmond Street West Toronto, ON M5H 2G4

Buying IoT Technology: How to Contract Securely. By Nicholas R. Merker, Partner, Ice Miller LLP

Request for Proposals (RFP) Shared Information Technology (IT) Services for Rural Communities of Scott County, Iowa

IT Audit Process. Michael Romeu-Lugo MBA, CISA March 27, IT Audit Process. Prof. Mike Romeu

Section II: Schedule of Requirements

Telecommuting Program Manual

Security Monitoring Service Description

Service Planning Survey

How to Choose a Managed Services Provider

JOB DESCRIPTION. IT Network Manager

AffirmX. New York Credit Union Association. AffirmX. Linda Bow, CUCE, CRCM Director of Compliance

PCI Information Session. May NCSU PCI Team

Audit Report# May 30, 2017

PREDICTIVE INTELLIGENCE SECURITY, PRIVACY, AND ARCHITECTURE

Standard Operating Procedures

Employes Retirement System of the City of Milwaukee:

Building an IT Roadmap. Planning for technology initiatives aid in successful and timely implementation of IT projects

CITY OF KOTZEBUE REQUEST FOR PROPOSAL ADMINISTRATION IT SERVICES FOR FY18 REQUEST FOR PROPOSAL INFORMATION TECHNOLOGY SUPPORT SERVICES

ACA COMPLIANCE PROVIDER REQUEST FOR PROPOSAL (RFP)

Application Performance Management Advanced for Software as a Service

No. Question Answer IT Qualification Statement 1 SITE CONTACT

External Supplier Control Obligations. Information Security

INFORMATION TECHNOLOGY SERVICES

Zynstra Software for the Retail Edge Datasheet

REQUEST FOR PROPOSAL FOR INFORMATION TECHNOLOGY SERVICES

1. Describe the staffing levels maintained in the IT department (change titles as needed): Administrative Analyst II To be hired in August 2007/1

Supplier Security Directives

Service Level Agreement (SLA) for IPA Offices By. Dubuque Internal Medicine

Payment Card Industry Compliance. May 12, 2011

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 04/29/2016

DISC 2015 IT Audit. Presented by: Roni Argetsinger, Diocese of Des Moines Scott Long, Diocese of Charlotte

Sir Winston Churchill once said,

Ambulance Contract Billing Report October 12, 2016 KEY CONTROL FINDING RECOMMENDATION STATUS The City should:

The County Council and County Executive of Wicomico County, Maryland:

Group Technology Committee Charter

Electronic I-9 Documentation Guardian Electronic I-9 and E-Verify Compliance with 8 CFR 274a.2

6 MONTH SUPPORT CONTRACT

REQUEST FOR PROPOSAL NO. 1004/KB/08 For INFORMATION TECHNOLOGY SERVICES ADDENDUM NO. 2

Agenda. Agenda. Why Audit Suppliers. Outsourcing / Offshoring. Supplier Risks. Minimum Security Standards. Audit Focus

JOHN W. R. SHAFFER 251 Middlebrook Dr. Fairfield CT 06824

INFORMATION SYSTEMS CONTROL AND AUDIT

ACTION Agenda Item I ANNUAL AUDIT REPORT December 6, 2002

GMS NETWORK PLUS PRODUCT SPECIFICATION 1. INTRODUCTION 2. SERVICE DEFINITION. 2.1 Service Overview. GMS Network Plus

IT Relation A/S. ISAE 3402 Type 2

REPORT 2014/115 INTERNAL AUDIT DIVISION. Audit of information and communications technology management at the United Nations Office at Geneva

Success in Joint Ventures: Sustained Compliance and Audit Oversight

Oracle Tech Cloud GxP Position Paper December, 2016

Model ICT Contingency Plan

IBM Cloud Service Description: IBM Kenexa Skills Manager on Cloud

Rick Ensenbach, CISSP-ISSMP, CISA, CISM, CCSFP Senior Manager, Wipfli Risk Advisory Services OBJECTIVES

Request for Proposal. Request for Proposal: Information Technology Support. Date Posted: September 19, 2016 Date Closed: October 19, 2016

Guidelines for Self-Assessment of HMIS Grantee Implementation and Operations. HMIS Grant Administration Programmatic Self-Monitoring Guide

GUIDELINES FOR IMPLEMENTING A PRIVACY MANAGEMENT PROGRAM For Privacy Accountability in Manitoba s Public Sector

Questionnaire. Identity Management Maturity Scan for SWITCHaai. Thomas Lenggenhager, SWITCH Thomas Siegenthaler & Daniela Roesti, CSI Consulting AG

Evergreen Solutions Shatter the mold. With Evergreen

Delivering high-integrity accounting with Xero

ICT and Computing Curriculum leader, Business Manager and ultimately the Headteacher

Task 5. Layout of the dog kennel site. Case Study: Rufus Kennels

COLUMBIA UNIVERSITY CREDIT CARD ACCEPTANCE AND PROCESSING POLICY

Utility Systems Access Rights Audit

Position Description. Senior Systems Administrator. Purpose and Scope

REQUEST FOR PROPOSAL INFORMATION TECHNOLOGY SUPPORT SERVICES

Security overview. 2. Physical security

DISASTER PREPAREDNESS Guide & Template

1.1 This report provides committee members with an update on the current position of ICT services.

GENERAL INFORMATION. Title: IT Systems and Infrastructure Administrator. Classification: Exempt

Transcription:

Putnam Valley Central School District Information Technology Internal Audit Report August 2017

August 30, 2017 Audit Committee Putnam Valley Central School District 146 Peekskill Hollow Road Putnam Valley, NY 10579 Dear Audit Committee members: We have completed our internal audit of the Information Technology (IT) General Computer Control Environment of the Putnam Valley Central School District ("the District"). This area was recommended for audit in our FY16/17 risk assessment update report. This internal audit report includes background information, the audit scope and objectives, a summary of audit procedures performed, a summary of audit findings and ratings, and our observations and recommendations. The audit procedures performed included various tests, reviews, and evaluations in accordance with the International Standards for the Professional Practice of Internal Auditing promulgated by the Institute of Internal Auditors We appreciate the fine level of cooperation provided to us by the District's staff during our audit and look forward to working with them in the future. Very truly yours, Accume Partners Tower 49, 12 East 49 tr Street New York. NY 10017 p: 646.375.9500 f: 646.328.0011 occumeportners.com

Background Accume Partners performed an IT General Computer Controls Review at the District. We reviewed the adequacy and effectiveness of controls supporting the computing environment and management oversight. Audit Scope and Ob!ectives The purpose of the review was to evaluate and assess the adequacy of the procedures and controls in order to ensure that the District's computer systems are managed in a controlled manner. The procedures were performed in accordance with the District's Internal Audit Plan, which was reviewed and approved by management and the Audit Committee. Our work included the following areas: IT Strategy and Planning Outsourced Vendor Management Business Continuity Planning IT Infrastructure and Maintenance Information Security Systems Development and Maintenance System Operations IT Governance Critical Systems Summary of Audit Procedures Performed Our procedures included Interviewing key personnel, reviewing policies and procedures, inspecting certain documents and reports, and testing the effectiveness of identified controls. We performed the following specific procedures: Reviewed management's oversight of the IT environment to determine if policies and procedures exist, are being followed, and are suitable for the IT environment. Reviewed the current Strategic Technology Plan and Technology Committee Meeting Minutes to identify the District's goals, action plans and the strategic planning process. Reviewed Board of Education Meeting Minutes to determine whether the Board is kept informed of information technology activities. Reviewed controls over third party vendors to determine if there was proper selection and oversight, and if adequate documentation was maintained to support vendor relationships. An Internal Audit Report Poge2 occumeportners.com

Reviewed vendor contracts and service level agreements for existence and compliance with terms. Reviewed network and application backup procedures for appropriateness and adequacy. Reviewed security administration procedures and user access reports for adequacy and appropriateness. Reviewed the District's IT Policies for completeness and adequacy. Reviewed the physical security environmental controls of the server room. Reviewed the Technology Organization Chart and IT job functions to determine whether such functions are appropriately segregated. Reviewed application security administration and password controls. Reviewed remote access (VPN) for appropriateness. Reviewed that only active employees, or authorized vendors and consultants of the District, had access to critical application systems, by comparing a listing of application level IO's to a listing of active and terminated employees provided by Human Resources. Reviewed application system password parameters for appropriateness. Reviewed the wireless LAN security parameters and encryption standards for adherence to best practices. Reviewed network monitoring controls and sample reports for existence. Reviewed the anti-virus software to determine whether it was operational and updated. Reviewed the Network Diagram to confirm the District's connectivity. Reviewed the Disaster Recovery and Business Continuity Planning procedures for appropriateness. Reviewed Disaster Recovery Test results for adequacy. Toured the Lower Hudson Regional Information Center (LHRIC) and reviewed the IT controls surrounding the processing that the LHRIC performs on behalf of the District. Reviewed the District's measures to address Cybersecurity. An Internal Audit Report Page 3 occumepartners.com

Summary of Audit Findings and Ratings As a result of the work performed, we noted the following observations that resulted in recommendations to improve internal controls and enhance operating policies and procedures. Detailed observations and recommendations follow this section. Audit Area Key Processes/Documents Reviewed Recommendations Rating IT Strategy and Instructional Technology Plan None Satisfactory Planning Smart Schools Investment Plan ' OSC IT Questionnaire IT Organization Chart IT Job Descriptions Technology Committee Charter Technology Committee Meeting Minutes Board Of Education Meeting Minutes Status of Current IT Projects and Planned IT Projects Technology Budget Equipment Insurance Outsourced Purchasing Policy and Procedures The District should Satisfactory Vendor LHRIC Service Level Agreement monitor vendor Management LHRIC Installment Purchase Service Level Agreement Agreements (SLA's) LHRIC IT Controls to ensure that LHRIC Service Organization Control agreed upon 2 (SOC2) Report services are being Vendor Contracts (PowerSchool, delivered. Google For Education & CSI) (Observation #1} ' Business Data Recovery and Disaster Plan None Satisfactory Continuity Business Operatio.ns Continuity and Disaster Preparedness Plan LHRIC Finance Manager Disaster Recovery (DR) and Backup Procedures (nvision) Finance Manager DR Test Results Memo (nvision)! An Internal Aud"t Report Page 4 accumepartners.com

Audit Area Key Processes/Documents Reviewed Recommendations Rating IT Infrastructure Network Topology Diagrams None Satisfactory and Maintenance LHRIC Wide Area Network Security Procedures LHRIC Data Center Controls & SOC2 Report Hardware and Software Inventories Hardware Disposal Procedures I Firewall Configuration and Event Monitoring logs Anti-Virus and Malware Monitoring Wireless Security Controls Intrusion Protection Procedures and Event Monitoring! LHRIC Internet Access Event Monitoring CSI Remote Monitoring Agreement Sample Monitoring Reports (Equipment, Network and Firewall) Users with VPN Access I Information Process for Enabling/Disabling The District should Satisfactory Security Employee User Accounts perform a periodic Employee listings (Active, New user entitlement i Hires and Terminations) review of system Sample New Hire and Termination access for all Approval Forms applications. User Access listings (Finance (Observation #2) Manager, PowerSchool, IEP Direct and VPN) Application Password Parameters Screen Inactivity Settings Login Monitoring Reports PVCSD and LHRIC Data Center Physical and Environmental Controls Server Room Key Sign-in Logs I. Systems Patch Management Process and None Satisfactory Development and Settings Maintenance Sample Patch Reports An Internal Audit Report PogeS occumepartners.com

Audit Area Key Processes/Documents Reviewed Recommendations Rating System Operations IT Governance Student Use of District Technology The District should Satisfactory Agreement LHRIC Remote Backup Service None Satisfactory Backup Process at Xand Co-location Backup Log Snapshot Helpdesk Reports/Logs Sample Backup Restore Policy Internet Safety Policy Computer, Internet and E-mail Use provide formal cybersecurity training to all system users on an annual basis. Laptop and Mobile Device Loan Agreement {Observation #3) Student Privacy Policy Computer Resources and Data Management Policy Information Security Breach and Notification Policy Audit Ratings Satisfactory Needs Improvement Unsatisfactory Indicates an acceptable system of internal control and satisfactory compliance with applicable policies, procedures and regulatory requirements. Findings indicate modest weaknesses that require management's attention. Indicates weaknesses in the system of internal control and/or compliance with related policies, procedures and regulatory requirements. These findings require management's prompt resolution to prevent further deterioration and possible losses. Indicates significant weaknesses in the system of internal control and/or compliance with related policies, procedures and regulatory requirements. Management's immediate attention to these findings is required to prevent loss to the institution. An Internal Audit Report Page 6 occumeportners.com

Observations and Recommendations 1. Outsourced Vendor Management - Vendor Service level Agreements (SLA's) Observation: The District utilizes third party vendors to provide ff services including application support for the Student Information System (PowerSchool) and Network Monitoring (CSI). We noted that the PowerSchool SLA included Security Advisory Services and Quarterly Security Audits; however, there was no evidence that these services were provided to the District. In addition, the Network Assessment described in the CSI SLA has not been performed. School District Risk and/or Opportunity: The District's vendors may not be meeting the obligations of service level or contractual agreements. Recommendation: Review the current vendor SLA's and evaluate contractual vendor compliance with agreed upon terms and conditions. Management's Response: We agree with the observation and will review vendor SLA's for compliance. Proposed Implementation Date: Immediately. Responsible Party: Michael Lee 2. Information Security- User Access Entitlement Review Observation: A formal periodic review of user access entitlements is not performed. During our testing of application user access, we identified one former employee active in PowerSchool and several former employees with disabled accounts. It was determined that the former employee's account needed to remain active for a period of time. The password was changed to prevent unauthorized access from the original account holder. In addition, there were many users with IEP Direct system access who were not on the active employee list; however, upon further review, it was determined that these users were consultants who required access. School District Risk and/or Opportunity: Lack of a user access entitlement review could result in unauthorized system access. Recommendation: We recommend that the District perform a periodic review of system access rights for all applications to ensure that user ID's are for active employees or approved consultants and that rights align with job responsibilities. In addition, disabled accounts for former employees should be removed. An lnterna' Audit Report Page 7 accumepartners.com

Management's Response: We agree with the observation and will develop a formal review process for system access rights. Proposed Implementation Date: November 1, 2017 Responsible Party: Michael Lee 3. Governance - Cybersecurlty Awareness Training Observation: While we recognize that District staff are re-briefed on the Computer Use Agreements annually, formal cybersecurity awareness training has not been performed. School District Risk and/or Opportunity: Lack of cybersecurity training and preparedness may result in loss of data and affect the confidentiality of non-public information. Recommendation: With the continued risk of cybersecurity threats, we recommend that the District provide user awareness training for safe computing practices and response actions to all employees who have access to systems and data. Training should address the protection of non-public information and include information security basics as well as cybersecurity threats (I.e., Ransomware, Safe Web Browsing, Mobile Device Security, Phishing/Social Engineering, and Domain Spoofing). Management's Response: We agree with the observation and will explore the best options for delivering cybersecurity training to all staff. Proposed Implementation Date: 17-18 School Year Responsible Party: Technology, Curriculum, and HR Departments. An Internal Audit Report Poge8 accumeportners.com

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback