
HOW TO MECHANISE AN IT AUDIT Chris Parker chris.parker@uq.edu.au - PowerPoint PPT Presentation



  1. HOW TO MECHANISE AN IT AUDIT Chris Parker chris.parker@uq.edu.au

  2. The University of Queensland • $1.6 Billion Organisation • 40+ Sites • 400+ Buildings • 100+ Institutes, Schools, and Centres • 50,000+ Students • 100,000+ Network Ports

  3. Effective Use of IT - UQ Uses IT

  4. Effective Use of IT - UQ Uses A Lot Of IT

  5. Effective Use of IT For Students - IT is used to attract, enrol, teach, assess and graduate students. (Diagram: Attract, Enrol in Classes, eLearning, Online Recordings, Assessment, Graduation)

  6. Effective Use of IT For Researchers - IT is used to create, store, protect, share and publish research material. (Diagram: Create, Store, Protect, Share, Publish)

  7. Effective Use of IT For Researchers

  8. Organisation's Use of IT

  9. (image-only slide)

  10. Purpose of the Audit • To identify and understand the IT services at UQ: • how important they are • who looks after them • how they interconnect

  11. Objectives of This Audit - Identify the RISKS

  12. Risk Categories - Risks are divided into 3 categories: Confidentiality: the risk of unauthorised access to data. Integrity: the risk of data being changed or incorrect. Availability: the risk of the service or data not being available when needed.

  13. IT Risk Categories - Risks are divided into 3 categories: a common way of classifying risk in security standards such as ISO 27001.

  14. IT Risk Categories - Confidentiality: Confidentiality is gauged by the type of data stored in or captured by the service. Course & subject information = 1; Student identity information = 7.

  15. IT Risk Categories - Integrity: Integrity of the data depends on the system that is using it. Student name in the Student Portal = 5; Student name for diploma printing = 9.

  16. IT Risk Categories - Availability: Availability (uptime) will vary for each service. e-Learning system (24 x 7) = 9; Staff time-sheeting system = 4.

  17. Target - For each service we want to set a Target CIA and an Actual CIA (Actual is after controls).

  18. Target - Questions about a service can contribute towards setting a Target CIA: • The data the service uses • Business impact of service outage • Data accuracy requirement • Business hours or 24/7

  19. Actual - Questions about a service can contribute towards setting an Actual CIA (what controls are currently in place to protect the service in the three areas): • Behind firewalls • Type of equipment used • Location of equipment • Backup & recovery strategy

  20. Process - 35 questions for each service, some multi-value; 20,000+ pieces of information about the IT services in the organisation.

  21. Process - How to capture all this information? Using a web-based system allowing IT staff to enter their own service details, and processing the information centrally for reporting.

  22. Process - Using ServiceView we are able to delegate the task of: • Adding a new IT service • Setting service dependencies on other services • Setting data centre dependencies & failovers

  23. (image-only slide)

  24. Setting Service Dependencies on Other Services (Video: SV Adding Service)

  25. Service Dependencies (diagram): LDAP is required for service delivery of Blackboard.

  26. Service Dependencies (diagram): LDAP is required for service delivery of Blackboard; Blackboard is required for some features of Lecture Recordings.

  27. Service Dependencies (diagram): LDAP is required for service delivery of Blackboard; Blackboard is required for some features of Lecture Recordings; the Student System sends updates to Blackboard (Blackboard sends no updates to the Student System).

  28. (Video: SV Adding Service)

  29. Service Risk - Calculating the service risk

  30. (image-only slide)

  31. Each data type is classified for confidentiality centrally.

  32. (image-only slide)

  33. (image-only slide)

  34. (image-only slide)

  35. How Well Is the Service Being Run? C: OK, I: OK, A: OK - the service is being run properly.

  36. (image-only slide)

  37. How Well Is the Service Being Run? C: OK, I: BAD, A: VERY BAD - the service is not being run properly.

  38. How Important Is The Service? Some services are more important to the organisation. Classify services into "Tier 1", "Tier 2" etc. based on their importance. (Example: Blackboard = Tier 1)

  39. Risk Appetite - Some services are more important to the organisation. Classify services into "Tier 1", "Tier 2" etc. based on their importance. Any service this service depends on is automatically classified in the same tier or higher. (Example: Blackboard = Tier 1, so LDAP = Tier 1 and Database = Tier 1)

  40. Calculating Residual Risk - Combine all this information to get residual risk: How well are we running this service + How important is this service = RESIDUAL RISK (LOW / MODERATE / HIGH / SIGNIFICANT)

  41. Confidentiality Important For All Services - We cannot expect hackers to only target our most important services; all services are equally vulnerable for confidentiality. How well are we running this service + What data does this service use = RESIDUAL RISK (LOW / MODERATE / HIGH / SIGNIFICANT)
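The scoring model sketched across slides 14, 31 and 35 to 41 (central data classification, Target versus Actual CIA rated OK / BAD / VERY BAD, tiers that propagate to every dependency, and residual risk combined separately for operational and confidentiality risk) can be worked through end to end. The following is an added example, not ServiceView's own code: the 1 to 9 scale and the two data classifications come from the deck, but the OK/BAD/VERY BAD cut-offs, the tier weights, the risk matrix, the extra data types and the sample service inventory are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Central confidentiality classification of data types (deck slides 14 and 31).
# The two values the deck gives are kept; the other two are constructed.
DATA_CLASSIFICATION = {
    "Course & subject information": 1,
    "Staff timesheets": 5,              # constructed
    "Student identity information": 7,
    "Credentials": 9,                   # constructed
}

# Assumed tables: the deck names the levels but not the cut-offs or the matrix.
RUN_LEVEL = {"OK": 0, "BAD": 1, "VERY BAD": 2}
RISK_MATRIX = {  # run rating -> residual risk indexed by importance / data weight (0..2)
    "OK":       ["LOW", "LOW", "LOW"],
    "BAD":      ["LOW", "MODERATE", "HIGH"],
    "VERY BAD": ["MODERATE", "HIGH", "SIGNIFICANT"],
}


@dataclass
class Service:
    name: str
    stored_data: List[str]               # data types held; sets the Confidentiality target
    target_ia: Tuple[int, int]           # Target Integrity and Availability, 1-9
    actual: Tuple[int, int, int]         # Actual C, I, A after controls, 1-9
    tier: Optional[int] = None           # declared tier, 1 = most important
    depends_on: List[str] = field(default_factory=list)


def target_cia(svc: Service) -> Tuple[int, int, int]:
    """Target C comes from the most sensitive data type the service stores; I and A are declared."""
    return (max(DATA_CLASSIFICATION[d] for d in svc.stored_data),) + svc.target_ia


def gap_rating(target: int, actual: int) -> str:
    """Rate one dimension by how far Actual falls short of Target (assumed cut-offs)."""
    shortfall = target - actual
    if shortfall <= 0:
        return "OK"
    return "BAD" if shortfall <= 2 else "VERY BAD"


def rate_cia(svc: Service) -> Dict[str, str]:
    """OK / BAD / VERY BAD per dimension: 'How well is the service being run?'"""
    return {d: gap_rating(t, a) for d, t, a in zip("CIA", target_cia(svc), svc.actual)}


def propagate_tiers(services: Dict[str, Service]) -> Dict[str, Optional[int]]:
    """Any service this service depends on is classified in the same tier or higher.
    Iterates to a fixed point so dependency chains are promoted all the way down."""
    tiers = {name: svc.tier for name, svc in services.items()}
    changed = True
    while changed:
        changed = False
        for svc in services.values():
            tier = tiers[svc.name]
            if tier is None:
                continue
            for dep in svc.depends_on:
                if dep not in tiers:
                    raise KeyError(f"{svc.name} depends on unknown service {dep!r}")
                if tiers[dep] is None or tiers[dep] > tier:   # lower number = higher tier
                    tiers[dep] = tier
                    changed = True
    return tiers


def tier_weight(tier: Optional[int]) -> int:
    """Tier 1 -> 2, Tier 2 -> 1, Tier 3 or unclassified -> 0 (assumption)."""
    return 0 if tier is None or tier >= 3 else 3 - tier


def data_weight(c_target: int) -> int:
    """Data sensitivity drives confidentiality risk regardless of tier (assumed bands)."""
    return 2 if c_target >= 7 else 1 if c_target >= 4 else 0


def audit(services: Dict[str, Service]) -> Dict[str, dict]:
    """Operational (I/A) risk = run quality + importance; confidentiality risk = run quality + data used."""
    tiers = propagate_tiers(services)
    report = {}
    for name, svc in services.items():
        ratings = rate_cia(svc)
        worst_ia = max((ratings[d] for d in "IA"), key=RUN_LEVEL.__getitem__)
        report[name] = {
            "tier": tiers[name],
            "ratings": ratings,
            "operational_risk": RISK_MATRIX[worst_ia][tier_weight(tiers[name])],
            "confidentiality_risk": RISK_MATRIX[ratings["C"]][data_weight(target_cia(svc)[0])],
        }
    return report


# Constructed inventory using the service names from the deck's dependency diagram.
SAMPLE = {s.name: s for s in [
    Service("Blackboard", ["Course & subject information"], (5, 9), (1, 5, 9), tier=1,
            depends_on=["LDAP", "Database", "Student System"]),
    Service("LDAP", ["Credentials", "Student identity information"], (9, 9), (9, 8, 6)),
    Service("Database", ["Student identity information"], (9, 9), (7, 9, 9), tier=3),
    Service("Student System", ["Student identity information"], (9, 4), (5, 9, 4), tier=2),
    Service("Lecture Recordings", ["Course & subject information"], (5, 9), (1, 5, 7), tier=2,
            depends_on=["Blackboard"]),
    Service("Staff Time-Sheeting", ["Staff timesheets"], (7, 4), (5, 7, 4), tier=3),
]}

if __name__ == "__main__":
    for name, row in audit(SAMPLE).items():
        print(f"{name:20} tier={row['tier']} {row['ratings']} "
              f"operational={row['operational_risk']} confidentiality={row['confidentiality_risk']}")
```

Two things the run makes visible that the slides only state: an unclassified LDAP is pulled up to Tier 1 purely because Blackboard depends on it, and its poor availability rating therefore lands at SIGNIFICANT; and the Student System's confidentiality risk is HIGH on the strength of the identity data it holds, independent of its tier.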

  42. Reporting - How do we extract the information in a meaningful way?

  43. Reporting - Data Centre Dependency & Recovery Report

  44. Reporting (image-only slide)

  45. Other uses of the information

  46. Reporting - Complete Risk Report

  47. Complete Risk Report - 40 seconds and 18,000 database queries later. (Report columns: Services, Service Dependencies, Stored Data, Target CIA, Actual CIA)

  48. (image-only slide)

  49. Reporting - How do we know it works?

  50. (image-only slide)

  51. Complete Risk Report - Another 40 seconds and 18,000 database queries later. (Report columns: Services, Service Dependencies, Stored Data, Target CIA, Actual CIA)

  52. (image-only slide)

  53. More Information - If you would like more information email me at: chris.parker@uq.edu.au. Thank you for your time.

  54. What Constitutes an IT Service • Applications or other IT services that perform a critical business function, without which your ability to conduct your business efficiently would be impacted, OR • Applications or other IT services which store sensitive data
