Washington State Auditor’s Office
Washington’s Statewide IT Risk Assessment
National State Auditors Association IT Conference
September 24, 2015
Troy Niemeyer, Deputy Director of State Audit
About today’s presentation
About the Washington State Auditor’s Office
What is a statewide IT risk assessment, and why did we conduct one?
What were we looking for?
How to start?
Who to include?
Results!
Survey results from other states
Next steps
Risk assessment tool
About our Office
Established in state constitution
Based in the state capitol of Olympia, Washington
State Auditor is elected every four years
Jan Jutte, CPA, CGFM – Acting State Auditor
First “acting” elected official in Washington state history
First CPA to hold the State Auditor role
First female State Auditor
About our Office
We audit:
190 state agencies: Comprehensive Annual Financial Report (CAFR), Statewide Single Audit (SWSA), accountability (compliance), performance, fraud and state whistleblower program
1,950+ local governments: financial, single, accountability and fraud
About our Office
390 audit and support staff
Three state agency audit teams, including the Statewide Technology Audit Team (STAT)
13 local audit teams throughout the state, including the Local Information Systems Audit team (Team LISA)
One Performance Audit team
IT Risk Assessment: What it is
Roadmap
Tool
Guide
A three-year audit plan for our IT audit team
Can be updated
Can be repeated
IT Risk Assessment: What it’s not
Not an audit
No public report
No findings or opinions
No conclusions
No recommendations to agencies
Why conduct a risk assessment?
Desire to do additional IT audit work
Priority of state auditor
Recent IT performance audits: Safe Data Disposal: Protecting confidential information; Opportunities to Improve State IT Security
Improving state budget
Earlier approach fragmented and lacked strategic direction
How should we go about it?
Internally? How long would it take? How much would it cost?
Hire a contractor? We wanted an outside, independent perspective
“We don’t know what we don’t know”
Provides instant credibility
Contract deliverables
Inventory of state IT systems
What are the biggest risks facing our state?
What is our role in auditing those risks?
How should the Office be organized to do additional IT audit work?
Which agencies should we include?
Consider materiality to CAFR & SWSA
Eliminate one-timers
Eliminate universities and community/technical colleges
Include State Board of Community & Technical Colleges
Brainstorm to judgmentally add or eliminate others
No more than 25 agencies
Ended up with 27 state agencies, including the three IT oversight agencies
The 27 agencies we included in the assessment
Chief Information Officer
Consolidated Technology Services
Enterprise Services
Financial Management
Social and Health Services
Health
Veterans Affairs
Revenue
Transportation
Commerce
Corrections
State Investment Board
Employment Security
Military Department (National Guard)
Labor and Industries
Natural Resources
Early Learning
Ecology
Fish and Wildlife
State Board of Community & Technical Colleges
Administrative Office of the Courts
Superintendent of Public Instruction
Licensing
Retirement Systems
State Patrol
State Treasurer
Health Care Authority
Preliminary steps: Outreach
Letter to all agencies (included or not)
Key IT leaders at OCIO, CTS, DES
Agency directors and deputies
Audit liaisons
Governor's Office
Entrance/kickoff: 61 people attended
Exit conference next month
Easing the pain
Try to make the process painless
Gather information centrally
Use information that already exists
Limit the amount of agency staff time needed
Documents reviewed
Policies, reports, project dashboard on the OCIO website
Disaster Recovery/Business Continuity Plan
IT portfolio information
IT audit results (three years)
Agency IT risk assessment results
Vulnerability assessment results
Penetration testing results
Statewide and agency risk categories
Planning and Managing IT Portfolios
Approval and oversight of IT Investments
IT Risk Assessment
Managing IT projects
Ensuring security of IT assets
Disaster recovery/business continuity
Enterprise architecture
Enterprise-wide services
Emerging technologies
Contracting and procurement
Vendor management
System life cycle requirements
Maintenance and operations
Statewide and agency survey questions
Annual IT budget?
Number of IT staff?
Formal IT risk assessment process?
Mobile devices used?
Formal project management?
DRP/BCP in place?
IT projects in process?
Security management program updated?
Security incidents in the last 12 months?
Number of users? (internal & external)
Percent of IT staff to total staff?
Do you have a CISO?
IT security compliance audit?
DRP/BCP adequately funded?
DRP/BCP tested?
Inventory of systems up to date?
Application risk categories
Security Management
Access Control
Contingency Planning
Configuration Management
Segregation of Duties
Business Process
Interface Controls
Data Management Controls
Application-specific questions
Last security assessment?
Categories of data in system?
Critical or core?
Last review of access controls?
Last penetration test?
Last vulnerability assessment?
Number of transactions monthly?
Security event logs monitored?
Where physically hosted?
Does this support other applications?
Processing controls in place?
Adequate funding?
Change control process?
Version support?
Resource reliability?
To be decommissioned?
Online service?
How should our Office be organized for IT audits?
Three teams performed IT audit work: Statewide Technology Audit Team (STAT), Local Information System Audit (Team LISA), Performance Audit
Three managers reported to three deputy directors
Teams operated in silos, resulting in:
Poor communication
Strained relationships
Different priorities
Fragmented approach
States we interviewed
Reviewed NSAA – “Auditing in the States”
Interviewed 17 states – Thank you for your help!
Questions we asked other SAOs
Sample questions:
Is your state auditor elected or appointed?
How is your office organized for IT audit?
What type of IT audits do you do?
How many total staff? How many IT audit staff?
Separate budget? Or part of the CAFR team’s budget?
Certifications required for IT auditors?
Do you offer incentives for certifications?
Are IT auditors paid more?
Responses from other states
Question 5: Staffing levels – IT audit staff size (out of 16 IT audit functions)
No IT audit functions had an IT audit staff size of 15-19
Responses from other states
Question 7: Training & certificate requirements
Responses from other states
Question 9: Budgets for IT & non-IT audit work
Responses from other states
Question 10: Types of IT audit teams
Washington statewide risk ratings
Rating  Risk category
Low     Planning and Managing IT Portfolios
High    Approval and oversight of IT Investments
Med     IT Risk Assessment
Med     Managing IT projects
Med     Ensuring security of IT assets
Med     Disaster recovery/business continuity
Med     Enterprise architecture
Med     Enterprise-wide services
Low     Emerging technologies
Med     Contracting and procurement
Low     Vendor management
Med     System life cycle requirements
Low     Maintenance and operations
Dashboards provide at-a-glance summaries
Suggested audit plan – year one

Project: Managing IT projects/IT investments (OCIO)
Preliminary objective(s): Determine if the right processes and controls are in place to ensure that projects are delivered on time, on budget, and with the right resources. Determine whether controls are in place to measure achieved benefits against intended benefits after project completion.
Budget hours: 750

Project: Enterprise-wide services/Enterprise architecture
Preliminary objective(s): Perform security and/or performance review of CTS-provided statewide services including but not limited to firewall services, Active Directory services, data center services and wide area networks. The scope could include whether CTS services, which agencies are mandated to use, are adequately meeting the service level requirements required by the user agencies’ mission and functions.
Budget hours: 800

Project: System interfaces
Preliminary objective(s): Security review of the integrity and operation of interfaces for a selected number of applications at a sample of agencies.
Budget hours: 750

Project: Department of Fish and Wildlife
Preliminary objective(s): Application and general controls review of the Cody System, Lift 2000, or WILD applications with a focus on security management, access control, configuration management, and segregation of duties.
Budget hours: 750
Next steps
Contractor’s deliverables to our Office: Report, Tool, User guide
Deliverables to agencies: PDF version of individual results; Working version for individual agencies
Tour of the Risk Assessment Tool!
QUESTIONS?
Troy Niemeyer, Deputy Director of State Audit
Washington State Auditor’s Office
[email protected]
(360) 725-5363
Statewide IT Risk Assessment