TECHNOLOGY AUDIT PLAN —-BCSY UNIVERSITY TEAM MEMBER: MARSHA

TECHNOLOGY AUDIT PLAN ----BCSY UNIVERSITY TEAM MEMBER: MARSHA BILLUPS QIYU CHEN PING SUN RUBY (QIANRU) YANG

AGENDA 1.BACKGROUND 2.AUDIT SCOPE 3.FINDINGS 4.CONCLUSION

BACKGROUND BCSY University is a private university located in Downtown Boston. There is a Intensive English Language Program (IELP) department in BCSY university attracts students from all over the world to the historic city of Boston, a cultural and culinary center. The objective of this audit is to review Temple University Intensive English Language program’s Enterprise Database security controls. The Database mainly store student PII information. This audit shall focus primarily on Vulnerability Management, Change Management, Access Control and Data Loss Prevention. We shall explore current control processes, find 3

AUDIT SCOPE Database integrity and consistency System development life cycle process Physical and logical access to database servers Data Protection Data Accuracy Analysis Data Backup and recovery processes 4

FINDING 1:UNAUTHORIZED PHYSICAL ACCESS Fact – Lack of adequate security measures that prevents and limits entry points physical access to the servers. Standards – NIST SP 800-116 presents that how and why organizations should deploy PACS (Physical Access Control Systems). Root Cause of the issue - Lack of pay attention to data security control beside technology field. Impact - High Recommendations - 1. Using physical individual ID cards to 5

FINDING 2: WEAK CHANGE MANAGEMENT IMPLEMENTATION FACTS: 1. IT Change Review Board approved all changs, however, for 26 of 30 samples selected, the business approval was a blanket approval for as many changes required for the overall project, as opposed to individual changes 2. For 25 of 30 samples selected, the change request was not formally documented with the BCSY’s IT Tracking (ITRAC) system prior to System Owner approval 3. For 29 of 30 samples selected, evidence of business User Acceptance Testing (UAT) was not formally documented 4. Although Emergency Change procedures are formally 6

FINDING 2: WEAK CHANGE MANAGEMENT IMPLEMENTATION STANDARDS: 1. 2. 3. 4. BCSY IT Change Management Procedures BCSY IT Internal Control Handbook IELP System Change Management Work Instructions (CMWI) Change Management SOX Controls ROOT CAUSE: 5. IELP System Change Management Work Instructions did not address all areas identified in the BCSY IT Change Management Procedures 6. IELP CMWI not followed 7

FINDING 2: WEAK CHANGE MANAGEMENT IMPLEMENTATION IMPACT: Strong change control procedures such as proper approvals, formally documenting UAT, and time frames for obtaining formal approval for emergency changes, helps to ensure only authorized and proper changes that are in line with university needs are transferred into production and allow for traceability of changes. RECOMMENDATIONS: 1) Update the IELP System Change Management Work Instructions to clearly document the requirement the Business approval for each individual change, & immediately communicate and ensure adherence to this procedure. 2) Ensure that all Change request are formally documented within within ITRAC prior to obtaining System Owner approval. 3) Formally document & retain evidence of UAT for all System Owner related changes, & update the CMWI to retain evidence of testing within ITRAC or provide traceability to evidence. 8

FINDING 3: REMOVABLE DEVICES USING Fact – Students’ PII were copied from the database via portable USB devices which were not Encrypt. Standards -NIST Special Publication 800-124 Revision 1 Root Cause of the issue - Student workers were not fully educated about policy. Impact - High Recommendations- Training for every student workers. Limitation of access to sensitive data 9

FINDING 4: BAD BACKUP POLICY Fact – The data stored in the database from half year ago did not have a backup Standards – According to NIST 800-34, system data should be backed up regularly. Policies should specify the minimum frequency and scope of backups (e.g., daily or weekly, incremental or full) based on data criticality and the frequency that new information is introduced. ) Root Cause of the issue: the administrator of database backup data randomly Impact to the business:high, losing data bring huge damage to student and bring bad reputation to the university. 10

CONCLUSION Overall overall rating for effectiveness of the processes and controls: Unsatisfactory Four high risk rating finding: 1.Unauthorized Physical Access 2.Weak Change Management Implementation 3.Removable Devices Using 4.Bad backup policy 11