INFORMATION TECHNOLOGY SECURITY AUDIT GUIDELINE


ITRM Guideline SEC512-01 07/01/2013 (Revision 1)
COMMONWEALTH OF VIRGINIA
Information Technology Resource Management

INFORMATION TECHNOLOGY SECURITY AUDIT GUIDELINE

Virginia Information Technologies Agency (VITA)

Information Technology Security Audit Guideline
ITRM Guideline SEC512-01 07/01/13 (Revision 1)

ITRM Publication Version Control

ITRM Publication Version Control: It is the user's responsibility to ensure that they have the latest version of this ITRM publication. Questions should be directed to the VITA Policy, Practice and Architecture (PPA) Division. PPA will issue a Change Notice Alert, post on the VITA Web site and provide an e-mail announcement to the Agency Information Technology Resources (AITRs) and Information Security Officers (ISOs) at all state agencies and institutions as well as other parties PPA considers interested in the change.

This chart contains a history of this ITRM publication's revisions:

Version    | Date              | Purpose of Revision
Original   | December 20, 2007 | Base Document
Revision 1 | 03/15/2013        | This update addresses the recent changes to IT security governance structure in the Commonwealth by aligning the Information Technology Security Audit Guideline with the Information Technology Security Audit Standard. The guideline also includes new audit plan and corrective action plan templates.

Identifying Changes in This Document

See the latest entry in the table above. Vertical lines in the left margin indicate that the paragraph has changes or additions. Specific changes in wording are noted using italics and underlines, with italics only indicating new/added language and italics that is underlined indicating language that has changed. The following examples demonstrate how the reader may identify updates and changes:

Example with no change to text – The text is the same. The text is the same. The text is the same.
Example with revised text – This text is the same. A wording change, update or clarification has been made in this text.
Example of new section – This section of text is new.

Review Process

Enterprise Solutions and Governance Directorate Review
Policy, Practices, and Architecture (PPA) Division provided the initial review of this publication.

Online Review
All Commonwealth agencies, stakeholders, and the public were encouraged to provide their comments through the Online Review and Comment Application (ORCA). All comments were carefully evaluated and individuals that provided comments were notified of the action taken.

PREFACE

Publication Designation
ITRM Guideline

Subject
Information Technology Security Audit Guideline

Effective Date
03/15/2013

Supersedes
COV ITRM Guideline SEC512-00 dated December 20, 2007

Scheduled VITA Review
One (1) year from effective date

Authority
Code of Virginia, §§ 2.2-2005 – 2.2-2032 (Creation of the Virginia Information Technologies Agency; "VITA;" Appointment of Chief Information Officer (CIO))

Scope
This Guideline is offered as guidance to all executive branch agencies, independent agencies and institutions of higher education (collectively referred to as "Agency") that manage, develop, purchase, and use information technology databases or data communications in the Commonwealth. However, academic "instruction or research" systems are exempt from this Guideline. This exemption does not, however, relieve these academic "instruction or research" systems from meeting the requirements of any other State or Federal Law or Act to which they are subject. This Guideline is offered only as guidance to local …

… ation of the … in the information technology security audit requirements defined by ITRM Standard SEC502.

General Responsibilities
(Italics indicate quote from the Code of Virginia)

Secretary of Technology
Reviews and approves statewide technical and data policies, standards and guidelines for information technology and related systems recommended by the CIO.

Chief Information Officer of the Commonwealth (CIO)
Develops and recommends to the Secretary of Technology statewide technical and data policies, standards and guidelines for information technology and related systems.

Chief Information Security Officer (CISO)
The Chief Information Officer (CIO) has designated the Chief Information Security Officer (CISO) to develop Information Security policies, procedures, and standards to protect the confidentiality, integrity, and availability of the Commonwealth of Virginia's information technology systems and data.

Virginia Information Technologies Agency (VITA)
At the direction of the CIO, VITA leads efforts that draft, review and update technical and data policies, standards, and guidelines for information technology and related systems. VITA uses requirements in IT technical and data related policies and standards when establishing contracts, reviewing procurement requests, agency IT projects, budget requests and strategic plans, and when developing and managing IT related services.

Related ITRM Policy and Standards
ITRM Policy SEC500-02: Information Technology Security Policy (Revised 07/17/2008) (Superseded by … Technology Security Standard (Revised 04/04/2011))
ITRM Standard SEC502-02: Information Technology Security Audit Standard (Revised 12/05/2011)

Information Technology Advisory Council (ITAC)
Advises the CIO and Secretary of Technology on the development, adoption and update of statewide technical and data policies, standards and guidelines for information technology and related systems.

Executive Branch Agencies
Provide input and review during the development, adoption and update of statewide technical and data policies, standards and guidelines for information technology and related systems. Comply with the requirements established by COV policies and standards. Apply for exceptions to requirements when necessary.

In accordance with the Code of Virginia § 2.2-2010, the CIO has assigned the Technology Strategies and Solutions Directorate the following duties: "Develop and adopt policies, standards, and guidelines for managing information technology by state agencies and institutions."

All Executive Branch, Legislative, Judicial Branches and Independent State Agencies and institutions of Higher Education
In accordance with § 2.2-2009 of the Code of Virginia, to provide for the security of state government electronic information from unauthorized uses, intrusions or other security threats, the CIO shall direct the development of policies, procedures and standards for assessing security risks, determining the appropriate security measures and performing security audits of government electronic information. Such policies, procedures, and standards will apply to the Commonwealth's executive, legislative, and judicial branches, and independent agencies and institutions of higher education. The CIO shall work with representatives of the Chief Justice of the Supreme Court and Joint Rules Committee of the General Assembly to identify their needs.

TABLE OF CONTENTS

PREFACE ... iii
Publication Designation ... iii
1 INTRODUCTION ... 7
1.1 Information Technology Security ... 7
1.2 IT Security Audits ... 7
1.3 Roles and Responsibilities ... 7
2 PLANNING ... 7
2.1 Coordination ... 7
2.2 IT Security Audit Plan ... 8
3 PERFORMANCE ... 8
3.1 Scope ... 9
3.1.1 Objectives ... 9
3.2 Schedule ... 9
3.3 Preparation for IT Security Audits ... 10
3.4 Qualifications of IT Security Auditors ... 10
3.5 Documentation ... 10
3.6 Audit Process ... 10
4 DOCUMENTATION ... 11
4.1 Work Papers ... 11
4.2 Reports ... 11
4.3 Corrective Action Plan ... 11
4.4 CAP Periodic Reporting ... 11

APPENDICES ... 14
APPENDIX B – EXAMPLE / IT SECURITY AUDIT ENGAGEMENT LETTER TEMPLATE ... 17
APPENDIX C – EXAMPLE / IT SECURITY AUDIT CHECKLIST OF ACCESS REQUIREMENTS TEMPLATE ... 21
Appendix E - Corrective Action Plan and IT Security Audit Quarterly Summary Template excel.xlsx ... 24
Appendix F - Corrective Action Plan and IT Security Audit Quarterly Summary Template Word.docx ... 25

1 Introduction

1.1 Information Technology Security

This Guideline presents a methodology for Information Technology (IT) security audits suitable for supporting the requirements of the Commonwealth of Virginia (COV) Information Security Policy (ITRM Policy SEC519), the Information Security Standard (ITRM Standard SEC501), and the Information Technology Security Audit Standard (ITRM Standard SEC502). These documents are hereinafter referred to as the "Policy", "Standard", and "Audit Standard", respectively.

The function of the Policy is to define the overall COV IT security program, while the Standard defines high-level COV IT security requirements, and the IT Security Audit Standard defines requirements for the performance and scope of IT security audits. This Guideline describes methodologies for agencies to use when meeting the IT security audit requirements of the IT Security Policy, Standard, and Audit Standard. Agencies are not required to use these methodologies, however, and may use methodologies from other sources or develop their own methodologies, if these methodologies meet the requirements of the Policy, Standard, and Audit Standard.

1.2 IT Security Audits

Information security audits are a vital tool for governance and control of agency IT assets. IT security audits assist agencies in evaluating the adequacy and effectiveness of controls and procedures designed to protect COV information and IT systems. This Guideline suggests actions to make the efforts of auditors and agencies more productive, efficient, and effective.

1.3 Roles and Responsibilities

Agencies should assign an individual to be responsible for managing the IT Security Audit program for the agency. While the individual assigned this responsibility will vary from agency to agency, it is recommended that this responsibility be assigned either to the agency Internal Audit Director, where one is available, or to the Information Security Officer (ISO).

2 Planning

2.1 Coordination

As stated in the Audit Standard, at a minimum, IT systems that contain sensitive data, or reside in a system with a sensitivity of high on any of the criteria of confidentiality, integrity, or availability, shall be assessed at least once every three years. All IT security audits must follow either the generally accepted government auditing standards GAGAS Yellow Book (Generally Accepted Government Auditing Standards) or the international standards for the professional practice of internal auditing IIA Red Book (Institute of Internal Auditors' Standards).

For maximum efficiency, the agency's IT Security Audit Program should be designed to place reliance on any existing audits being conducted, such as those by the agency's internal audit organization, Auditor of Public Accounts, or third party audits of any service provider. When contracting for sensitive systems to be hosted at or managed by a private sector third party service provider, a contractual term requiring compliance with the ITRM IT Security Policy and Standards should be included as well as a requirement that a third pa
