IT Audit '08 – What will this mean?
September 20, 2008 | By Damon Armour, IT Security Officer
Augusta State was selected for an Information Technology Audit by the University System of Georgia, a process that is routinely performed at multiple institutions throughout the system every four years. The audit process is done to ensure that university, state, and University System standards are being followed, rather than for any investigation of a specific issue.
The audit will focus on three primary areas within our business processes in IT. First will be a focus on network/perimeter security, which will confirm that our network is secure on the inside as well as from external threats. ASU has consistently taken steps to ensure the integrity and security of all our network resources.
The next two primary focuses will be on identity management and access control. Identity management looks at the life cycle of accounts across campus. Each of us has some form of an account on campus. The portal/email account is a prime example. Faculty and staff may also have accounts for Banner, PeopleSoft, etc. ITS and the departments have documentation that supports the life cycle of these accounts, from creation through change to termination/resignation. This assists in verifying that accounts are being properly managed, both in terms of which individuals have accounts and how long an account remains in existence.
Access control is a key component of how IT is used in business. Is the access to a particular account appropriate to job function or should more access be granted? Key stakeholders across campus review and approve user access in their systems to ensure that proper access is authorized without overextending an individual's access to information. An example would be an individual having access to social security numbers when that information is not necessary for the job being performed.
The audit is a great tool for ASU to verify areas in which it is compliant and exceeding compliance. It is also a tool to indicate areas that may need follow-up for improvement. So, how will this affect individuals at Augusta State?
Most individuals will not be directly affected by the audit; however, the auditor will be speaking with some individuals, in which case faculty and staff are urged to be factual and honest in their responses. This is just another check to ensure best practice. The auditor will be on campus from October 6 - 21. If you have questions or concerns on this process, contact firstname.lastname@example.org and I'll be glad to help. If any changes occur after the audit, they will be only to benefit the campus for the future.