...
Objective: Minimize the impact of audit activities on operational systems.
Auditing of operational systems needs to be managed and communicated so as not to affect the system in an adverse manner. The up-time and availability of operational systems are critical to support business requirements. Any and all audit activity to assess an operational system should always be managed to minimize any impact on the system during required hours of operation. Any testing of operational systems that could pose an adverse effect to the system should be conducted during off hours.
...
It is important to ensure that all IT controls and information security audits are planned events, rather than reactive 'on-the-spot' challenges. Most universities undergo a series of audits each year ranging from financial IT controls reviews to targeted assessments of critical systems. Audits that include testing activities can prove disruptive to campus users if any unforeseen outages occur as a result of testing or assessments.
Through working with campus leadership, it should be possible to determine when audits will occur and obtain relevant information in advance about the specific IT controls that will be examined or tested.
Develop an 'audit plan' for each audit that provides information relevant to each system and area to be assessed. These audit plans should take into consideration:
Asset Inventory with contact information for system administrators/owners;
Requirements for testing/maintenance windows;
Information about backups (if applicable) in case systems later need to be restored due to unplanned outages;
Checklists or other materials provided in advance by auditors, etc.
If applicable, work with IT and campus departments to provide audit preparation services to ensure that everyone understands their roles in the audit and how to respond to auditors' questions, issues and concerns. Protecting sensitive information during audits is critical, and documents provided to auditors should be recovered, if possible, shortly before audits are completed.
...