Dodi Smith C.P.A., C.I.S.A Information Security Manager Michigan Office of the Auditor General...

Post on 01-Jan-2016



Dodi Smith C.P.A., C.I.S.A, Information Security Manager

Michigan Office of the Auditor General

Information Security & The Auditor

Program Outline

– Overview of Michigan
– Information Security, Why Should We Care
– Michigan's Ongoing Information Security Efforts
– Information Security:
  • Before an Audit
  • As We Audit
  • Finishing an Audit

A little about Michigan…

State of Michigan
– 18 Executive Branch departments
– 47,000+ state employees
– $48.7 billion budget
– 1.6 million recipients of food assistance
– 1.9 million residents in the Medicaid program
– 13,000 children in foster care
– 1.6 million pupils
– 5 million individual income taxpayers
– 43,000+ prisoners
– 530,000 customers in the retiree system

A little more about Michigan…

Michigan Office of the Auditor General
– 136 employees
– $20 million budget
– Audits FY 2014 through August:
  • 20 financial/single audits
  • 33 performance audits
  • 6 follow-up reports
  • 17 contract audits

A little about me…

– My role includes:
  • Develop overall security strategy
  • Develop policy and procedure
  • Designated liaison with state departments for information exchange
  • Security awareness

What is the big deal about information security?

According to PrivacyRights.org, to date in 2014, government agencies are responsible for 19 known data breaches.

Breaking down the numbers

72,358 is the number of KNOWN records that contained bank information, credit card information, and/or Social Security numbers (SSNs).

Those 72,358 records came from only 6 of the 19 breaches. For the other 13 breaches, the number of records or individuals impacted could not be measured.

Information is our Business

The ability to obtain and analyze data has improved our audit efficiency.

Data Analytics:
– Better quantify issues
– Gain a better understanding of risk
– Increase/strengthen audit coverage
– Facilitate discussion

But we need data to realize these improvements.

With the Information Access Comes GreatER Responsibility.

Understand & Accept Responsibilities:

• Trustworthy custodians
• Consistent interpretation and application of policies & procedures
• Endorse good data management practices
• Appropriate disclosure

Behind the Scenes

Office of Information Technology
• Firewalls
• Encryption
• Anti-virus
• Spam filters
• Monitoring tools
• Security awareness

Information Security: Before We Audit

• Research applicable laws governing the data
• Access forms and security agreements
• Only request the data you need
• Process to follow if you are denied access to data

Information Security: As We Audit

• Follow policies and procedures
• Ensure safe handling, storage, access, and transfer
• Immediately report any security incidents

Information Security: Finishing an Audit

• Ensure only necessary information is retained
• Ensure appropriate destruction of data
• Ensure all system access is removed
• Provide any required destruction notifications

Ongoing Challenges

• Increased threats
• Maintaining the balance between security and productivity
• Keeping information security fresh