Post on 01-Jan-2016
Dodi Smith, C.P.A., C.I.S.A.
Information Security Manager
Michigan Office of the Auditor General
Information Security & The Auditor
Program Outline
– Overview of Michigan
– Information Security, Why Should We Care
– Michigan’s Ongoing Information Security Efforts
– Information Security:
  • Before an Audit
  • As We Audit
  • Finishing An Audit
A little about Michigan…
State of Michigan
– 18 Executive Branch Departments
– 47,000+ state employees
– $48.7 billion budget
– 1.6 million recipients of food assistance
– 1.9 million residents in the Medicaid program
– 13,000 children in foster care
– 1.6 million pupils
– 5 million individual income taxpayers
– 43,000+ prisoners
– 530,000 customers in the retiree system
A little more about Michigan…
Michigan Office of Auditor General
– 136 employees
– $20 million budget
– Audits FY 2014 thru August
  • 20 financial/single audit
  • 33 performance
  • 6 follow-up reports
  • 17 contract audits
A little about me…
– My role includes…
  • Develop overall security strategy
  • Develop policy and procedure
  • Designated liaison with state departments for information exchange
  • Security Awareness
What is the big deal about information security?
According to PrivacyRights.org, to date in 2014, government agencies are responsible for 19 known data breaches.
Breaking down the numbers
72,358 is the number of KNOWN records that contained bank information, credit card information, and/or SSNs.
The 72,358 records came from only 6 of the breaches. For the other 13 breaches, they were not able to measure the number of records or individuals impacted.
Information is our Business
The ability to obtain and analyze data has improved our audit efficiency.
Data Analytics:
– Better Quantify Issues
– Gain a better understanding of risk
– Increase/strengthen audit coverage
– Facilitate discussion
But we need data to realize these improvements.
With the Information Access Comes GreatER Responsibility.
Understand & Accept Responsibilities:
• Trustworthy Custodians
• Consistent interpretation and application of policies & procedures
• Endorse good data management practices
• Appropriate Disclosure
Behind the Scenes
Office of Information Technology
• Firewalls
• Encryption
• Anti-virus
• Spam filters
• Monitoring Tools
• Security Awareness
Information Security: Before We Audit
• Research applicable laws governing the data
• Access forms and security agreements
• Only request the data you need
• Process if you are denied access to data
Information Security: As We Audit
• Follow policies and procedures
• Ensure safe handling, storage, access, and transfer
• Immediately report any security incidents
Information Security: Finishing An Audit
• Ensure only necessary information is retained
• Ensure appropriate destruction of data
• Ensure all system access is removed
• Provide any required destruction notifications
Ongoing Challenges
• Increased Threats
• Maintaining the balance between security and productivity
• Keeping Information Security Fresh