Dodi Smith C.P.A., C.I.S.A Information Security Manager Michigan Office of the Auditor General Information Security & The Auditor

Dodi Smith C.P.A., C.I.S.A

Information Security Manager

Michigan Office of the Auditor General

Information Security & The Auditor

Program Outline

– Overview of Michigan
– Information Security, Why Should We Care
– Michigan’s Ongoing Information Security Efforts
– Information Security:
  • Before an Audit
  • As We Audit
  • Finishing An Audit

A little about Michigan…

State of Michigan
– 18 Executive Branch Departments
– 47,000+ state employees
– $48.7 billion budget
– 1.6 million recipients of food assistance
– 1.9 million residents in the Medicaid program
– 13,000 children in foster care
– 1.6 million pupils
– 5 million individual income taxpayers
– 43,000+ prisoners
– 530,000 customers in the retiree system

A little more about Michigan…

Michigan Office of Auditor General
– 136 employees
– $20 million budget
– Audits FY 2014 thru August
  • 20 financial/single audit
  • 33 performance
  • 6 follow-up reports
  • 17 contract audits

A little about me…

– My role includes…
  • Develop overall security strategy
  • Develop policy and procedure
  • Designated liaison with state departments for information exchange
  • Security Awareness

What is the big deal about information security?

According to PrivacyRights.org, to date in 2014, government agencies are responsible for 19 known data breaches.

Breaking down the numbers

72,358 is the number of KNOWN records that contained bank information, credit card information, and/or SSNs.

The 72,358 records came from only 6 of the breaches. For the other 13 breaches, the number of records or individuals impacted could not be measured.

Information is our Business

The ability to obtain and analyze data has improved our audit efficiency.

Data Analytics:
– Better Quantify Issues
– Gain a better understanding of risk
– Increase/strengthen audit coverage
– Facilitate discussion

But we need data to realize these improvements.

With the Information Access Comes GreatER Responsibility.

Understand & Accept Responsibilities:

• Trustworthy Custodians
• Consistent interpretation and application of policies & procedures
• Endorse good data management practices
• Appropriate Disclosure

Behind the Scenes

Office of Information Technology
• Firewalls
• Encryption
• Anti-virus
• Spam filters
• Monitoring Tools
• Security Awareness

Information Security
Before We Audit

• Research applicable laws governing the data
• Access forms and security agreements
• Only request the data you need
• Process if you are denied access to data

Information Security
As We Audit

• Follow policies and procedures
• Ensure safe handling, storage, access, and transfer
• Immediately report any security incidents

Information Security
Finishing An Audit

• Ensure only necessary information is retained
• Ensure appropriate destruction of data
• Ensure all system access is removed
• Provide any required destruction notifications

Ongoing Challenges

• Increased Threats
• Maintaining the balance between security and productivity
• Keeping Information Security Fresh