The Imperative of Risk Based Audit Planning: IT Audit in the Health Service (ISACA presentation transcript)
Health and Social Care ICT Landscape in Ireland
HSE has 70,000 staff
35,000 Desktops, Laptops and Tablets
000s of mobile phones and smartphones
50,000+ users of ICT Systems
Circa 70 Server Sites
300,000 Support Calls Annually
At the time – 9 Separate Networks
1,700 Separate Applications!!!!!!
IT Audit in the Health Service
2008
Well Established Finance and Operational Audit units in place with strong methodologies
Prior to 2008 there was no ICT Audit unit in the Health Service
Highly regulated environment – HIQA, PHECC, C&AG, DPER/CMOD/OGCIO
Challenge
Establish ICT Audit unit
Decide on a standard to audit against - COBIT
Develop an audit plan
Get approval from the Audit Committee
Get on with it
Just yourself and 200 man days of external help!
Developing the Audit Plan
Temptation to start with financial and HR systems
Why? Because they are BIG and carry obvious financial risk
STOP! But is that the biggest risk to the organisation?
What is the Risk Landscape / Universe?
Confidentiality: Probably the most sensitive data held by any organisation
Integrity: Lives are at risk & large amounts of public money at risk
Availability: Lives can depend on high availability systems
Developing the Audit Plan
Decision was made to adopt the National Institute of Standards and Technology methodology
1. System Characterization – Boundaries, Functions, Criticality and Sensitivity
2. Threat Identification – Hacking, Physical Environment, Crashes, Nature, Virus etc.
3. Vulnerability Identification – Untested BCP or DR, Access Weaknesses, External reliance etc.
4. Control Analysis – Was not in scope although a summary analysis informed a rating against the Control Maturity Model
Developing the Audit Plan
5. Likelihood Determination – Threat source motivation & capability, nature of the vulnerability
6. Impact Analysis – Factors = Purpose, Criticality, Sensitivity
7. Risk Determination – Adapted NIST approach to include HSE wide risk determination process ISO31000:2009
Developing the Audit Plan – Determining the Control Maturity
Stage 0 – Non-existent: At this level, there is a complete lack of any recognizable control process or the existence of any related procedures. The organization has not even acknowledged that there is an issue to be addressed; therefore, no communication about the issue is generated.
Stage 1 – Initial: There is some evidence that the organization recognizes that controls and related procedures are important and need to be addressed. However, controls and related policies and procedures are not in place and documented. An event and disclosure process does not exist. Employees are not aware of their responsibility for control activities. The operating effectiveness of control activities is not evaluated on a regular basis. Control deficiencies are not identified.
Stage 2 – Repeatable but Intuitive: Controls and related policies and procedures are in place but not always fully documented. An event and disclosure process is in place but not documented. Employees may not be aware of their responsibility for control activities. The operating effectiveness of control activities is not adequately evaluated on a regular basis and the process is not documented. Control deficiencies may be identified but are not remedied in a timely manner.
Stage 3 – Defined Process: Controls and related policies and procedures are in place and adequately documented. An event and disclosure process is in place and adequately documented. Employees are aware of their responsibility for control activities. The operating effectiveness of control activities is evaluated on a periodic basis (e.g., quarterly); however, the process is not fully documented. Control deficiencies are identified and remedied in a timely manner.
Stage 4 – Managed and Measurable: Controls and related policies and procedures are in place and adequately documented, and employees are aware of their responsibility for control activities. An event and disclosure process is in place and is adequately documented and monitored, but it is not always re-evaluated to reflect major process or organizational changes. The operating effectiveness of control activities is evaluated on a periodic basis (e.g., weekly), and the process is adequately documented. There is limited, primarily tactical, use of technology to document processes, control objectives and activities.
Stage 5 – Optimised: Stage 5 meets all of the characteristics of stage 4. An enterprise wide control and risk management program exists such that controls and procedures are well documented and continuously reevaluated to reflect major process or organizational changes. A self-assessment process is used to evaluate the design and effectiveness of controls. Technology is leveraged to its fullest extent to document processes, control objectives and activities; identify gaps; and evaluate the effectiveness of controls.
Developing the Audit Plan - Identify the Focus Areas
A review of the ICT Audit Universe identified 11 areas of focus in the risk assessment
1) Governance
2) Strategy & Planning
3) Organisation & Resources
4) Programme & Project Management
5) Procurement
6) 3rd Party Management
7) Data Protection / Information Governance
8) Security
9) BCP / DR
10) Network Management
11) Applications
Developing the Audit Plan – Categorise / Summarise / Prioritise / Test
List all risks against each focus area
Rate the risks according to the risk methodology
Prioritise ALL risks in all categories by degree of Likelihood x Impact
Summarise the overall risk status for each focus area
Review this list with:
Financial/Operational/Clinical Auditors – validation based on their observations
Senior ICT Management – Beware you will be their auditor – Bum Steers!
Audit Committee Chair – Make sure you test the water before diving in!
Developing the Audit Plan – Implementation
Now the task of balancing risk against the audit resource available
QUESTION – Start at the top of the entire list of high rated risks or start at the top of the overall “focus area” risks?
For HSE this trade-off was on the basis of available audit resource
DECISION – Start with the highest priority focus areas in a Pareto analysis form, where 80% of audits came from the highest prioritised focus areas and 20% from High rated individual risk systems / infrastructures / projects contained in lower rated overall focus areas
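As an added illustration (not part of the presentation or of the HSE's own tooling), the rating, summarising and 80/20 allocation steps described above in Python; the risk register, the 1–5 likelihood and impact scales and the "High" threshold of 16 are constructed assumptions.

```python
# Added example, not from the presentation: a minimal risk-based audit planner.
# Each risk is rated likelihood x impact, focus areas are summarised by their mean
# score, and the audit days are split in the Pareto form the HSE chose: 80% to the
# highest rated focus areas, 20% to High rated individual risks found elsewhere.
from collections import defaultdict

# Constructed sample register: (focus area, risk, likelihood 1-5, impact 1-5)
SAMPLE_RISKS = [
    ("Security", "Shared clinical accounts", 5, 5),
    ("Security", "Unpatched web servers", 4, 4),
    ("BCP / DR", "Untested DR for patient admin", 4, 5),
    ("Applications", "Legacy lab system, single supplier", 4, 4),
    ("Procurement", "Contracts without security clauses", 2, 3),
    ("Strategy & Planning", "No ICT strategy signed off", 2, 2),
    ("Network Management", "Nine separate networks, no segmentation standard", 3, 4),
    ("Governance", "No CIO / unclear ownership", 3, 3),
]
HIGH = 16  # assumed: a score at or above this counts as a "High" rated risk


def rate(risks):
    """Steps 5-7: score each risk as likelihood x impact, highest first."""
    return sorted(((a, n, l * i) for a, n, l, i in risks), key=lambda r: -r[2])


def summarise(rated):
    """Overall risk status per focus area: mean score of the risks listed against it."""
    scores = defaultdict(list)
    for area, _, score in rated:
        scores[area].append(score)
    return sorted(((a, sum(s) / len(s)) for a, s in scores.items()), key=lambda x: -x[1])


def plan(risks, audit_days, top_areas=2, high=HIGH):
    """Split audit days 80/20: top focus areas first, then High risks in the other areas."""
    rated = rate(risks)
    areas = [a for a, _ in summarise(rated)[:top_areas]]
    area_days = round(audit_days * 0.8)
    focus_part = {a: area_days // len(areas) for a in areas}
    # the 20% slice goes to High rated individual risks outside the chosen areas
    leftovers = [(a, n, s) for a, n, s in rated if a not in areas and s >= high]
    return focus_part, leftovers, audit_days - area_days


if __name__ == "__main__":
    focus, extra, spare = plan(SAMPLE_RISKS, audit_days=200)
    print(focus, extra, spare)
```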
What has been the experience?
Like all change it was difficult at the start
What is COBIT and why am I being audited against that standard when I haven't adopted that standard to my service?
Why are you auditing my hospital / office / system?
Risk – This system has been running for years without a problem – What risk??
It’s easy for you auditors, you don’t have to deal with the demands of the business every day!
Started to use ICT Audit in an Intervention Model manner
Policy/procedure development, early stage project review etc.
What has been the experience?
Needed to adjust to meet organisational needs of the HSE as it changed and developed
IT Audit has directly contributed to the development of more robust ICT Security and Information Governance policies and procedures
Compliance is increasing and repeated findings are decreasing
Major Programmes are being implemented successfully e.g. NIMIS
The Governance of ICT in the HSE is now clearly understood and the organisation now has a CIO at the top table with a major project underway to develop an operating model for ICT
The HSE is close to finalising an ICT Strategy focused on delivering the Government’s eHealth Strategy
Where to from here?
Implementing the National eHealth Strategy will see exponential growth in the use of ICT in Health
While the overall number of systems will reduce through rationalisation and consolidation of systems, the application of ICT will increase
Electronic Health Records
Personal Health Records
Telehealth
Self Management Apps
Health & Wellbeing Apps
Connected Health Devices
Where to from here? How will ICT Audit respond?
The Audit Landscape / Universe will be huge
More clinical systems raises the risk impact factor
Patient to Clinician interaction will increase the number of interfaces raising the likelihood factor
Health Service investing in ICT Audit – Trebling the internal staff
Legacy systems with associated weaknesses will slowly disappear
ICT Audit will need to assist in “building in” compliance into the architecture