Distributed Information Systems Management Auditing
February 19, 2021
Distributed Information Systems Management (DISM) refers to information technology (IT) resources that are managed outside of an organization’s central IT department. A DISM environment can be as small as a few unmanaged laptops or as large as a full-scale IT shop with applications, a data center, networks, and endpoints.
In higher education, central IT most often supports enterprise-wide IT services, such as human resource systems, financial systems, student information systems, collaboration services (e.g., email, calendar), networking (wireless/wired), and learning management systems. Although central IT typically runs these services across the enterprise, some institutions may be completely decentralized, requiring units within the organization to run their own services, or may use a hybrid of centralized and decentralized models that allows units to choose to run their own services, such as email. Occasionally, a unit has specialized software and hardware needs and must run its own DISM because central IT does not offer the specialized services.
It is important to understand both the advantages and disadvantages of units having their own DISM. Some of the advantages a unit gains from having its own DISM include:
- Control over the IT environment by personalizing services to faculty and students
- Agility and speed when implementing new technologies (generally, smaller implementations take less time than larger enterprise solutions)
- Ability to be tailored to meet specialized needs, such as libraries, research, engineering, and sciences
While advantages exist in a DISM environment, it is important to understand the hidden costs. From an auditor’s perspective, DISM environments can be a risk nightmare. Often, we find that IT controls are not in place, which can lead to a plethora of IT-related issues. To reduce IT risk with these DISMs, conducting audits is crucial to ensuring that policies, procedures, and best practices are followed.
Relevant IT controls can be found in a variety of IT security frameworks, such as the ISO 27000 Series or NIST SP 800-53. IT security frameworks provide the auditor with a list of controls to test within focused control areas (e.g., access controls, cryptographic technology, business continuity).
The following include commonly identified weaknesses in the DISM environment:
- Insufficient security vulnerability management: Lack of maintenance for servers and endpoints can lead to a hacker exploiting the software to gain access and steal data. Vulnerability scanning and analysis can help identify potential security holes.
- Lack of IT training for DISM administrators: Those expected to support the DISM environment are not properly trained and may not configure, or secure, the environment properly.
- Improper and/or untimely provisioning and deprovisioning: Not limiting access based on the need to know, or not removing access in a timely manner when a user’s role changes, can lead to unauthorized access and the theft of intellectual property.
- Lack of security software: Many distributed units lack simple security software, such as anti-virus protections, especially on Linux machines. Identifying this weakness and correcting this simple control could help prevent malicious software from being installed or run on a machine.
- Inappropriate administrative user access management: Allowing users to have root or administrative access on the endpoint assigned to them will allow the user to install unauthorized software, which could be malware. In addition, the user has the ability to change configurations, which could leave the machine open to a security breach.
- User confusion: The central IT helpdesk has no knowledge of the DISM environment and the DISM helpdesk has limited knowledge of central IT systems. The lack of shared knowledge leaves users confused by not knowing who to contact for support. Without support, these users may take matters into their own hands, only exacerbating the problem.
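The provisioning/deprovisioning and administrative-access weaknesses above are the kind an auditor tests by reconciling the unit's account export against the HR feed and an approved administrator list. The following is an added Python example, not from the article or the author, using constructed sample evidence and a hypothetical seven-day deprovisioning grace period; it returns the exceptions an auditor would follow up on.

```python
from datetime import date

# Constructed sample evidence (not from the article): an HR feed with each
# person's current status and the date it last changed, plus the DISM unit's
# export of enabled accounts and local administrator rights on endpoints.
HR_FEED = {
    "alice": {"status": "active",      "changed": date(2020, 9, 1)},
    "bob":   {"status": "terminated",  "changed": date(2021, 1, 15)},
    "carol": {"status": "terminated",  "changed": date(2021, 2, 16)},
    "dave":  {"status": "transferred", "changed": date(2020, 12, 1)},
}
ACCOUNTS = [
    {"user": "alice", "enabled": True,  "local_admin": False},
    {"user": "bob",   "enabled": True,  "local_admin": True},
    {"user": "carol", "enabled": True,  "local_admin": False},
    {"user": "dave",  "enabled": False, "local_admin": False},
    {"user": "erin",  "enabled": True,  "local_admin": True},  # no HR record
]
APPROVED_ADMINS = {"alice"}   # hypothetical list approved by the unit head
AS_OF = date(2021, 2, 19)     # audit "as of" date for the constructed data


def deprovisioning_exceptions(hr_feed, accounts, as_of, grace_days=7):
    """Enabled accounts whose owner is no longer active in HR for longer
    than grace_days, or who has no HR record at all (orphan account)."""
    exceptions = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                      # already deprovisioned
        rec = hr_feed.get(acct["user"])
        if rec is None:
            exceptions.append((acct["user"], "no HR record"))
            continue
        age = (as_of - rec["changed"]).days
        if rec["status"] != "active" and age > grace_days:
            exceptions.append((acct["user"], f"{rec['status']} {age}d ago"))
    return exceptions


def admin_exceptions(accounts, approved):
    """Users holding local administrator rights without documented approval."""
    return sorted(a["user"] for a in accounts
                  if a["local_admin"] and a["user"] not in approved)


if __name__ == "__main__":
    for user, reason in deprovisioning_exceptions(HR_FEED, ACCOUNTS, AS_OF):
        print(f"deprovisioning exception: {user} ({reason})")
    for user in admin_exceptions(ACCOUNTS, APPROVED_ADMINS):
        print(f"unapproved local admin: {user}")
```

Carol's account falls inside the grace period and is not reported; in a real engagement the export would be pulled from the unit's directory and the HR feed from the enterprise system of record.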
If your institution utilizes DISM, the following can be implemented enterprise-wide, which may reduce IT risk in the DISM environment:
- Use centralized IT commodities, such as Active Directory, email services, and data storage. This will allow the department to gain economies of scale and reduce risk. More importantly, this will allow the DISM to focus on the unique IT solutions that are essential to its success.
- Develop a DISM IT focus group to foster collaboration between central IT and DISM IT staff. Establishing a focus group ensures the distributed department is up to date on changes to policies and procedures, as well as security issues.
- Consult with central IT before purchasing and implementing any software or devices. This creates the opportunity to take advantage of best pricing and reduce possible negative impacts on the enterprise security and architecture.
The DISM environment can often provide cutting-edge technologies and services that are attractive to prospective faculty and students. However, this level of service can have a security cost if proper controls are not in place. Auditors spend a tremendous amount of time auditing the central IT systems. Yet, these same IT control deficiencies exist in the DISM environment and pose comparable risk to the enterprise. Adopting an IT security framework to audit against IT controls can help the auditor provide reasonable assurance that the right controls are in place across the entire enterprise, allowing the organization to better protect its assets.
About the Author
Lynn Walker
Lynn Walker is currently a Senior IT Auditor at the University of Virginia with over 28 years of information technology experience, including over 25 years in the higher education industry. She received her M.S. in Management of Information Technology and is a Certified Information Systems Auditor (CISA). Lynn also speaks frequently at conferences, including the 2019 UVA Shield Conference and 2018 Ivy+ Directs Conference.