Basic IT Tests for Departmental Audits

Publication Date: December 4, 2023

Audits tend to fall into two categories: process and departmental. Process audits focus on a single university process using a highly unique audit program. These often involve many clients and can take a lot of time. Departmental audits focus on a single client. These tend to be shorter engagements with repeatable processes, with the intent of systematically providing similar coverage for all departments. This article focuses on IT tests that can be applied at the departmental level by both IT and non-IT auditors.

Challenges in Creating a Departmental IT Program

The first challenge faced when creating an IT audit program for use in repeatable departmental audits is making assumptions about the computing environment. A typical office has numerous devices including laptops, desktop computers, and potentially tablets. The environment may also involve remote work, capabilities, employee-owned smartphones, one or more printers, workgroup storage, essential applications, a local network, internet access, and a source of technical support.

The next challenge is aligning information security goals to the environment. While our emphasis tends to focus on the disclosure of sensitive information, auditors should also consider the impact of disruptions to the availability of data and the computing environment. Auditors should be willing to look beyond cybersecurity to the physical world. Information on paper can be equally sensitive and unauthorized physical access to computers is undesirable.

Another challenge revolves around defining accountability for the state of the computing environment. Auditors may discover the business unit believes the IT department is responsible while the IT department believes it is the business unit’s responsibility. In reality, the responsibility is shared. The business unit establishes goals, manages day-to-day operations, and delegates technical issues to the IT department. The ultimate responsibility for securely handling sensitive information belongs to the business unit because they control the entire process.

Simplified IT Audit Tests

 What follows is a brief discussion of a number of tests that can be part of an IT audit program for a departmental audit that could be structured in a way to not need an experienced IT auditor.

Computer Inventories – A maxim posed by the Center for Internet Security is “you cannot manage what you don’t know you have.” Conducting an inventory can determine if the client is aware of      their entire computing environment. There can be computers that were never registered with IT and do not receive periodic updates. There can be computers transferred between departments that still show on the original department’s inventory. There can be mothballed computers which still contain sensitive data sitting on shelves or forgotten in closets with weak physical security. By rigorously maintaining an up-to-date inventory, organizations can ensure every component of their computing environment is accounted for and secured.

Review Installed Software – Collaboration with the IT department is crucial to reviewing installed software. Once an accurate inventory of computers is established in systems such as Microsoft Endpoint Configuration Manager (MEMCM) and/or Jamf (for Mac/IoS devices), those systems can provide lists of software installed. You can compare installed versions of operating systems and software packages to what is currently supported by their vendors. You will have to select software packages to monitor. Packages of concern are usually browsers (Chrome, Edge, Firefox, Safari, etc.) and applications used to interact with Internet content, such as Adobe Acrobat and other PDF readers.
You may find there is no existing standard embodied in your University’s policies or in industry best practices. In such cases, auditors must establish their own criteria. For instance, you may wish to accept that 90% of the installed browsers must be either the most current version or a version that was supported within the last 60 days. Achieving 100% compliance is impractical due to inevitable exceptions and the volume of ongoing updates across a sizable computer population.

The best results from this test will be realized over many departmental audits, perhaps combined with a periodic University-wide IT General Controls audit. While a one-time cleanup is beneficial, a sustained and widespread series of audits yields more substantial long-term benefits.

Auditors may find it best to partner with an Information Security Office to interpret the results. It is important for non-IT auditors and client departments to recognize that automation is the key to applying updates at scale. Reliance on manual updates is untenable across large populations of computers due to the sheer volume of patches required.

Review Service Level Agreements and Contracts – Internal agreements and external contracts that apply to computing devices or services can indicate who is responsible for maintenance and how frequently the maintenance should take place. Maintenance is important in eliminating known vulnerabilities. The lack of internal agreements is not necessarily an issue by itself as many internal processes are informal. The lack of a contract with an external source would be unusual.

Websites – Departmental websites present two principal risks: unintentional disclosure of sensitive data and non-compliance with accessibility standards. In both cases, specialized tools are needed to make an assessment because of the volume of pages and documents to be reviewed. A tool like Spirion can crawl through websites looking for unprotected sensitive data.

An audit function can partner with an accessibility office who might have a tool to generate accessibility reports that produce a scorecard to compare to Web Content Accessibility Guidelines (WCAG) and organizational goals. Auditors are likely to need assistance from an accessibility specialist to interpret details of the report. Expect accessibility issues to be persistent, expensive, and dependent on tools and vendors.

Social Media – A department may manage numerous social media accounts across various platforms. Additionally, there may be old or forgotten accounts, which can pose challenges in terms of tracking and management. Sometimes, the credentials for these accounts may be lost, especially if the individual managing the account has left the organization. In such cases, the recovery of account access might require collaboration with the legal department.

To ensure proper use of social media accounts, it is beneficial to conduct regular audits comparing account activity to the standards set by the University’s communications team. This can help identify any discrepancies or areas of non-compliance.

However, departments must also be mindful of privacy and reputation management. Sharing sensitive or inappropriate content can lead to privacy breaches. Additionally, how a departmental account interacts with individuals, such as students, on social media can impact the department’s image. For instance, a departmental account following students and engaging with their personal content could raise concerns and should be approached with caution.

Public Computers – Departments often provide kiosks and public computers to enhance customer convenience. A frequent issue arises when all users share a common account, potentially leaving files, including those with sensitive data, accessible to subsequent users. Additionally, there is the risk of these public computers being used for unintended purposes.
Conducting an audit on public computers need not be a complex task. Simple checks, such as inspecting download folders for sensitive data and testing browser settings to assess access to potentially inappropriate content, can yield valuable insights into the security and proper use of these resources.

Physical Security – The replacement cost of a computer may only be a few thousand dollars, but the value of sensitive data it holds could potentially lead to millions of dollars in damages if compromised. Additionally, the theft or vandalism of computing equipment can result in significant productivity losses due to the unavailability of essential tools.

Enhancing physical security doesn’t necessarily require advanced penetration testing skills. Simple tools such as traveler’s hooks, J-tools, and under-door tools, which can be acquired for around $100, can be used to assess the vulnerability of doors. Furthermore, conducting an after-hours walkthrough can reveal unlocked doors and windows, highlighting areas in need of improved security measures.

It’s also crucial to evaluate the management of physical keys, including maintaining an up-to-date inventory and records of issued keys, to ensure that only authorized individuals have access to secure areas.

Adding basic IT tests into departmental audits creates a repeatable process that increases your IT coverage across campus.

About the Author

Bruce Tong

Bruce Tong is a Sr. IT Auditor in Ohio University’s Office of Audit, Risk, and Compliance, and an Adjunct Professor teaching courses in Network Security and IT Compliance in the J. Warren McClure School of Emerging Communication Technologies, and a former Software Engineer.