IT Audit serves both the University and Penn Medicine, assessing critical IT systems, their related architecture, and IT processes to determine whether information assets are secure, reliable, available, and compliant with policies and applicable laws and regulations. We also emphasize the importance of mitigating privacy and security risks throughout our audits. We are committed to delivering our services in an independent, objective, and professional manner.
IT Audit follows the COBIT framework, a set of best practices for IT management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes, and best practices to assist them in maximizing the benefits derived from information technology and in developing appropriate IT governance and control within an organization. As a result, management and business process owners are provided with an information technology (IT) governance model that helps in delivering value from IT and in understanding and managing the risks associated with IT. COBIT emphasizes regulatory compliance, helps organizations increase the value attained from IT, enables alignment between IT and the business, and simplifies implementation of the framework.
IT Audit services include the following:
Information Security Services
Network Security Reviews
Assessments of the security processes and controls for the network and related IT infrastructure to verify that configurations are secure and to identify where computer security best practices should be applied.
Web Application Security Reviews
Assessments of the control environment and logical security that support web applications. Additionally, licensed scanning tools are used for the identification of potential security vulnerabilities within the web application itself or at the server level. Applications are scanned to evaluate, for example, exposures to data injection and manipulation attacks, sessions and authentication, and server and general HTTP attacks. Web server scans feature high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, and vulnerability analysis of your security posture. OACP’s scanning software licenses allow us to scan any machine owned by the University or Health System.
Wireless Security Reviews
Evaluations of system administrator duties, system configurations, and physical security for the wireless network infrastructure to identify the strengths and vulnerabilities of the wireless network configuration and implementation.
Governance, Risk, and Compliance Services
These reviews are generally performed at the Department/Center level. These projects (1) determine the effectiveness of IT general and application controls for organization-specific applications and systems, (2) evaluate network and systems security for infrastructure managed by Department/Center resources, and (3) determine the organization's software licensing compliance. IT general control areas include logical security, physical security, computer operations, and change management.
Application Controls Reviews
Evaluations of the control objectives of security, privacy, data integrity, and effectiveness of the application, measured against policies, industry best practices, and applicable laws and regulations.
Information Processing Facilities (Data Centers) Audits
Verification that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
These reviews are performed jointly by the Operational and IT Audit teams. During the review we evaluate the overall management of the project, assist in the design and deployment of effective internal controls for key business processes, and ensure the implementation of sound security controls. These projects seek to determine whether:
- The new system meets the functional requirements of the business
- Project tasks are defined in sufficient detail to identify all of the components of the project
- Adequate testing is being performed to ensure that the system functions as intended
- The data conversion strategy ensures that all data is migrated to the new system with integrity
For internally developed solutions, OACP links the Systems Development Lifecycle phases to COBIT Control Domains to perform the audit. If a vendor-provided solution is being implemented, OACP typically audits the same areas, with the exception of requirements definition/analysis and ensuring that effective program version control is in place.
These reviews evaluate the effectiveness of the system development effort after the system has been in production for a period of time (usually 6 months). The review results are provided to strengthen the system as well as the system development procedures. The objectives are to determine whether the system does what it was designed to do, for example:
- The new system supports the user as required in an effective and efficient manner
- The system successfully delivered the expected functionality, performance, and benefit
- The life-cycle development activities that produced the system were effective
These audits evaluate security, privacy, and data integrity controls in various applications to assess compliance with the HIPAA Security Rule and the HITECH Act. During these audits, a software-based survey tool is used to gather data from application owners and technical support personnel in order to assess the application's compliance. We then review supporting documentation and perform testing to validate the effectiveness of HIPAA/HITECH controls.
Special Requests/Advisory Services
Requests for these services are balanced against our current workload and the related levels of risk. If our schedule allows us to accommodate the request, the nature and scope of these services are developed collaboratively with client management and are intended to add value. These services include controls consultation, privacy and security advice, and more specifically:
- Solution Selection: The University and Health System are continually looking for ways technology can add value and ensure that technology aligns with business objectives. OACP can be a resource as your existing committees/groups consider investing in new applications/systems. OACP can specifically add value to your initiatives by ensuring that proposed solutions have appropriate controls and security, meet University/Health System policies, and address regulatory and compliance requirements.
- Web Application Security Scanning: The scanning procedures discussed under Web Application Security Reviews above can be performed on University servers at the request of management, with the scan results provided to the appropriate administrator. Licensed scanning tools are used to identify potential security vulnerabilities within the web application itself or at the server level. Applications are scanned to evaluate, for example, exposure to data injection and manipulation attacks, session and authentication weaknesses, and server and general HTTP attacks. Web server scans feature high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, and vulnerability analysis of your security posture.
- Special Attestation Reporting (e.g., "SAS 70") / Vendor Management: The University and Health System rely on numerous third parties to provide IT services or hosting services for systems and applications. Depending on the type of IT audit OACP has been engaged to perform within your organization, the team determines in the planning phase of the audit which parties are responsible for managing, supporting, and hosting the infrastructure/data. OACP will request the contracts or service-level agreements you have with third parties to better understand the responsibilities of each party and whether a service organization report is available.
OACP can be a resource even if we are not performing an audit at your organization. Please refer to the Special Attestation Reporting whitepaper for more information on what you can do to proactively manage your vendors and how OACP can assist you.