Stanford IT Audits
Introduction
The Information Technology Audit Team (IT Audit) works to identify areas of technical risk, including application, infrastructure, systems, and process risks, for the University, Stanford Hospital & Clinics, and Lucile Packard Children's Hospital.
Stanford IT Audit Information
An IT audit is an examination of the controls within the Information Technology infrastructure. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement. An IT audit is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations. Evaluating the evidence obtained can ensure that the organization's information systems safeguard assets, maintain data integrity, and are operating effectively and efficiently to achieve the organization's goals or objectives.
- Control Objectives for Information and related Technology (CobiT)
Stanford's IT Audit Team follows the CobiT framework, a set of best practices for IT management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company. Its aim is to provide management and business process owners with an information technology (IT) governance model that helps in delivering value from IT and in understanding and managing the risks associated with IT.
COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.
Types of IT Audits
IT Audits can focus on a myriad of purposes in the evaluation of a system's internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight. Types of IT Audits we perform include:
- Systems and Applications - To verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.
- Information Processing Facilities (Data Centers) - To verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
- Systems Development - To verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for system development.
- Management of IT and Enterprise Architecture - To verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
- Client, Server, Telecommunications, Intranets and Extranets - To verify that communications controls are in place (and effective) on clients, servers and the network.
- Data Center Audit Plan (pdf) (doc)
- Project Development Audit Plan (pdf) (doc)
- Pre-Implementation Review Session - Agenda (pdf) (doc)
Preparation for an IT Audit
Preparation for an IT Audit should begin before the audit starts. Preparation steps include asking:
- Are you aware of the University's policies and procedures?
- Do you perform activities that are not covered by the University's policies and procedures? If so:
  - Are the procedures documented?
  - Are the documented procedures readily accessible by staff?
  - Are the documented procedures being followed?
  - Are the procedures current?
For more information, please contact the Internal Audit and Institutional Compliance Department (mail).
Related Documents and References
Stanford University is committed to protecting its information resources from accidental or intentional intrusion or damage, and is equally committed to preserving and nurturing the open, information-sharing requirements of its academic mission of teaching, learning and research. Protecting information assets is driven by a variety of considerations, including legal, academic, financial and other business requirements. Here are a few related documents and references regarding information security requirements imposed on the University:
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Family Educational Rights and Privacy Act of 1974 (FERPA)
- Gramm-Leach-Bliley Act of 1999 (GLBA)
- California Civil Code 1798.82-85 (aka SB-1386)
- Payment Card Industry Data Security Standards (PCI-DSS_v2.0)
- http://ecommerce.stanford.edu/
- PCI-DSS Standards Overview
- PCI Self-Assessment Questionnaire
- Other Software Licensing and Copyright issues
- Stanford Report Article (11/29/06)
External Auditors
External Auditors requesting Internet access through Stanford's network, or access to University systems, should follow this procedure for requesting access to Stanford.
Other Information
- Information Security Office's SecureComputing website
- Stanford's Essential Stanford Software (ESS)
Last modified Thursday, 29-Mar-2012 10:11:24 AM
© Stanford University. All Rights Reserved. Stanford, CA 94305. (650) 723-2300.