Audit Committee Materials - November 2017

| Institution | Report Release Date | Recommendation | Responsible Staff | Date Management’s Actions to be Implemented | Revised Date Management’s Actions to be Implemented | # of Changes to Date Management's Actions to be Implemented | Initial Date of Internal Audit Follow-up | Most Recent Date of Internal Audit Follow-up | Status |
|---|---|---|---|---|---|---|---|---|---|
| NeSCC | 17-Feb-17 | NeSCC ITGCR #4 - Need for cloud strategy - Document your strategy for moving data to a cloud environment. Include the type of cloud environment and how such data will be secured in the strategy. | CIO, Fred Lewis | 15-Aug-17 | 1-Sep-17 | 1 | 18-Sep-17 | 18-Sep-17 | Action Completed |
| NeSCC | 17-Feb-17 | NeSCC ITGCR #5 - Hardware Asset Management Inventory - Consider a better format to have an asset management inventory for IT management purposes. | CIO, Fred Lewis | 15-Aug-17 | 1-Sep-17 | 1 | 18-Sep-17 | 18-Sep-17 | Action Completed |
| NeSCC | 17-Feb-17 | NeSCC ITGCR # 6 - Potential for unauthorized device connection - Implement means to better prevent the attached connectivity of devices onto the college's network. | | 15-Aug-17 | 1-Sep-17 | 1 | 18-Sep-17 | 18-Sep-17 | Action Completed |
| NeSCC | 17-Feb-17 | NeSCC ITGCR # 2 Addendum - Mobile Device Agreement / Procedure - Implement a mobile device agreement for any user who brings their own device but uses that device to access college business information. | CIO, Fred Lewis | 15-Aug-17 | 1-Sep-17 | 1 | 18-Sep-17 | 18-Sep-17 | Action Completed |
| NeSCC | 17-Feb-17 | NeSCC ITGCR # 11 of 18 - Improved Topology Diagram - Update the current network topology diagram to better depict the college's network, its ingress/egress points and the layered security in place at each of these points. | CIO, Fred Lewis | 15-Aug-17 | 1-Sep-17 | 1 | 18-Sep-17 | 18-Sep-17 | Action Completed |
| NeSCC | 17-Feb-17 | NeSCC ITGCR # 13 of 18 - Reviewing Anti-virus definition deployments - Ensure all college-owned workstations are properly protected with the anti-virus solution. | CIO, Fred Lewis | 15-Aug-17 | 1-Sep-17 | 1 | 18-Sep-17 | 18-Sep-17 | Action Completed |
| NeSCC | 17-Feb-17 | NeSCC ITGCR #14 of 18 - PCI rule changes - Investigate the current situation versus new PCI requirements for a need to have PCI testing performed. | CIO, Fred Lewis | 15-Aug-17 | 1-Sep-17 | 1 | 18-Sep-17 | 18-Sep-17 | Action Completed |
| NeSCC | 17-Feb-17 | NeSCC ITGCR #15c of 18 - Password Policy Compliance - Review the current setting on the Default Domain Policy and make adjustments as needed to better comply with TBR password policy. | CIO, Fred Lewis | 15-Aug-17 | 1-Sep-17 | 1 | 18-Sep-17 | 18-Sep-17 | Action Completed |
| NeSCC | 17-Feb-17 | NeSCC ITGCR #1 of 18 - Including awareness training in Security program - Complete the implementation of the SANS Information Security Awareness Training Program. | CIO, Fred Lewis | 15-Aug-17 | 1-Sep-17 | 1 | 18-Sep-17 | 18-Sep-17 | Action Completed |
| NeSCC | 17-Feb-17 | NeSCC ITGCR #16 of 18 - Server Room Security - Contact the authorized source that provides keys to the server room to identify who all has keys. If unknown parties have keys, consider having the key part of the lock changed. | CIO, Fred Lewis | 15-Aug-17 | 1-Sep-17 | 1 | 18-Sep-17 | 18-Sep-17 | Action Completed |
| NeSCC | 17-Feb-17 | NeSCC ITGCR #17 of 18 - Alert content - Investigate whether alerts can be changed to better serve the needs of the college. | CIO, Fred Lewis | 15-Aug-17 | 1-Sep-17 | 1 | 18-Sep-17 | 18-Sep-17 | Action Completed |
| NeSCC | 17-Feb-17 | NeSCC ITGCR # 18 of 18 - Hard drive data preservation - Enhance and document the process to confiscate computer hard drives when such may be required for legal purposes. | CIO, Fred Lewis | 15-Aug-17 | 1-Sep-17 | 1 | 18-Sep-17 | 18-Sep-17 | Action Completed |
| ROCC | 2-Mar-16 | ROCC monies appear to be spent on computer devices that are possibly not being used for ROCC purposes and/or not being managed in the same manner that other computer devices are to ensure effective asset management. Consider documenting a process for how this unit will function, improve the equipment inventory to allow equipment use and life to be tracked for asset management, and consider retrieving items that are not being utilized to match the new documented program criteria. | Jim Dye, CIO | 7-Oct-16 | 31-Aug-17 | 3 | 1-Sep-17 | 1-Sep-17 | Action Completed |
| TBR | 23-May-14 | IT General Controls Review: Recommendation 2 of 16: Develop a change management procedure, for use by the system office, which identifies how management maintains and documents the maintenance of hardware, software and the network through patching, anti-virus, help desk and general maintenance functions. | CIO Tom Danford | 1-Dec-14 | 11-Aug-17 | 5 | 11-Aug-17 | 11-Aug-17 | Action Completed |
| TBR | 23-May-14 | IT General Controls Review: Recommendation 10 of 16: Consider implementing at the TBR system office, a mobile device service agreement for users assigned a mobile device and with access to personally identifiable information. | CIO - Tom Danford | 1-Jun-15 | 11-Aug-17 | 5 | 11-Aug-17 | 11-Aug-17 | Action Completed |
| TBR | 23-May-14 | IT General Controls Review: Recommendation 16 of 16: Reassess and document the process for logging and monitoring system utilization data and alerts. | CIO - Tom Danford | 1-Dec-14 | 11-Aug-17 | 5 | 11-Aug-17 | 11-Aug-17 | Action Completed |

TBR SWIA - Status Report on Internal Audit Recommendations - Information Systems
(Reports sorted by Status, Institution, Report Release Date)