Owls Inc. Audit Plan

OWLS, INC.
Social Security Number Policy Audit Plan and Testing Procedures
Version 1.1
Abstract
This document contains the auditing plan and testing procedures for the audit of Owls, Inc.’s Social Security Number Policy. This
document is confidential and should not be shared with anyone outside of the company.
Ariana Levinson, Shakiya Lisane, Marcus Wilson, Vu Do
Table of Contents

Introduction
Audit Objective ..... 3
Audit Process ..... 3
Understanding the Audit Results ..... 4
Audit Considerations ..... 4

Controls
1. Technical Security of SSN Data
1.1 – Masking SSNs ..... 6
1.2 – Encrypting SSNs ..... 6
1.3 – Protecting SSNs ..... 6
1.4 – Vulnerability Scanning ..... 6
1.5 – Secure Data Entry ..... 6
1.6 – Backups ..... 6
2. Reducing SSN Usage to Reduce Risk
2.1 – SSN Usage for Authentication ..... 7
3. Logical Access Controls
3.1 – User Registration ..... 8
3.2 – User Rights Review ..... 8
3.3 – Non-Disclosure Agreement ..... 8
3.4 – Security of Physical Data ..... 8
3.5 – Security of Infrastructure ..... 8

Appendices
Appendix A – Audit Calendar/Schedule ..... 9
Version: 1.1 – Document Created
Date Updated: 4/13/2016
Updated By: Ariana Levinson & Marcus Wilson
Introduction
Owls Assurance and Advisory Team (OAAT) Social Security Number Audit Plan
SSN Audit Objective:
The overall objective of the social security number (SSN) audit is to evaluate the design and effectiveness of the operational processes
related to the storage, use, and transmission of SSNs. This audit plan outlines the audit areas and the audit process used.
The Owl Assurance and Advisory Team is an internal business assurance and consulting organization designed to improve business
processes and operations. The engagement teams are responsible for helping management understand the effectiveness of internal
controls and policies by testing and reviewing scope areas that are deemed critical by the Audit Universe and by recommendations from the
Audit Committee.
SSN Audit Process:
An OAAT engagement team will be assigned to the SSN audit once an audit engagement timeframe has been established with reference to the
SSN Audit Calendar. OAAT leadership and the Executive Leadership team reserve the right to schedule ad-hoc audits based on overall
organizational risk analysis. The audit team will consist of an Engagement Director, an Engagement Manager, and 1-2 Engagement staff as
needed.
The SSN audit engagement will be performed in three phases:
Planning: Finalizing scope areas, reviewing SSN controls, meeting with SSN stakeholders, etc.
The planning phase will include reviewing the SSN audit calendar to determine which controls testing will be completed during the audit.
During this phase the audit team will reach out to the SSN control owners, brief them on the objectives of the audit, and discuss any
scheduling that needs to be agreed.
Execution: Performing testing of the SSN controls (Technical Security, SSN Usage, and Logical Access) and client inquiry around SSN
scope areas.
During the execution phase the audit team will use the SSN audit calendar and risk assessment tool to begin to test the SSN controls that
are in place. This will include IT department inquiry surrounding SSN processes, review of implemented code, and detailed review of
documentation and applications.
Reporting: Analyzing and building a final audit report with the results from the testing performed.
The final reporting phase will consist of reviewing and compiling any findings and deficiencies from the controls testing. The audit team
will hold a final meeting with all of the SSN process owners to read out the final audit report and determine who will own any
corrective action plans.
Understanding the Results of an Audit:
Once OAAT has completed the SSN audit, a final audit report will be issued to the General Auditor, business stakeholders, Executive
Leadership team, and the Audit Committee. The report will provide an overall score based on the results of the audit:
Green – Effective
Yellow – Needs Enhancement
Red – Insufficient
Based on the audit engagement team’s findings, the final audit report may issue audit observations that may be assigned to a Corrective
Action Plan (CAP). A CAP may relate to, but is not limited to, subject areas such as operational process inefficiencies, lack of
management oversight, security concerns, resource utilization, and overall compliance with corporate and regulated procedures and
policies. A CAP can be issued to multiple owners. It is the assigned business owner(s)’ responsibility to follow the timeline and complete
the CAP objective outlined by the audit engagement team.
In accordance with company policy, OAAT will follow up to ensure that CAPs are effectively implemented. The business is responsible for
submitting status updates and evidence of CAP closure to the identified OAAT contact for the audit engagement. The status of all CAPs will
be reported quarterly to the Audit Committee, with specific details around any CAPs that are delayed past their due date.
Note: Audit CAPs are not issued for an advisory audit engagement. As specified in the audit universe, the SSN audit will be an annual
assurance audit that can result in CAPs.
Audit Considerations:
Owl Assurance and Advisory Team audits are conducted in accordance with the Standards for the Professional Practice of Internal
Auditing. The Standards provide the basic requirements for the professional practice of internal auditing and for evaluating the
effectiveness and efficiency of identified financial, operational, and regulatory control objectives. Our opinion is not a guarantee against
financial misstatements, operational sub-optimization, or regulatory non-compliance.
1. Technical Security of SSN Data

Control 1.1 – Masking SSNs
Control: SSNs should only be visible in the following format: xxx-xx-1234. Only the last four numbers should be visible.
Testing Procedures: Screenshots of any system that touches this data should be taken to see that the necessary masking is in place. A
screenshot showing un-masked SSNs would result in a finding. NOTE: all screenshots must include a date and time stamp in order to be
considered valid for testing purposes. If a screenshot does not contain the date/time stamp of when it was captured, auditors will request
a new screenshot with the appropriate date/time stamp.

Control 1.2 – Encrypting SSNs for Transport
Control: SSNs should be strongly encrypted. Partial masking is not enough.
Testing Procedures: Inquire of the IT department as to what type of encryption is being used, and request a walkthrough of the encryption
process (using test data, not real SSNs).

Control 1.3 – Protecting SSNs
Control: SSNs should be stored on internally facing servers behind a firewall.
Testing Procedures: Inspect firewall settings and configurations.

Control 1.4 – Vulnerability Scanning
Control: Vulnerability scans should be run on any systems that host SSN data, and any critical vulnerabilities found (CVSS 4 or 5) should
be remediated within 30 days of discovery.
Testing Procedures: Inspect vulnerability scan configurations and scan results semi-annually to ensure they are being performed correctly
and all critical vulnerabilities are being remediated in a timely manner.

Control 1.5 – Secure Data Entry
Control: Any methods of data entry that will be used for SSN data must be secure.
Testing Procedures: Inspect the security configurations of any electronic method used for sensitive data entry.

Control 1.6 – Backups
Control: Periodic backups should be done regularly, tested, and secured.
Testing Procedures: Inspect the backup logs to ensure backups are being performed and tested regularly. If backups are being stored
electronically, security settings and configurations should be inspected to validate security. If backups are being stored physically in
the form of tapes, physical access controls need to be inspected to ensure the backups are being housed securely. If they are transported
off-site, the method of transportation also needs to be inspected.
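Control 1.1 fixes one permitted display format (xxx-xx-1234) and control 1.2 notes that partial masking is not enough; the following added example (not part of the Owls plan) scans exported screen text for any SSN-like value that is not masked exactly that way. The screen lines are constructed sample data.

```python
import re

# Added example for control 1.1 (and the "partial masking is not enough"
# note in 1.2). It is not part of the Owls plan; the sample screen text
# below is constructed for illustration.

# An SSN-like token: three, two and four positions, where the first two
# groups may be digits or mask characters. Lookarounds replace \b so that
# tokens starting with "*" are still found.
SSN_LIKE_RE = re.compile(r"(?<![\w-])([\dxX*]{3}-[\dxX*]{2}-\d{4})(?![\w-])")
# The only presentation control 1.1 permits: xxx-xx-1234.
MASKED_RE = re.compile(r"xxx-xx-\d{4}")


def mask_ssn(ssn: str) -> str:
    """Render an SSN in the format control 1.1 requires (xxx-xx-1234)."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("an SSN has exactly nine digits")
    return "xxx-xx-" + digits[-4:]


def find_masking_violations(lines):
    """Return (line_number, token) for every SSN-like value that is not
    masked exactly as xxx-xx-1234. Fully visible SSNs, partially masked
    ones (xxx-45-6789) and other mask styles (***-**-1234) all count."""
    violations = []
    for number, line in enumerate(lines, start=1):
        for token in SSN_LIKE_RE.findall(line):
            if not MASKED_RE.fullmatch(token):
                violations.append((number, token))
    return violations


# Constructed export of a screen that displays SSN data.
SAMPLE_SCREEN = [
    "Employee 1042  SSN: xxx-xx-6789  Dept: Payroll",   # compliant
    "Employee 1043  SSN: 123-45-6789  Dept: HR",        # unmasked
    "Employee 1044  SSN: xxx-45-6789  Dept: Finance",   # partially masked
    "Employee 1045  SSN: ***-**-4321  Dept: Legal",     # not the required format
]

if __name__ == "__main__":
    for number, token in find_masking_violations(SAMPLE_SCREEN):
        print(f"line {number}: {token!r} is not masked as xxx-xx-1234")
```

Each flagged line is a candidate finding; the dated screenshot the procedure calls for remains the evidence of record.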
2. Reducing SSN Usage to Reduce Risk

Control 2.1 – SSN Usage for Authentication
Control: SSNs should be used as little as possible for user authentication.
Testing: Inspect the process documentation (which needs to be re-certified quarterly by the business owner) that states the acceptable
methods of identification and authentication.
3. Logical Access Controls

Control 3.1 – User Registration
Control: Access is to be granted on an as-needed basis, and terminated users must have permissions removed within 2 business days of
termination.
Testing: The current user lists from the application, database, and operating system layers should be compared to HR lists generated the
same day and examined for new, removed, and transferred users. A sample should be taken from each group and evidence (tickets, emails,
etc.) of provisioning/deprovisioning should be requested for each individual in each sample. The current user lists should also be
compared to the termination list. All terminated users who are found to still have access to the application/database/operating system
should be selected for testing.

Control 3.2 – User Rights Review
Control: The list of everyone who has access to view SSN data should be reviewed quarterly and signed off on by the business owner.
Testing: Inspect the user rights reviews that were completed and signed off on by the Business Owner. If any changes were requested by the
Business Owner, follow up and ask for evidence (tickets, emails, etc.) of those changes to validate that they were correctly made.

Control 3.3 – Non-Disclosure Agreement
Control: All users are required to sign a non-disclosure agreement.
Testing: Inspect the records of filed NDAs to ensure all new users sign the agreement before permissions are assigned.

Control 3.4 – Security of Physical Data
Control: Any forms, papers, etc. that have SSN data on them should either be securely locked up or cross-shredded once they are no longer
required.
Testing: Inspect the process documentation (which needs to be re-certified quarterly by the business owner) that states the methods of
physical security and proper destruction of any data that will not be entered digitally.

Control 3.5 – Security of Infrastructure
Control: Any servers that are used to host SSN data must be properly secured.
Testing: For servers that are hosted in business offices, inspect the physical security controls. Are badges required for office entry?
Are servers further secured to only authorized personnel within the office? Are badges/tokens/pins/etc. properly provisioned and removed
when needs change? For any servers that are outsourced to a hosting provider, the SSAE16 report should be reviewed at least once a year
to ensure the physical access controls at the vendor facilities remain secure.
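The 3.1 testing procedure compares same-day application and HR lists and selects every terminated user who still has access; the following added example (not part of the Owls plan) performs that reconciliation and separates accounts that are past the 2-business-day removal window from those still inside it. User IDs and dates are constructed, and company holidays are assumed not to exist.

```python
from datetime import date, timedelta

# Added example for control 3.1: reconcile the application's current user
# list against the HR roster pulled the same day. Not part of the Owls
# plan; user IDs and dates below are constructed.


def add_business_days(start: date, days: int) -> date:
    """Date that is `days` business days (Mon-Fri) after `start`.
    Company holidays are not modelled; that is an assumption of this example."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:   # Monday=0 .. Friday=4
            days -= 1
    return current


def reconcile_access(app_users, hr_roster, as_of):
    """Sort active accounts into the groups the testing procedure asks about.
    app_users: IDs that currently have access (application, DB or OS layer).
    hr_roster: ID -> termination date, or None for current employees.
    as_of:     the date both lists were generated."""
    overdue, within_grace, not_in_hr = [], [], []
    for uid in sorted(app_users):
        if uid not in hr_roster:
            not_in_hr.append(uid)      # no HR record: request provisioning evidence
            continue
        terminated = hr_roster[uid]
        if terminated is None:
            continue                   # current employee, nothing to flag
        deadline = add_business_days(terminated, 2)
        (overdue if as_of > deadline else within_grace).append(uid)
    return {"overdue": overdue, "within_grace": within_grace, "not_in_hr": not_in_hr}


# Constructed sample: both lists pulled on 2016-04-13, a Wednesday.
AS_OF = date(2016, 4, 13)
APP_USERS = {"u1001", "u1002", "u1003", "u1004", "svc_report"}
HR_ROSTER = {
    "u1001": None,
    "u1002": None,
    "u1003": date(2016, 4, 8),    # Friday; deadline Tuesday 4/12, overdue on 4/13
    "u1004": date(2016, 4, 12),   # Tuesday; deadline Thursday 4/14, still in grace
}

if __name__ == "__main__":
    for group, ids in reconcile_access(APP_USERS, HR_ROSTER, AS_OF).items():
        print(f"{group}: {ids}")
```

Every ID in the "overdue" group is selected for testing under 3.1; the "not_in_hr" group is where provisioning evidence (tickets, emails, etc.) is requested.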
Appendix A: Audit Calendar/Schedule

Q4 for every control: Inquiry-based Update Testing or full examination; Remediation Testing if findings exist.

Control Number | Control | Q1 | Q2 | Q3
1.1 | Masking SSNs | Initial Testing | n/a | Interim Testing
1.2 | Encrypting SSNs for Transport | Initial Testing | n/a | Interim Testing
1.3 | Protecting SSNs | Initial Testing | n/a | Interim Testing
1.4 | Vulnerability Scanning | Initial Testing | Interim Testing | Interim Testing
1.5 | Secure Data Entry | Initial Testing | n/a | Interim Testing
1.6 | Backups | Initial Testing | n/a | Interim Testing
2.1 | SSN Usage for Authentication | Initial Testing | n/a | Interim Testing
3.1 | User Registration | Initial Testing | n/a | Interim Testing
3.2 | User Rights Review | Initial Testing | Interim Testing | Interim Testing
3.3 | Non-Disclosure Agreement | Initial Testing | n/a | Interim Testing
3.4 | Security of Physical Data | Initial Testing | n/a | Interim Testing
3.5 | Security of Infrastructure | Initial Testing | n/a | Interim Testing