OWLS, INC.
Social Security Number Policy Audit Plan and Testing Procedures
Version 1.1

Abstract
This document contains the auditing plan and testing procedures for the audit of Owls, Inc.'s Social Security Number Policy. This document is confidential and should not be shared with anyone outside of the company.

Ariana Levinson, Shakiya Lisane, Marcus Wilson, Vu Do

Table of Contents

Introduction
  Audit Objective
  Audit Process
  Understanding the Audit Results
  Audit Considerations

Controls
  1. Technical Security of SSN Data
    1.1 – Masking SSNs
    1.2 – Encrypting SSNs
    1.3 – Protecting SSNs
    1.4 – Vulnerability Scanning
    1.5 – Secure Data Entry
    1.6 – Backups
  2. Reducing SSN Usage to Reduce Risk
    2.1 – SSN Usage for Authentication
  3. Logical Access Controls
    3.1 – User Registration
    3.2 – User Rights Review
    3.3 – Non-Disclosure Agreement
    3.4 – Security of Physical Data
    3.5 – Security of Infrastructure

Appendices
  Appendix A – Audit Calendar/Schedule

Version History
  Version 1.1 – Document Created
  Date Updated: 4/13/2016
  Updated By: Ariana Levinson & Marcus Wilson

Introduction

Owls Assurance and Advisory Team (OAAT) Social Security Number Audit Plan

SSN Audit Objective:
The overall objective of the social security number (SSN) audit is to evaluate the design and effectiveness of the operational processes related to the storage, use, and transmission of SSNs. This audit plan outlines the audit areas and the audit process used.

The Owl Assurance and Advisory Team is an internal business assurance and consulting organization designed to improve business processes and operations. The engagement teams are responsible for helping management understand the effectiveness of internal controls and policies by testing and reviewing scope areas that are deemed critical by the Audit Universe and by recommendations from the Audit Committee.

SSN Audit Process:
An OAAT engagement team will be assigned to the SSN audit once an audit engagement timeframe has been established with reference to the SSN Audit Calendar. OAAT leadership and the Executive Leadership team reserve the right to schedule ad-hoc audits based on overall organizational risk analysis. The audit team will consist of an Engagement Director, an Engagement Manager, and 1-2 Engagement staff as needed.

The SSN audit engagement will be performed in three phases:

Planning: Finalizing scope areas, reviewing SSN controls, meeting with SSN stakeholders, etc. The planning phase will include reviewing the SSN audit calendar to determine what controls testing will be completed during the audit. During this phase the audit team will reach out to the SSN control owner and brief them on the objectives of the audit and any potential scheduling that needs to be discussed.
Execution: Performing testing of the SSN controls (Technical Security, SSN Usage, and Logical Access) and client inquiry around SSN scope areas. During the execution phase the audit team will use the SSN audit calendar and risk assessment tool to begin testing the SSN controls that are in place. This will include IT department inquiry surrounding SSN processes, review of implemented code, and detailed review of documentation and applications.

Reporting: Analyzing and building a final audit report with the results from the testing performed. The final reporting phase will consist of reviewing and compiling any findings and deficiencies from the controls testing. The audit team will hold a final meeting with all of the SSN process owners to read out the final audit report and determine who the owners of any corrective action plans will be.

Understanding the Results of an Audit:
Once OAAT has completed the SSN audit, a final audit report will be issued to the General Auditor, business stakeholders, the Executive Leadership team, and the Audit Committee. The report will provide an overall score based on the results of the audit:

  Green – Effective
  Yellow – Needs Enhancement
  Red – Insufficient

Based on the audit engagement team's findings, the final audit report may issue audit observations that may be assigned to a Corrective Action Plan (CAP). A CAP may relate to, but is not limited to, subject areas such as operational process inefficiencies, lack of management oversight, security concerns, resource utilization, and overall compliance with corporate and regulated procedures and policies. A CAP can be issued to multiple owners. It is the assigned business owner(s)' responsibility to follow the timeline and complete the CAP objective outlined by the audit engagement team. In accordance with company policy, OAAT will follow up to ensure that CAPs are effectively implemented.
The business is responsible for submitting status updates and evidence of CAP closure to the identified OAAT contact for the audit engagement. The status of all CAPs will be reported quarterly to the Audit Committee, with specific details around any CAPs that are delayed past their due date.

Note: Audit CAPs are not issued for an advisory audit engagement. As specified in the audit universe, the SSN audit will be an annual assurance audit that can result in CAPs.

Audit Considerations:
Owl Assurance and Advisory Team audits are conducted in accordance with the Standards for the Professional Practice of Internal Auditing. The Standards provide the basic requirements for the professional practice of internal auditing and for evaluating the effectiveness and efficiency of financial, operational, and regulatory identified control objectives. Our opinion is not a guarantee against financial misstatements, operational sub-optimization, or regulatory non-compliance.

Controls

1. Technical Security of SSN Data

Control 1.1 – Masking SSNs
  Control: SSNs should only be visible in the following format: xxx-xx-1234. Only the last four numbers should be visible.
  Testing Procedures: Screenshots of any system that touches this data should be taken to see that the necessary masking is in place. A screenshot showing unmasked SSNs would result in a finding.
  NOTE: All screenshots must include a date and time stamp in order to be considered valid for testing purposes. If a screenshot does not contain the date/time stamp of when it was captured, auditors will request a new screenshot with the appropriate date/time stamp.

Control 1.2 – Encrypting SSNs for Transport
  Control: SSNs should be strongly encrypted. Partial masking is not enough.
  Testing Procedures: Inquire of the IT department as to what type of encryption is being used, and request a walkthrough of the encryption process (using test data, not real SSNs).

Control 1.3 – Protecting SSNs
  Control: SSNs should be stored on internally facing servers behind a firewall.
  Testing Procedures: Inspect firewall settings and configurations.

Control 1.4 – Vulnerability Scanning
  Control: Vulnerability scans should be run on any systems that host SSN data, and any critical vulnerabilities found (CVSS 4 or 5) should be remediated within 30 days of discovery.
  Testing Procedures: Inspect vulnerability scan configurations and scan results semi-annually to ensure scans are being performed correctly and all critical vulnerabilities are being remediated in a timely manner.

Control 1.5 – Secure Data Entry
  Control: Any method of data entry that will be used for SSN data must be secure.
  Testing Procedures: Inspect the security configurations of any electronic method used for sensitive data entry.

Control 1.6 – Backups
  Control: Periodic backups should be done regularly, tested, and secured.
  Testing Procedures: Inspect the backup logs to ensure backups are being performed and tested regularly. If backups are stored electronically, security settings and configurations should be inspected to validate security. If backups are stored physically in the form of tapes, physical access controls need to be inspected to ensure the backups are housed securely. If they are transported off-site, the method of transportation also needs to be inspected.

2. Reducing SSN Usage to Reduce Risk

Control 2.1 – SSN Usage for Authentication
  Control: SSNs should be used as little as possible for user authentication.
  Testing Procedures: Inspect the process documentation (which needs to be re-certified quarterly by the business owner) that states the acceptable methods of identification and authentication.

3. Logical Access Controls

Control 3.1 – User Registration
  Control: Access is to be granted on an as-needed basis, and terminated users must have permissions removed within 2 business days of termination.
  Testing Procedures: The current user lists from the application, database, and operating system layers should be compared to HR lists generated the same day and examined for new, removed, and transferred users. A sample should be taken from each group and evidence (tickets, emails, etc.) of provisioning/deprovisioning should be requested for each individual in each sample. The current user lists should also be compared to the termination list. All terminated users who are found to still have access to the application/database/operating system should be selected for testing.

Control 3.2 – User Rights Review
  Control: The list of everyone who has access to view SSN data should be reviewed quarterly and signed off on by the business owner.
  Testing Procedures: Inspect the user rights reviews that were completed and signed off on by the Business Owner. If any changes were requested by the Business Owner, follow up and ask for evidence (tickets, emails, etc.) of those changes to validate that they were correctly made.

Control 3.3 – Non-Disclosure Agreement
  Control: All users are required to sign a non-disclosure agreement.
  Testing Procedures: Inspect the records of filed NDAs to ensure all new users sign the agreement before permissions are assigned.

Control 3.4 – Security of Physical Data
  Control: Any forms, papers, etc. that have SSN data on them should either be securely locked up or cross-shredded once they are no longer required.
  Testing Procedures: Inspect the process documentation (which needs to be re-certified quarterly by the business owner) that states the methods of physical security and proper destruction of any data that will not be entered digitally.

Control 3.5 – Security of Infrastructure
  Control: Any servers that are used to host SSN data must be properly secured.
  Testing Procedures: For servers that are hosted in business offices, inspect the physical security controls. Are badges required for office entry? Are servers further secured to only authorized personnel within the office? Are badges/tokens/PINs/etc. properly provisioned and removed when needs change?
  For any servers that are outsourced to a hosting provider, the SSAE16 report should be reviewed at least once a year to ensure the physical access controls at the vendor facilities remain secure.

Appendix A: Audit Calendar/Schedule

Control  Control Name                   Q1               Q2               Q3               Q4
1.1      Masking SSNs                   Initial Testing  n/a              Interim Testing  Remediation Testing
1.2      Encrypting SSNs for Transport  Initial Testing  n/a              Interim Testing  Remediation Testing
1.3      Protecting SSNs                Initial Testing  n/a              Interim Testing  Remediation Testing
1.4      Vulnerability Scanning         Initial Testing  Interim Testing  Interim Testing  Remediation Testing
1.5      Secure Data Entry              Initial Testing  n/a              Interim Testing  Remediation Testing
1.6      Backups                        Initial Testing  n/a              Interim Testing  Remediation Testing
2.1      SSN Usage for Authentication   Initial Testing  n/a              Interim Testing  Remediation Testing
3.1      User Registration              Initial Testing  n/a              Interim Testing  Remediation Testing
3.2      User Rights Review             Initial Testing  Interim Testing  Interim Testing  Remediation Testing
3.3      Non-Disclosure Agreement       Initial Testing  n/a              Interim Testing  Remediation Testing
3.4      Security of Physical Data      Initial Testing  n/a              Interim Testing  Remediation Testing
3.5      Security of Infrastructure     Initial Testing  n/a              Interim Testing  Remediation Testing

Interim Testing: inquiry-based update testing or full examination.
Remediation Testing: performed only if findings exist.
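Control 1.1 above accepts only the xxx-xx-1234 display format. As an added example that is not part of this audit plan, the following Python script scans text exported from a screen or report and flags every SSN that is not in that format, including the partially masked forms the control rejects; the sample text and its values are constructed.

```python
import re

# Control 1.1: SSNs may appear only as xxx-xx-1234 (last four digits visible).
# Added example, not part of the audit plan: scan captured screen/report text and
# flag anything that is not in the approved masked format.
MASKED_SSN = re.compile(r"\b[xX*]{3}-[xX*]{2}-\d{4}\b")
# Formatted, partially masked or raw nine-digit forms all count as findings.
UNMASKED_SSN = re.compile(
    r"\b(?:\d{3}-\d{2}-\d{4}"        # 123-45-6789
    r"|\d{3}-[xX*]{2}-\d{4}"         # 123-xx-6789 (partial masking is not enough)
    r"|[xX*]{3}-\d{2}-\d{4}"         # xxx-45-6789
    r"|\d{9})\b"                     # 123456789
)


def find_findings(screen_text):
    """Return (line_number, matched_text) for every SSN not shown as xxx-xx-NNNN."""
    findings = []
    for lineno, line in enumerate(screen_text.splitlines(), start=1):
        # Blank out correctly masked values first so they cannot be re-matched below.
        remainder = MASKED_SSN.sub(" ", line)
        for m in UNMASKED_SSN.finditer(remainder):
            findings.append((lineno, m.group(0)))
    return findings


# Constructed sample of captured screen text (all values are made up).
SAMPLE_SCREEN = """\
Employee: J. Doe       SSN: xxx-xx-1234
Employee: A. Roe       SSN: 987-65-4321
Employee: B. Poe       SSN: 111-xx-2222
SSN on file: 123456789
Captured 2016-04-13 09:15:00
"""

if __name__ == "__main__":
    for lineno, value in find_findings(SAMPLE_SCREEN):
        print(f"line {lineno}: unmasked SSN {value} -> finding")
```

A clean run returns an empty list; any hit is a finding under the control and should be paired with a date/time-stamped screenshot as evidence.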
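The testing procedure for control 3.1 above compares the application user list with a same-day HR list (new, removed, transferred users) and with the termination list, against the 2-business-day removal requirement. As an added example that is not part of this audit plan, the following Python reconciliation produces those sampling groups; the record layout (user id mapped to department, user id mapped to termination date) and all names and dates are constructed assumptions.

```python
from datetime import date, timedelta

# Control 3.1 reconciliation. Added example, not part of the audit plan; the
# record layouts below are assumptions, and holidays are ignored when counting
# business days.


def add_business_days(start, days):
    """Advance `start` by `days` business days (weekends excluded)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def reconcile(app_users, hr_users, terminations, as_of):
    """app_users:    {user_id: department} from the application layer.
    hr_users:     {user_id: department} from HR, generated the same day.
    terminations: {user_id: termination_date} from the termination list.
    Returns the groups the auditor samples from, plus terminated users who
    still hold access after the 2-business-day removal deadline."""
    new = sorted(set(app_users) - set(hr_users))          # in app, unknown to HR
    removed = sorted(set(hr_users) - set(app_users))      # in HR, no app access
    transferred = sorted(u for u in app_users
                         if u in hr_users and app_users[u] != hr_users[u])
    overdue = sorted(u for u, t_date in terminations.items()
                     if u in app_users and as_of > add_business_days(t_date, 2))
    return {"new": new, "removed": removed, "transferred": transferred,
            "terminated_with_access": overdue}


# Constructed sample lists (not real data).
APP_USERS = {"alice": "payroll", "bob": "hr", "carol": "payroll", "dave": "it"}
HR_USERS = {"alice": "payroll", "bob": "finance", "erin": "payroll"}
TERMINATIONS = {"carol": date(2016, 4, 8), "dave": date(2016, 4, 12)}
AS_OF = date(2016, 4, 13)  # the day both lists were generated (a Wednesday)

if __name__ == "__main__":
    for group, users in reconcile(APP_USERS, HR_USERS, TERMINATIONS, AS_OF).items():
        print(f"{group}: {users}")
```

Every user in "terminated_with_access" is selected for testing outright; the other three groups are sampled and provisioning/deprovisioning evidence is requested for each sampled individual.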