Common Root Causes for Major IT Findings. Alex Gard, Principal IT Auditors, Kansas; Peg Bodin, Assistant Director of IT Audit, Washington. NSAA – IT, September 28, 2021


Page 1: Common Root Causes for Major IT Findings

Common Root Causes for Major IT Findings

Alex Gard, Principal IT Auditors, Kansas
Peg Bodin, Assistant Director of IT Audit, Washington

NSAA – IT
September 28, 2021

Page 2: Common Root Causes for Major IT Findings

Kansas - intro

• Est’d 1971

• Seated within the Legislative branch

• Agency top executive – Appointed

• Size: ~25 staff, 4 IT staff (all present)

• Does not conduct financial audits

• But we used to!

What is Kansas Legislative Division of Post Audit?

Page 3: Common Root Causes for Major IT Findings

Kansas - intro

• Conducts:

• Performance audits: efficiency / effectiveness of programs; targeted questions

• IT security audits: state agencies, boards, commissions, universities, school districts; all sizes (5,000 FTE to 2-3 persons)

• IT project monitoring: loosely embedded staff to alert the Legislature to potential major issues; high-level focus on project scope, cost, schedule, and security

What We Do

Page 4: Common Root Causes for Major IT Findings


• Includes school districts, library districts, diking and drainage districts, and many others

• We also audit state agencies, such as Department of Social and Health Services as well as universities and community colleges

• In addition, we audit the finances of the state as a whole

We Audit Every Government in the State

~2,300 local governments

Page 5: Common Root Causes for Major IT Findings

Information

Agenda

- Our processes

- Two common methods

- 5 Whys

- Fishbone

- Exercises

Page 6: Common Root Causes for Major IT Findings

• Quick YB Refresh! 4 parts of an audit finding (YB 6.17)

• Condition – The What – what is observed or measured

• Criteria – What is being measured against, usually best practice, statute, or other standard

• Cause – The Why – underlying reason(s) behind the condition

• Effect – The So What, Who Cares

Parts of an Audit Finding – Yellow Book

Page 7: Common Root Causes for Major IT Findings

• OLD PROCESS (up until 2018) –

• Developed individualized causes for individual audit findings

• Created as the work on individual tests was done

• Overall root cause for the entire entity

• Largely developed by tying similar-themed causes from individual findings together

• Occasionally added other information (e.g. observations, auditor judgment, etc.)

Something Old…

Page 8: Common Root Causes for Major IT Findings

• Criteria 1: Passwords shall not be changed more frequently than once every 15 days without system administrator intervention. User accounts should have a maximum lifespan of 90 days.

• Condition 1: Users’ passwords in System X application are static.

• Cause 1: The application code does not allow users to change their passwords.

• Criteria 2: Accounts shall be restricted to a maximum of 5 consecutive failed log in attempts before being locked out.

• Condition 2: System X application settings allowed 500 consecutive failed attempts before being locked out.

• Cause 2: The agency thought its contractor handled these settings, and the contractor was unaware of state IT requirements.

Example Under Old Method
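As an added example (not from the presentation), the criteria and conditions on this slide can be turned into an automated control check that emits the "Condition" half of a finding for each deviation. The thresholds are the slide's criteria; the setting names and the System X values are constructed for illustration.

```python
from dataclasses import dataclass

# Criteria stated on the slide; these are the audit's yardsticks.
MIN_PASSWORD_AGE_DAYS = 15   # no user-driven change more often than every 15 days
MAX_PASSWORD_AGE_DAYS = 90   # maximum lifespan before a change is required
MAX_FAILED_LOGINS = 5        # consecutive failures allowed before lockout


@dataclass(frozen=True)
class Finding:
    criteria: str
    condition: str


def check_auth_settings(app: str, settings: dict) -> list:
    """Compare one application's settings against the criteria.

    Returns one Finding (criteria + observed condition) per deviation; an
    empty list means both criteria are met. Setting keys are assumed names.
    """
    findings = []
    pw_criteria = ("Passwords change no more often than every 15 days "
                   "and expire within 90 days")
    if not settings.get("users_can_change_password", False):
        findings.append(Finding(pw_criteria,
            f"Users' passwords in {app} are static; the application "
            "does not allow users to change them."))
    else:
        min_age = settings.get("password_min_age_days", 0)
        max_age = settings.get("password_max_age_days")  # None = never expires
        if min_age < MIN_PASSWORD_AGE_DAYS:
            findings.append(Finding(pw_criteria,
                f"{app} allows password changes every {min_age} days."))
        if max_age is None or max_age > MAX_PASSWORD_AGE_DAYS:
            shown = "never" if max_age is None else f"after {max_age} days"
            findings.append(Finding(pw_criteria,
                f"{app} expires passwords {shown}."))

    lockout = settings.get("lockout_after_failed_logins")  # None = no lockout
    if lockout is None or lockout > MAX_FAILED_LOGINS:
        shown = "unlimited" if lockout is None else str(lockout)
        findings.append(Finding(
            "Lockout after at most 5 consecutive failed login attempts",
            f"{app} settings allowed {shown} consecutive failed attempts "
            "before being locked out."))
    return findings


# Constructed settings mirroring the slide's two System X conditions.
SYSTEM_X = {"users_can_change_password": False,
            "lockout_after_failed_logins": 500}

if __name__ == "__main__":
    for f in check_auth_settings("System X", SYSTEM_X):
        print(f"Criteria: {f.criteria}\nCondition: {f.condition}\n")
```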

Page 9: Common Root Causes for Major IT Findings

• NEWER PROCESS (2019 to present) –

• No longer formally develop individualized causes

• Often developed at end of fieldwork as the report is put together

• Overall root cause for the entire entity

• Developed now by tying together common themes from the audit areas (e.g. Access Control findings, Physical Security findings, etc.)

• More fluid than old process

Something New…

Page 10: Common Root Causes for Major IT Findings

• Finding 1: Users’ passwords in the System X application are static.

• Finding 2: System X application settings allowed 500 consecutive failed attempts before being locked out.

• Finding 3: The agency does not have a formal MOU with the contractor who administers its System X application.

• Cause: The agency’s poor IT security posture stems from a combination of trusting its IT contractor to provide services and not having the in-house expertise to determine whether those services were being adequately provided.

Example under New Method

Page 11: Common Root Causes for Major IT Findings


Washington: Determining cause

Systems

• Share observations

• Correct?

• Why?

Cybersecurity

• Large scope

• Biggest strengths

• Most significant deficiencies

• Barriers

Page 12: Common Root Causes for Major IT Findings

Table Talk


• 5 minutes

• Around the table

• Introductions

• How do you identify cause?

• What are common causes that you find?

Page 13: Common Root Causes for Major IT Findings

Root Cause Analysis – 5 Whys


Page 14: Common Root Causes for Major IT Findings

Root Cause Analysis: Fishbone

Originally designed as a quality management tool to aid in finding cause and effect

More open-ended approach vs. 5 Whys

Brainstorm-y

May work better when fewer facts are known or the opportunity to ask follow up questions is limited


Page 15: Common Root Causes for Major IT Findings

Drawing a Fishbone

Page 16: Common Root Causes for Major IT Findings

“Drawing” a Fishbone

[Fishbone template: a “Problem” head with six category bones: Machines, Methods, Materials, People, Environment, Measurement]

Page 17: Common Root Causes for Major IT Findings

Root Cause Analysis: Fishbone

[Fishbone diagram. Problem: Major security patches not implemented. Category bones: Machines, Methods, Materials, People, Environment, Measurement. Factors written on the bones: Older, Legacy, Connectivity, Apple, Manual, Windows, Decentralized, Inherited, Configure, Missing, Expired, Access, No scan configured, Decentralized, Priority, Unaware, WFH, Training, Role, Turnover]

Page 18: Common Root Causes for Major IT Findings


Instructions

• 5 minutes at your table to discuss a calculation error

• No right or wrong – Make up any details we didn’t provide. Just take your conversation wherever it goes

• Tables on the left use the 5 Why approach

• Tables on the right use the Fishbone approach

• When we come back, we’ll share the possible root causes we identified

Group Exercise – Prison Calculation

Page 19: Common Root Causes for Major IT Findings

Group Exercise – Prison Calculation

Situation

• The Department of Corrections calculates the prison sentence for each person imprisoned in their facility.

• The calculation is complex considering the judge’s sentencing and behavioral adjustments, among other things.

• The error resulted in inmates being released early or held too long.

What is the cause?

Full group share

• What did you identify as a possible root cause?


Page 20: Common Root Causes for Major IT Findings


Instructions

• 5 minutes at your table to discuss a calculation error

• No right or wrong – Make up any details we didn’t provide. Just take your conversation wherever it goes

• Tables on the right use the 5 Why approach

• Tables on the left use the Fishbone approach

• When we come back, we’ll share the possible root causes we identified

Group Exercise – Default Passwords

Page 21: Common Root Causes for Major IT Findings

Group Exercise – Default Passwords

Situation

• Our audit found the agency had the default password in their utility billing application that is internet facing.

What is the cause?

Full group share

• What did you identify as a possible root cause?

Page 22: Common Root Causes for Major IT Findings

Questions


Page 23: Common Root Causes for Major IT Findings

Information


Peg Bodin

[email protected]

(564) 999-0965

Alex Gard

[email protected]

(564) 999-0965