Educause Security Discussion mailing list archives

Re: Sensitive Data Self-assessments


From: "Cheek, Leigh" <lcheek () UTK EDU>
Date: Thu, 8 Jun 2006 08:38:59 -0400

Hi Carolann,

In compliance with the Tennessee Financial Integrity Act, the university
must conduct a comprehensive review of internal controls over a four
year period and report any material weaknesses to the State.

Each year the university performs a self-evaluation of internal
accounting and administrative controls to comply with the Act. Audit
prepares a web questionnaire on two topics a year, with all eight of the
following topics reviewed over a four year period:
(1) equipment, (2) accounts receivable,
(3) personnel/payroll, (4) inventories,
(5) computer usage, (6) money handling,
(7) procurement of goods and services, (8) grant and contract
administration.

Last year, our two topics were computer usage and money handling. We
asked about sensitive information at that time. A copy of our 2005
self-assessment with answers can be found at
http://audit.tennessee.edu/pdf/sas2005.pdf

Other years' self-assessments are listed at
http://audit.tennessee.edu/sasindex.htm

This questionnaire will not be exactly what you are looking for, but
questions 13, 14, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 35,
65, and 66 will give you a place to start. 

Thanks, Leigh Cheek
(865) 974-4420


-----Original Message-----
From: C. Lazarus [mailto:CLazarus () BUSINESS BUFFALO EDU] 
Sent: Wednesday, June 07, 2006 10:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Sensitive Data Self-assessments

Well - interesting morning - I just returned from an ad-hoc meeting with
Student Affairs.  They were asked by their VP if what is happening with
the VA data could happen to them.  And the answer is -maybe.  So, they
want to protect their information, but they need to find out what's out
there, and do awareness training.  They would really like a risk
assessment, self-assessment type instrument that would supply them with
the information they want to collect, and also be a tool to educate
their users.  Anybody's organization have anything they would be willing
to share?  They want to see others because while I think we covered most
data (SSN, Bank Accounts, FERPA, Police, Grades, Drivers License,
Student Health) they want to make sure they haven't missed something
important. 
 
Thanks for any help.
 
Carolann G. Lazarus, CISA
IS Auditor - Internal Audit
University at Buffalo
645-5000 x1243
clazarus () business buffalo edu 
 
