Information technology (IT) is a key enabler for the university’s mission activities of educating students, creating knowledge and art and serving communities as well as for the administrative enterprise necessary to support the mission. As MSU increases its reliance on IT systems to conduct its activities and store its data, the availability and protection of its systems and data takes on greater significance and also leads to higher IT costs. An IT Auditor position should be created at MSU and staffed in the Institutional Audit & Advisory Services (IAAS) office to provide independent, objective IT assessments and advisory services to help ensure that we protect our student, employee and other data; maintain the availability of critical systems; and run efficient, effective and compliant IT operations.

IAAS, MSU’s internal audit function, is a four-campus office whose mission is to provide independent, objective audit and advisory services designed to add value and improve MSU’s operations. IAAS’ responsibilities include helping to ensure that risks (including compliance, financial, information security and operational) are appropriately identified and managed. Although IAAS has responsibility to monitor IT risks, it currently lacks technological expertise to sufficiently fulfill this responsibility.

Most very high research universities’ internal audit offices have IT auditors on their staffs because of IT’s significance to their organizations. Although MSU’s Information Technology Center includes the Enterprise Security Group (ESG), this group focuses more on preventing information security issues through providing security tools to campus; developing security policy; and providing voluntary assessments, scans, and training. IAAS’ IT Auditor would focus more on detecting security issues by conducting regular audits of both central and distributed IT functions. Having an IT auditor that works for the independent IAAS instead of within ITC would strengthen MSU’s ability to detect security issues because we would not have a “fox guarding the hen house” situation, although IAAS’ Director and IT Auditor would work closely with ESG to ensure that our respective efforts are complimentary and strengthen the institution’s information security profile.

MSU has experienced multiple exposures of data in recent years which may have been prevented if someone was proactively working with IT administrators to ensure that proper practices were being followed. Although MSU has a responsibility to be a good steward of its information resources, data exposures also lead to economic costs associated with data breach investigation, notification and potential legal costs. A significant or series of significant data exposures could also affect MSU’s reputation and damage its ability to recruit students and personnel and to successfully solicit donations from alumni and others.

MSU’s operations would be greatly hindered if its IT systems and data were unavailable for a significant amount of time. An IT Auditor would help to proactively review systems to ensure that good practices are followed to minimize the likelihood of system unavailability. In addition, MSU does not have a mature disaster recovery and business continuity program. An IT Auditor could help coordinate efforts for disaster recovery and business continuity among our multiple campuses and units.

Between its central and distributed functions, MSU-Bozeman spends a minimum of $18 million dollars annually on IT and employs approximately 140 IT staff. This is a significant percentage of the university’s operating budget and may increase as the use of IT becomes even more prevalent. An IT Auditor could help to ensure that MSU runs efficient and effective IT operations by helping to improve IT processes, identifying unnecessary redundancy and ensuring that statutory and legal requirements and good practices are followed by IT administrators.

In addition to these primary impacts and benefits, an IT Auditor could help the university to achieve Strategic Plan Objective D.2: Enhance infrastructure in support of research, discovery and creative activities. Internet2’s InCommon Assurance Program allows campuses to certify that, for those using more-sensitive information services, there is a stronger process for issuing credentials and granting access. In order to obtain the level of certification required for MSU to benefit from some of these services, an IT auditor would be required.

A search committee composed of multi-campus and Bozeman central and distributed IT staff would be formed to conduct the search in summer 2013.

After hiring the IT Auditor, the IAAS Director would work with him or her and ESG to adopt a framework for assessing information technology and systems before conducting an institutional IT risk assessment. The results of this assessment would be used to develop the IT section of IAAS’ annual audit plan, which would guide the actions of the IT Auditor. This process would then be repeated on a regular basis.

IAAS is currently refining its quality assessment program, which is required by International Standards of The Institute of Internal Auditors, in preparation for a quality assessment review to be conducted by peer university auditors during summer 2013. All of the IT Auditor’s work will be reviewed to help ensure that quality is maintained.

In addition, metrics that could be used to assess the effectiveness of the IT audit program include the following:

• Percent of IT administrators engaged for assessments and advisory services
• Risk assessment coverage of critical applications
• Percent of data classified in accordance with data stewardship guidelines
• Percent of applications covered by a disaster recovery and business continuity strategy
• IT operational inefficiencies identified

If assessed objectives were not met within four years the IT Auditor positions could be eliminated.