ISC Policy 2.00: Review of Confidential Information Technology (IT) Audit Findings

The Information Systems Council will review the Office of the Comptroller, Division of State Audit’s IT audit findings for all agencies, departments, boards, and commissions of state government as part of the State’s continuing effort to improve its security posture.

REFERENCE: Tennessee Code Annotated, Section 4-3-5501, et seq.

OBJECTIVES:

1. Provide an existing legislative forum, in the form of a closed meeting, for the discussion of information defined as confidential according to Tennessee Code Annotated, Section 10-7-504(i).

2. As a result of audit findings, determine whether additional technology or security policies and procedures are needed in order to improve the State’s security posture.

3. Comply with the Open Meetings Act by ensuring that proper public notice is given for Information Systems Council meetings at which non-confidential and confidential information will be discussed, and that meetings are conducted in compliance with Tennessee Code Annotated, Section 4-3-5509(b).

SCOPE:

This policy applies to all branches, agencies, departments, boards, and commissions of state government.

IMPLEMENTATION:

Department of Finance & Administration, Strategic Technology Solutions

1. Provide support to the Office of the Comptroller, Division of State Audit, upon request.

2. Maintain the Enterprise Information Security Policies.

3. Distribute the Enterprise Information Security Policy to agency, department, board, and commission staff, and train them on their responsibilities regarding the policy.

4. Work with agency, department, board, and commission staff to implement recommendations from audit findings.

5. Fulfill Open Meetings Act responsibilities.

Office of the Comptroller, Division of State Audit

1. Request to present agency, department, board, and commission IT audit findings and other audit information defined as confidential by Tennessee Code Annotated, Section 10-7-504(i), at Information Systems Council meetings.

2. Present agency, department, board, and commission IT audit findings and other audit information defined as confidential by Tennessee Code Annotated, Section 10-7-504(i), at Information Systems Council meetings.

Agency, Department, Board, and Commission Management

1. Ensure that agency, department, board, and commission staff receive the security training appropriate for their job functions.

2. Ensure that audit recommendations are considered and that corrective action plans are developed and executed.

3. As appropriate, consult with the Office of the State’s Chief Information Officer (CIO) on the steps needed to improve the agency’s security posture.

4. As appropriate, develop internal policies and procedures.

5. Ensure that internal policies and procedures are followed.

6. Attend Information Systems Council meetings and present corrective action plans upon request.

12/01/2022 – Approved by the Information Systems Council