Policy # : 03-02
Effective: April 1, 2003
Section: Operations and Services
Subject: Computer Audits
To describe the procedure by which ISS conducts an audit of the computing equipment throughout the college.
POLICY APPLIES TO
All full-time and part-time ISS employees and all employees of the college.
An audit in ISS parlance is when an ISS technician visits an office or lab in a department, center, or school to inventory the computer equipment in that location. An audit is triggered when, through the normal course of business, an ISS technician discovers that there are discrepancies appearing in the ISS Computer Bank DataBase (CBDB). Audits can also be done routinely as needed. A unit in the college can request an audit if they feel that the CBDB does not accurately represent their inventory. Liaisons have access to the CBDB via a web browser.
When the errors in the CBDB reach a critical level, they impact the technician’s ability to efficiently process service requests. At that time, it is important not only to ISS but also to the units we service to correct these errors. Ultimately, these errors affect the costs of doing business, which impacts all of us. The data in the CBDB has also been used by PSU Computer Security to investigate security incidents; thus, its accuracy is vital.
Errors can develop in the CBDB in a variety of ways. The movement of PCs and printers without ISS’s involvement, the installation of new PCs by someone other than an ISS technician without alerting us to this fact, and equipment sent to Salvage without ISS being notified will corrupt the CBDB data. We would prefer to prevent these errors by being notified when changes are made, but since that does not always happen, the best way to correct these errors and “clean up” the CBDB is to conduct an audit.
The liaisons are the “eyes and ears” of ISS in the college. We rely on them to circulate information on ISS activities and other computer-related items of interest that we bring to their attention. All audits are scheduled in advance in consultation with the liaison of the affected area. The liaison should then notify the employees in their area of the audit. Unless there is reason to schedule an audit during core hours (8 AM – 5 PM), audits are conducted off hours so as to minimize disruption to college employees.
If the audit was requested by a unit, they will be charged for the service. If ISS decides that an audit is needed, there will be no charge to the unit for the service.
ISS holds responsibility in part for the college’s adherence to PSU Computer Security Policies. ISS has the right to enter an office or lab “without prior notice to the user” if there is cause for concern. PSU Policy AD20 Computer and Network Security gives broad powers to college computer support groups like ISS. Policy AD20 is the prime motivator by which we decide if entry to an office or lab is warranted. If we suspect that there are violations of this policy, we must make unannounced visits. History shows that if we announce our intentions, the violators will remedy the situation prior to our visit. We value your privacy and carefully consider the effects of unannounced visits. These visits are discussed and planned in detail prior to their execution.
An ISS technician will knock on your door and introduce themselves. If there is no answer, the technician will enter the office using a master key. If there is an answer, the technician will identify themselves and state the intentions of their visit. If you are using one of the computers in the area at that time, it will be necessary for you to take a short break while the technician gathers data from the PC. This should be a short interruption in your day - a few minutes at most. The technician is either looking for a match with what the CBDB lists or noting the specifics of the PC if it is not in the CBDB. This data will then be analyzed and changes will be incorporated in the CBDB.
Anytime an ISS-tagged device (computer or printer) is altered or moved, a service request should be filed by your liaison with ISS. Changes noted on the service request form will then be entered in the CBDB. Without this information, there is no mechanism for these changes to make their way back to ISS and to the CBDB. ISS highly discourages making changes to ISS-tagged equipment without a service request being submitted. The potential for creating a computer security incident is heightened when this type of work is performed by unauthorized individuals. If an incident occurs, the individual responsible for that office or lab will be held accountable.