
Things CISA has covered so far:

Security structure/personnel in an organization (CISO, incident response team, etc)

Security Policies and Standards

Data classification

Least Privilege/Separation of duties

NIST/PCI

IT Auditor Skills

Systems hardening

Experience: Enclaves, Data classification, EAD servers ATO, Priv Access Management cyberark project,
firewalls, subnets, Bitlocker, AppLocker, LAPS. Systems logging/splunk. Systems monitoring. Baseline
server hardening.

Account controls

Experience: EAD administration accounts, service accounts and security groups, Group Managed Service
Accounts, least privilege, permissions audit, ADUC Users/computers audit, GPO Audit, account
expirations, DUO, logging, implementing LAPS, CyberArk PAM. DHCP/MAC Filtering and IP reservations.
Account controls via group policy.

Documentation

Experience: Gradschool wiki, Gradschool Mura documentation, Gradschool Tech Newsletter, EAD wiki,
CyberArk wiki. Change Request process and documentation. Documentation for setting
up/upgrading/securing servers. Creating/maintaining asset records for all hardware and software.
Wrote canned responses for replying to high volumes of tickets. Expanded on existing EAD knowledge
base regarding migrating to EAD to make the process easier for IT Units – Created templates for
communicating migration and expectations to end users.

Policy Documentation

Experience: Gradschool onboarding/offboarding policy, infected computers policy, systems lifecycle
policy, etc. EAD Wiki: updated/revised policies regarding service accounts, priv accounts, ServiceNow
forms. CyberArk Wiki. Security Standards Committee: Data Disposal and Sanitization.

Unit consultations/training/consulting

Experience: Teaching background, consulting/training work done at Grad School. Software training at
Grad School (ms office, adobe, etc). User security training at gradschool/malicious emails.
Onboarding/New User Guide at Gradschool, Mura training at Gradschool, EAD Onboarding for IT Units,
CyberArk onboarding.

Communication skills:
Experience working with users face to face, via phone, Zoom, email, or chat. Experience planning and
organizing consultations for end users. Experience communicating security threats to staff, and
communicating large scale changes, planned outages, etc. Change requests communicated to entire
PSU IT Community via Yammer, NWOFP, etc.

Penn State Internal Audit is seeking to hire an IT Auditor Level 2 or 3 with internal or external auditing
experience. The Level 2 IT Auditor will participate in all aspects of the end-to-end audit and quality
control process to include engagement planning, coordination, and risk identification.

Engagement Planning/Coordination:

Planned unit consultations for onboarding departments/colleges into Enterprise Active Directory

• Developed a predetermined list of preliminary questions to help standardize this process, save
time, and streamline onboarding
• Developed a post-consultation email with “next steps” for units in the EAD migration process
• Developed documentation for communication strategies regarding EAD migration
• Scheduled migration consultation times, and coordinated test and production migrations.

Planned and coordinated Mura trainings for Graduate School

• Formal group trainings with staff from various departments of Graduate School

Planned and coordinated IT Resources for major Graduate School events (Graduate Exhibition)

Planned and coordinated machine lifecycles, equipment replacements/upgrades, and major OS
upgrades with end users and department heads

Planned and coordinated switch to VM Hosting services

Planned and coordinated migration to Enterprise Active Directory for Graduate School

Planned and coordinated server upgrades, public website upgrades, ITS Alerts messages

Assisted in planning/coordinating EAD Tech Pro’s panel discussion

Risk Identification:

Implemented server monitoring at grad school

Worked with OIS regarding vulnerability scans grad school

Identified security requirements, implemented firewalls, AV, notification processes, networking
safeguards, and other solutions

Developed a PII scanning policy at The Graduate School

Systems patching at Graduate School. Implemented automatic security updates and notifications for
Linux Apache web servers.

Implemented best practices and standards in the environment such as LAPS and AppLocker. Audited
equipment and user accounts on a routine basis. Audited firewall rules, group policies, and file
permissions.
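The routine user, computer and privileged-group audit referred to above, written out as an added PowerShell example; this is not code from the original notes or from any of the teams mentioned. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the directory; the 90-day window, the privileged group list and the output folder are illustrative choices, not values from the notes.

```powershell
# Added example: routine Active Directory account/computer audit.
# Assumptions (not from the notes): RSAT ActiveDirectory module installed, run on a
# domain-joined host with read access; $StaleDays, $PrivilegedGroups and $OutDir are
# illustrative values.
Import-Module ActiveDirectory

$StaleDays        = 90   # must exceed the ~14-day replication slack of lastLogonTimestamp
$Cutoff           = (Get-Date).AddDays(-$StaleDays)
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Server Operators'
$OutDir           = Join-Path 'C:\Audit' (Get-Date -Format 'yyyy-MM-dd')
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Enabled users that have not logged on within the window (or never have).
#    LastLogonDate is derived from lastLogonTimestamp, which replicates lazily and can
#    lag by up to ~14 days, so a window shorter than that would give false positives.
Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties LastLogonDate, PasswordLastSet, AccountExpirationDate |
  Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff } |
  Select-Object SamAccountName, LastLogonDate, PasswordLastSet,
                AccountExpirationDate, DistinguishedName |
  Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'stale-enabled-users.csv')

# 2. Enabled accounts whose password never expires. Expected for some service accounts,
#    but each should be a documented exception (or replaced by a gMSA). An SPN is a hint
#    that the account really is a service account rather than a person.
Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
    -Properties PasswordLastSet, servicePrincipalName |
  Select-Object SamAccountName, PasswordLastSet,
                @{n='HasSPN'; e={ $_.servicePrincipalName.Count -gt 0 }}, DistinguishedName |
  Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'password-never-expires.csv')

# 3. Membership of privileged groups, expanded through nested groups, so a user who
#    holds admin rights only via a nested group still appears in the report.
$PrivilegedGroups | ForEach-Object {
  $group = $_
  Get-ADGroupMember -Identity $group -Recursive |
    Select-Object @{n='Group'; e={ $group }}, SamAccountName, objectClass, DistinguishedName
} | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'privileged-members.csv')

# 4. Enabled computer objects not seen in the window: decommissioned or stray hosts
#    that still hold a valid machine account.
Get-ADComputer -Filter 'Enabled -eq $true' -Properties LastLogonDate, OperatingSystem |
  Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff } |
  Select-Object Name, OperatingSystem, LastLogonDate, DistinguishedName |
  Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'stale-computers.csv')

# Summary of what was written for this run.
Get-ChildItem $OutDir | Select-Object Name, Length
```

Each CSV is a dated snapshot, so diffing two runs shows what changed between audits (new privileged members, accounts that went stale), which is the evidence an auditor following up on prior findings actually needs. Disabling or removing anything the report surfaces is a separate, reviewed change, not something the audit script should do.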

Determined risk to organization for a variety of exploits and vulnerabilities – KRACK, Apache Struts,
ColdFusion patches, WannaCry ransomware

Systems hardening with EAD/CyberArk team per Microsoft, PSU, or vendor specifications

The Level 2 IT Auditor will use applicable systems and programs to support and perform the audits,
document audit issues, make recommendations and procedural comments for distribution of findings to
appropriate management and draft reports for assigned audits.

Reported to Leadership Committee at Graduate School regarding a variety of security incidents, exploits
and issues – KRACK, WannaCry, Apache Struts, firmware vulnerabilities, network vulnerabilities.
Provided timely updates regarding the resolution of outstanding issues. Provided monthly PII reports to
all department heads at The Graduate School.

The successful candidate will also monitor and perform follow-up procedures on the status of prior audit
findings and recommendations to ensure that report recommendations are being implemented on a
timely basis.

- Follow-up correspondence to users regarding PII

The Level 3 IT Auditor may also develop audit plans and will be required to assess the level of risk in the
unit/work process under audit. The Level 3 IT Auditor will also identify and document internal controls
related to Information Technology including general infrastructure, application and security controls.
The Level 3 IT Auditor will also provide consultation and participate in projects to ensure that the
University is in compliance with regulations and security standards, such as NIST 800-53, PCI and HIPAA,
and to ensure that controls are in place prior to implementation of new systems. Experience in auditing,
information systems or information systems security in higher education is desirable. Experience in
programming and data analytics with tools such as ACL and CaseWare is also desirable. The Auditor
must have excellent verbal and written communication, analytical and organizational skills; the ability to
work in a collaborative environment; demonstrate strong professional judgment and an ability to work
with a variety of cultures and backgrounds. The successful candidate will be able to work independently
with minimal supervision. Penn State and the Office of Internal Audit are committed to fostering
diversity, inclusion, and equal opportunity. This job will be filled as a level 2, or level 3, depending upon
the successful candidate's competencies, education, and experience. Typically requires a Bachelor's
degree or higher plus two years of related experience, or an equivalent combination of education and
experience for a level 2. Additional experience and/or education and competencies are required for
higher level jobs. Bachelor’s degree in Accounting or Information Systems is preferred for a Level 2 IT
Auditor. A Bachelor’s degree in Accounting or Information Systems and certifications, such as CISA, CPA
or CIA, are preferred for the Level 3 IT Auditor.
