Independent Auditors Report to the Commissioner for Law Enforcement Data Security -


Commissioner for Law Enforcement Data Security
Audit of Victoria Police Compliance with CLEDS standards on Access Control and Release
June 2008

Reference: FY07/08
Version: Final
Date of review: April - June, 2008
Date of final report: June 2008
Review Sponsor: Laurie Bebbington - Commissioner for Law Enforcement Data Security
Circulation:
- Laurie Bebbington - Commissioner for Law Enforcement Data Security
- Andrew Dell - Commissioner for Law Enforcement Data Security
- Stephen Woolley - PricewaterhouseCoopers
- Puneet Kukreja - PricewaterhouseCoopers

Independent Auditors Report to the Commissioner for Law Enforcement Data Security - Report on Victoria Police compliance with CLEDS standards on Access Control and Release

Objective and Scope of our work

This audit has been undertaken to determine the extent to which Victoria Police is compliant with the Commissioner for Law Enforcement Data Security (CLEDS) Access Control Standards 8-10, and Release Standards (the Standards) as at May. As determined by the Office of CLEDS, the Law Enforcement Systems in scope for the audit in respect of Standards 8 & 10 are:
- Law Enforcement Assistance Program (LEAP)
- Interpose
- the Victoria Police Local Area Network.

The focus of each of the Standards subject to this audit has been summarised below, and a copy of the complete standards has been included in Appendix D.

Std   Summary of the standard's objective
Access Control standards
8     Security screening, ensuring that personnel are deemed suitable prior to being granted access
9     Existence and maintenance of an effective access control policy
10    Procedures for monitoring access to law enforcement data
Release standards
11    Policy and procedures for authorised release of law enforcement data
12    Electronic release of law enforcement data
13    Disposal of law enforcement data

Responsibilities of the Commissioner for Law Enforcement Data Security and Victoria Police

The Commissioner for Law Enforcement Data Security (CLEDS) published the Standards for Victoria Police Law Enforcement Data Security (CLEDS Standards) in July. Victoria Police are required to comply with these standards and the associated protocols. It is the responsibility of CLEDS to monitor compliance with these standards by Victoria Police.

Auditor's Responsibility

Our responsibility is to conduct this audit in accordance with ASAE 3000 Assurance Engagements other than Audits or Reviews of Historical Financial Information and other applicable Australian Auditing Standards, and accordingly we included such tests and procedures as we considered necessary in the circumstances.

Use of this report

Our report is prepared solely for your information for the purpose stated in the Request for Quotation dated 14 April 2008 and is not to be used for any other purpose. Our report may not be distributed to any third party unless (a) you obtain our prior written permission or (b) you undertake that the deliverables will be distributed to third parties under your name, without attribution to PwC, and that you will not use PricewaterhouseCoopers' name, logo, trademark, service mark or branding in association with the deliverables, nor attribute the deliverables to PwC in any discussions with third parties. We disclaim any assumption of responsibility for any reliance on this report to any party other than CLEDS, or for any purpose other than that for which it was prepared. We do not accept any responsibility for losses occasioned to CLEDS or to any other party as a result of the circulation, reproduction or use of our final or draft report contrary to the provisions of this paragraph.

Inherent limitations

There are inherent limitations in any internal control structure, and fraud, error or non-compliance with laws and regulations may occur and not be detected. As the systems, procedures and controls to ensure compliance with the Standards are part of the operations of Victoria Police, it is possible that either the inherent limitations of the general internal control structure, or weaknesses in it, can impact on the effective operation of the specific control procedures in relation to the Standards. Furthermore, the projection to future periods of any conclusions based on our findings is subject to the risk that changes may alter the validity of such conclusions or that the degree of compliance with the control procedures may deteriorate.

Qualification

It was identified through this review that Victoria Police has demonstrated partial compliance with the CLEDS Access Control Standards 8-10, and CLEDS Release Standards. The following high level findings were noted:
- Standard 8 - Process for performing a full Security Check on potential employees requires improvement.
- Standard 9 - Application access control policies require improvement.
- Standard 10 - Auditing and monitoring of access to law enforcement data requires improvement.
- Standard 11 - Policies and communication procedures supporting the release of law enforcement data require improvement.
- Standard 12 - Enterprise wide electronic messaging security solution is required.
- Standard 13 - Law enforcement data disposal processes and associated communication procedures require improvement.

Our detailed findings are set out in Appendix B, Findings and recommendations. Our opinion should not be viewed in isolation and must be read in conjunction with this report as a whole.

Qualified Opinion

Except for the matters set out under Appendix B, Findings and recommendations, based on the work performed, nothing has come to our attention that would cause us to believe that Victoria Police has not complied with the Commissioner for Law Enforcement Data Security Access Control Standards 8-10, and Release Standards. Details of the work performed and our findings are set out in Appendix A - E.

PricewaterhouseCoopers
M Haas
Partner
Melbourne
26 June 2008

Contents

Appendix A Executive Summary - 5
Appendix B Review findings and recommendation - 16
  Standard 8 Findings - 16
  Standard 9 Findings - 20
  Standard 10 Findings - 26
  Standard 11 Findings - 29
  Standard 12 Findings - 33
  Standard 13 Findings - 35
  Multi Standard Findings - 38
Appendix C Management and staff interviewed - 39
Appendix D Standards and Protocols Subject to Audit - 41
Appendix E Documentation Reviewed - 50

Appendix A Executive Summary

Objective

This audit has been undertaken to determine the extent to which Victoria Police is compliant with the Commissioner for Law Enforcement Data Security (CLEDS) Access Control Standards 8-10, and Release Standards (the Standards).

Scope

The scope of this review was to assist the Commissioner for Law Enforcement Data Security (CLEDS) to monitor the compliance of Victoria Police against the Standards for Victorian Police Law Enforcement Data Security (2007) - Access Control and Release. The standards defined in Chapter 3 of Standards for Victoria Police Law Enforcement Data Security (CLEDS Standards), Access Control, have a major application to law enforcement data stored in Information Technology (IT) systems. For the scope of this review, it was agreed with the Office of CLEDS that three major Law Enforcement Systems would be considered in scope for the Access Control Standards (8-10). These systems are:
- the Law Enforcement Assistance Program (LEAP), which stores the particulars of all crimes brought to the notice of police as well as family incidents and missing persons
- Interpose, which stores intelligence information for all major investigations and serious crimes
- the Victoria Police Local Area Network, which provides electronic shared storage for law enforcement data generated outside Law Enforcement Systems by Victoria Police employees in the course of their duties.

The review of Standards concerning Release (11-13) focused on those areas of Victoria Police with significant corporate responsibility, such as the Legal Services Department and Records Services Division, then examined operational end-user application at working Police Stations.

Approach

This review was performed through:
- interviews and discussions with key Victoria Police staff
- review of Victoria Police Policy and process documentation, including the Enterprise Information Security Policy (EISP), Victoria Police Manual (VPM) and supporting documents where applicable (see Appendix E)
- analysis of relevant access control and release processes (see Appendix E).

Background

The Commissioner for Law Enforcement Data Security (CLEDS) published the Standards for Victoria Police Law Enforcement Data Security (CLEDS Standards) in July. Victoria Police are required to comply with these standards and the associated protocols. Part of CLEDS' responsibilities is to monitor compliance with these CLEDS standards by Victoria Police.

This review was undertaken to determine the extent to which Victoria Police is compliant with CLEDS Access Control Standards 8-10, and CLEDS Release Standards. These specific standards were first issued to Victoria Police in the publication Standards and Protocols for Access to, and Release of law enforcement data by CLEDS in February. These standards remained unaltered in the later released full Standards for Victoria Police law enforcement data security (CLEDS Standards). The focus of each of the standards subject to this audit has been summarised below, and a copy of the complete standards has been included in Appendix B.

Std   Summary of the standard's objective
Access Control standards
8     Security screening, ensuring that personnel are deemed suitable prior to being granted access
9     Existence and maintenance of an effective access control policy
10    Procedures for monitoring access to law enforcement data
Release standards
11    Policy and procedures for authorised release of law enforcement data
12    Electronic release of law enforcement data
13    Disposal of law enforcement data

Governing all Victoria Police operations is the Victoria Police Manual (VPM). The VPM outlines what Victoria Police considers to be good work practices, in the form of organisationally endorsed policies, procedures and guidelines. The VPM is supported by other documents which include standards, guidelines, process and procedures for access control and release of law enforcement data, as illustrated in the following diagram:

Diagram 1: Victoria Police Access Control and Release Policy Structure (Source: PricewaterhouseCoopers)

Findings

It was identified through this review that Victoria Police has demonstrated partial compliance with the CLEDS Access Control Standards 8-10, and CLEDS Release Standards.

Standard 8 - Partially Compliant. Process for performing a full Security Check on potential employees requires improvement.

Whilst the Human Resources and Business Management departments performing full security checks are following operational practices, standardised formal process documentation was not identified. Once a check has been performed and an employee deemed suitable, this information is not available for reference by system sponsors prior to their actioning of access requests. Review of internal monitoring procedures supporting full Security Checks identified that approximately 700 unsworn members and 4000 contractors employed at Victoria Police have not been subject to a full Security Check. In addition, the revocation of access to Interpose is not considered on the ESD checklist completed when an employee is placed under investigation.

Standard 9 - Partially Compliant. Application access control policies require improvement.

The current Enterprise Information Security Policy (EISP) provides a foundation to support the overall IT security strategy at Victoria Police. However, a supporting application access control policy has not been formalised for the Interpose system. Further review of the Interpose user administration procedures identified areas of improvement required to ensure an adequate audit trail over user administration activities performed.

It was further identified that:
- the level of understanding in regards to the responsibilities for review and revocation of user access rights varied between employees interviewed
- generic accounts exist on the LAN without a formally documented business requirement, approval and list of mitigating controls
- Victoria Police has not utilised the right to audit clause in contracts with its IT Service Providers to perform an audit over their operations
- the password for a new account was provided to two separate Victoria Police employees prior to the account owner being notified.

Standard 10 - Partially Compliant. Auditing and monitoring of access to law enforcement data requires improvement.

Proactive audits on the LEAP and Interpose systems are undertaken by the respective management units and Corporate Management Review Division (CMRD). However, no formal documentation was identified supporting the schedule of audit, associated audit procedures and benchmarks for these audits. In addition, further discussions with CMRD highlighted that they do not have access to Interpose and Victoria Police Local Area Network audit logs.

Standard 11 - Partially Compliant. Policies and communication procedures supporting the release of law enforcement data require improvement.

Existing policies and procedures supporting the release of law enforcement data do not provide adequate coverage for all protocols within Standard 11, including the requirement to record the release of law enforcement data. A discussion with Victoria Police members has highlighted an inconsistent level of understanding and knowledge regarding policies and procedures supporting release of law enforcement data.

Standard 12 - Partially Compliant. Enterprise wide electronic messaging security solution is required.

A discussion with Victoria Police members has highlighted that provision exists for individual members to obtain encryption software; however, it is limited and expensive in nature. An enterprise wide encryption solution is currently under consideration by BITS. It has been noted that reactive measures for monitoring of emails are in place, but they lack real time scanning and filtering functionality.

Standard 13 - Partially Compliant. Law enforcement data disposal processes and associated communication procedures require improvement.

The Victoria Police Manual (VPM) does not provide adequate coverage supporting the CLEDS standard for disposal of law enforcement data. The current Enterprise Information Security Policy (EISP) provides guidance supporting elements of Standard 13 and provides a good foundation to enhance the management practices supporting disposal of law enforcement data. A discussion with Victoria Police members has highlighted an inconsistent level of understanding and knowledge regarding policies and procedures supporting disposal of law enforcement data.

Appendix B of this report includes detailed descriptions of the areas of partial or non compliance which were identified during this review.

Recommendations

The following recommendations have resulted from our review:

Access Control Standards

Std 8
- Standard Operating Procedures should be formalised and communicated for the completion of full security checks. Where possible the procedures should be standardised across the departments responsible for the full security checks to ensure a consistent approach to aligning with the requirements of Protocol 8.1.
- A central repository should be established to record the results of full security checks for potential employees of all categories. This repository should allow for all information regarding security checks to be collated, including the approval of the responsible hiring manager stating that they are suitable for employment. In addition, it should provide the capability to record an ESD identifier to communicate that a current employee is subject to an internal investigation. This will allow application and data owners to determine the suitability of a user to access law enforcement data prior to any access request being approved.
- A central register, as per finding 2, should be established to flag employees as suitable for access to law enforcement data. This register should be consulted by staff responsible for granting physical and logical access prior to any rights being approved. It was noted that Victoria Police has commenced identifying staff currently employed as an Unsworn Member, Contractor or Consultant that have not been subject to a security check and subsequently determining their suitability for access to law enforcement data. Consideration should also be given to establishing a centralised vetting department / process responsible for ensuring all potential employees are subjected to a security check and determining their suitability for access to law enforcement data. This will provide for greater control over the security checking process and ensure that an appropriate decision tree is employed when reviewing security check results.
- Victoria Police should update the 'Disciplinary Transfer / Leave Direction / Suspension Checklist' to ensure it includes provision for revoking access rights to all law enforcement data sources when an employee is subject to an investigation.

Std 9
- The updated LEAP Standard Operating Procedures, which include the LEAP Access Control Policy, should be submitted for approval and communicated to all relevant parties.
- The Interpose Business Support Unit should document an application specific Access Control Policy and publish it for system users to ensure they are aware of their rights and responsibilities. In addition, the current application management practices should be documented in Standard Operating Procedures to ensure all requirements of Standard 9 Protocols are integrated into operational practices and addressed consistently. Following this, the application's login screen should be updated to display notice that by logging on to the system the user acknowledges the terms and conditions of the Access Control Policy.
- The Interpose Business Support Unit should review user administration practices and consider the following to improve controls:
  - incorporating the use of VP Forms to govern access requests and provide additional control over the information captured in a request and an adequate audit trail supporting user administration procedures
  - when a user is removed from the system, in addition to revoking access rights, the user account should be disabled to ensure user deregistration is appropriately logged and recorded.
- CMRD should organise an independent audit to review the control frameworks, processes and procedures undertaken by IBM and Fujitsu to administer user access and manage the environment. An independent review will provide Victoria Police with comfort that outsourced operations are being managed in compliance with the requirements of the Standards for Victorian Police Law Enforcement Data Security (2007).
- Victoria Police should communicate the policies and procedures regarding the review and removal of access rights to all employees. In addition to regular communications, an education program should be rolled out state wide addressing the requirement for managers to proactively request the adjustment of user rights when circumstances and job responsibilities change.
- Victoria Police should perform periodic assessment of all Victoria Police Local Area Network accounts to identify all generic accounts. Where no defined business requirement or associated approval can be established the accounts should be immediately deleted. Where a valid business requirement might exist, it should be documented along with approved mitigating controls and submitted to the CIO and Security Executive for assessment and sign off.
- Victoria Police should review password allocation practices for all law enforcement data and consider the following to improve controls:
  - formally document the process for password management activities, including allocations as well as resets, to ensure users and administrators are aware of the approved operational practices
  - implement a mechanism to ensure users sign a statement to acknowledge the receipt of a new password
  - procedures should be updated to ensure passwords are only provided directly to users after their identity has been confirmed.

Std 10
- The Corporate Management and Review Division should work with BITS, the LEAP Management Unit and Interpose Business Support Unit to define a formal program for the proactive review of Victoria Police Local Area Network, LEAP and Interpose audit logs. The agreed review program should provide:
  - a review schedule which should acknowledge the need and make allowances for the performance of ad-hoc investigative reviews
  - review scopes that define what tests are to be performed and their purpose
  - detailed procedures for the performance of the scoped reviews to ensure they provide adequate coverage and can be performed by a person who is not intricately familiar with the systems
  - CMRD with the required comfort that they are able to independently attest to the adequacy of the proactive audit log reviews.
- It was noted during our review that Business Information Technology Services are currently in the process of receiving expressions of interest for Security Event Monitoring software, which is scheduled for completion in June. The Security Event Monitoring software implemented should have the ability to:
  - centrally collate all audit logs into a database
  - retain audit logs for an indefinite period.
  This solution or an equivalent should be implemented in a timely manner and configured in consultation with CMRD to ensure that the appropriate reports are generated and access rights are granted.
- In addition, the Interpose Business Support Unit should provide CMRD representatives with access to the application's audit logs, and a formal monitoring program should be developed and implemented by CMRD.
- It was noted during our review that CMRD are investigating implementing an automated issues tracking application. Symsure is currently being investigated for the automated detection and tracking of issues with automated processes. In addition to implementing an issues tracking process, either via manual register or via automated solution, we recommend CMRD formalise and communicate procedures and formats for the reporting, escalation and follow up of issues.

Release Standards

Std 11
- Victoria Police should review policy governing release of information and enhance it to address all requirements of Protocol 11.2 &
- Policies and relevant operating procedures regarding information release should be communicated to all employees. In addition to regular communications, an education program addressing the processes for information release and required monitoring activities should be implemented across the organisation.
- Victoria Police should communicate the policies and procedures regarding the release of law enforcement data to all employees, contractors and consultants. In addition to regular communications, an education program describing scenarios and case studies which highlight appropriate actions regarding the release of information should be implemented across the organisation. In addition, Victoria Police employees should be provided with reference material such as checklists for inclusion in patrol folders that:
  - remind members of their roles and responsibilities regarding the release of information
  - provide a decision tree and additional contacts for determining the validity of an information release where appropriate.
- The Freedom of Information Office should enhance current operating procedures so that they reflect current practices, including the use of the FOI Manager application.
- Victoria Police should consider formalising the mechanism for recording information released by officers to ensure an adequate audit trail is available to monitor instances of information release.
- The contents of Victoria Police's suite of Information Bulletins should be reviewed to ensure that they address the requirements of CLEDS standards in a clear and concise manner. In addition, Victoria Police should ensure that a clear centralised strategy and governance framework is established for the publication of Information Bulletins. The strategy should define:
  - the roles and responsibilities of Victoria Police departments in relation to information bulletins
  - methods for dissemination of the information bulletins to ensure coverage of all employees
  - schedules for the rotation and update of information bulletins to ensure the relevancy and currency of the messages portrayed.

Std 12
- Decisions regarding the implementation of an enterprise wide encryption solution should be given priority, as it would assist Victoria Police in addressing the requirements of CLEDS Standard 12. Furthermore, consideration should be given to implementing the Enterprise Vault Compliance Accelerator, which can provide proactive audit capabilities, scanning emails for compliance with a defined rule base.

Std 13
- Victoria Police should communicate the policies and procedures regarding the disposal of law enforcement data to all employees. In addition to regular communications, an education program addressing the correct methods for disposal of information should be rolled out state wide. All Victoria Police departments and stations should also appoint a current staff member to be a disposal co-ordinator, responsible for performing spot checks on all waste containers and storage areas to ensure that law enforcement data is disposed of in accordance with policy.
- Victoria Police should enhance the VPM policies and relevant Records Disposal Unit procedures to clearly communicate the requirements of protocol 13.1 within the Standards for Victoria Police law enforcement data security. Consideration should be given to including a Policy Reference in VPM Instruction to the Records Disposal Guide.

Multi Standard Recommendations
- Victoria Police should draft a single standard Memorandum of Understanding for Approved Third Parties with access to law enforcement data that specifies a requirement for compliance with all relevant Standards for Victoria Police Law Enforcement Data Security. In addition, the MoU should carry a schedule documenting the systems/law enforcement data that the ATP has been granted access to. Victoria Police should ensure that the new MoU is executed with all Approved Third Parties as a matter of priority. Where ATPs are granted access to law enforcement data under an alternative authorisation, such as an act of parliament or other contractual agreements, the proposed CLEDS compliant MoU should be executed where provision for this is granted.

Appendix B of this report includes detailed recommendations for remediation of findings and improvements proposed as a result of our review.

Appendix B Review findings and recommendation

The key issues arising from this review and recommended management action plans are summarised below under the heading of the applicable standard. The issues that are applicable to multiple in scope CLEDS standards have been documented under the heading of Multi Standard Findings.

Standard 8 Findings

Standard 8: Victoria Police Employees, Contractors, Consultants and Approved Third Parties must be deemed suitable prior to being granted access to law enforcement data. Victoria Police must ensure that Agreements with Approved Third Parties who access law enforcement data require all users to undergo a security check.

Overall Rating: Partially Compliant

Standard 8 captures an essential and pre-requisite step for assignment of access rights to Victoria Police law enforcement data. Assessing the suitability of all Employees, Contractors, Consultants and Approved Third Parties to access physical and logical Victoria Police environments is a critical control in ensuring the continued confidentiality, integrity and availability of law enforcement data. Review of Victoria Police practices in relation to Standard 8 identified positive aspects. The full security checks reviewed as part of our testing were at a high level aligned with the requirements of Protocol 8.1. Operating procedures for the completion of full security checks have not been formally documented; however, staff interviewed were able to outline the steps involved in the process.

Ref # 1: Procedures for the completion of full security checks have not been documented or communicated
Standard/Protocol: 8.1

Observation: Following review of the process for undertaking full security checks on all potential employees it was noted that there are multiple teams across the Human Resource and Business Management departments performing this activity. This is dependent on the employment category of the potential applicant. The Recruiting Services Branch is responsible for performing a full security check on all potential sworn members. Within the Records Services Division there are three distinct teams responsible for performing full security checks on potential unsworn members, contractors and consultants. The Records Services Division has documented procedures for performing Paid Checks which are applicable to contractors. It was noted however that they are out of date and do not fully reflect the current processes utilised by the division. Procedures for full security checks on sworn and unsworn members and consultants have not been documented by either the Human Resource or Business Management departments.

Implication: The lack of formal current procedures for the performance of full security checks increases the risk of key components and control activities not being performed. This could potentially allow a person with a criminal history to be deemed suitable for employment and gain access to law enforcement data.

Recommendation: Standard Operating Procedures should be formalised and communicated for the completion of full security checks. Where possible the procedures should be standardised across the departments responsible for the full security checks to ensure a consistent approach to aligning with the requirements of Protocol 8.1.

Ref # 2: The process for performing and recording the results of full Security Checks on potential employees requires improvement
Standard/Protocol: 8.1

Observation: Review of the current practice for documenting security checks identified that:
- only the personal details of the subject and the date a check was performed are recorded
- a record of the check being performed is stored in one of three separate databases, dependent on the employment category of the potential applicant
- the databases are not linked to enable a master record of checks performed
- the results of the check and an applicant's suitability for access to law enforcement data are not recorded.

In addition, it was noted that current practices do not:
- include a mechanism to determine if a potential contractor or consultant has been the subject of an Ethical Standards Department (ESD) investigation that is incomplete or resulted in only internal, not criminal, disciplinary measures. For example, currently if a sworn member resigns from Victoria Police, any current (non criminal) investigation underway by ESD ceases. If the member then applies to work for Victoria Police as a contractor or consultant, ESD are not part of the security check and this aspect of their past history may not be considered.
- include a mechanism to record the results of a full security check and the subsequent approval of the responsible hiring manager that an applicant is suitable for access to law enforcement data
- allow personnel responsible for controlling access to law enforcement data to determine if a user requesting access has undergone a full security check and been deemed suitable for access to law enforcement data.

Implication: The identified design weaknesses in the security checking practices increase the risk that access to law enforcement data could be granted to individuals deemed unsuitable from a security perspective.

Recommendation: A central repository should be established to record the results of full security checks for potential employees of all categories. This repository should allow for all information regarding security checks to be collated, including the approval of the responsible hiring manager stating that they are suitable for employment. In addition, it should provide the capability to record an ESD identifier to communicate that a current employee is subject to an internal investigation. This will allow application and data owners to determine the suitability of a user to access law enforcement data prior to any access request being approved.

Ref # 3: Full security checks have not been performed on all Victoria Police Employees, Contractors and Consultants
Standard/Protocol: 8.1

Observation: Testing of security checks performed for a sample of Victoria Police Employees, Contractors and Consultants identified 1 instance out of 20 where a contractor has been granted access to the Victoria Police Centre without evidence of a security check having been performed. Whilst no evidence could be identified that the individual has been granted access to law enforcement data, this could be a result of any user accounts established for the individual having since been deleted from the system. Deleting any associated account would have resulted in the removal of all auditable records related to the individual. In addition, findings from our review of Standard 13 indicate that once physical access has been gained, law enforcement data could be obtained from insecure waste bins or other sources.

Recommendation: A central register, as per finding 2, should be established to flag employees as suitable for access to law enforcement data. This register should be consulted by staff responsible for granting physical and logical access prior to any rights being approved. It was noted that Victoria Police has commenced identifying staff currently employed as an Unsworn Member, Contractor or Consultant that have not been subject to a security check and subsequently determining their suitability for access to law enforcement data. Consideration should also be given to establishing a centralised vetting department / process responsible for ensuring all potential employees are subjected to a security check and determining their suitability for access to law enforcement data. This will provide for greater control over the security checking process and ensure that an appropriate decision tree is employed when reviewing security check results.

Observation (continued): It was noted via discussion with the Workplace Relations Assistant Director, Human Resource Department that approximately 700 unsworn members and 4000 contractors have been employed at Victoria Police without having been subject to a security check. Information regarding the commencement dates for the employees identified was unavailable at the time of reporting. Review of responsibilities for the vetting of security check results noted

19 Ref # Finding Standard/ Protocol Recommendation that it is performed in a decentralised manner by: the hiring manager for unsworn members, contractors and consultants a Sergeant in the Recruitment department for all sworn members. In addition, confirmation that the results have been vetted is not recorded. This finding is also indicates of a lack of periodic reviews required in Protocol 8.1. Implication: The test exception had not been identified by Victoria Police prior to this examination, thus identifying a gap in internal monitoring procedures. The existence of employees not captured by the intent of this standard indicates a design weakness in the control framework and the performance of security clearances for all employees. This increases the risk that contractors and consultants could be granted access to law enforcement data without an assessment of their suitability having been performed. This could potentially result in unauthorised use, release or modification which compromises the data's confidentially, integrity and availability. 4 The 'Disciplinary Transfer / Leave Direction / Suspension Checklist does not include access to Interpose. Observation: When an investigation into an employee action is commenced by the Ethical Standards Department they complete a 'Disciplinary Transfer / Leave Direction / Suspension Checklist to consider what privileges should be removed from the user until the investigation is concluded. 8.1 Recommendation: Victoria Police should update the 'Disciplinary Transfer / Leave Direction / Suspension Checklist to ensure it includes provision for revoking access rights to all law enforcement data sources when an employee is subject to an investigation. Review of the checklist identified that it provides the ability for an investigator to alter access rights of the user to the Victoria Police Local Area Network and LEAP. No provision is available to action the same for Interpose. 
Implication: Lack of provision for altering access rights to Interpose during an internal investigation increases the risk a user facing disciplinary action potentially using existing rights to compromise the confidentiality, integrity and availability of intelligence data on the Interpose system. Standard 8 findings and recommendations 19

Standard 9 Findings

Standard 9: An access control policy must be established, documented and reviewed based on business and security requirements for access to law enforcement data. Victoria Police must ensure that Agreements with Approved Third Parties include the requirements to maintain an access control policy.

Overall Rating: Partially Compliant

The requirements of Standard 9 provide a foundation on which the Access Control Policies of Victoria Police should be based. Access control policies assist in preventing unauthorised user access and misuse of law enforcement data. Access Control Policies are a key mechanism for ensuring that users are aware of their responsibilities for maintaining effective access controls and should be communicated accordingly.

Review of the Victoria Police Access Control Policies and system administration practices supporting the Victoria Police Local Area Network, LEAP and Interpose systems found them to be, at a high level, aligned with the requirements of the Standard 9 Protocols. In addition, Victoria Police currently undertakes a proactive approach to identifying and addressing weaknesses in their security administration control framework.

Finding 5: LEAP and Interpose Standard Operating Procedures which incorporate Application Access Control Policies should be documented in compliance with CLEDS standards
Standard/Protocol: 9.1

Observation: Review of the Access Control Policy Framework implemented at Victoria Police identified that the Enterprise Information Security Policy (EISP) is the foundation of the organisation's information security strategy, providing overall guidance on access control. At a high level, for the purposes of access control to the Victoria Police Local Area Network, the EISP is considered appropriate (see recommendation 7 for operational implementation).

Whilst the EISP supports the operations of the Victoria Police Local Area Network, it explicitly mandates that the System Sponsor for each application system is responsible for "the documentation and publication of access control policy and procedures; and the implementation of the policy and procedures in relation to the control of access to that application system, and any information managed by that application system."

Assessment of the LEAP and Interpose systems in reference to this requirement noted that:
- The LEAP Management Unit has documented SOPs in place which have recently been redrafted in response to the requirements of the CLEDS Standards. Whilst only minor updates were made to align them with the requirements of the in-scope standards, it was noted that the new SOPs have not been approved or communicated
- The Interpose Business Support Unit has not documented an Access Control Policy or Standard Operating Procedures (SOPs) to govern user access administration for the application.

Implication: Lack of formally approved and documented Access Control Policies and Standard Operating Procedures increases the risk that user access administration activities will not be performed in a controlled, repeatable and auditable manner, potentially compromising the integrity and availability of the LEAP and Interpose systems.

Recommendation: The updated LEAP Standard Operating Procedures, which include the LEAP Access Control Policy, should be submitted for approval and communicated to all relevant parties. The Interpose Business Support Unit should document an application-specific Access Control Policy and publish it for system users to ensure they are aware of their rights and responsibilities. In addition, the current application management practices should be documented in Standard Operating Procedures to ensure all requirements of the Standard 9 Protocols are integrated into operational practices and addressed consistently. Following this, the application's login screen should be updated to display a notice that by logging on to the system the user acknowledges the terms and conditions of the Access Control Policy.

Finding 6: Interpose user administration procedures require improvement
Standard/Protocol: 9.1 & 9.2

Observation: Testing of Interpose user administration procedures identified that:
- evidence of approval for the access rights of 14 out of 20 user accounts tested was not available
- access requests are performed via which does not provide an adequate audit trail
- when an Interpose user deregistration request is actioned, the user's access rights are revoked; however, the account remains active, preventing appropriate logging and monitoring of these activities. By not setting the disabled flag on user accounts, associated audit reports of disabled users will not be complete, increasing the time required for systems administrators and auditors to periodically review user rights.

Review of Interpose user administration procedures identified that user administration request forms have been developed using Microsoft Word rather than by utilising the standard VP Forms infrastructure. VP Forms provides additional controls, not included in the Microsoft Word prototypes, including data entry validation and automated workflow linked to the Victoria Police Global Address List. In addition, approvals noted in VP Forms are inserted automatically and cannot be edited or applied by other users without knowledge of their authentication tokens, strengthening the control framework over the integrity of the audit trail supporting user administration procedures. It was further noted that the requirement to use these forms has not been formalised.

We recognise that the Interpose Business Support Unit have recently initiated regular reviews of access rights by responsible security group owners.

Implication: The above findings indicate a design weakness in the Interpose user access administration control framework. This increases the risk that:
- the ability to monitor and audit authorisation for user administration activities might be compromised
- users may be granted access rights to law enforcement data that are not commensurate with job responsibilities.
This could potentially result in unauthorised use, release or modification of data, compromising its confidentiality, integrity and availability.

Recommendation: The Interpose Business Support Unit should review user administration practices and consider the following to improve controls:
- incorporating the use of VP Forms to govern access requests and provide additional control over the information captured in a request and an adequate audit trail supporting user administration procedures
- when a user is removed from the system, in addition to revoking access rights, the user account should be disabled to ensure user deregistration is appropriately logged and recorded.

Finding 7: Victoria Police should exercise the right to audit clause in their contracts with IT Service providers
Standard/Protocol: 9.2

Observation: Review of Victoria Police Local Area Network management practices has identified that responsibility for administration has been outsourced to IBM and Fujitsu. It was noted via discussion that service level agreements have been established and regular reporting to Victoria Police takes place. However, there is currently no mechanism in place to obtain independent comfort over the design and effectiveness of the control frameworks governing the Victoria Police Local Area Network administration processes and procedures currently in place.

Implication: The lack of audit comfort over the operations of outsourced IT providers increases the risk that, whilst they may be meeting service levels, the processes and procedures utilised to manage the environment are not in compliance with Victoria Police Policies and Standards.

Recommendation: CMRD should organise an independent audit to review the control frameworks, processes and procedures undertaken by IBM and Fujitsu to administer user access and manage the environment. An independent review will provide Victoria Police with comfort that outsourced operations are being managed in compliance with the requirements of the Standards for Victoria Police Law Enforcement Data Security (2007).

Finding 8: Education regarding the review and revocation of user rights requires improvement
Standard/Protocol: 9.2

Observation: Through discussion with managers, both at the Victoria Police Centre (VPC) and at the two police station visits organised by CLEDS, it was noted that the level of understanding in regards to the requirements for review and revocation of user access rights varied. Further inquiry identified that the data owner of a sensitive shared drive on the Victoria Police Local Area Network has been provided with a utility to facilitate regular access reviews. However, other members indicated that they were not aware of any processes currently in place to facilitate the review of access rights on shared drives.

Testing of the time taken to disable Victoria Police Local Area Network and LEAP user accounts for terminated members noted that:
- for eight (out of 20) users tested, the date when the Victoria Police Local Area Network accounts were disabled could not be identified
- for seven (out of 20) users tested, Victoria Police Local Area Network user accounts were disabled a week or more after they ceased employment, with the largest variance identified at 164 days
- LEAP user accounts for nine (out of 20) users tested were disabled a week or more after they ceased employment, with the largest variance identified at 154 days.

Implication: Lack of review and subsequently delayed revocation of access rights increases the risk that accounts of terminated users can be used for malicious activities. This could potentially result in the loss of law enforcement data integrity.

Recommendation: Victoria Police should communicate the policies and procedures regarding the review and removal of access rights to all employees. In addition to regular communications, an education program should be rolled out state-wide addressing the requirement for managers to proactively request the adjustment of user rights when circumstances and job responsibilities change.

Finding 9: Generic accounts exist on the Victoria Police Local Area Network
Standard/Protocol: 9.4

Observation: A high level review of Victoria Police Local Area Network accounts identified that potentially 282 generic accounts exist. These 282 accounts were identified through the analysis of:
- user IDs, e.g. user names commencing with VG (VG00001)
- account descriptions, e.g. "Dandenong Generic ID" or "McTest, Testy".

As generic accounts are not permitted under Protocol 9.4, a sample of 5 was investigated to identify the purpose, approval for creation and mitigating controls. This review noted:
- two accounts had a defined business purpose and were approved by the Business Information Technology Services Department (BITS); however, mitigating controls were only documented for one of the two reviewed
- approval for two accounts was not available from BITS or IBM, and a request for the removal of these accounts was lodged following the audit inquiry
- approval was not available for one account, testing Leap Management, with access to the IMD$ share and the Information Services Division folder.

No further testing was performed over the other accounts as:
- the purpose, approval for creation and mitigating controls had not been documented for all investigated accounts
- all accounts sampled were generic, despite this being non-compliant with Protocol 9.4.

Implication: Existence of generic user accounts increases the risk that these accounts could potentially be utilised to perform malicious activities. As usage of generic accounts cannot be traced and mapped to an individual user, the risk of their being exploited is increased, which could result in the availability, integrity and confidentiality of law enforcement data being compromised.

Recommendation: Victoria Police should perform periodic assessment of all Victoria Police Local Area Network accounts to identify all generic accounts. Where no defined business requirement or associated approval can be established, the accounts should be immediately deleted. Where a valid business requirement might exist, it should be documented along with approved mitigating controls and submitted to the CIO and Security Executive for assessment and sign-off.
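The two tests behind findings 8 and 9 (lag between cessation and account disabling, and indicators of generic accounts) can be automated over an account export. The script below is an added example written for this page, not Victoria Police or PricewaterhouseCoopers tooling; the Account record, the field names, the regular expressions and the sample export are assumptions built from the indicators the findings quote (user names commencing with VG, descriptions such as "Dandenong Generic ID" or "McTest, Testy", and "a week or more" as the late threshold).

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Indicators taken from finding 9: user names commencing with "VG" (e.g. VG00001)
# and descriptions such as "Dandenong Generic ID" or "McTest, Testy".
# The regular expressions are this example's assumptions, not Victoria Police rules,
# and are deliberately broad: a hit is a candidate for review, not a verdict.
GENERIC_ID_RE = re.compile(r"^VG\d+$", re.IGNORECASE)
GENERIC_DESC_RE = re.compile(r"generic|test", re.IGNORECASE)

# Finding 8 treats an account disabled "a week or more" after cessation as late.
LATE_THRESHOLD_DAYS = 7


@dataclass
class Account:
    """One row of a (constructed) account export."""
    user_id: str
    description: str
    ceased: Optional[date] = None    # date employment ended; None if still employed
    disabled: Optional[date] = None  # date the account was disabled; None if unknown


def generic_reason(acct: Account) -> Optional[str]:
    """Return why an account looks generic, or None if it looks like a named user."""
    if GENERIC_ID_RE.match(acct.user_id):
        return "user id pattern"
    if GENERIC_DESC_RE.search(acct.description):
        return "description keyword"
    return None


def revocation_lag_days(acct: Account) -> Optional[int]:
    """Days from cessation to disabling; None when either date is not recorded."""
    if acct.ceased is None or acct.disabled is None:
        return None
    return (acct.disabled - acct.ceased).days


def revocation_status(acct: Account, threshold: int = LATE_THRESHOLD_DAYS) -> str:
    """Classify a leaver's account as 'n/a' (not a leaver), 'unknown', 'late' or 'ok'."""
    if acct.ceased is None:
        return "n/a"
    lag = revocation_lag_days(acct)
    if lag is None:
        return "unknown"  # the exception finding 8 reports as "could not be identified"
    return "late" if lag >= threshold else "ok"


def review(accounts: List[Account]) -> Dict[str, object]:
    """Summarise the exceptions an auditor would report for findings 8 and 9."""
    generic = {a.user_id: generic_reason(a) for a in accounts if generic_reason(a)}
    status = {a.user_id: revocation_status(a) for a in accounts}
    lags = [lag for lag in map(revocation_lag_days, accounts) if lag is not None]
    return {
        "generic_accounts": generic,
        "late": sorted(u for u, s in status.items() if s == "late"),
        "unknown_disable_date": sorted(u for u, s in status.items() if s == "unknown"),
        "max_lag_days": max(lags) if lags else None,
    }


# Constructed sample export; the names and dates are invented for this example.
SAMPLE_ACCOUNTS = [
    Account("VG00001", "Dandenong Generic ID"),
    Account("mctest", "McTest, Testy"),
    Account("jsmith", "Smith, John", ceased=date(2008, 1, 1), disabled=date(2008, 6, 13)),
    Account("abrown", "Brown, Anne", ceased=date(2008, 3, 3), disabled=date(2008, 3, 5)),
    Account("cwhite", "White, Chris", ceased=date(2008, 2, 1)),
    Account("dgreen", "Green, Dana"),
]

if __name__ == "__main__":
    for key, value in review(SAMPLE_ACCOUNTS).items():
        print(f"{key}: {value}")
```

On the sample export the review flags the two generic candidates, reports jsmith as late with a 164-day lag and lists cwhite under unknown disable date, mirroring the three exception types the findings describe.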
Finding 10: Password controls and allocation procedures require improvement
Standard/Protocol: 9.5

Observation: Review of password controls and allocation procedures for the Victoria Police Local Area Network, LEAP and Interpose identified that:
- whilst the process for password resets has been documented, no formal process for the allocation of passwords for new user accounts has been established. Current operational practice is for the Help Desk to provide

Recommendation: Victoria Police should review password allocation practices for all law enforcement data and consider the following to improve controls:
- formally document the process for password management activities, including allocations as well as resets, to ensure users and administrators are aware of the approved operational practices


INTERNAL AUDIT FINAL REPORT CNES FINANCE AND CORPORATE RESOURCES DEPARTMENT CLOUD IT SYSTEMS AND THE CRM SYSTEM OFFICIAL OFFICIAL INTERNAL AUDIT FINAL REPORT CNES FINANCE AND CORPORATE RESOURCES DEPARTMENT CLOUD IT SYSTEMS AND THE CRM SYSTEM AUTHOR DISTRIBUTION David Beaton Director of Finance and Corporate Resources Internal Audit

More information

Policy Document. Communications and Operation Management Policy

Policy Document. Communications and Operation Management Policy Policy Document Communications and Operation Management Policy [23/08/2011] Page 1 of 11 Document Control Organisation Redditch Borough Council Title Communications and Operation Management Policy Author

More information

Access Control Policy

Access Control Policy Version 3.0 This policy maybe updated at anytime (without notice) to ensure changes to the HSE s organisation structure and/or business practices are properly reflected in the policy. Please ensure you

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY Policy approved by: Audit and Governance Committee Date: 4 th December 2014 Next Review Date: December 2016 Version: 1 Information Security Policy Page 1 of 17 Review and Amendment

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire

More information

Western Australian Auditor General s Report. Information Systems Audit Report

Western Australian Auditor General s Report. Information Systems Audit Report Western Australian Auditor General s Report Information Systems Audit Report Report 10 June 2012 Auditor General s Overview The Information Systems Audit Report is tabled each year by my Office. It summarises

More information

Department of State Health Services Human Resources - A Review

Department of State Health Services Human Resources - A Review John Keel, CPA State Auditor An Audit Report on The Department of State Health Services Human Resources Management at State Mental Health Hospitals Report No. 11-044 An Audit Report on The Department of

More information

Gatekeeper Public Key Infrastructure Framework. Compliance Audit Program

Gatekeeper Public Key Infrastructure Framework. Compliance Audit Program Gatekeeper Public Key Infrastructure Framework Compliance Audit Program V 2.1 December 2015 Digital Transformation Office Commonwealth of Australia 2015 This work is copyright. Apart from any use as permitted

More information

Remote Access Policy

Remote Access Policy BASINGSTOKE AND NORTH HAMPSHIRE NHS FOUNDATION TRUST Remote Access Policy Summary This is a new document which sets out the policy for remote access to the Trust s network and systems. Remote access is

More information

DVLA ELISE GSi Closed User Group Code of Connection

DVLA ELISE GSi Closed User Group Code of Connection DVLA ELISE GSi Closed User Group Code of Connection Security Warning Notice The following handling instructions apply to this document: - Handle, use and transmit with care - Take basic precautions against

More information

Dacorum Borough Council Final Internal Audit Report

Dacorum Borough Council Final Internal Audit Report Dacorum Borough Council Final Internal Audit Report ICT Change Management Distribution list: Chris Gordon Group Manager Neil Telkman - Information, Security and Standards Officer Gary Osler ICT Service

More information

RTO Delegations Guidelines

RTO Delegations Guidelines RTO Delegations Guidelines ISBN 0 7594 0389 9 Victorian Qualifications Authority 2004 Published by the Victorian Qualifications Authority This publication is copyright. Apart from any use permitted under

More information

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite. www.lepide.com/2020-suite/

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite. www.lepide.com/2020-suite/ Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite 7. Restrict access to cardholder data by business need to know PCI Article (PCI DSS 3) Report Mapping How we help 7.1 Limit access to system

More information

Standard: Information Security Incident Management

Standard: Information Security Incident Management Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of

More information

We then give an overall assurance rating (as described below) indicating the extent to which controls are in place and are effective.

We then give an overall assurance rating (as described below) indicating the extent to which controls are in place and are effective. Good Practice Audit outcomes analysis Police Forces April 2013 to April 2014 This report is based on the final audit reports the ICO completed in the Criminal Justice sector, specifically of Police forces,

More information

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland Audit Report Effectiveness of IT Controls at the Global Fund Follow-up report GF-OIG-15-20b Geneva, Switzerland Table of Contents I. Background and scope... 3 II. Executive Summary... 4 III. Status of

More information

HIPAA Audit Risk Assessment - Risk Factors

HIPAA Audit Risk Assessment - Risk Factors I II Compliance Compliance I Compliance II SECTION ONE COVERED ENTITY RESPONSIBILITIES AREA ONE Notice of Privacy Practices 1 Is your full notice of privacy practices given to every new patient in your

More information

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure

More information

IT Security Management

IT Security Management The Auditor-General Audit Report No.23 2005 06 Protective Security Audit Australian National Audit Office Commonwealth of Australia 2005 ISSN 1036 7632 ISBN 0 642 80882 1 COPYRIGHT INFORMATION This work

More information

Guideline on Access Control

Guideline on Access Control CMSGu2011-08 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Access Control National Computer Board Mauritius Version 1.0

More information

COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES

COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES DRAFT FOR CONSULTATION June 2015 38 Cavenagh Street DARWIN NT 0800 Postal Address GPO Box 915 DARWIN NT 0801 Email: utilities.commission@nt.gov.au Website:

More information

INFORMATION TECHNOLOGY RISK MANAGEMENT PLAN

INFORMATION TECHNOLOGY RISK MANAGEMENT PLAN 10/25/2012 TECHNOLOGY SERVICES INFORMATION TECHNOLOGY RISK MANAGEMENT PLAN Procedure Name: LIT Risk Management Information Technology Plan ver 2.31.docx Risk Management Plan Issue Date: TBD Procedure Owner:

More information

1.1 Terms of Reference Y P N Comments/Areas for Improvement

1.1 Terms of Reference Y P N Comments/Areas for Improvement 1 Scope of Internal Audit 1.1 Terms of Reference Y P N Comments/Areas for Improvement 1.1.1 Do Terms of Reference: a) Establish the responsibilities and objectives of IA? b) Establish the organisational

More information

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions

More information

Gatekeeper PKI Framework. February 2009. Registration Authority Operations Manual Review Criteria

Gatekeeper PKI Framework. February 2009. Registration Authority Operations Manual Review Criteria Gatekeeper PKI Framework ISBN 1 921182 24 5 Department of Finance and Deregulation Australian Government Information Management Office Commonwealth of Australia 2009 This work is copyright. Apart from

More information

NSERC SSHRC AUDIT OF IT SECURITY Corporate Internal Audit Division

NSERC SSHRC AUDIT OF IT SECURITY Corporate Internal Audit Division AUDIT OF IT SECURITY Corporate Internal Audit Division Natural Sciences and Engineering Research Council of Canada Social Sciences and Humanities Research Council of Canada September 20, 2012 Corporate

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

SECURITY INCIDENT REPORTING AND MANAGEMENT. Standard Operating Procedures

SECURITY INCIDENT REPORTING AND MANAGEMENT. Standard Operating Procedures SECURITY INCIDENT REPORTING AND MANAGEMENT Standard Operating Procedures Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme.

More information

Solihull Metropolitan Borough Council. IT Audit Findings Report September 2015

Solihull Metropolitan Borough Council. IT Audit Findings Report September 2015 Solihull Metropolitan Borough Council IT Audit Findings Report September 2015 Version: Responses v6.0 SMBC Management Response July 2015 Financial Year: 2014/2015 Key to assessment of internal control

More information

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Standard Database Security Configurations Are Adequate, Although Much Work Is Needed to Ensure Proper Implementation August 22, 2007 Reference Number:

More information

Auditing Standard ASA 600 Special Considerations Audits of a Group Financial Report (Including the Work of Component Auditors)

Auditing Standard ASA 600 Special Considerations Audits of a Group Financial Report (Including the Work of Component Auditors) ASA 600 (October 2009) Auditing Standard ASA 600 Special Considerations Audits of a Group Financial Report (Including the Work of Component Auditors) Issued by the Auditing and Assurance Standards Board

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

How To Ensure Network Security

How To Ensure Network Security NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

Compliance. Group Standard

Compliance. Group Standard Group Standard Compliance Serco is committed to good governance practices and the management of risks supported by a robust business compliance process SMS-GS-G2 Compliance July 2014 v1.0 Serco Public

More information

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07 EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014

More information

Our Impacts: accurate base factor data supporting Audit Ready Output

Our Impacts: accurate base factor data supporting Audit Ready Output Our Impacts: accurate base factor data supporting Audit Ready Output Report on third party sourced base factors used within the Our Impacts platform as at 31 January 2014 and the design of internal controls

More information

Information System Audit Guide

Information System Audit Guide Australian Government Department of Defence Information System Audit Guide VERSION 11.1 January 2012 Commonwealth of Australia 2011 Page 1 TABLE OF CONTENTS 1. INTRODUCTION TO ACCREDITATION...4 2. THE

More information

Summary of Information Technology General Control Environment Findings for the year ended 30 June 2015

Summary of Information Technology General Control Environment Findings for the year ended 30 June 2015 Summary of Inmation Technology General Control Environment Findings the year ended 30 June 2015 1 Change management Complete Revisiting the Change Management control process documentation and updating

More information

REMOTE WORKING POLICY

REMOTE WORKING POLICY Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Complying with the Records Management Code: Evaluation Workbook and Methodology

Complying with the Records Management Code: Evaluation Workbook and Methodology Complying with the Records Management Code: Evaluation Workbook and Methodology Page 1 of 110 Crown copyright 2006 First edition published February 2006 Author: Richard Blake The National Archives Ruskin

More information

Implementation of Internal Audit Recommendations: Summary of Progress Report by Head of Finance

Implementation of Internal Audit Recommendations: Summary of Progress Report by Head of Finance Financial Scrutiny and Audit Committee 11 February 2014 Agenda Item No 13 Implementation of Internal Audit : Summary of Progress Report by Finance Summary: This report updates members on progress in implementing

More information

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy BOARD OF DIRECTORS PAPER COVER SHEET Meeting date: 22 February 2006 Agenda item:7 Title: Purpose: The Trust Board to approve the updated Summary: The Trust is required to have and update each year a policy

More information

United States Citizenship and Immigration Services (USCIS) Enterprise Service Bus (ESB)

United States Citizenship and Immigration Services (USCIS) Enterprise Service Bus (ESB) for the United States Citizenship and Immigration Services (USCIS) June 22, 2007 Contact Point Harry Hopkins Office of Information Technology (OIT) (202) 272-8953 Reviewing Official Hugo Teufel III Chief

More information

Principles for the assessment and management of complaints and notifications

Principles for the assessment and management of complaints and notifications July 2014 Principles for the assessment and management of complaints and notifications Introduction The Council s functions, powers and responsibilities as a regulator are specified in the Health Practitioners

More information

An Approach to Records Management Audit

An Approach to Records Management Audit An Approach to Records Management Audit DOCUMENT CONTROL Reference Number Version 1.0 Amendments Document objectives: Guidance to help establish Records Management audits Date of Issue 7 May 2007 INTRODUCTION

More information

AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW. 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR

AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW. 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR Web Portal Security Review Page 2 Audit Report 03-11 Web Portal Security Review INDEX SECTION I EXECUTIVE SUMMARY

More information

Information Security Programme

Information Security Programme Information Security Programme Information Security Policy This document is issued in the strictest business confidence. It should be read in conjunction with a number of other supporting and complementary

More information

SAFETY and HEALTH MANAGEMENT STANDARDS

SAFETY and HEALTH MANAGEMENT STANDARDS SAFETY and HEALTH STANDARDS The Verve Energy Occupational Safety and Health Management Standards have been designed to: Meet the Recognised Industry Practices & Standards and AS/NZS 4801 Table of Contents

More information

EA-ISP-005-Personnel IT Policy. Technology & Information Services. Owner: Adrian Hollister Author: Paul Ferrier Date: 17/02/2015

EA-ISP-005-Personnel IT Policy. Technology & Information Services. Owner: Adrian Hollister Author: Paul Ferrier Date: 17/02/2015 Technology & Information Services EA-ISP-005-Personnel IT Policy Owner: Adrian Hollister Author: Paul Ferrier Date: 17/02/2015 Document Security Level: PUBLIC Document Version: 1.00 Document Ref: EA-ISP-005

More information

Review of DBS Data Retention Policy

Review of DBS Data Retention Policy Review of DBS Data Retention Policy October 2015 Contents Distribution of Report... 3 EXECUTIVE SUMMARY... 4 Key Observations and Recommendations... 4 DETAILED FINDINGS: DATA RETENTION POLICY REVIEW...

More information

Solution Brief for ISO 27002: 2013 Audit Standard ISO 27002. Publication Date: Feb 6, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Solution Brief for ISO 27002: 2013 Audit Standard ISO 27002. Publication Date: Feb 6, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045 Solution Brief for ISO 27002: 2013 Audit Standard Publication Date: Feb 6, 2015 8815 Centre Park Drive, Columbia MD 21045 ISO 27002 About delivers business critical software and services that transform

More information

Objectives and key requirements of this Prudential Standard

Objectives and key requirements of this Prudential Standard Prudential Standard SPS 220 Risk Management Objectives and key requirements of this Prudential Standard This Prudential Standard establishes requirements for an RSE licensee to have systems for identifying,

More information