Review of Controls over Remote Access (IA /F) Steve Allen, Managing Director, Finance. Audit Conclusion: Audit closed

Transcription

1 FINAL INTERNAL AUDIT REPORT Review of Controls over Remote Access (IA /F) Steve Allen, Managing Director, Finance Audit Conclusion: Audit closed 16 June Issue categories Agreed actions Satisfactorily addressed Partially addressed No longer applicable Not addressed Priority Priority Priority

2 Contents EXECUTIVE SUMMARY... 3 STATUS OF AGREED ACTIONS... 4 APPENDIX 1 DISTRIBUTION LIST... 9 Audit information Version A Draft versions issued 1 Fieldwork commenced 09 May Fieldwork completed 10 June Draft report issued 12 June Page 2

3 EXECUTIVE SUMMARY Objective This audit objective was to provide assurance that external direct access to TfL through the Internet Access Gateway (IAG) and full network services via the RAS is restricted to authorised users and that the TfL data accessed is appropriately secured. Scope The audit focused on the control environment in relation to the risk of unauthorised access covering the following key sub- areas: Definition of remote access policy procedures, and key controls; Role of third party support providers in remote access management; Management of user accounts and associated RSA tokens; Granting of network access rights through the RAS server; Logical protection of authentication servers (including placement, configuration, and patch management); and Robustness of authentication methods in use. Summary of findings Our Interim Audit Report dated 19 July 2013 entitled Review of Controls over Remote Access identified two Priority 1 issues concerning the leavers process and security of the Webmail service. Nine other issues were raised. Five were rated Priority 2 and the remaining four were rated Priority 3. We have now carried out a follow up review of the management actions and found that all have been satisfactorily addressed, except one related to the Webmail service. A gap analysis was carried out by IM at the end of 2013 which also identified the risk of data loss through webmail as one of the top ten findings. A Data Loss Prevention (DLP) solution will be developed as part of the Information Security Framework and we will be auditing this framework in the coming year, when we will ensure that the issue has been satisfactorily addressed. This audit is therefore closed. Page 3

4 STATUS OF AGREED ACTIONS Priority 1 actions 1. Leavers Process Improve the leavers process by adding the IM Operation Manager and staff to the leavers report distribution list so that the RSA accounts of staff leaving service will be disabled. Align the RSA user accounts review process with network account deactivation, i.e. 90 days. 2. Webmail Security Create an implementation plan for addressing webmail security as part of the riskbased information security gap analysis performed by IM. Steve Hampson 31 July 2013 Michele Hanson 31 March Satisfactorily addressed Relevant personnel in the IM Operation team have been added to the distribution list for the starters and leavers report. The RSA user account de-provisioning process has also been aligned with the network account deactivation Partially addressed A Data Loss Prevention (DLP) solution was identified to address webmail security risks through a gap analysis performed by IM. An upcoming security proposal will address DLP as one of the top ten Page 4

5 Priority 2 actions 3. RSA Administrator Roles findings in the gap analysis. We will ensure that this action is satisfactorily addressed as part of our audit of the Information Security Framework. Remove defunct RSA administrator roles and document a process for ongoing review of RSA administrator roles and user accounts across IM. Mohammed Ali 10 June RSA administrator roles belonging to leavers have been removed and all RSA administrator and user accounts have been reviewed and unnecessary accounts were removed. A process for the ongoing review of RSA administrator roles and user accounts across IM has been documented and communicated. 4. Use of Generic and Duplicate Administrator Accounts Remove non essential generic and duplicate RSA administrator accounts Steve Hampson 09 August Non essential generic and duplicate RSA administrator accounts have Page 5

6 2013 been removed. 5. RSA Administrator Account Management Re-communicate Service Request process to IS Operations team. Steve Hampson 09 August 2013 The service request process for RSA account creation has been documented and communicated. 6. RSA Accounts with Static Passwords Connect RSA accounts to Active Directory to remove static passwords from RSA. Mohammed Ali 10 June The Service Improvement Plan (SIP) to upgrade the RSA Authentication Manager has been completed that connects the RSA to the Active Directory. The static password for the Business Accountant has also been removed. 7. RSA Authentication Manager Patch Management Include the evaluation of application patches and documentation of its implementation in the existing patch management process. Sujeet Wadke 31 March Application patch management process has been documented. Page 6

7 Priority 3 actions 8. Technical Remote Access Policy Define and document IM policy for remote access. 9. Test Accounts Remove unnecessary test accounts and document process for ongoing removal 10. Multiple Assignment of Tokens Improve the process for controlling multiple assignments of tokens. Michele Hanson 28 February Mohammed Ali 10 June Michele Hanson 28 February The policy for remote access has been defined and documented. The unnecessary test accounts have been removed and the related process to manage test accounts have been developed and communicated to the IS Operations team. The IM policy for remote access services specifies that only one token will be permitted per employee. To ensure compliance Page 7

8 11. Proactive Review of Security Logs with this policy, work instructions for auditing RSA token allocation were implemented. IM Security will investigate the option for collecting administrative logs from the RSA, UAG, and AGEE into the Symantec SIEM solution, and raising alerts against certain actions. Michele Hanson 31 March IM Security has investigated the action and a decision was reached to include this as part of the new processes that will emanate from the Information Security Framework. Page 8

9 APPENDIX 1 Distribution list This report was sent to Steve Allen, Managing Director, Finance by Clive Walker, Director of Internal Audit, and copied to: Trevor Jordan Steven Townsend Mohammed Ali Michele Hanson Matthew Mills Matt Griffin Kevin Thurlwell Wayne Fitzgerald Jacques Bouwer Nigel Blore Andrea Clarke David Goldstone Howard Carter Robert Brent IM Head of IM Projects Delivery / interim Head of IM Infrastructure Services Chief Information Officer IM Infrastructure Manager IM Chief Information Security Officer IM Security Manager IM Head of Business Relationship Management IM Service Management Team Lead IM Senior Quality, Assurance & Risk Analyst as Key Risk Representative Head of Group Insurance Director of TfL Legal Chief Finance Officer General Counsel KPMG Page 9