FINAL INTERNAL AUDIT REPORT

Transcription

1 FINAL INTERNAL AUDIT REPORT Organisation and Management of Firewalls (IA /F) Steve Allen, Managing Director, Finance Audit Conclusion: Audit Closed 25 February 2015 Issue categories Agreed actions Satisfactorily addressed Partially addressed No longer applicable Not addressed Priority Priority Priority

2 CONTENTS EXECUTIVE SUMMARY... 3 STATUS OF AGREED ACTIONS... 5 APPENDIX 1 DISTRIBUTION LIST... 9 Audit information Version 1 Draft versions issued 1 Draft report issued 18 February 2015 Audit Manager Emilija Antevska Director of Internal Audit Clive Walker Page 2

3 EXECUTIVE SUMMARY Objective The objective of this audit was to provide assurance that the firewall strategies and policies, and related governance arrangements that have been implemented to manage and control TfL firewall architectures, are cost effective, efficient and fit for purpose. Scope The audit focused on the control environment in relation to the following key risk areas: Firewall strategy and associated firewall governance structures; Design of current firewall architectures; Approach and key processes involved in establishing and managing the firewall policies and procedures; Approach in the development, deployment and management of firewall products and services; Approach in defining and managing firewall resilience, capacity and performance management; and Approach in securing defined firewall configurations. Summary of findings Our Interim Internal Audit Report dated 17 June 2014 entitled Organisation and Management of Firewalls outlined that all firewall related service requests for changes to be implemented by Fujitsu should be accompanied by an assessment performed by the IM service delivery and IM security teams to confirm their validity. Fujitsu s service technicians and solution architect then implement the firewall changes within defined business hours following the IM change management process. We identified eight priority 1 issues as follows: The cost-effectiveness of the enhanced firewall service had been undermined by the lack of a defined process to identify, manage and monitor the firewall changes that increase the annual charge paid by TfL to Fujitsu; The roles and responsibilities for IM in-house activities that support the delivery of the enhanced firewall services by Fujitsu had not been defined, assigned and enforced; Page 3

4 Formal IM guidance to cover critical aspects of managing firewalls was not available, including firewall strategy and roadmap, IT architecture and technology standards, firewall security and configuration standards, firewall monitoring, and firewall patch management policy; A complete and accurate record of firewall assets owned by TfL had not been maintained; A structured process to monitor firewall performance and proactively manage network capacity had not been implemented; End-of-life firewalls used for securing critical services had remained in use without plans for their decommissioning and replacement, potentially due to a lack of an agreed standardised end-of-life approach with Fujitsu; Forty percent of Fujitsu users with sensitive access to TfL firewall management consoles had not been security cleared as required by the Agreement; and There were no formal TfL disaster recovery plans that cover the testing of TfL firewalls or their backups to ensure a successful recovery in the event of a disaster. We have completed a follow up and confirmed that management has implemented all the actions agreed in respect of these findings. This audit is now closed. Page 4

5 STATUS OF AGREED ACTIONS Ref Agreed action Owner and due date Status Priority 1 actions 1. Review the firewall change process to ensure it is fit for purpose and implement changes to address the risk noted above. 2. Define a responsibility assignment matrix (RACI) for key stakeholders within IM relating to the management of IM controlled firewalls on the TfL network that includes, amongst others, activities relating to the end-of-life of firewalls. The RACI can then be used by the decision tree outlined in action Produce a firewall policy to include the discussion of lifecycle and firewall decision tree and approve for IM use. 29 August August 2014 Michele Hanson 28 November 2014 The IM Enhanced Firewall Service - Fujitsu work instruction has been reviewed to clearly specify a requirement that Fujitsu informs IM when the threshold for firewall changes is reached and obtains approval from TfL for any additional changes. All firewall changes are reported in Fujitsu s periodic service report. A matrix defining the responsibilities of key IM stakeholders relating to the management of IM controlled firewalls on the TfL network has been defined. A high level policy defining the implementation, operation and management of devices providing network based firewall Page 5

6 Ref Agreed action Owner and due date Status functionality for TfL has been drafted and approved for use by IM management. 4. Under instruction from IM Service Management Fujitsu are to create an inventory of firewall assets and work with Infrastructure Services to populate the CMDB with key configuration information. 5. IM to ensure that a documented process is in place for regular reconciliation of firewall changes within the CMDB. 6. IM to produce firewall specific guidance to dovetail into the Capacity Management process currently being developed by Service Management. 7. Develop a process for proactive management of firewalls to encapsulate: Service provider reporting on the age of firewalls; and Using the firewall decision tree 28 November August November November 2014 An inventory of firewall assets is maintained by Fujitsu and submitted every period to TfL IM Infrastructure Services to populate the CMDB. The process and responsibilities involved in reconciling the changes to TfL firewalls has been documented in a work instruction. The TfL IM Component Capacity Management guidance note specifies the requirement for capacity management of hardware infrastructure components, including firewalls. A TfL Security Review meeting is held between Fujitsu, TfL IM Information Security and TfL IM Service Management every period that covers, among other topics, proactive management of firewalls. Page 6

7 Ref Agreed action Owner and due date Status produced in action 3 to determine the need to replace the firewalls at end-oflife. 8. IM will produce a list of internal and external IM roles they recommend to be security screened or vetted and submit these requirements to HR. 9. The Information Security Gap Analysis proposal will make provision for people specific controls that include the screening of staff, contractors and third parties. This proposal will address a recommended single approach that speaks to the criteria for security clearances across TfL. Recommendations will comply with legal and regulatory requirements, and in accordance with best practice, will be provided to HR in relation to the perceived risks in due course. 10. Review the current IM Services Disaster Recovery arrangements. Complete Michele Hanson 30 September 2014 Rebecca Bissell Complete The Information Security Gap Analysis proposal makes provision for people specific controls that include the screening of staff, contractors and third parties. As above under action 8. The TfL IM Disaster Recovery Strategy was reviewed in April Page 7

8 Ref Agreed action Owner and due date Status 11. Produce a Disaster Recovery Plan Template in line with the DR Strategy, proposed documentation requirements, test & audit plans Neville Hinchliffe Complete A Disaster Recovery Plan Template has been produced in line with the above strategy. Page 8

9 APPENDIX 1 Distribution list This report was sent to Steve Allen, Managing Director, Finance, by Clive Walker, Director of Internal Audit, and copied to: Steve Townsend Trevor Jordan Matthew Griffin Rebecca Bissell Michele Hanson Paul Boulton Neville Hinchliffe Larry Botheras Loretta Donoghue Wayne Fitzgerald Philip Hewson Andrea Fourie Nigel Blore Andrea Clarke Andrew Pollins Howard Carter Robert Brent Chief Information Officer IM Head of IM Projects Delivery IMSS Lead Development Manager IM Head of Business Relationship Management IM Chief Information Security Officer IMSS Lead Development Manager Interim IM Head of Service Management IM Resilience and Business Continuity IM Infrastructure Manager IM Service Design and Assurance Manager IM Senior Quality, Assurance and Risk Analyst Head of Commercial ICT as Key Risk Representative Head of Group Insurance Director of TfL Legal Interim Chief Finance Officer General Counsel KPMG Page 9