Specific observations and recommendations that were discussed with campus management are presented in detail below.

Transcription

1

2 CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California State University, San Bernardino Audit Report March 18, 2015

3 EXECUTIVE SUMMARY OBJECTIVE The objectives of the audit were to ascertain the effectiveness of existing policies and procedures related to the administration of information security and to determine the adequacy of controls over the related processes; to evaluate adherence to the Integrated California State University Administrative Manual (ICSUAM) information security policy, or where appropriate to an industry-accepted standard; and to ensure compliance with relevant governmental regulations, Trustee policy, Office of the Chancellor directives, and campus procedures. CONCLUSION Based upon the results of the work performed within the scope of the audit, the operational and administrative controls for information security activities as of December 5, 2014, taken as a whole, were not sufficient to meet the objectives of this audit. In general, the audit revealed that the campus information security function did not have adequate oversight of and participation from the various decentralized information technology support units on campus. Some issues were identified with security of the centrally administered campus network. Other issues identified in this audit were related to the decentralized computing environments, which were not consistently following the same information security standards as the campus information technology services department. In addition, we found that some observations identified in our 2013 Sensitive Data audit were still in the process of being remediated. Specifically, we found that some information security projects, such as the periodic inventory and assessment of sensitive data and the periodic review of all systems and applications with protected data, had been initiated but not completely implemented as of the time of our review. The issues identified suggest that attention is needed in the decentralized operations to ensure that the campus information security program operates in conformance with existing policy and to a level necessary to meet management expectations. Although many issues listed below represent opportunities to improve the process and methodologies used to administer the information security program at California State University, San Bernardino (CSUSB), effective implementation will require a campuswide commitment. Specific observations and recommendations that were discussed with campus management are presented in detail below. Audit Office of Audit and Advisory Services Page 1

4 S, S, AND RESPONSES 1. INFORMATION SECURITY OVERSIGHT The campus information security office did not have a process to track and report decentralized computing departments compliance with campus information security policies and procedures. This is a repeat finding from the 2013 Sensitive Data audit. We noted that the campus is in the process of implementing an annual risk assessment for all departments on campus, which will require each department to identify sensitive data maintained in paper and electronic format, submit details on controls in place to protect the data, and certify that the department is in compliance with CSU and CSUSB information security policies and procedures, such as performing an annual review over user access privileges for all systems and applications with protected data. The information will be reviewed by the information security office to ensure all sensitive data is accounted for and appropriately secured. Inadequate monitoring and enforcement of campuswide policies and standards limits the campus ability to direct a comprehensive information security program and increases the campus exposure to security breaches and inappropriate use of computing resources. We recommend that the campus complete the implementation process to track and report decentralized computing departments compliance with campus information security policies and procedures. We concur. Our action plan is to complete the implementation process to track and report decentralized computing departments compliance with campus information security policies and procedures. The anticipated completion date is September 11, INFORMATION SECURITY GOVERNANCE The information security office did not have administrative access to the systems in the decentralized segments of the network and could not provide campuswide network vulnerability analysis. Audit Office of Audit and Advisory Services Page 2

5 Our technical analysis of the network traffic and devices revealed that: Many of the decentralized systems on campus, to which the information security office did not have administrative access, contained numerous vulnerabilities that had not been detected. Baseline security standards for the administration of decentralized servers and desktops had not been formally developed and implemented, and the information security office s recommended practices for implementing secure servers were not being implemented. The inability to identify and monitor all campus IT resources and the lack of baseline server security standards increases the risk of misconfigured systems and may leave the campus vulnerable to both internal and external attacks that could slow or bring down the network. We recommend that the campus: a. Reconfigure all computer devices into a single network directory hierarchy to provide effective equipment management, oversight, compliance, and monitoring of campus computing equipment. b. Develop baseline security standards for security of servers and desktop systems and ensure automated adherence to the baseline standard through domain group policies. We concur. Our action plan is to: a. Reconfigure all computer devices into a single network directory hierarchy to provide effective equipment management, oversight, compliance, and monitoring of campus computing equipment. b. Develop baseline security standards for security of servers and desktop systems and ensure automated adherence to the baseline standard through domain group policies. The anticipated completion date is September 11, INVENTORY OF PROTECTED DATA The campus had not conducted a security assessment to locate and assess security of all protected data maintained in paper format. This is a repeat finding from the 2013 Sensitive Data audit. Audit Office of Audit and Advisory Services Page 3

6 We found that the campus had performed an inventory and assessment of sensitive data maintained electronically, but the assessment did not include paper documents or data maintained by faculty, staff, and auxiliary employees. Inadequate accountability and protection of sensitive information increases the risk of loss and increases campus exposure to inadvertent disclosure of personal data. We recommend that the campus conduct a campuswide inventory of all protected data maintained in paper and electronic format and conduct a security assessment to ensure the data is adequately protected. We concur. Our action plan is to conduct a campuswide inventory of all protected data maintained in paper and electronic format and conduct a security assessment to ensure the data is adequately protected. The anticipated completion date is September 11, VULNERABILITY MANAGEMENT The campus did not perform periodic credentialed vulnerability scans of all high-risk servers, applications, and desktops connected to the campus network. We found that the campus performed credentialed vulnerability scans of new servers and applications before they are placed in production; however, those scans were only performed for Internet-facing devices. Additionally, there was no process in place to perform periodic vulnerability scans of desktop computers. Our technical analysis identified numerous vulnerabilities on servers, applications, and workstations, and some servers were running obsolete versions of operating systems for which the vendor no longer provided security updates. Inadequate identification and correction of vulnerabilities in a timely manner may lead to a breach of network security and a loss of confidential information. We recommend that the campus: a. Perform periodic credentialed vulnerability scans of all high-risk servers, applications, and desktops connected to the campus network and address identified vulnerabilities in a timely manner. b. Remove or update the servers running obsolete and unsupported operating systems from the network. Audit Office of Audit and Advisory Services Page 4

7 We concur. Our action plan is to: a. Perform periodic credentialed vulnerability scans of all high-risk servers, applications, and desktops connected to the campus network and address identified vulnerabilities in a timely manner. b. Remove or update the servers running obsolete and unsupported operating systems from the network. The anticipated completion date is September 11, DESKTOP SOFTWARE MANAGEMENT The campus did not always remove obsolete versions of software and unauthorized software that did not support university business from desktop computers and did not always update browser software. Inadequate updating of browser software and removal of vulnerable software products and unauthorized software may lead to compromise and potential loss of protected confidential information or inappropriate access to systems. We recommend that the campus implement measures to remove unnecessary software and ensure software used on all computers is authorized. We concur. Our action plan is to implement measures to remove unnecessary software and ensure software used on all computers is authorized. The anticipated completion date is September 11, WEB APPLICATION DEVELOPMENT Application development and change management was not adequate to ensure accountability for authorized deployment of web development projects. Specifically, we found that application development and change management processes were generally informal. We reviewed central information technology and a sample of other divisions on the campus that performed web application development and found that: Audit Office of Audit and Advisory Services Page 5

8 The campus did not have a formal policy to govern system development practices. Management approval was not required before projects were placed into production. Security criteria and testing procedures were not always documented. User acceptance testing was not always documented. Developers had the capability to make changes to production versions without authorization. The campus had a development standard in place; however, the standard did not specifically address security requirements unique to web development. The campus information security office recommended that developers follow security standards set by the Open Web Application Security Project and the Web Application Security Consortium, but these standards had not been incorporated into the web development lifecycle to ensure security standards were built into the web systems. The lack of proper software change management and testing procedures increases the risk of unauthorized changes to software, software failure, and security vulnerabilities that could inappropriately expose sensitive data. We recommend that the campus: a. Develop a formal policy to govern system development practices that details security requirements. b. Require management approval for all web application development before placing projects into production. c. Document security criteria and testing procedures. d. Document user acceptance testing. e. Restrict developers ability to modify production web applications without prior management approval. We concur. Our action plan is to: a. Develop a formal policy to govern system development practices that details security requirements. b. Require management approval for all web application development before placing projects into production. Audit Office of Audit and Advisory Services Page 6

9 c. Document security criteria and testing procedures. d. Document user acceptance testing. e. Restrict developers ability to modify production web applications without prior management approval. The anticipated completion date is September 11, DESKTOP SECURITY MANAGEMENT The campus allowed users to have administrative access to their workstations, which allows disabling of some security controls and installation of unauthorized software. Administrative level privileges that allow users to disable security controls and install unauthorized applications may violate California State University (CSU) policy and/or expose the campus network to other vulnerabilities. We recommend that the campus eliminate administrative access to workstations unless it is specifically approved. We concur. Our action plan is to eliminate administrative access to workstations unless it is specifically approved. The anticipated completion date is September 11, INCIDENT REPORTING The process for reporting lost or stolen computers to the information security office needed improvement. Specifically, we found that the users did not notify the information security office when a computer was lost or stolen, as required by campus procedures, so it could investigate whether sensitive information was present on the computers and whether further action was required. We selected a sample of 15 computers reported as lost or stolen from 2012 to 2014 and found that none of them had been reported to the information security office for investigation. The lack of investigation of potential sensitive data on lost or stolen computers increases the risk that information security breaches could go unreported, resulting in significant financial penalty and damage to the campus reputation. Audit Office of Audit and Advisory Services Page 7

10 We recommend that the campus enforce existing procedures to ensure the information security office is notified when computers are lost or stolen. We concur. Our action plan is to enforce existing procedures to ensure the information security office is notified when computers are lost or stolen. This objective is complete. 9. REVIEW OF SECURITY EVENT LOGS The campus did not have formal procedures for reviewing security event logs of operating systems, servers, and applications. We noted that the analysis of audit and security event logs were generally informal, undocumented, and performed on an ad-hoc basis, unless formal periodic reviews were required by outside regulation such as the Health Insurance Portability and Accountability Act. Inadequate review of security logs increases the risk that malicious activity could go undetected or viruses or other malicious code could be embedded within the campus network and its resources, which could lead to confidential information being breached and not reported. We recommend that the campus develop formal procedures for reviewing security event logs of operating systems, servers and applications. We concur. Our action plan is to develop formal procedures for reviewing security event logs of operating systems, servers, and applications. The anticipated completion date is September 11, USER ACCESS PRIVILEGES The process for requesting access to PeopleSoft required improvement. We found that the desired security roles were not consistently documented on the online information access request form. Additionally, requests for access often requested mirroring another individual s access, rather than detailing the specific roles required by that individual. Audit Office of Audit and Advisory Services Page 8

11 The ISO stated that the campus is in the process of remediating this issue with the implementation of an Enterprise Workflow Management system that will streamline the process for people needing access to PeopleSoft modules. Inadequate administration of user accounts increases the risk of inappropriate access. We recommend that the campus ensure that desired security roles are consistently documented on the online information access request forms. We concur. Our action plan is to ensure that desired security roles are consistently documented on the online information access request forms. The anticipated completion date is September 11, Audit Office of Audit and Advisory Services Page 9

12 GENERAL INFORMATION BACKGROUND The CSU Information Security Policy, dated April 19, 2010, states that the Board of Trustees of the CSU is responsible for protecting the confidentiality, integrity, and availability of CSU information assets. Unauthorized modification, deletion, or disclosure of information assets can compromise the mission of the CSU, violate individual privacy rights, and possibly constitute a criminal act. It is the collective responsibility of all users to ensure confidentiality of information that the CSU must protect from unauthorized access; integrity and availability of information stored on or processed by CSU information systems; and compliance with applicable laws, regulations, and CSU/campus policies governing information security and privacy protection. It further states that the CSU Information Security Policy shall apply to the following: All campuses. Central and departmentally managed campus information assets. All users employed by campuses or any other person with access to campus information assets. All categories of information, regardless of the medium in which the information asset is held or transmitted (e.g., physical or electronic). Information technology facilities, applications, hardware systems, and network resources owned or managed by the CSU. Auxiliaries, external businesses, and organizations that use campus information assets must also operate those assets in conformity with the CSU Information Security Policy. The CSU Information Security Policy directs the campus president to appoint an information security officer (ISO) and assign responsibility and authority for administering the information security function. Information security at CSU campuses covers a broad range of sensitive data that requires protection to be in compliance with numerous state and federal regulations. Campuses collect social security numbers for employee personnel and for student financial aid tax reporting, which is regulated by federal and state law. Other forms of data include student grades and academic records that must be protected under federal privacy laws. In addition, CSU campuses that have student health centers, psychological counseling centers, and pharmacies may also have medical and prescription records that must be protected under federal health privacy laws. Campus retail operations for bookstores, convenience stores, restaurants and dining, and student activities involve collection and processing of credit card information that is regulated by the banking industry. Audit Office of Audit and Advisory Services Page 10

13 SCOPE At the CSUSB campus, information security is administered by the ISO, who reports to the chief information officer/vice president of information technology services. CSUSB also has an information technology governance committee and information security and emerging technologies committee in place that provide oversight and guidance to the campus on information security issues. Additionally, there are several decentralized IT groups that do not report directly to the campus IT department. As a result, the campus has created IT working groups with other campus departments to help guide compliance with established CSU and CSUSB information security policies, standards, and procedures. Our audit and evaluation included the audit tests we considered necessary in determining whether operational, and administrative controls are in place and operative. The audit focused on procedures in effect from August 11, 2014, through September 12, Specifically, we reviewed and tested: The activities and measures undertaken to protect the confidentiality, integrity, and access and availability of information. Processes for identifying confidential, private, or sensitive information; authorizing access; securing information; detecting security breaches; and evaluating security incident reporting and response. Measures to limit collection of information, control access to data and assure that individuals with access to data do not utilize the data for unauthorized purposes. Encryption of data in storage and transmission. Physical and logical security measures for all data repositories. We also retained outside contractors to perform a technical security assessment that included running diagnostic software designed to identify improper configuration of selected systems, servers, and network devices. The purpose of the technical security assessment was to determine the effectiveness of technology and security controls governing the confidentiality, integrity, and availability of selected campus assets. Specifically, this configuration testing included assessment of the following technologies: selected operating systems, border firewall settings, network traffic analysis, vulnerability scanning, and website vulnerability assessment. As a result of changing conditions and the degree of compliance with procedures, the effectiveness of controls changes over time. Specific limitations that may hinder the effectiveness of an otherwise adequate system of controls include, but are not limited to, resource constraints, faulty judgments, unintentional errors, circumvention by collusion, and management overrides. Establishing controls that would prevent all these limitations would not be cost-effective; moreover, an audit may not always detect these limitations. Our testing and methodology was designed to provide a managerial level review of key information security practices, which included detailed testing of a limited number of network and computing devices. Our review did not examine all aspects of information security, and our Audit Office of Audit and Advisory Services Page 11

14 CRITERIA AUDIT TEAM testing approach was designed to provide a view of the security technologies used to protect only key computing resources. In addition, selected emerging technologies were not included in the scope of this review. Our audit was based upon standards as set forth in CSU Board of Trustee policies; Office of the Chancellor policies, letters, and directives; campus procedures; and other sound administrative practices. This audit was conducted in conformance with the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing. This review emphasized, but was not limited to, compliance with: ICSUAM 8000, Information Security ICSUAM 7000, Identity Management Government Code International Standards Organization 27001, Information Security Management System Standard Senior Director: Mike Caldera Audit Manager: Greg Dove Senior Auditor: Kim Pham Audit Office of Audit and Advisory Services Page 12