COMPUTER NETWORK SECURITY

Transcription

1 COMPUTER NETWORK SECURITY Final Distribution IT Service Delivery Manager (Mouchel) Corporate Director Strategy, Governance & Performance Partnership Delivery Manager (Mouchel) Lynda Baker Audit Manager Rick Allen IT Auditor JULY 2009

2 MKC INTERNAL AUDIT SERVICE COMPUTER NETWORK SECURITY EXECUTIVE SUMMARY 1 INTRODUCTION 1.1 Background As part of the Internal ICT Audit programme for the financial year 2008/09, an audit review has been performed on Computer Network Security. The review has focussed upon the key controls in place to ensure the secure provision of computer network services to the business. The network comprises primarily of computer hardware and software in the form of cabling and network communications equipment, as well as the Microsoft Windows network operating system software. Computer networked services provide the platform on which to install and use IT systems such as the revenues and benefits system, and to access the Internet for and web browsing. The network is an essential part of the fabric of the communications strategy and the absence of the network would severely hinder the ability to provide essential services to the local population. The security of the network is therefore essential to the effective day-to-day operation of the Council. 1.2 Objectives and Scope The objectives of the audit were to ensure that: a) Controls have been established in relation to the provision of computer network services, including firewall software/hardware. b) Security controls are in place for the system, including content filtering. c) Security controls are in place for anti-virus protection covering laptops, PCs, and servers. Key: 1=Poor, 3=Good 2 AUDIT OPINION Satisfactory - Controls are considered adequate with some areas of weakness that are not major risk areas. AUDIT REPORT E561/09/HW 1 JULY 2009

3 MKC INTERNAL AUDIT SERVICE COMPUTER NETWORK SECURITY 3 CONCLUSIONS 3.1 Anti virus software has been installed and is maintained on Authority IT equipment in accordance with standards and accords with good practice, as reflected by the findings within the management action plan of this report. 3.2 Five areas of weakness within existing controls have been identified where audit recommendations could further reduce risks to the organisation. A summary of the two areas of weakness that carry an important risk weighting are as follows: weaknesses in the computer network access control process have been identified relating to starters, leavers and access roles/profiles risk of unauthorised access; and policy, processes and procedures governing the secure transfer of data beyond the physical boundaries of Council premises and the computer network have not been formally defined and implemented risk of breach of legislation and regulations. 4 WAY FORWARD 4.1 All recommendations are in the Management Action Plan (Page 4). 4.2 Two recommendations made in this report carry an Important weighting indicating that implementation is required within a short period of time to address weaknesses that seriously undermine the control of the network. Three other recommendations carry a standard weighting indicating that management need to take recommended action within a reasonable period to address the issues identified for control improvements. AUDIT REPORT E561/09/HW 2 JULY 2009

4 MKC INTERNAL AUDIT SERVICE COMPUTER NETWORK SECURITY 5 GOOD INTERNAL CONTROLS FINDINGS SUMMARY The following areas were tested and confirmed as having good internal controls with no problems to report: Content Filtering against Security Policy The GFI Mail Essentials v12 and GFI Mail Secure v8.1 software solutions have been implemented to filter and block inappropriate content and a legal disclaimer is automatically appended to all s sent from the Council. 5.2 Protection against Malicious Software Anti-virus computer software has been installed and is maintained on all Authority IT equipment and all users are advised when a significant virus risk is identified. 5.3 Control over Installation of Computer Software Desktop PC computers have been restricted to ensure users of the equipment cannot install software onto the systems without prior authorisation from management. Any additional software to be installed is actioned through the ICT Change Management process that includes the submission of a formal change request with the business justification and must gain management approval before an engineer will complete the installation. AUDIT REPORT E561/09/HW 3 JULY 2009

5 MKC INTERNAL AUDIT SERVICE COMPUTER NETWORK SECURITY MANAGEMENT ACTION PLAN The recommendations are categorised on the following basis: Essential - Implementation is required with immediate effect to address a weakness that fundamentally undermines the control of that system. Important - Implementation is required within a short period of time to address weaknesses that seriously undermine the control of that system. Standard - Management need to take recommended action within a reasonable period to address weaknesses that may undermine system control. Ref Findings Risk/ Implication Recommendation Management Comments Manager Responsible & Target Date 1. Network Access Control The following issues have been identified that present a risk of unauthorised access to the computer network: a) The officer authorising a Network Access Authorisation Form is not checked and verified against a list of approved officers. b) Managers do not always inform the IT department if an officer leaves the Council and this could result in such access being un-restricted for several months. c) Network access roles of officers transferring jobs within Council are not updated on a timely basis. Note: when a new starter begins they are allocated similar access to someone else in their team (who may not have an accurate profile). Unauthorised access to the computer network could be used to gain access to systems that store and process sensitive/critical data that could result in malicious damage and unplanned costs being incurred as a result of a breach in security. Important A review of computer network access controls should be performed. The review should feed into the production of an identity management strategy that could include the possibility of joint working between HR and IT for the addition/update/removal user access to the network and key systems. A review of computer network access controls has been performed and a project is current underway to implement a new system to increase the overall level of control. The system is due to be trialled during July 2009 and will be rolled out thereafter if successful. 31/8/09 2. Security of Data in Transit The IT User Security Policy does not make provision for the transmission of confidential data. No policy on the encryption for the transmission of confidential data exists. Breach of legislation and regulations governing security of data that could result in Important Council policy should be updated to address the security of data transferred beyond the physical boundaries of the The IT & Telecommunications User Security Policy has been updated to include section Implemented AUDIT REPORT E561/09/HW 4 JULY 2009

6 MKC INTERNAL AUDIT SERVICE COMPUTER NETWORK SECURITY Ref Findings Risk/ Implication Recommendation Management Comments Manager Responsible & Target Date damage to the reputation of the Council and significant costs incurred as a result of fines and remedial action to address any breaches in data security. Council and the computer network specifically detailing Special Care with Council Data and use of memory sticks and other portable/ exchangeable media. 3. Network Security Incident Management No evidence could be provided of a formal process for reporting, investigating and resolution of network security incidents. Uncoordinated and inconsistent approach to security incident management resulting in poor use of resources and failure to take appropriate action. Standard A network security incident management process and procedures should be established and formally approved by management. A formal security incident management process has been established as part of the requirements for ensuring compliance with the GCSx code of connection. Implemented 4. Network Infrastructure Technical Security The following issues have been identified in relation to the technical security configurations of network devices and the firewall that present a risk of unauthorised access to the computer network: a) No explicit rules govern the connection of computer equipment to the network (e.g. the use of MAC address filtering). b) Network communications switches allow the connection of any IT hardware devices. No routine checks are performed to detect if there are any unauthorised attachments to the network. c) Access to the device configuration menus Weaknesses in technical security configuration and control increase the risk of unauthorised access to the network and abuse of services. Standard A review of technical security configurations and controls should be performed to address the following areas: a) Firewall excessive network traffic detection. b) Switches - rules to govern the connection of equipment to the network. c) Routers - investigate audit trails in relation to generic logon access. d) Documentation implement a formal process A review of technical security configurations and controls has been performed as part of the requirements for GCSx Code of Connection. The Authority is now protected by two firewall devices. ICT now have three quotes from third party organisations to perform a network security penetration test and will be selecting a preferred Implemented. AUDIT REPORT E561/09/HW 5 JULY 2009

7 MKC INTERNAL AUDIT SERVICE COMPUTER NETWORK SECURITY Ref Findings Risk/ Implication Recommendation Management Comments Manager Responsible & Target Date for network routers is gained via a generic logon which all administrators use. d) The firewall has not been configured to detect excessive network traffic from any one particular source (DoS Attack). e) A formal process for documenting the topology of the computer network has not been established. f) An external security test of computer network security, also known as a penetration test, has not been performed since the previous network security audit (August 2004). for documenting the network topology. e) Penetration Test obtain costs and schedule an external security test of network security. supplier during July Telecomms Security Policy The Telecomms Security Policy states that it will be updated every 12 months. The last review and update was performed in February 2007 and is therefore overdue. It is acknowledged that the Policy was under review at the time of the audit however an up to date version has not yet been issued. Misinterpretation or confusion over the correct meaning of instructions and failure to comply with Council policy. Standard The review of the Telecomms Security Policy should be concluded and the revised Policy issued as soon as practicable. The IT and Telecommunications User Security Policy has now been updated and is published on the Intranet for users to view. Implemented NB Any cost implications arising from implementation of the recommendations by Mouchel must be agreed in advance with the appropriate Client Officer and the Partnership Delivery Manager AUDIT REPORT E561/09/HW 6 JULY 2009