Council/ Community Board/ Council Subcommittee/ Board Committee. Medium

Transcription

1 COVER SHEET Subject IT SECURITY Author Deidre Butler Typed by Harma Freese Submitted to Council/ Community Board/ Council Subcommittee/ Board Committee Name of Board/ Committee/ Subcommittee Audit & Risk Subcommittee Date of Meeting 5 December 2005 Date Required by Secretariat 30 November 2005 Community Board Consultation Matter Previously Considered by Council Not Required No If Yes, date Public Excluded Yes If Yes, Section of Act Significance Medium CONFIRMATION OF COMPLIANCE The attached reports: 1. Contain sufficient information about the options and their benefit and costs, bearing in mind the significance of the decision; and 2. Are based on adequate knowledge about, and consideration of, the views and preferences of affected and interested parties bearing in mind the significance of the decision. 3. Are accompanied by completed checklists that have been sighted and are on file. NAME POSITION SIGNATURE Prepared by Deidre Butler Approved by Chris Kerr Approved by Roy Baker Chief Information Officer Corporate Support Unit Manager General Manager of Corporate Services

2 - 2 - IT SECURITY General Manager responsible: Officer responsible: General Manager Corporate Services Chief Information Officer (Deidre Butler) Author: Deidre Butler, DDI PURPOSE OF REPORT 1. The purpose of this report is to update the Audit Subcommittee of the progress which has been made in upgrading IT security; specifically against a comprehensive IT security audit carried out by Ernst and Young three years ago. STAFF RECOMMENDATION That the report be received

3 - 3 - BACKGROUND 2. The comprehensive IT Security Audit undertaken by Ernst and Young identified 21 primary security vulnerabilities in Christchurch City Council systems. To date, of these identified concerns; some have been attended to some are no longer applicable some require policy decisions from the business some still require attention and some were considered to be overstated for the Council Context 3. The predominant risk to the security of our IT systems is from virus attacks, primarily from our connection to the global network - the internet. On a daily basis CCC are subject to over 200 attacks, this can climb to thousands of attacks daily when there is heightened virus activity. 4. Regardless, over the past five years CCC has had only 3 significant breaches. These have all been contained quickly and effectively (albeit by significant input from IT staff). Over the past year there have been no infiltrations. 5. CCC have in place multiple levels of protection for virus activity. The anti-virus filter at the internet gateway is automatically updated with new anti-virus definitions every hour. These are then pushed out to all PC s to prevent infection via other sources (i.e. floppy or from connections made when laptops at home). 6. In general the CCC systems are well managed and therefore relatively secure. However this needs to be continually maintained as new technologies evolve and new threats emerge on a daily basis. Future 7. The ITS Group has been realigned in context with the changing CCC organisation. Now called Information Management & Communications Technology, and with a broader mandate and across Council role and responsibilities, additional resources and skill sets have been brought on board in support. This includes the new role of a Security Co-ordinator who is dedicated to, and responsible for, security processes and procedures across the IM&CT systems. With this new resource, a number of items identified in the Ernst & Young report can now be picked up with focus by the Security Co-ordinator. The incumbent will work closely with the Audit \ Risk function of the Council across the area of Security alongside Disaster Recovery, Access Control and Authorisation. This will bring a significant focus on ensuring good practice and processes are in place across the breadth of Council IM&CT systems. Detail 8. Below is an overview of the 21 primary security vulnerabilities identified by Ernst and Young and an update on their status.

4 - 4 - WINDOWS SERVERS ISSUES Deletion of Old Accounts 9. Regular review and removal of old accounts CCC IM&CT Comment: 10. Many old accounts are due to correct HR processes not being followed and therefore no request from the business to remove these. 11. Processes now being followed for SAP and GEMS accounts. Security Co-ordinator to review processes for others. LACK OF STRONG PASSWORDS 12. Use strong passwords 13. Strong passwords are random strings of numbers and letters. In the past, customers have complained about the difficulty of remembering these 14. CCC management need to determine whether the policy for passwords needs changing to reflect a need for strong passwords. The Security Co-ordinator has now picked this up. VIRUS PROTECTION (WINDOWS 2000) 15. Further levels of virus protection 16. Two levels of virus protection now in place. The anti-virus filter at the internet gateway is automatically updated with new anti-virus definitions hourly. These are then pushed out to all PC s to prevent infection from other sources, such as diskettes or from connections made when laptops have been at home. 17. The high availability of CCC systems and lack of virus infection despite large numbers circulating in the marketplace, suggest CCC has an appropriate level of virus protection currently. VIRUS PROTECTION (WINDOWS NT) 18. Further levels of virus protection 19. We no longer use Windows NT.

5 - 5 - ATTACK MANAGEMENT 20. Invest in systems to analyze and report on external attacks and possible intrusion. 21. CCC maintain logs of the huge numbers of attempts to break into CCC systems, but currently do not analyse these. This is due to no software being in place to do so, nor the resources available to undertake this activity. 22. The Security Co-ordinator will consider this requirement when they are on board. ANONYMOUS ACCESS 23. Anonymous access be disabled. 24. Anonymous access is required for the GEMS product. 25. This will be further investigated by the Security Co-ordinator. INSUFFICIENT SECURITY PATCHING (WINDOWS 2000) 26. Maintain systems with latest service and security patches. 27. This activity has been tightened up with fortnightly Microsoft security patches being applied. 28. Significant resource commitment and good systems have been put in place by CCC ensuring patches are up to date on servers and PC s. INSUFFICIENT SECURITY PATCHING (WINDOWS NT) 29. Maintain systems with latest service and security patches. 30. We no longer use Windows NT. TELNET 31 Telnet access be disabled if not required.

6 This access has been disabled with users being moved onto connection via the internet. 33. Access has been disabled. NETWORK EQUIPMENT ISSUES - DOCUMENTATION 34 Document network equipment admin procedures 35 To be actioned by the Security Co-ordinator 36 To be undertaken CORE SWITCH PASSWORD 37 Use stronger level encryption on the Core Switch password 38 This wasn t possible with the Operating System version we had previously Since upgraded and actioned. 39 Actioned SNMP ACCESS 40 Create access controls for SNMP admin access to network equipment 41 To be actioned by the Security Co-ordinator 42 To be undertaken FIREWALL INCIDENT PLAN 43 Formal plans for handling firewall incidents (such as finding attackers, containing and deleting an intruder). 44. To be actioned by the Security Co-ordinator.

7 To be undertaken FIREWALL SNMP ACCESS 47. Needs to be secured by a unique community string 48. Actioned. MAIL - OUTLOOK WEB ACCESS 49. The server should be in the DMZ zone without a LAN connection 50. Currently connected to both the DMZ and LAN 51. To be actioned as part of a planned upgrade to be undertaken in the next few months. INTERNET SECURITY SERVICE (ISA) SERVICE PACKS 52. Be updated with latest service packs 53. Done 54. Actioned TUNNELS THROUGH FIREWALL 55. Locate in DMZ 56. This has been addressed through upgrades. 57. Higher security than EYs recommendation will be provided by ISA2004 upgrade currently being planned to progress in the next few months.

8 PUBLIC TERMINALS - PHYSICAL SECURITY Padlocked, possibly hidden from view, possibly diskette & CD drives removed 59. These terminals are the responsibility of the Libraries who at time of report, managed their own equipment. 60. Issue has been raised with Libraries and PC cases have been locked and the cables have been secured. CD AUTORUN 61. Should be disabled 63. These terminals are the responsibility of the Libraries who at time of report, managed their own equipment. 64. Done CITRIX - SERVICE PACKS 65. Should be up to date 66. Citrix capability is used for working from home and some GEMS terminals. Validating with GEMS created complications. 67. Working through the issues staff shortage has delayed this being completed. REMOTE ACCESS - RAS LOGIN ATTEMPTS 68. An unlimited number of login attempts permitted. This should be restricted 69. We no longer use RAS (Remote Access Server).