COMPLIANCE AND CONTROL AUDIT REPORT
State Agency Information Systems: Reviewing Selected Systems Operation Controls in State Agencies
A Report to the Legislative Post Audit Committee
By the Legislative Division of Post Audit
State of Kansas
December 2011
Legislative Post Audit Committee
Legislative Division of Post Audit

THE LEGISLATIVE POST Audit Committee and its audit agency, the Legislative Division of Post Audit, are the audit arm of Kansas government. The programs and activities of State government now cost about $14 billion a year. As legislators and administrators try increasingly to allocate tax dollars effectively and make government work more efficiently, they need information to evaluate the work of governmental agencies. The audit work performed by Legislative Post Audit helps provide that information.

We conduct our audit work in accordance with applicable government auditing standards set forth by the U.S. Government Accountability Office. These standards pertain to the auditor's professional qualifications, the quality of the audit work, and the characteristics of professional and meaningful reports. The standards also have been endorsed by the American Institute of Certified Public Accountants and adopted by the Legislative Post Audit Committee.

The Legislative Post Audit Committee is a bipartisan committee comprising five senators and five representatives. Of the Senate members, three are appointed by the President of the Senate and two are appointed by the Senate Minority Leader. Of the Representatives, three are appointed by the Speaker of the House and two are appointed by the Minority Leader.

Audits are performed at the direction of the Legislative Post Audit Committee. Legislators or committees should make their requests for performance audits through the Chairman or any other member of the Committee. Copies of all completed performance audits are available from the Division's office.

LEGISLATIVE POST AUDIT COMMITTEE
Representative John Grange, Chair
Representative Tom Burroughs
Representative Ann Mah
Representative Peggy Mast
Representative Virgil Peck Jr.
Senator Mary Pilcher-Cook, Vice-Chair
Senator Terry Bruce
Senator Anthony Hensley
Senator Laura Kelly
Senator Dwayne Umbarger

LEGISLATIVE DIVISION OF POST AUDIT
800 SW Jackson, Suite 1200
Topeka, Kansas
Telephone (785) FAX (785)
LPA@lpa.ks.gov
Website:
Scott Frank, Legislative Post Auditor

HOW DO I GET AN AUDIT APPROVED? By law, individual legislators, legislative committees, or the Governor may request an audit, but any audit work conducted by the Division must be directed by the Legislative Post Audit Committee, the 10-member joint committee that oversees the Division's work. Any legislator who would like to request an audit should contact the Division directly at (785)

The Legislative Division of Post Audit supports full access to the services of State government for all citizens. Upon request, Legislative Post Audit can provide its audit reports in large print, audio, or other appropriate alternative format to accommodate persons with visual impairments. Persons with hearing or speech disabilities may reach us through the Kansas Relay Center at
Our office hours are 8:00 a.m. to 5:00 p.m., Monday through Friday.
LEGISLATURE OF KANSAS
LEGISLATIVE DIVISION OF POST AUDIT
800 SOUTHWEST JACKSON STREET, SUITE 1200
TOPEKA, KANSAS
TELEPHONE (785) FAX (785)

December 8, 2011

To: Members, Legislative Post Audit Committee
Representative John Grange, Chair
Representative Tom Burroughs
Representative Ann Mah
Representative Peggy Mast
Representative Virgil Peck Jr.
Senator Mary Pilcher-Cook, Vice-Chair
Senator Terry Bruce
Senator Anthony Hensley
Senator Laura Kelly
Senator Dwayne Umbarger

This report contains the findings, conclusions, and recommendations from our completed compliance and control audit, State Agency Information Systems: Reviewing Selected Systems Operation Controls in State Agencies. We include several recommendations for each of the agencies in their individual confidential report. We would be happy to discuss the findings presented in this report with any legislative committees, individual legislators, or other State officials.

Scott Frank
Legislative Post Auditor
This audit was conducted by Nathan Ensz and Stan Wiechert. Justin Stowe was the audit manager. If you need any additional information about the audit's findings, please contact Nathan Ensz at the Division's offices.

Legislative Division of Post Audit
800 SW Jackson Street, Suite 1200
Topeka, Kansas
(785)
Website:
Table of Contents

Do Selected State Agencies Adequately Manage Software Installed On Staff Laptops And Desktops?
- We Looked For Unpatched Or Unauthorized Software At Five Agencies ... page 6
- Three Of Five Agencies Had Significant Vulnerabilities Because Of Inadequate Workstation Patching Processes ... page 7
- Agencies Had Few Problems With Unauthorized Software, But Two Still Need To Improve Their Process ... page 9
- Conclusion ... page 11
- Recommendations ... page 11

List of Figures
- Figure OV-1: Layered Approach to Network Security ... page 5
- Figure 1-1: Vulnerability Scan Results and Patching Practice By Agency ... page 7
- Figure 1-2: Software Scan Results and Preventing Unauthorized Software Policy and Practice By Agency ... page 10

List of Appendices
- Appendix A: Scope Statement ... page 12
- Appendix B: Agency Response ... page 13
State Agency Information Systems: Reviewing Selected Systems Operation Controls In State Agencies

Each year, many State agencies collect and process sensitive and confidential data in their computer systems. One major responsibility for these agencies is to safeguard that data through the implementation of adequate security controls. Those controls include keeping agency computer networks up to date with security patches and controlling the software staff can install on their computers. Missing security patches and use of unauthorized software increase the risk that sensitive agency information could be compromised by allowing outsiders access to agency systems and networks. Currently, there is limited oversight of agencies' security controls to monitor whether these security risks are adequately managed.

This information system audit answers the following question: Do selected State agencies adequately manage software installed on staff laptops and desktops? A copy of the scope statement for this audit approved by the Legislative Post Audit Committee is included in Appendix A.

To answer the question, we selected five State agencies and reviewed these agencies' policies and practice regarding patching software and preventing unauthorized software. We compared those agencies' efforts to best practices, reviewed documentation, and conducted vulnerability scans to determine how well agency staff followed policies in actual practice. The Enterprise Security Office within the Department of Administration conducted the vulnerability scans for us and helped us interpret the results.

We conducted this information system audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

This audit report provides a summary of our findings across all five agencies, but does not describe the findings for the individual agencies. Because those specific findings contain information that could jeopardize the agencies' security, we are keeping those findings confidential under K.S.A (12). Instead, we provided each agency with a separate, confidential report to address any agency-specific problems we identified through our work. Our findings begin on page 6, following a brief overview.

PERFORMANCE AUDIT REPORT 1 Legislative Division of Post Audit
Overview of Agency Software Management

Multiple Layers of Protection Help Ensure Strong Network Security

Often, multiple network security layers are used to protect agency data and computers from cyber or physical attack. As Figure OV-1 on the next page shows, multiple layers of security are available to agencies to help protect agency information technology systems. It's important that each layer is independently secure to minimize security risks. Some of the layers of security available include physical security, perimeter security, and host security. Because no one layer can protect an agency against all threats, it is important to have multiple layers that complement each other. Weak or missing layers could create cracks in the agency's overall security which create opportunities for hackers. As such, it is important that each layer of security be strong.

Agency officials make choices regarding how much risk they are willing to assume, given their business needs. In an ideal network environment, each security layer would be as strong as possible. However, it's not always feasible to implement all of the possible security measures that are available. Sometimes imposing strict security standards inhibits employees from doing agency business. For example, laptops used by staff who travel in the field typically are going to have administrative rights to install software because there are no IT staff readily available to take care of software installations and updates. Furthermore, agency officials may think certain layers of security cost too much or are unnecessary given their needs. As such, officials must decide how much risk they are willing to assume, given the agency's business needs.

Appropriate Software Management Is an Important Layer Of Network Security

As Figure OV-1 shows, although agencies rely on multiple layers of security, this audit focuses specifically on software and patch management on agency workstations.

Keeping patches updated helps prevent someone from compromising an agency's network. Over time, vulnerabilities in computer software are discovered that could allow someone to break into or otherwise harm an agency's network. Software manufacturers are constantly developing fixes, or patches, for vulnerabilities as they are discovered. Vendors often can create a single patch that is able to fix multiple vulnerabilities. It is up to each agency's information technology staff to install the patches in order to keep their systems up to date and secure.
Figure OV-1: Layered Approach to Network Security
- Policies & Procedures (security awareness training, backup and restore plans)
- Physical Security (guards, safes, locks, visitor logs)
- Perimeter Security (firewalls, virtual private networks)
- Host Security (software & patch management, anti-virus protection, intrusion prevention)
Source: LPA network security layers adapted from Cisco.

Preventing unauthorized software helps mitigate the risk of vulnerabilities. Because agency workstations are for agency business, agencies should control what is installed on them. Allowing staff to add software creates some problems:
- Some software drains resources or creates cracks in the security which can be exploited. For instance, peer-to-peer applications used to download music or videos may monopolize agency bandwidth, and chat programs like Skype can easily cross firewalls, allowing users to talk with and receive files from others without the files being scanned for viruses.
- IT staff must maintain more software. Even if the software is generally safe, it is on the workstation and must be patched. Having all of this additional software can make it hard for IT staff to manage.
In general, agencies should limit software to what they conclude is necessary and acceptable for their business needs.
Question: Do Selected State Agencies Adequately Manage Software Installed on Staff Laptops and Desktops?

Answer in Brief: We looked for unpatched or unauthorized software at five agencies. Three of the five agencies had significant vulnerabilities because of inadequate workstation patching processes, and all five could make some minor improvements to their patching process. Agencies had few problems with unauthorized software, but two still need to improve their software management process. These and related findings are discussed in the sections that follow.

We Looked For Unpatched or Unauthorized Software At Five Agencies

To answer the question we looked for vulnerabilities caused by unpatched software and unauthorized software installed on workstations in five agencies. The five agencies we looked at and the number of workstations we scanned at each agency are listed below.
- Department of Health and Environment (219 workstations)
- Department of Commerce (139 workstations)
- Kansas Secretary of State (91 workstations)
- Kansas Insurance Department (74 workstations)
- Kansas Board of Emergency Medical Services (12 workstations)

The primary tool we used to examine agency workstations was a vulnerability scan. This type of scan identifies vulnerabilities and categorizes them as low, medium, or high. In addition to identifying vulnerabilities, this scan also lists the software installed on the workstations. We tried to scan all workstations at each agency, except for the Department of Health and Environment and Department of Commerce because they had so many. For these two agencies we scanned a selection of the workstations, but because of technical limitations, the results aren't projectable.

We have provided each agency a confidential report with their specific findings. Because of security concerns, those findings are not publicly available. What follows is a summary of the findings across the five agencies. The identities of the agencies are not disclosed in this report so that the agencies' security is not jeopardized.
Three of Five Agencies Had Significant Vulnerabilities Because of Inadequate Workstation Patching Processes

As discussed in the Overview, patching workstations is important to help prevent someone from breaking into, or otherwise harming, an agency's network. It is good practice to protect workstations by patching them frequently, and to run a vulnerability scan which identifies any needed patches. We evaluated how well agency officials kept their software up to date by running a vulnerability scan on all, or a selection of, their workstations. All of the scans were done with the full knowledge and cooperation of the agencies.

The vulnerability scans produced volumes of information about potential vulnerabilities and categorized them as low, medium, and high. We provided the detailed results with all the vulnerabilities to each agency, but limited our analyses to high vulnerabilities. We categorized the results of our vulnerability scan into two general categories of software: Microsoft and non-Microsoft. The results for each agency are summarized in Figure 1-1 below.

Figure 1-1: Vulnerability Scan Results and Patching Practice By Agency
(Per-agency values in this table did not survive extraction. Columns: for Microsoft software and for non-Microsoft software, whether the agency installed patches, whether it scanned for vulnerabilities, and the average number of high vulnerabilities per workstation; for all software, the average number of vulnerabilities per workstation and the percent of all workstations with vulnerabilities. Agencies 1 and 2 are marked (a).)
(a): These agencies were installing Microsoft patches, but as discussed in the report, had configuration problems.
Source: LPA analysis of vulnerability scans and agency practice.

All five agencies proactively patched Microsoft software, but two agencies had configuration problems that resulted in some vulnerabilities being missed. Microsoft vulnerabilities include unpatched software applications (such as Excel or Word) and operating systems (such as Windows 7 and XP). In general, Microsoft software is easier to keep up to date because Microsoft pushes out new patches on a regular basis and it provides free software to manage these patches automatically. Although Microsoft software is relatively easy to patch, we did find problems in two agencies:
- Agency 1 did not have its patching system set up correctly to identify all available Microsoft patches. Officials told us they have since reconfigured their patching system to identify additional Microsoft patches.
- Agency 2 did not have all of its workstations identified in its patching system in order to send out the patches. Officials told us they have already identified five workstations that were not originally included in their patching system, and are taking steps to determine if other workstations are missing.
As a result of these configuration problems, and as is shown in Figure 1-1, Agency 1 and Agency 2 had far more unpatched Microsoft vulnerabilities (4.0 and 4.2 per workstation) than the other three agencies (all less than 0.2 per workstation).

Three of five agencies did not adequately patch non-Microsoft software. Non-Microsoft software applications include products from companies such as Adobe (Reader, Flash Player, Shockwave), Sun Microsystems (Java, OpenOffice), and Apple (iTunes, QuickTime). These software products are far more difficult to patch than Microsoft products because the companies are less proactive in pushing out patches, and few agencies have software to automatically manage the patches. Our review of the five agencies found that:
- Two agencies have not attempted to systematically install non-Microsoft patches. Officials from Agency 1 told us they do not install non-Microsoft patches because it would be too costly to do so. Officials from Agency 2 told us their patching software does not identify non-Microsoft software patches. As a result of not patching non-Microsoft vulnerabilities, Agency 1 and Agency 2 had far more unpatched non-Microsoft vulnerabilities (35.3 and 26.3 per workstation) than the other three agencies (see Figure 1-1). These two agencies were also the same two that had configuration problems with Microsoft patches.
- Agency 3 patched non-Microsoft software, but did not scan its workstations to ensure that vulnerabilities were not missed. Clearly, making an effort to patch non-Microsoft software improved this agency's results. Still, the lack of a scan allowed several vulnerabilities to get past the patching process.

Patching non-Microsoft software is difficult, especially for large organizations. However, it is important to patch all software, to prevent hackers from potentially exploiting those vulnerabilities. In the profile box on the next page we discuss the instance when RSA, an IT security company, had a non-Microsoft vulnerability exploited that cost it $66 million to remediate.
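The averages reported above (high-severity vulnerabilities per workstation, split into Microsoft and non-Microsoft software, plus the share of workstations affected) are straightforward to compute from a scanner's findings export, but two details decide whether the numbers are honest: workstations that scanned clean never appear in the findings and must still be counted in the denominator, and a scanner that reports the same missing patch several times on one host (per port, per instance) must count it once. The Python script below is an added example, not code from the audit or from the Enterprise Security Office; the CSV column layout, the vendor names and the findings in it are constructed assumptions, and the cut-off at high severity mirrors the audit's choice.

```python
"""Summarise workstation vulnerability-scan output the way Figure 1-1 does:
high-severity findings only, split into Microsoft and non-Microsoft software,
averaged per scanned workstation.

Added example. The CSV export format, vendor names and findings below are
constructed assumptions, not data from the Kansas audit or any real scanner.
"""
from __future__ import annotations

import csv
import io
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Vendors whose patches arrive through the Microsoft update channel.
# Everything else is "non-Microsoft" and needs its own patching path,
# which is what the weaker agencies lacked.
MICROSOFT_VENDORS = {"microsoft"}


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str
    vendor: str
    product: str
    title: str

    @property
    def is_microsoft(self) -> bool:
        return self.vendor.lower() in MICROSOFT_VENDORS


def parse_findings(csv_text: str) -> list[Finding]:
    """Parse a flat scanner export (assumed columns: host,severity,vendor,product,title)."""
    reader = csv.DictReader(io.StringIO(csv_text.strip()))
    return [
        Finding(
            host=row["host"].strip(),
            severity=row["severity"].strip().lower(),
            vendor=row["vendor"].strip(),
            product=row["product"].strip(),
            title=row["title"].strip(),
        )
        for row in reader
    ]


def summarise(findings: Iterable[Finding], scanned_hosts: Iterable[str],
              min_severity: str = "high") -> dict:
    """Compute the Figure 1-1 metrics for one agency.

    scanned_hosts must list every workstation the scan reached, including the
    clean ones: a clean host has no rows in the export but still belongs in
    the denominator, otherwise every average is inflated.
    """
    findings = list(findings)
    hosts = set(scanned_hosts)
    if not hosts:
        raise ValueError("no scanned hosts")
    unknown = {f.host for f in findings} - hosts
    if unknown:
        raise ValueError(f"findings for hosts missing from the scan inventory: {sorted(unknown)}")

    threshold = SEVERITY_RANK[min_severity]
    # Deduplicate: one missing patch on one host counts once, however many
    # times the scanner repeats it.
    selected = {
        (f.host, f.vendor, f.product, f.title, f.is_microsoft)
        for f in findings
        if SEVERITY_RANK[f.severity] >= threshold
    }
    microsoft = sum(1 for sel in selected if sel[4])
    non_microsoft = len(selected) - microsoft
    affected = {sel[0] for sel in selected}
    n = len(hosts)
    # Which non-Microsoft products drive the count (Flash, Reader, Java ...).
    products = Counter(sel[2] for sel in selected if not sel[4])
    return {
        "workstations": n,
        "microsoft_per_workstation": round(microsoft / n, 1),
        "non_microsoft_per_workstation": round(non_microsoft / n, 1),
        "all_per_workstation": round(len(selected) / n, 1),
        "pct_workstations_affected": round(100 * len(affected) / n),
        "top_non_microsoft_products": products.most_common(3),
    }


# Constructed sample: four workstations scanned, ws04 came back clean and
# ws02 has the same Flash finding reported twice.
SAMPLE_SCAN_EXPORT = """
host,severity,vendor,product,title
ws01,high,Adobe,Flash Player,Flash Player out of date
ws01,high,Adobe,Reader,Reader out of date
ws01,high,Microsoft,Windows,Missing operating system security update
ws01,medium,Oracle,Java,Java runtime out of date
ws02,high,Adobe,Flash Player,Flash Player out of date
ws02,high,Adobe,Flash Player,Flash Player out of date
ws02,high,Apple,QuickTime,QuickTime out of date
ws03,high,Microsoft,Office,Missing Office security update
"""
SAMPLE_HOSTS = ["ws01", "ws02", "ws03", "ws04"]

if __name__ == "__main__":
    for key, value in summarise(parse_findings(SAMPLE_SCAN_EXPORT), SAMPLE_HOSTS).items():
        print(f"{key}: {value}")
```

Lowering min_severity to "medium" pulls the Java finding into the count, which is the quickest way to see how much the audit's high-only cut-off hides; the product ranking at the end is what tells an IT shop which non-Microsoft package to put on a patching schedule first.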
An Unpatched Vulnerability Allowed a Security Breach at RSA, Costing the IT Security Company $66 Million to Remediate

RSA is an IT security company that sells several data security-related products to other companies to protect their data. One of its big products is the SecurID authentication product, a small piece of hardware which provides users with a code that changes every 30 to 60 seconds. This code, combined with the user's personal identification number, creates a unique one-time-use passcode that is used to positively identify the user and allow them access to the data. In March 2011, attackers gained access to RSA's network by sending e-mail attachments (Excel spreadsheets with an embedded Flash object) that exploited a vulnerability in Adobe Flash Player for which no patch was yet available; Adobe released the fix shortly after the attack was discovered, and workstations that were not then patched remained exposed to the same exploit. Using this foothold, the attackers stole confidential information from RSA, including information related to its SecurID authentication product, which undermined the protection the tokens provided to RSA's customers. To replace the compromised security products sold to customers, RSA reported that it spent $66 million as a result of this breach.

The three agencies that did not scan their workstations had the highest proportion of vulnerabilities. Based on agency results summarized in Figure 1-1, scanning appears to be an effective way to help ensure that workstation software is patched. Moreover, it is a relatively inexpensive option. For example, Agency 5 scans its workstations and servers on a quarterly basis for about $400 a year and had the lowest number of vulnerabilities per workstation.

All five agencies could make some minor improvements to their patching process. All agencies were taking steps to patch their workstations, but none of the agencies had a comprehensive patching policy covering all of their current patching practices. In addition to lacking policy, two of the five agencies did not test the patches they installed to ensure they ran correctly, and one agency did not keep a log of all patches they installed on their workstations.
Agencies Had Few Problems with Unauthorized Software, But Two Still Need To Improve Their Process

As discussed in the Overview, controlling unauthorized software is important to make it easier to identify and minimize vulnerabilities. We looked for two general approaches that agencies could use to prevent unauthorized software:
- Deny users administrative rights and have a policy that prohibits installing unauthorized software. This is the strongest approach because without administrative rights, there is very little a user can install on their workstation.
- Allow users administrative rights, but adopt appropriate safeguards. These safeguards include having a policy that prohibits installing unauthorized software, adopting a formal approval process for new software installations, and periodically scanning workstations to monitor for potential abuse by employees.

To evaluate how well agency officials controlled unauthorized software, we looked at the software installed on workstations using the same scan that identified vulnerabilities. We identified software that we thought may not have a reason to be installed on workstations, but had agency officials determine if it was allowable or not.

None of the agencies had significant numbers of unauthorized software relative to the total number of software applications installed. Through our scans, we found that the five agencies' workstations had only a handful of software applications that were unauthorized. Examples of unauthorized software included Coupon Printer for Windows, My Photo Adventure, Amazon Kindle, Yahoo Messenger, and TurboTax. Figure 1-2 below shows the instances of unauthorized software per workstation for each agency. Agency officials told us that they have since uninstalled, or intend to uninstall, almost all of these software applications.

Figure 1-2: Software Scan Results and Preventing Unauthorized Software Policy and Practice By Agency
(The yes/no marks in this table did not survive extraction. Columns: Have a Policy Preventing Unauthorized Software? | Restrict Administrative Rights? | Have a Software Approval Process? | Scan for Software? | Instances of Unauthorized Software Per Workstation.)
Agency A: 0.25 instances per workstation
Agency B: 0.14 instances per workstation
Agency C: 0.02 instances per workstation (one safeguard column marked N/A)
Agency D: 0.00 instances per workstation (one safeguard column marked N/A)
Agency E: 0.00 instances per workstation (one safeguard column marked N/A)
Source: LPA analysis of software scans and agency practice.

The two agencies with the most software problems allowed users to have administrative rights on their workstations without appropriate safeguards. As Figure 1-2 shows, both Agency A and Agency B allow most of their users to have administrative rights on their workstations. As we noted earlier, this is an acceptable practice, provided the agency adopts the appropriate safeguards (strong policies, a formal process for adding software, and periodic scans). However, neither agency scans workstations, and as a result they had the most unauthorized software (0.25 instances per workstation for Agency A; 0.14 instances per workstation for Agency B). The other three agencies (C, D, and E) restricted administrative rights for most users and had a policy prohibiting unauthorized software. Agency C did have some pieces of unauthorized software. According to agency officials, these were add-ons that were accidentally included during authorized software installations. For example, Apple iTunes was inadvertently installed when they installed another Apple product, QuickTime.

All five agencies could make minor improvements in how they standardize and track software. Standardizing and consistently tracking software would not necessarily prevent users from installing unauthorized software, but it should make it easier for IT staff to identify and remove any unauthorized software. We found that none of the agencies had a comprehensive software policy covering all of their current software practices, and only two were using a standardized system image and inventorying all of their software.

Conclusion

State agencies make enticing targets for hackers because of the wide range of sensitive information they maintain. Typically, agencies focus on perimeter and gateway defenses such as firewalls, anti-virus programs, and spam filtering to protect their networks. But unintentional or malicious acts from inside state government are potentially just as dangerous as external breaches. A significant threat to securing agency data is failure to comply with basic security procedures such as installing software patches and controlling the software on computers. The agencies we reviewed had taken steps to patch software on their workstations and to prevent unauthorized software. However, several agencies still had a significant number of vulnerabilities because of missing software patches, vulnerabilities that potentially could be exploited to gain access to sensitive data. Periodic network scans are a low-cost, highly effective tool for identifying these vulnerabilities. For the agencies we looked at, those that scanned their networks had very few vulnerabilities, while those that did not scan had a lot.

Recommendations for Executive Action

To ensure all software on workstations is patched and authorized, the five agencies we reviewed should implement all recommendations provided to them in their respective confidential reports.
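The unauthorized-software check described in the preceding section (compare what is installed on each workstation against what the agency has approved, and report instances per workstation as Figure 1-2 does) can be scripted against a software inventory. The Python script below is an added example, not code from the audit; the inventory rows, the approved list, the publisher names and the display-name normalisation rule are constructed assumptions. On Windows workstations the inventory would normally come from the registry Uninstall keys or from the vulnerability scanner's installed-software list. The script also separates out the Agency C situation: a product that is not approved but comes from a publisher whose other product is, which usually means a bundled add-on rather than a user installation.

```python
"""Flag software that is not on an agency's approved list, from a
per-workstation inventory, and report instances per workstation.

Added example. The inventory, approved list and normalisation rule are
constructed assumptions, not data or code from the Kansas audit.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

_VERSION_TOKEN = re.compile(r"^v?\d+(\.\d+)*$", re.IGNORECASE)
_ARCH_TOKENS = {"x64", "x86", "64-bit", "32-bit"}


def normalise_name(display_name: str) -> str:
    """Lower-case a display name and drop trailing version/architecture tokens,
    so "Adobe Reader 9.4.6" and "Adobe Reader 10.1.1 (x64)" compare equal."""
    name = re.sub(r"\([^)]*\)", " ", display_name)  # drop parenthesised build info
    tokens = name.lower().split()
    while tokens and (_VERSION_TOKEN.match(tokens[-1]) or tokens[-1] in _ARCH_TOKENS):
        tokens.pop()
    return " ".join(tokens)


@dataclass(frozen=True)
class InstalledProgram:
    host: str
    publisher: str
    display_name: str


@dataclass(frozen=True)
class Verdict:
    host: str
    display_name: str
    note: str  # empty, or a hint that the package may be a bundled add-on


def _key(publisher: str, name: str) -> tuple[str, str]:
    return (publisher.strip().lower(), normalise_name(name))


def review_inventory(inventory: Iterable[InstalledProgram],
                     approved_list: Iterable[tuple[str, str]],
                     scanned_hosts: Iterable[str]) -> dict:
    """Return the unauthorized instances, the per-host counts and the
    instances-per-workstation rate. Hosts with nothing unauthorized still
    count in the denominator."""
    approved = {_key(p, n) for p, n in approved_list}
    approved_publishers = {p for p, _ in approved}
    inventory = list(inventory)
    unauthorized: list[Verdict] = []
    for item in inventory:
        key = _key(item.publisher, item.display_name)
        if key in approved:
            continue
        note = ("same publisher as an approved product: check for a bundled install"
                if key[0] in approved_publishers else "")
        unauthorized.append(Verdict(item.host, item.display_name, note))
    hosts = set(scanned_hosts) | {i.host for i in inventory}
    return {
        "unauthorized": unauthorized,
        "per_host": Counter(v.host for v in unauthorized),
        "instances_per_workstation": round(len(unauthorized) / len(hosts), 2),
    }


# Constructed sample agency: four workstations, three with something extra.
SAMPLE_INVENTORY = [
    InstalledProgram("ws01", "Microsoft Corporation", "Microsoft Office Professional Plus 2010"),
    InstalledProgram("ws01", "Adobe Systems Incorporated", "Adobe Reader 9.4.6"),
    InstalledProgram("ws01", "Coupons.com Inc.", "Coupon Printer for Windows"),
    InstalledProgram("ws02", "Microsoft Corporation", "Microsoft Office Professional Plus 2010"),
    InstalledProgram("ws02", "Apple Inc.", "Apple QuickTime 7.7"),
    InstalledProgram("ws02", "Apple Inc.", "iTunes 10.5"),
    InstalledProgram("ws03", "Microsoft Corporation", "Microsoft Office Professional Plus 2010"),
    InstalledProgram("ws03", "Adobe Systems Incorporated", "Adobe Reader 10.1.1 (x64)"),
    InstalledProgram("ws03", "Yahoo! Inc.", "Yahoo! Messenger"),
    InstalledProgram("ws04", "Microsoft Corporation", "Microsoft Office Professional Plus 2010"),
]
APPROVED_SOFTWARE = [
    ("Microsoft Corporation", "Microsoft Office Professional Plus"),
    ("Adobe Systems Incorporated", "Adobe Reader"),
    ("Apple Inc.", "Apple QuickTime"),
]
SAMPLE_HOSTS = ["ws01", "ws02", "ws03", "ws04"]

if __name__ == "__main__":
    result = review_inventory(SAMPLE_INVENTORY, APPROVED_SOFTWARE, SAMPLE_HOSTS)
    for v in result["unauthorized"]:
        print(f"{v.host}: {v.display_name} {('(' + v.note + ')') if v.note else ''}")
    print("instances per workstation:", result["instances_per_workstation"])
```

The approved list is keyed on publisher plus normalised product name rather than on the exact display string, because the same approved product shows up under many version-suffixed names across a fleet and an exact-match allowlist would flag every upgrade as unauthorized. The "bundled install" note is a hint for the reviewer, not a verdict: the package still has to be removed or approved, but the follow-up is with the installer, not with the user.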
APPENDIX A
Scope Statement

This appendix contains the scope statement for this audit of selected information technology security controls. This audit was conducted as part of the ongoing information system security audit work authorized by the Legislative Post Audit Committee.

State Agency Information Systems: Reviewing Selected Systems Operation Controls in State Agencies

Each year, many State agencies collect and process sensitive and confidential data in their computer systems. One major responsibility for these agencies is to safeguard that data through the implementation of adequate security controls. Those controls include keeping agency computer networks up to date with security patches and controlling the software staff can install on their computers. Missing security patches and use of unauthorized software increase the risk that sensitive agency information could be compromised by allowing outsiders access to agency systems and networks. Currently, there is limited oversight of agencies' security controls to monitor whether these security risks are adequately managed.

The Legislative Post Audit Committee approved information system audits as an adjunct to the Division's compliance and control audits. This information system audit provides an overview of agencies' policies and procedures related directly to protecting agency computers from known vulnerabilities and unauthorized software. An information security audit in this area would answer the following question:

1. Do selected State agencies adequately manage software installed on staff laptops and desktops?

For a sample of agencies, we would review policies and procedures related to downloading and installing software, and installing security patches on agency operating systems and applications. Specifically, we would determine the extent to which agency staff are given administrative rights to install software on their computers, and whether agencies have an automated process for patching computers. We would also determine how well agency policies and procedures are being followed in practice by performing a vulnerability scan on staff laptops and desktops to identify missing security patches and unauthorized software applications. For any problems or deficiencies we found, we would attempt to determine the cause by conducting interviews with agency officials and staff, and by reviewing agency documents. We would perform additional work in this area as needed.

Estimated resources: 3 staff for 12 weeks (plus review)
APPENDIX B
Agency Responses

On October 26 we provided draft copies of the public and agency-specific confidential audit reports to the Kansas Department of Health and Environment, the Department of Commerce, the Kansas Secretary of State, the Kansas Insurance Department, and the Kansas Board of Emergency Medical Services. Because the responses from the audited agencies contained confidential information, we have summarized them below. The agencies generally concurred with the report's findings, conclusions, and recommendations, and many have already started addressing the recommendations.
More informationReport to the Public Accounts Committee on mitigation of cyber attacks. October 2013
Report to the Public Accounts Committee on mitigation of cyber attacks October 2013 REPORT ON MITIGATION OF CYBER ATTACKS Table of contents I. Introduction and conclusion... 1 II. How government bodies
More informationCyber Security Beginners Guide to Firewalls A Non-Technical Guide
Cyber Security Beginners Guide to Firewalls A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Multi-State Information Sharing and Analysis Center (MS-ISAC) U.S.
More informationPatch Management Policy
Patch Management Policy L2-POL-12 Version No :1.0 Revision History REVISION DATE PREPARED BY APPROVED BY DESCRIPTION Original 1.0 2-Apr-2015 Process Owner Management Representative Initial Version No.:
More informationEvaluation Report. Office of Inspector General
Evaluation Report OIG-08-035 INFORMATION TECHNOLOGY: Network Security at the Office of the Comptroller of the Currency Needs Improvement June 03, 2008 Office of Inspector General Department of the Treasury
More informationU.S. Department of Energy Office of Inspector General Office of Audits and Inspections
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report The Department's Configuration Management of Non-Financial Systems OAS-M-12-02 February 2012 Department
More informationAppalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2
Report No. 13-35 September 27, 2013 Appalachian Regional Commission Table of Contents Results of Evaluation... 1 Areas for Improvement... 2 Area for Improvement 1: The agency should implement ongoing scanning
More informationU.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report
U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Evaluation Report The Department's Unclassified Cyber Security Program - 2012 DOE/IG-0877 November 2012 MEMORANDUM FOR
More informationVulnerability Management. Information Technology Audit. For the Period July 2010 to July 2011
O L A OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA FINANCIAL AUDIT DIVISION REPORT Vulnerability Management Information Technology Audit For the Period July 2010 to July 2011 May 22, 2012 Report
More informationHoneywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014
Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Process Solutions (HPS) June 4, Industrial Cyber Security Industrial Cyber Security is the leading provider of cyber security
More informationU.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL
U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal
More informationSecurity survey in the United States
Security survey in the United States This document contains the results of a survey on network security in 455 small and medium sized businesses, conducted in the United States in October/November 2007.
More informationSpecific observations and recommendations that were discussed with campus management are presented in detail below.
CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California State University, San Bernardino Audit Report 14-55 March 18, 2015 EXECUTIVE SUMMARY OBJECTIVE
More informationCyber Security: Beginners Guide to Firewalls
Cyber Security: Beginners Guide to Firewalls A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers This appendix is a supplement to the Cyber Security: Getting Started
More informationHow To Protect Research Data From Being Compromised
University of Northern Colorado Data Security Policy for Research Projects Contents 1.0 Overview... 1 2.0 Purpose... 1 3.0 Scope... 1 4.0 Definitions, Roles, and Requirements... 1 5.0 Sources of Data...
More informationSRA International Managed Information Systems Internal Audit Report
SRA International Managed Information Systems Internal Audit Report Report #2014-03 June 18, 2014 Table of Contents Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives...
More informationOffice of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget
Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,
More informationIT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationU.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Evaluation Report The Department's Unclassified Cyber Security Program 2011 DOE/IG-0856 October 2011 Department of
More informationGuide to Vulnerability Management for Small Companies
University of Illinois at Urbana-Champaign BADM 557 Enterprise IT Governance Guide to Vulnerability Management for Small Companies Andrew Tan Table of Contents Table of Contents... 1 Abstract... 2 1. Introduction...
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationINFORMATION SECURITY California Maritime Academy
CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California Maritime Academy Audit Report 14-54 April 8, 2015 Senior Director: Mike Caldera IT Audit Manager:
More informationAudit Report. Management of Naval Reactors' Cyber Security Program
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report Management of Naval Reactors' Cyber Security Program DOE/IG-0884 April 2013 Department of Energy Washington,
More informationHIPAA Security COMPLIANCE Checklist For Employers
Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major
More informationSECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES
REQUIREMENT 6.1 TO 6.2 SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES 6.1 TO 6.2 OVERVIEW In accordance with Payment Card Industry Data Security Standards (PCI DSS) requirements, [company
More informationCommon Cyber Threats. Common cyber threats include:
Common Cyber Threats: and Common Cyber Threats... 2 Phishing and Spear Phishing... 3... 3... 4 Malicious Code... 5... 5... 5 Weak and Default Passwords... 6... 6... 6 Unpatched or Outdated Software Vulnerabilities...
More informationOffice of Inspector General Audit Report
Office of Inspector General Audit Report USMMA SECURITY CONTROLS WERE NOT SUFFICIENT TO PROTECT SENSITIVE DATA FROM UNAUTHORIZED ACCESS Maritime Administration Report Number: FI-2012-138 Date Issued: May
More informationCourse: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems
Course: Information Security Management in e-governance Day 1 Session 5: Securing Data and Operating systems Agenda Introduction to information, data and database systems Information security risks surrounding
More informationPresentation Objectives
Gerry Cochran, IT Specialist Jennifer Van Tassel, Associate Examiner Office of the State Comptroller Thomas P. DiNapoli State & Local Government Accountability Andrew A. SanFilippo Executive Deputy Comptroller
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationAchieving Compliance with the PCI Data Security Standard
Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),
More informationINTERNATIONAL TRADE ADMINISTRATION Improvements Are Needed to Strengthen ITA s Information Technology Security Program
INTERNATIONAL TRADE ADMINISTRATION Improvements Are Needed to Strengthen ITA s Information Technology Security Program FINAL REPORT NO. OIG-12-037-A SEPTEMBER 27, 2012 U.S. Department of Commerce Office
More informationLifecycle Solutions & Services. Managed Industrial Cyber Security Services
Lifecycle Solutions & Services Managed Industrial Cyber Security Services Around the world, industrial firms and critical infrastructure operators partner with Honeywell to address the unique requirements
More informationNetwork and Security Controls
Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting
More informationCapital District Vulnerability Assessment
Capital District Vulnerability Assessment Audit Report Report Number IT-AR-15-1 December 12, 214 These vulnerabilities expose the infrastructure to unauthorized remote access by potential attackers who
More informationNational Endowment for the Arts Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2. Exit Conference...
NEA OIG Report No. R-13-03 Table of Contents Results of Evaluation... 1 Areas for Improvement... 2 Area for Improvement 1: The agency should implement ongoing scanning to detect vulnerabilities... 2 Area
More informationAUDIT REPORT. Cybersecurity Controls Over a Major National Nuclear Security Administration Information System
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections AUDIT REPORT Cybersecurity Controls Over a Major National Nuclear Security Administration Information System DOE/IG-0938
More informationCybersecurity Health Check At A Glance
This cybersecurity health check provides a quick view of compliance gaps and is not intended to replace a professional HIPAA Security Risk Analysis. Failing to have more than five security measures not
More informationInformation Technology Security Review April 16, 2012
Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing
More informationPierce County Policy on Computer Use and Information Systems
Pierce County Policy on Computer Use and Information Systems Pierce County provides a variety of information technology resources such as computers, software, printers, scanners, copiers, electronic mail
More informationHIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries
More informationWellesley College Written Information Security Program
Wellesley College Written Information Security Program Introduction and Purpose Wellesley College developed this Written Information Security Program (the Program ) to protect Personal Information, as
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Enhanced Configuration Controls and Management Policies Can Improve USCG Network Security (Redacted) Notice: The Department of Homeland Security,
More informationIT Security Procedure
IT Security Procedure 1. Purpose This Procedure outlines the process for appropriate security measures throughout the West Coast District Health Board (WCDHB) Information Systems. 2. Application This Procedure
More informationCorporate Account Takeover (CATO) Risk Assessment
Corporate Account Takeover (CATO) Risk Assessment As a business, you want to be sure you have a strong process in place for monitoring and managing who has access to your ECorp services and how the information
More informationOn-Site Computer Solutions values these technologies as part of an overall security plan:
Network Security Best Practices On-Site Computer Solutions Brian McMurtry Version 1.2 Revised June 23, 2008 In a business world where data privacy, integrity, and security are paramount, the small and
More informationSupplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
More informationEPA Could Improve Processes for Managing Contractor Systems and Reporting Incidents
OFFICE OF INSPECTOR GENERAL Audit Report Catalyst for Improving the Environment EPA Could Improve Processes for Managing Contractor Systems and Reporting Incidents Report No. 2007-P-00007 January 11, 2007
More informationIntroduction. PCI DSS Overview
Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,
More informationTop five strategies for combating modern threats Is anti-virus dead?
Top five strategies for combating modern threats Is anti-virus dead? Today s fast, targeted, silent threats take advantage of the open network and new technologies that support an increasingly mobile workforce.
More informationUF IT Risk Assessment Standard
UF IT Risk Assessment Standard Authority This standard was enacted by the UF Senior Vice President for Administration and the UF Interim Chief Information Officer on July 10, 2008 [7]. It was approved
More informationNetwork Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201
Network Detective 2015 RapidFire Tools, Inc. All rights reserved V20150201 Contents Purpose of this Guide... 3 About Network Detective... 3 Overview... 4 Creating a Site... 5 Starting a HIPAA Assessment...
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Improved Security Required for U.S. Coast Guard Networks (Redacted) Notice: The Department of Homeland Security, Office of Inspector General,
More informationAIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
More informationJuly 6, 2015. Mr. Michael L. Joseph Chairman of the Board Roswell Park Cancer Institute Elm & Carlton Streets Buffalo, NY 14263
July 6, 2015 Mr. Michael L. Joseph Chairman of the Board Roswell Park Cancer Institute Elm & Carlton Streets Buffalo, NY 14263 Re: Security Over Electronic Protected Health Information Report 2014-S-67
More informationSECURING YOUR SMALL BUSINESS. Principles of information security and risk management
SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and
More informationA Decision Maker s Guide to Securing an IT Infrastructure
A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose
More informationRemote Deposit Terms of Use and Procedures
Remote Deposit Terms of Use and Procedures Use of American National Bank Fox Cities (Bank) Remote Deposit service is subject to the following Terms of Use and Procedures. Bank reserves the right to update
More informationU.S. Department of Energy Office of Inspector General Office of Audits and Inspections
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report Management of Los Alamos National Laboratory's Cyber Security Program DOE/IG-0880 February 2013 Department
More informationCommissioners Irving A. Williamson, Chairman Daniel R. Pearson Shara L. Aranoff Dean A. Pinkert David S. Johanson Meredith M.
The U.S. International Trade Commission is an independent, nonpartisan, quasi-judicial federal agency that provides trade expertise to both the legislative and executive branches of government, determines
More informationTEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL
TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for
More informationCritical Security Controls
Critical Security Controls Session 2: The Critical Controls v1.0 Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter The Critical Security Controls The Critical Security
More informationVulnerability Scanning and Patch Management
Vulnerability Scanning and Patch Management Vulnerability Scanning and Patch Management Security vulnerabilities remain amongst the most disruptive and damaging types of problem experienced in real-world
More informationUniversity System of Maryland University of Maryland, College Park Division of Information Technology
Audit Report University System of Maryland University of Maryland, College Park Division of Information Technology December 2014 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND
More informationSupplier IT Security Guide
Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA
More informationABB s approach concerning IS Security for Automation Systems
ABB s approach concerning IS Security for Automation Systems Copyright 2006 ABB. All rights reserved. Stefan Kubik stefan.kubik@de.abb.com The problem Most manufacturing facilities are more connected (and
More informationManaging Business Risk
Managing Business Risk With Assurance Report Cards April 7, 2015 Table of Contents Introduction... 3 Cybersecurity is a Business Issue... 3 Standards, Control Objectives and Controls... 5 Standards and
More informationServer Management-Scans & Patches
THE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES Server Management-Scans & Patches Report No. 14-11 OFFICE OF INTERNAL AUDITS THE UNIVERSITY OF TEXAS - PAN AMERICAN 1201 West
More informationNetwork and Workstation Acceptable Use Policy
CONTENT: Introduction Purpose Policy / Procedure References INTRODUCTION Information Technology services including, staff, workstations, peripherals and network infrastructures are an integral part of
More informationCyber Security, Fraud and Corporate Account Takeovers LBA Bank Counsel Conference December 2014
Cyber Security, Fraud and Corporate Account Takeovers LBA Bank Counsel Conference December 2014 Lisa D. Traina, CPA, CITP, CGMA Lisa Traina utilizes her 30+ years of experience as a CPA, CITP and CGMA
More informationIn-House Vs. Hosted Email Security. 10 Reasons Why Your Email is More Secure in a Hosted Environment
In-House Vs. Hosted Email Security 10 Reasons Why Your Email is More Secure in a Hosted Environment Introduction Software as a Service (SaaS) has quickly become the standard delivery model for critical
More informationCyber Self Assessment
Cyber Self Assessment According to Protecting Personal Information A Guide for Business 1 a sound data security plan is built on five key principles: 1. Take stock. Know what personal information you have
More informationRunning A Fully Controlled Windows Desktop Environment with Application Whitelisting
Running A Fully Controlled Windows Desktop Environment with Application Whitelisting By: Brien M. Posey, Microsoft MVP Published: June 2008 About the Author: Brien M. Posey, MCSE, is a Microsoft Most Valuable
More informationLegislative Audit Division State of Montana
Legislative Audit Division State of Montana June 2006 Report to the Legislature Information System Audit Montana State University Electronic Research Data Security Montana State University This report
More informationWhite Paper. Information Security -- Network Assessment
Network Assessment White Paper Information Security -- Network Assessment Disclaimer This is one of a series of articles detailing information security procedures as followed by the INFOSEC group of Computer
More informationINADEQUATE SECURITY PRACTICES EXPOSE KEY NASA NETWORK TO CYBER ATTACK
MARCH 28, 2011 AUDIT REPORT OFFICE OF AUDITS INADEQUATE SECURITY PRACTICES EXPOSE KEY NASA NETWORK TO CYBER ATTACK OFFICE OF INSPECTOR GENERAL National Aeronautics and Space Administration REPORT NO. IG-11-017
More informationSECURITY CONSIDERATIONS FOR LAW FIRMS
SECURITY CONSIDERATIONS FOR LAW FIRMS Enterprise Risk Management Professional consulting firm that specializes in cyber security Founded in 1998 in Miami, Florida Serves more than 150 clients, locally,
More informationPolicy Title: HIPAA Security Awareness and Training
Policy Title: HIPAA Security Awareness and Training Number: TD-QMP-7011 Subject: HIPAA Security Awareness and Training Primary Department: TennDent/Quality Monitoring/Improvement Effective Date of Policy:
More informationINFORMATION SECURITY PROGRAM
Approved 1/30/15 by Dr. MaryLou Apple, President MSCC Policy No. 1:08:00:02 MSCC Gramm-Leach-Bliley INFORMATION SECURITY PROGRAM January, 2015 Version 1 Table of Contents A. Introduction Page 1 B. Security
More informationMIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)
MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...
More informationHIPAA Compliance Evaluation Report
Jun29,2016 HIPAA Compliance Evaluation Report Custom HIPAA Risk Evaluation provided for: OF Date of Report 10/13/2014 Findings Each section of the pie chart represents the HIPAA compliance risk determinations
More informationInformation Security Policy
Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems
More informationHUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE
PERFORMANCE AUDIT OF HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE DEPARTMENT OF CIVIL SERVICE July 2004 ...The auditor general shall conduct post audits of financial transactions and accounts
More information