Network Security Management Phase 2 Performance Audit


Network Security Management Phase 2 Performance Audit
July 2012
Office of the Auditor, Audit Services Division
City and County of Denver
Dennis J. Gallagher, Auditor

The Auditor of the City and County of Denver is independently elected by the citizens of Denver. He is responsible for examining and evaluating the operations of City agencies for the purpose of ensuring the proper and efficient use of City resources and providing other audit services and information to City Council, the Mayor and the public to improve all aspects of Denver's government. He also chairs the City's Audit Committee.

The Audit Committee is chaired by the Auditor and consists of seven members. The Audit Committee assists the Auditor in his oversight responsibilities of the integrity of the City's finances and operations, including the integrity of the City's financial statements. The Audit Committee is structured in a manner that ensures the independent oversight of City operations, thereby enhancing citizen confidence and avoiding any appearance of a conflict of interest.

Audit Committee: Dennis Gallagher, Chair; Maurice Goodgaine; Leslie Mitchell; Rudolfo Payan; Robert Bishop; Jeffrey Hart; Timothy O'Brien, Co-Chair

Audit Staff: Audrey Donovan, Deputy Director, CIA, CRMA; Stephen E. Coury, IT Audit Supervisor, CISA; Roman Bukhtiyar, Senior IT Auditor, CISA; Ketki Dhamanwala, Senior IT Auditor, CIA, CISA

You can obtain copies of this report by contacting us at: Office of the Auditor, 201 West Colfax Avenue, Department 705, Denver, CO, (720) Fax (720) Or download and view an electronic copy by visiting our website at:

City and County of Denver
201 West Colfax Avenue, Department 705
Denver, Colorado
Dennis J. Gallagher, Auditor

July 19, 2012

Mr. Chuck Fredrick, Chief Information Officer
Technology Services
City and County of Denver

Dear Mr. Fredrick:

Attached is the Auditor's Office Audit Services Division's report of their audit of Network Security Management Phase 2. This report summarizes the second and final phase of our audit of the City's data network that is managed by the Technology Services Department. The purpose of the audit was to determine whether the City's data network is protected from unauthorized access and whether controls are effective in protecting network confidentiality, integrity, and availability.

I am concerned that portions of our data network are vulnerable to attack or abuse that are neither prevented nor detected. I know that you share my concerns, as I understand that you have already taken corrective actions to eliminate some of the risks we identified, and that you have plans to address those that require more time to resolve.

A common theme in both phases of our audit is that periodic user security awareness training is key to helping all our employees know the role they have in protecting the City's data. Your challenge in establishing an information security governance program will be to ensure that the controls you have in place continue to operate as intended. So many times we have the best of intentions, only to find that a control we thought was working has become obsolete or has evaporated into the ether. We must remain diligent in ensuring we are always protecting the City's information.

On a final note, as you consider the benefits of cloud computing for the City, please see our short treatise on Cloud Computing Considerations in this report. I think you will find it supports a careful and thoughtful approach to this new era of computing.

If you have any questions, please call Kip Memmott, Director of Audit Services, at

Sincerely,

Dennis J. Gallagher
Auditor

DJG/sec

To promote open, accountable, efficient and effective government by performing impartial reviews and other audit services that provide objective and useful information to improve decision making by management and the people. We will monitor and report on recommendations and progress towards their implementation.

cc: Honorable Michael Hancock, Mayor
Honorable Members of City Council
Members of Audit Committee
Ms. Janice Sinden, Chief of Staff
Ms. Stephanie O'Malley, Deputy Chief of Staff
Ms. Cary Kennedy, Deputy Mayor, Chief Financial Officer
Ms. Beth Machann, Controller
Mr. Doug Friednash, City Attorney
Ms. Janna Bergquist, City Council Executive Staff Director
Mr. L. Michael Henry, Staff Director, Board of Ethics
Mr. Ethan Wain, Deputy Chief Information Officer

City and County of Denver
Dennis J. Gallagher, Auditor
201 West Colfax Avenue, Department 705
Denver, Colorado

AUDITOR'S REPORT

We have completed an audit of Network Security Management Phase 2. This report summarizes the second and final phase of our audit of the City's data network that is managed by the Technology Services Department. The purpose of the audit was to determine whether the City's data network is protected from unauthorized access and whether controls are effective in protecting network confidentiality, integrity, and availability.

This performance audit is authorized pursuant to the City and County of Denver Charter, Article V, Part 2, Section 1, General Powers and Duties of Auditor, and was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

The findings from the second phase not only reinforce the information security governance issues identified in the first phase, but further highlight a disturbing concern that key information security controls are not operating as a result of gaps in Information Technology (IT) Governance. Specifically, the Technology Services Department is insufficiently staffed, which places an over-reliance on key personnel; key policies and procedures have not been developed; and there is a low process maturity environment where critical processes are ad hoc and disorganized. This condition results in a security environment where portions of the City network are vulnerable to attack or abuse that are neither prevented nor detected.

The Chief Information Officer has recognized the gravity of the issues identified in both our Phase 1 and Phase 2 audit reports and has already taken actions to eliminate or mitigate some of the risks identified. Where risk mitigation requires a more strategic solution, the Chief Information Officer has responded that he will develop appropriate plans to reduce the identified risks.

We extend our appreciation to the Chief Information Officer and his staff who assisted and cooperated with us during the audit.

Audit Services Division
Kip Memmott, MA, CGAP, CRMA
Director of Audit Services

TABLE OF CONTENTS
EXECUTIVE SUMMARY 1
INTRODUCTION & BACKGROUND 2
  Information Technology Governance 2
  Process Maturity Model 3
  Defense in Depth and Basic Controls 3
SCOPE 5
OBJECTIVE 5
METHODOLOGY 5
FINDING 8
  City Network Vulnerable to Attack or Abuse Due to Gaps in IT Governance and Low Process Maturity 8
RECOMMENDATIONS 13
OTHER PERTINENT INFORMATION 15
  Cloud Computing Considerations 15
APPENDICES 17
  Appendix A Network Security Management Phase 1 Performance Audit 17
  Appendix B News Story of Virus Impacting a Federal Agency 50
AGENCY RESPONSE 52

EXECUTIVE SUMMARY

This report summarizes the second and final phase of our audit of the City and County of Denver's network security. 1 The findings from the second phase not only reinforce the information security governance issues identified in the first phase, but further highlight a disturbing concern that key information security controls are not operating as a result of gaps in Information Technology (IT) Governance. Specifically, the Technology Services Department is insufficiently staffed, which places an over-reliance on key personnel; key policies and procedures have not been developed; and there is a low process maturity environment where critical processes are ad hoc and disorganized. 2 This condition results in a security environment where portions of the City network are vulnerable to attack or abuse that are neither prevented nor detected. This indicates that IT governance needs to be strengthened not only in the risk management domain, but also in the resource management domain. 3

Examples of specific weaknesses include the following:
- Six of ten essential information security duties are not being performed
- Antivirus controls are not always effective in preventing malware from entering the system or from being saved and backed up on network storage
- Key information security policies are missing or outdated
- Network admission controls do not detect unauthorized devices
- Portions of the City network are vulnerable to attack or abuse
- The general public has inappropriate access to portions of the City's internal data network

On a positive note, the audit identified areas where controls have been implemented and are especially strong. Specifically, change control over firewalls and routers is automated and at a high process maturity. Additionally, authentication controls over administrative access to both firewalls and routers are strong.

Lastly, with respect to the Technology Services strategy to take advantage of cloud computing, the department still needs to significantly develop and increase the maturity of its information security posture in preparation for the implementation of a cloud computing delivery strategy. Our thoughts on the City's preparedness for cloud computing can be found in Other Pertinent Information, Cloud Computing Considerations.

1 The audit scope is limited to the portions of the network specifically managed by the Technology Services Department. Refer to the Introduction & Background of the Phase 1 report contained in Appendix A, Network Security Management Phase 1 Performance Audit, for additional details.
2 Please see the Introduction & Background section of this report for more information on the Process Maturity Model.
3 Please see the Introduction & Background section of this report for more information on IT governance domains.

Page 1 Office of the Auditor

INTRODUCTION & BACKGROUND

Information Technology Governance

The overall governance of the City includes several disciplines, of which Information Technology (IT) is a significant part. Accordingly, the governance of IT is not the sole responsibility of one agency, but rather a collaborative effort between the City's top leadership, i.e., the Mayor and City Council, working closely with the leadership of the IT organization. The Technology Services Department is responsible for managing IT risks and determining which resources are necessary to mitigate those risks. However, the City's top leadership has ultimate authority over IT resources. Accordingly, when City leadership is faced with financial challenges, budget decisions should include consideration of the IT risk impact that may result from those choices.

A role of the Chief Information Officer (CIO) as the IT leader is to advise the Mayor and City Council on the IT risks threatening the City's network so that management may make informed decisions regarding risks and the resources to mitigate those risks. When presented with IT risks, City leadership has the option to mitigate those risks by implementing controls, to transfer risks, such as through insurance, or to accept risks through formal acknowledgement. If there are significant IT risks that the City cannot mitigate or transfer, the acceptance of that risk must come from an appropriate level of authority, the City's top leadership, and be disclosed to stakeholders and citizens.

IT Governance Domains

IT governance consists of the five major domains of strategic alignment, value delivery, risk management, resource management, and performance measurement. 4 Two areas of concern in this audit are risk management and resource management.

Risk Management

The risk management domain addresses the safeguarding of IT assets and disaster recovery. Risk management also includes regular self-testing to ensure established controls are operating as intended and continuous assessment of emerging risks in light of an ever-changing threat landscape.

4 Board Briefing on IT Governance, 2nd Edition, IT Governance Institute.

City and County of Denver Page 2

Risk management concerns are raised in both phases of this audit. The phase one report is included in Appendix A.

Resource Management

The resource management domain addresses optimizing IT knowledge and infrastructure, in particular people, technology tools, and the management of outsourced services. It is the resource management domain that promotes workforce planning for adequate staffing and training in order to retain skilled IT staff. Resource management also includes aligning the IT budget to support business operations. Resource management concerns are raised in this second phase of the audit.

Process Maturity Model

The degree to which an organization can effectively manage its IT risk depends largely on the maturity of its IT governance system. The maturity level can be determined by evaluating the organization's key information security policies, standards, and procedures against an industry standard IT governance maturity model, or process maturity model. As illustrated below, the model establishes a method to rank a process along a six-point scale ranging from 0 Nonexistent to 5 Optimized.

0 Nonexistent: Management processes are not applied at all
1 Initial: Processes are ad hoc and disorganized
2 Repeatable: Processes follow a regular pattern
3 Defined: Processes are documented and communicated
4 Managed: Processes are monitored and measured
5 Optimized: Best practices are followed and automated

Information security controls need to be repeatedly verified over time to ensure they are continuing to operate as intended. Constantly monitoring the effectiveness of controls, such as through a manual or automated compliance program, is considered to be at maturity level 4. Processes that are automated and include an aspect of continuous improvement are at maturity level 5.

Defense in Depth and Basic Controls

Best practices promote the concept of defense in depth, or security in layers. Specifically, IT security programs should protect information through the use of multiple layers including physical, policy, and technical controls. Physical controls primarily protect access to computing equipment. Policy controls include all aspects of security, such as review of logs, compliance programs, and employee security awareness training. Technical controls are mostly automated and include firewalls, intrusion prevention appliances, and antivirus software. The technical controls should not be overly reliant on

limited defenses or overly dependent on a single person to review security alerts.

Physical Controls

Physical controls include the protection of physical access to facilities, the protection of network equipment within those facilities, and environmental (temperature and humidity) controls. As with all controls, physical controls must be regularly tested to ensure they are operating as intended.

Policy Controls

Information security policies are the basis for defining management's commitment and the organization's approach to managing information security. Information security policies must be reviewed periodically, as the rapid change in technology could render a policy inadequate to control the risk it was intended to prevent. Consider password length and complexity as a policy that has evolved over the years. Ten years ago, a four-digit password would have been considered adequate, but by today's standards a four-digit password would be considered weak and one that could be easily compromised. It is common today to see password requirements of eight characters with the inclusion of capital letters, numbers, and special characters, expiring every ninety days or so, and users reminded not to use easily guessed mnemonics, family or pet names, dates, or the names of sports teams or their mascots.

Technical Controls

Technical controls include some of the basic controls that most users are familiar with, such as antivirus software or system patching. Often these controls are automated and are assumed to be working properly. An important study of system intrusions and data breaches, the 2012 Data Breach Investigations Report, highlights that 97 percent of data breaches were avoidable through simple or intermediate controls. 5 The report also points out that the largest threat actions came from hacking and malware. 6 Hackers strive to get the most reward or benefit from the least amount of work or investment. The data show that an attacker will try the simplest techniques to break into a system before engaging more sophisticated techniques. This emphasizes the need for organizations to remain vigilant in providing basic controls, such as end user information security awareness training, antivirus software, network segmentation, and password protocols, and to engage in continuous monitoring to ensure that basic controls are operating as intended.

5 The 2012 Data Breach Investigations Report was prepared by the Verizon RISK team with cooperation from the United States Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting & Information Security Service, and the Police Central e-Crime Unit of the London Metropolitan Police. The report spans eight years and the breach database includes well over 2,000 breaches and information on greater than one billion compromised records.
6 In this report we will use the term malware to refer to computer software that is designed with malicious intent, such as computer viruses, Trojans, and spyware, which are intended to cause harm, disruption, or provide surreptitious access to computer resources and data.
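The password policy sketched under Policy Controls (eight or more characters, capital letters, numbers, special characters, rotation every ninety days, no easily guessed names, dates, teams or mascots) is the kind of rule that only protects anything when it is enforced by a technical control rather than left to the user. The following script, added here as an illustration and not part of the audit report or the City's tooling, evaluates a candidate password against that policy and reports every violation. The blocklist and the leetspeak substitution table are constructed assumptions standing in for the name and mascot list an organization would actually maintain; a real deployment would use a much larger list or a breach corpus.

```python
"""Evaluate a password against the policy described above: at least eight characters,
with capital letters, numbers and special characters, rotated roughly every ninety
days, and not an easily guessed mnemonic, name, date or team name. Added example;
the blocklist below is constructed for illustration, not the City's list."""
import re
import string
from datetime import date

# Constructed stand-in for the names, pets, teams and mascots an organization would
# maintain (assumption). Real deployments use a much larger list or a breach corpus.
BLOCKLIST = ("broncos", "rockies", "nuggets", "denver", "password", "fluffy")

# Undo common substitutions so "Br0nc0s!" is still recognised as "broncos".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})

# A four-digit year (19xx/20xx) or a six-to-eight-digit run such as 07192012.
_DATE_LIKE = re.compile(r"(19|20)\d{2}|\d{6,8}")


def blocklisted_word(pw: str):
    """Return the blocklisted word found in the normalised password, else None."""
    norm = pw.lower().translate(_LEET)
    for word in BLOCKLIST:
        if word in norm:
            return word
    return None


def looks_like_date(pw: str) -> bool:
    """True when the password embeds a year or a date-like digit run."""
    return _DATE_LIKE.search(pw) is not None


def evaluate(pw: str, min_len: int = 8) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append("shorter than %d characters" % min_len)
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    word = blocklisted_word(pw)
    if word:
        problems.append("contains blocklisted word '%s'" % word)
    if looks_like_date(pw):
        problems.append("contains a date or year")
    return problems


def rotation_overdue(last_set_iso: str, today_iso: str, max_days: int = 90) -> bool:
    """True when a password set on last_set_iso (YYYY-MM-DD) is older than max_days
    as of today_iso; this is the ninety-day expiry check from the policy."""
    last_set = date.fromisoformat(last_set_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_set).days > max_days


if __name__ == "__main__":
    for candidate in ("1234", "Br0nc0s!", "Denver2012!", "Tr0ub4dor&3"):
        print("%-14s -> %s" % (candidate, evaluate(candidate) or "passes"))
    print("rotation overdue:", rotation_overdue("2012-04-01", "2012-07-19"))
```

Note that "Br0nc0s!" satisfies every character-class rule and is still rejected, which is the point of the paragraph above: length and complexity rules alone do not stop the team-name and mascot passwords the policy warns against.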

Antivirus controls are especially important, since malware is one of the main attack vectors, or ways that systems are compromised. Earlier this year, the Washington Post (and other print and online sources) featured a story about a federal agency that was the victim of a computer virus outbreak that arrived via e-mail. The malware posed a high enough threat that the agency disconnected its computers from the network to prevent the malware from spreading to other agencies. 7 We contacted the affected agency directly to vet the accuracy of the news story. Although the agency has not publicly issued its own account of the incident, it did confirm the occurrence and that it was still under investigation.

SCOPE

This report summarizes the second and final phase of our audit of the segments of the City and County of Denver's Metropolitan Area Network that are managed by Technology Services, which excludes the portions of the network that are managed by other agencies, such as the Denver International Airport, Denver District Attorney's Office, and Denver County Courts. In accordance with Generally Accepted Government Auditing Standards (GAGAS), the reader should be aware that some details about information security weaknesses are considered sensitive security information and are not disclosed within this report. The details of all findings, however, have been presented to the City's Chief Information Officer. As part of our regular follow-up for audit issues, we will return at a future date to ensure that all findings have been addressed.

OBJECTIVE

The purpose of the audit was to determine whether the City's data network is protected from unauthorized access and whether controls are effective in protecting network confidentiality, integrity, and availability.

METHODOLOGY

We utilized several methodologies to achieve the audit objective. Our evidence gathering techniques included, but were not limited to, the following:
- Examining existing information security policies, procedures, and standards

7 Please see Appendix B, News Story of Virus Impacting a Federal Agency, to view the article.

- Consulting best practices standards for information security policies and procedures from sources such as the International Organization for Standardization publication Information technology, Security techniques, Code of practice for information security management (ISO 27002:2005); the National Institute of Standards and Technology special publication Recommended Security Controls for Federal Information Systems and Organizations (NIST SP 800-53); the Payment Card Industry Data Security Standard, Requirements and Security Assessment Procedures Version 2.0 (PCI DSS); and, as a point of local reference, the security policies of the State of Colorado Governor's Office of Information Technology (OIT)
- Consulting best practices for routing device configurations from organizations such as the Center for Internet Security (CIS), NIST, the National Security Agency (NSA), and an equipment manufacturer (Cisco)
- Consulting authoritative reports on data breaches such as Verizon's 2012 Data Breach Investigations Report
- Conducting interviews with Technology Services personnel to clarify our understanding of its network security processes
- Reviewing Technology Services organization charts and job descriptions to determine whether an information security management structure has been established
- Examining vulnerabilities associated with opportunistic cyber attacks, as well as those for advanced persistent threats (APT)
- Performing testing of the antivirus controls to determine whether the antivirus tool is effective in protecting the network against malware
- Examining the vulnerabilities associated with generic user IDs having e-mail accounts and the use of web-based e-mail
- Verifying the status of issues noted in the City's PCI self-assessment questionnaire and attestation of compliance to determine remediation progress
- Examining vulnerability scans to determine whether non-PCI portions of the network are susceptible to cyber threats
- Performing tests to determine whether technical controls are in place to enforce the City's remote access policy
- Reviewing the effectiveness of incident management policies and procedures
- Evaluating the effectiveness of the use of security information and event management (SIEM) software, particularly the Cisco Security Monitoring, Analysis and Response System (MARS) product
- Determining whether a strategy exists to replace MARS as the City's SIEM in light of the product's end-of-life announcement by the vendor

- Interviewing Technology Services management to verify whether essential information security duties are being performed
- Reviewing training records of key information security personnel to determine whether training is current
- Performing a physical security walkthrough of the data center to verify whether physical security, equipment protection, and environmental controls are adequate for critical firewalls and routers
- Reviewing network architecture diagrams to identify critical firewalls and routers
- Performing tests of critical firewall and router security settings with the Titania Nipper configuration analysis tool
- Testing change management and configuration backup controls for critical firewalls and routers using the SolarWinds Orion and Network Configuration Manager (Cirrus-NCM) tools
- Evaluating the password configuration settings for the City's Authentication, Authorization, and Accounting (AAA) protocol implemented through the Cisco Terminal Access Controller Access Control System Plus (TACACS+) server
- Verifying the list of users who have administrative access to firewalls and routers
- Evaluating staff competency to operate network software tools and explain network configuration settings
- Consulting best practices for cloud computing from organizations including the Cloud Security Alliance (CSA) and NIST

FINDING

City Network Vulnerable to Attack or Abuse Due to Gaps in IT Governance and Low Process Maturity

The results of our work from the second and final phase of this audit not only reinforce the information security governance issues identified in the first phase, but further highlight a disturbing concern that key information security controls are not operating as a result of gaps in Information Technology (IT) Governance. Specifically, the Technology Services Department is insufficiently staffed, which places an over-reliance on key personnel; key policies and procedures have not been developed; and there is a low process maturity environment where critical processes are ad hoc and disorganized. This condition results in a security environment where portions of the City network are vulnerable to attack or abuse that are neither prevented nor detected. This indicates that IT governance needs to be strengthened not only in the risk management domain, but also in the resource management domain. Examples of specific weaknesses follow.

Six of ten essential information security duties are not being performed

We identified ten essential information security duties that were being performed by personnel in Technology Services in order to ensure the proper functioning of security controls. Although subject matter experts should develop and document key information security duties, those duties should be performed by operations staff or automated. Contrary to best practice, six of the ten essential information security controls were being performed by subject matter experts, and their procedures were not documented or otherwise operationalized. As a result, these six controls ceased operating when the personnel performing them left the City workforce or were reassigned to different projects, and some have not been performed for eight to twelve months. For security reasons we have not listed the essential duties that are no longer being performed.

This condition illustrates the importance of resource management in the governance of information technology. The CIO should ensure that adequate qualified staffing exists to perform essential security tasks. Critical security tasks should be documented and transferred to network operations personnel to ensure that essential information security controls continue to operate in the event of staff turnover. In the event that employment market conditions significantly challenge the ability to maintain staffing, the CIO should consider outsourcing network security monitoring to ensure continuous monitoring of network security controls.

Antivirus controls are not always effective in preventing malware from entering the system or from being saved and backed up on network storage

To test the City's antivirus controls we attempted to introduce, after informing IT management about the test, a pseudo-malware file into the City network, both through e-mail and through a file transfer. The pseudo-malware file was not detected through either delivery method by the City's antivirus software, which should have triggered an alert if the file had been properly detected. 8 In the absence of proper detection controls or an alert, we were able to place the file on the City's network. Additionally, the file was successfully backed up and subsequently restored from network backups without prevention or detection of the pseudo-malware.

The outcome of our test illustrates an initial and a subsequent risk to the City's network. Not only can a potential attacker store malware undetected on the City's network, but the malware can be backed up and enabled for future use. If the malware were used in an attack on the City network and the initial attack was detected and stopped, the attacker may be able to subsequently restore the malware tools stored during backup and attempt the attack again.

We concluded that we were able to upload the pseudo-malware file due to the way the antivirus software was configured. We also identified several control points where the pseudo-malware could have been stopped, had the antivirus strategy been properly integrated between various system services, including backup and restore. We attempted the same test using a common e-mail system available to the public (Gmail). However, we were unsuccessful, since Gmail would not allow us to upload the pseudo-malware file. The City e-mail system, on the other hand, not only allowed the upload of the pseudo-malware file, but allowed us to e-mail it from one account to another account, save it on the network, have it backed up, and restore it on demand.

We were also able to store the pseudo-malware file through a common type of file transfer used by City employees when working outside of the City network and connecting through a secure connection. This test not only demonstrated the same antivirus weakness as our City e-mail system test, but it also highlighted the fact that the City's IT security policy is antiquated and relies on employees to abide by rules that are not enforced through technical controls. Specifically, the policy requires employees to sign a statement when they are hired that they will keep their personal computers free from malware before remotely connecting to the City network. Employees are not reminded of this agreement after they are hired. In the event that employees neglect to keep their home systems protected or choose not to pay for antivirus software, connecting remotely to the City's network from these computers poses a risk to the City.

8 The pseudo-malware file we utilized was an industry standard file that is used to test antivirus software. This file is commonly referred to as an EICAR file and is published by the European Institute for Computer Antivirus Research (EICAR). The file contains a special string of characters that all antivirus software will identify and raise an alert on when scanned. The file is safe, as it does not contain any malicious code. It is a file used to assure system owners that their antivirus software is active. If one is able to pass the file through systems, it is an indication that the antivirus software is not running or is configured incorrectly.
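The EICAR check described in footnote 8 is easy to repeat at each control point the finding names (the file share where the file was saved, the location a backup is restored to, the directory a file-transfer client drops into), and repeating it after every antivirus configuration change is the kind of self-testing the Risk Management section calls for. The script below is an added example, not the audit's own tooling. It assembles the standard 68-byte EICAR string from fragments (so that this source file is not itself the signature; per the EICAR specification the string must be the first 68 bytes of a file to be matched, which is an assumption about your scanner), writes it into each directory given on the command line, waits for the on-access scanner, and reports whether the file was blocked, removed, altered, or left intact. An intact, readable file is the "not detected" outcome the auditors observed.

```python
"""Probe whether antivirus intercepts the EICAR test file at a given control point
(a mapped file share, a mail attachment drop folder, a restored-backup directory).
Added example; not the audit's own tooling."""
import hashlib
import os
import sys
import tempfile
import time

# The 68-byte EICAR test string, assembled from fragments so that this script's own
# source is not itself the signature (assumption: your scanner matches the assembled
# file; per the EICAR specification the string must be the first 68 bytes of the file).
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-",
    "ANTIVIRUS-TEST-FILE!$H+H*",
)


def eicar_bytes() -> bytes:
    """Return the EICAR test file content (68 ASCII bytes)."""
    return "".join(_EICAR_PARTS).encode("ascii")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def probe_control_point(directory: str, settle_seconds: float = 2.0,
                        filename: str = "eicar_probe.com") -> dict:
    """Write the test file into `directory`, wait for on-access scanning, then check
    whether it is still there and unmodified. A correctly configured scanner either
    refuses the write, removes the file, or alters it; a readable, intact file means
    the control point is not protected."""
    payload = eicar_bytes()
    path = os.path.join(directory, filename)
    result = {"path": path, "written": False, "present": False,
              "intact": False, "verdict": ""}
    try:
        with open(path, "wb") as fh:
            fh.write(payload)
        result["written"] = True
    except OSError as exc:                       # on-access scanner refused the write
        result["verdict"] = "blocked on write (%s)" % exc.__class__.__name__
        return result
    time.sleep(settle_seconds)                   # give the scanner time to react
    try:
        with open(path, "rb") as fh:
            data = fh.read()
        result["present"] = True
        result["intact"] = sha256_hex(data) == sha256_hex(payload)
    except OSError:
        pass                                     # removed or quarantined
    if not result["present"]:
        result["verdict"] = "removed after write (quarantined)"
    elif not result["intact"]:
        result["verdict"] = "present but altered (cleaned or truncated)"
    else:
        result["verdict"] = "NOT DETECTED: test file readable and intact"
    try:
        os.remove(path)                          # housekeeping; ignore if already gone
    except OSError:
        pass
    return result


def probe_many(directories, settle_seconds: float = 2.0) -> list:
    """Run the probe over every control point and return the results, so that a gap
    in one stage (for example backup restore) shows up even when share scanning works."""
    return [probe_control_point(d, settle_seconds) for d in directories]


def probe_temp_dir() -> dict:
    """Convenience self-check against a fresh temporary directory on this host."""
    return probe_control_point(tempfile.mkdtemp(prefix="eicar_"), settle_seconds=0)


if __name__ == "__main__":
    targets = sys.argv[1:] or [tempfile.mkdtemp(prefix="eicar_")]
    for r in probe_many(targets):
        print("%-60s %s" % (r["path"], r["verdict"]))
```

Run it with the directories that stand in for each stage of the path the auditors exercised (for example a mounted share, a restore target, a file-transfer landing directory) and treat any "NOT DETECTED" line as a control point to fix. Backup and restore are tested by restoring a backup that contains the probe file into a scratch directory and then reading it with the same function; if the restored copy is intact, the backup chain is carrying the test file exactly as the finding describes.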

16 Should these home systems become compromised, they can serve as a conduit for malware to be introduced to the network. Technology currently exists to interrogate remote systems to determine if they are safe before allowing them to connect to the network. This type of technical control may prove more effective at preventing the introduction of malware onto the network than relying on employees to abide by the agreement they signed at the time of employment. Technology Services should revise the antivirus configurations to prevent the introduction of malware into the City network. The overall deployment of antivirus should be reviewed to prevent and detect the introduction of malware through the City s system, and during storage, backup and restore of data files. Technology Services should also adopt technical controls to interrogate remote systems to determine if they are safe before allowing them to connect to the network. Key information security policies are missing or outdated As a means to evaluate the maturity of the City s information security policies, we identified twelve key information security policies that are considered best practices and are accepted standards in the IT industry. The sources of the policies include the International Organization for Standardization publication Information technology Security techniques Code of practice for information security management (ISO 27002:2005), the National Institute of Standards and Technology special publication Recommended Security Controls for Federal Information Systems and Organizations (NIST SP800-53), the Payment Card Industry Data Security Standard (PCI DSS), and the State of Colorado Governor s Office of Information Technology security policies, which we used as a point of local reference. Of the twelve critical information security policies reviewed, eight were not incorporated into the City s overall security policy strategy. 
Although the City has defined twenty-one information security policies, fourteen of those have not been updated for more than two years. Table 1, Information Security Policy Analysis, shows which of the twelve critical policies have been adopted by the City and which have not. Of those that have been adopted, the table shows when the policy was defined and how well it was reviewed or kept current over the past ten years. For security reasons, the names of the policies are not included in the chart. However, some of the policies included in the list of twelve address areas such as risk assessment, security training and awareness, disaster recovery, physical security, acceptable use, wireless access, mobile computing and teleworking, social media, and incident response.

Table 1 - Information Security Policy Analysis

(Table not reproduced in this transcription. Columns include Priority. Legend: Policy is defined or updated; Policy has not been updated; Policy is missing; Policy not required.)

The priority column noted in Table 1 indicates the relative importance of the policy according to best practices. For items 3 and 8 in the table, two rows are shown for each, indicating that there were two defined policies addressing a similar topic. The City does not have eight of twelve critical information security policies in place to protect the network from malicious attack. Of the four policies that are in place, three have not been regularly evaluated or updated. This analysis supports the conclusions reached in the first phase of this audit, where we identified the need for an information security governance program that includes the development of information security policies.

Network admission controls do not detect unauthorized devices

The City does not have technical controls or policies in place to prevent the connection of unauthorized wireless routers to the City's internal network. We found a City agency that stores sensitive personal information as part of its daily operations. In order to better protect that information, the agency has a portion of its network segmented away from the City's internal network, thus creating a private network that can only be accessed by computers located physically within the agency. However, to meet one of its business needs, the agency from time to time uses two consumer / home grade wireless routers, connecting one to its private network and the other to the City's internal network. The agency has configured the routers similarly to how a consumer / home wireless network would be set up, with the router broadcasting its name, making it conveniently detectable by anyone with a mobile device such as a smart phone. These consumer / home grade routers also grant a connection to any device where the user has correctly entered the password; no user ID is required. In contrast, wireless access points supported by Technology Services employ rigorous security configurations that limit access to pre-authorized users, use strong session encryption, and do not broadcast their network name, to avoid advertising the wireless network's presence to the general public. Connecting consumer / home grade equipment to the City's network weakens the defense-in-depth controls, as the wireless routers rebroadcast the contents of both the agency's private network and the City's internal network, making both networks accessible outside of the intended physical access areas.

Technology Services should adopt technical controls, such as network admission controls (NAC), which can detect and prevent the connection of unauthorized wireless routers and other devices to the network. Further, policies prohibiting the attachment of unauthorized devices should be developed and communicated through periodic user security awareness training to educate agencies and users regarding the risks of attaching devices such as wireless routers to the network.

The general public has inappropriate access to portions of the City's internal data network

During the first phase of this audit, we performed site visits to various City facilities and tested for both wireless networks and computer connections that the general public could use to access the City's internal network. The connections we found could be used by an outsider to launch a cyber attack against the City's network from inside the network without having to contend with the defenses the City has in place to protect the network from an attack originating from the outside. For security reasons, we communicated those locations confidentially to Technology Services management and did not list them in the audit report.
In the second phase of this audit, we further examined whether there were any technical controls that Technology Services had available that could be used to mitigate the risk of inappropriate access by the general public through those previously identified connections. We found that Technology Services currently has the technical controls available to prevent those publicly accessible areas from accessing the City's internal data network. Access to the City's internal network should be limited to authorized persons in order to prevent a cyber attack from within the City network by outsiders. We recommended in the first phase of our audit that an information security governance program be put into place that would include the assessment of risks associated with various technology deployments, such as granting the public access to computers connected to the City network. Since this second phase of the audit further highlights the risk that these computers and connections could be used to launch an imminent cyber attack from within the City network, Technology Services should move expeditiously to segregate publicly accessible computers and connections from the City's internal network.
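As an added example of the detection side of the network admission control finding above (not a tool the City or the auditors are described as using), the script below checks DHCP lease records against an inventory of authorized assets and the network segments each may join. It flags unknown devices, such as a home-grade router plugged into the internal network, and authorized devices seen on a segment they are not permitted on, which is the public-access condition the report describes. The lease lines, the inventory, the segment names and the consumer-router OUI prefix are all constructed for the example; the OUI list in particular is a placeholder an operator would fill from the IEEE OUI registry.

```python
"""Flag network devices that are not in the authorized asset inventory.

Added example; not a control the audit report describes the City as having.
It reads DHCP lease records (constructed sample lines below), looks up each
device's MAC address in an inventory of authorized assets together with the
network segments each asset may join, and reports anything unknown or seen on a
segment it is not authorized for. The consumer-router OUI prefix list is a
placeholder an operator would fill from the IEEE OUI registry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str
    segment: str


# Constructed sample lease records: "<ip> <mac> <hostname> <segment>".
# The third record is a home-grade router plugged into the internal segment;
# the fourth is a public lobby kiosk that should only ever appear on "public".
SAMPLE_LEASES = """\
10.20.1.15  00:aa:bb:01:02:03  ws-finance-12  internal
10.20.1.16  00:aa:bb:01:02:04  ws-finance-13  internal
10.20.1.40  28:ab:cd:11:22:33  home-router    internal
10.30.5.9   00:aa:bb:09:09:09  kiosk-lobby-1  internal
10.40.2.17  00:aa:bb:01:02:05  ws-finance-14  private
"""

# Authorized inventory (constructed): MAC -> (asset name, segments it may join).
AUTHORIZED = {
    "00:aa:bb:01:02:03": ("ws-finance-12", {"internal"}),
    "00:aa:bb:01:02:04": ("ws-finance-13", {"internal"}),
    "00:aa:bb:01:02:05": ("ws-finance-14", {"private"}),
    "00:aa:bb:09:09:09": ("kiosk-lobby-1", {"public"}),
}

# Placeholder OUI prefixes (first three octets) for consumer router vendors.
# "28:ab:cd" is constructed for this example, not a real vendor assignment.
CONSUMER_ROUTER_OUIS = {"28:ab:cd"}

LEASE_RE = re.compile(
    r"^(\S+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)\s+(\S+)$", re.I
)


def parse_leases(text: str) -> list[Lease]:
    """Parse lease records; malformed lines raise rather than being skipped,
    so a logging format change cannot silently hide devices from the check."""
    leases = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = LEASE_RE.match(line)
        if not match:
            raise ValueError(f"unparseable lease record: {line!r}")
        ip, mac, hostname, segment = match.groups()
        leases.append(Lease(ip, mac.lower(), hostname, segment))
    return leases


def audit_leases(leases, inventory, router_ouis):
    """Return (mac, segment, reason) for every device that fails the check."""
    findings = []
    for lease in leases:
        entry = inventory.get(lease.mac)
        if entry is None:
            reason = "unknown device"
            if lease.mac[:8] in router_ouis:
                reason += " (vendor prefix associated with consumer routers)"
            findings.append((lease.mac, lease.segment, reason))
        else:
            name, allowed = entry
            if lease.segment not in allowed:
                findings.append((lease.mac, lease.segment,
                                 f"{name} authorized only for {sorted(allowed)}"))
    return findings


if __name__ == "__main__":
    for mac, segment, reason in audit_leases(parse_leases(SAMPLE_LEASES),
                                             AUTHORIZED, CONSUMER_ROUTER_OUIS):
        print(f"{mac} on {segment}: {reason}")
```

A check keyed on MAC addresses is a detection aid: it catches the accidental attachments the report describes and gives network operations a daily list to act on, but MAC addresses are easily changed, so it is not a substitute for the NAC enforcement in the recommendation, which authenticates a device before a port or wireless association is granted.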

Strong controls found for firewall and router change control and administrative access

On a positive note, the audit identified areas where controls have been implemented and are especially strong. Specifically, change control over firewalls and routers is automated and at a high process maturity. Further, authentication controls over administrative access to both firewalls and routers are strong.

RECOMMENDATIONS

Throughout the course of this audit we were continually reminded of the underlying cause for the lack of effective information security controls that serve to prevent or detect an attack or abuse of system vulnerabilities. At the conclusion of the first phase of this audit we recommended that the City's Chief Information Officer (CIO) establish an information security governance program. This will also aid in addressing the concerns noted in this final phase of the audit over missing and outdated information security policies. Additionally, at the conclusion of the first phase of this audit we recommended that the CIO ensure the information security governance program has the full support for authority and funding from the Mayor and City Council. Both of these recommendations were agreed to with an expected implementation date of October 15, As part of our follow-up process we will be addressing the recommendations provided in the first phase of this audit along with the following recommendations offered by the Auditor's Office to improve IT governance and process maturity.

1.1 The Chief Information Officer should strengthen the resource management governance domain within the Technology Services Department to ensure that adequate qualified staffing exists to perform essential security tasks. Critical security tasks should be documented and transferred to network operations personnel to ensure that essential information security controls continue to operate in the event of staff turnover.
In the event that employment market conditions significantly challenge the ability to maintain staffing, the CIO should consider outsourcing network security monitoring to ensure continuous monitoring of network security controls.

1.2 Technology Services should revise the antivirus configurations to prevent the introduction of malware into the City network. The overall deployment of antivirus should be reviewed to prevent and detect the introduction of malware through the City's system, and during storage, backup and restore of data files.

1.3 Technology Services should also adopt technical controls to interrogate remote systems to determine if they are safe before allowing them to connect to the network.

1.4 The Technology Services Department should adopt network admission control technologies in order to detect and prevent the attachment of unauthorized wireless routers to the City's network.

1.5 The Technology Services Department should communicate necessary information regarding security policies to end users through periodic user security awareness training to educate agencies and users about their role in protecting the City's network, including the risks of attaching devices such as wireless routers to the network.

1.6 The Technology Services Department should move expeditiously to segregate publicly accessible computers and connections from the City's internal network.

OTHER PERTINENT INFORMATION

Cloud Computing Considerations

One of the latest trends in modern computing is the adoption of vendor-provided service technologies collectively referred to as cloud computing. 9 The Technology Services Department has adopted a cloud first long term strategy and is in the early stages of evaluating cloud services for City technology needs. However, Technology Services needs to significantly enhance its cloud services selection criteria for information security, as cloud services pose their own types of security concerns. The growing interest in cloud computing can be attributed to the potential for financial economies of scale making cloud-based solutions more affordable than traditional computing models. Other reasons for interest in cloud computing come from the capability to utilize new hardware or software functionality that would be too cumbersome or expensive to develop with existing personnel and equipment. Cloud computing essentially entails renting an outside vendor's software and computers. For example, in a software as a service model, a vendor provides access to its software over the Internet on a subscription-type fee schedule. With subscription to the service, the customer gains quick access to software that can provide enhanced capabilities without having to buy new servers, hire new staff, or install software. On the other hand, the customer no longer has control of where the data and servers are located or how they are maintained. With these benefits, the customer gives up storing data on premises and maintaining the servers on which the data is stored. Sometimes the loss of control over the computing environment can pose information security risks. For example, in the non-cloud environment, the customer may know that only authorized individuals have access to their data center.
In a cloud environment, the customer may not have the right to know who has data center access, leaving the customer to trust that the service provider has strong security practices. By contrast, customers that currently have poor or weak information security practices may be able to significantly improve their security posture by utilizing a cloud service provider with strong security practices. As a result, customers must carefully evaluate their security requirements to ensure their security needs can be met by the cloud service provider. Customers should ensure their service agreements allow them the right to audit or otherwise verify that the service provider is indeed providing the security controls it claims to have in place. Cloud computing is at its early stages of development and is becoming more competitive as more service providers enter the market. It is possible the customer may wish to switch providers in the future as new capabilities become available or more affordable. An aspect that must be considered before entering into a cloud computing agreement is how the customer's data will be backed up and returned to the customer should they terminate their service. Of similar importance, the agreement must specify that the provider will destroy, and certify the destruction of, the customer's data it stored before the services were terminated. Situations could arise where the customer loses all of its previously stored data because provisions for data handling at the termination of service were not considered in advance.

City agencies use a request for proposal (RFP) process when seeking vendors to provide or bid on system solutions. The system requirements are specified in an RFP and vendors can competitively bid on providing their solutions. The bids are scored and the vendor best meeting all the criteria is selected. To help City agencies evaluate their security requirements, one of the first steps Technology Services took was to augment the RFP process to include criteria for evaluating cloud-based solutions. Our review of the initial cloud computing criteria for RFPs indicates that the information security criteria are rudimentary and do not sufficiently address basic information security concerns for cloud computing. The RFP criteria for cloud computing could be significantly enhanced by incorporating security considerations from the NIST guide Cloud Computing Synopsis and Recommendations and the Security Guidance for Critical Areas of Focus in Cloud Computing developed by the Cloud Security Alliance. 10,11 Responsibility and accountability for information security never transfers to a cloud service provider or to any third party, for that matter; it always remains with the City.

9 This discussion is intended as a high level summary of cloud computing. Please refer to Cloud Computing Synopsis and Recommendations (Special Publication ), published by the National Institute of Standards and Technology (NIST), for an explanation of cloud computing concepts, including security risks.
As a result, decisions to adopt cloud computing solutions must carefully consider the information security impact alongside other business considerations.

10 Ibid.

11 The Cloud Security Alliance is a member-driven organization, chartered with promoting the use of best practices for providing security assurance within Cloud Computing and with providing education on the uses of Cloud Computing.

APPENDICES

Appendix A - Network Security Management Phase 1 Performance Audit

Appendix B - News Story of Virus Impacting a Federal Agency

AGENCY RESPONSE

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile

More information

Cyber Security. An Executive Imperative for Business Owners. 77 Westport Plaza, St. Louis, MO 63416 p 314.439.4700 f 314.439.4799

Cyber Security. An Executive Imperative for Business Owners. 77 Westport Plaza, St. Louis, MO 63416 p 314.439.4700 f 314.439.4799 Cyber Security An Executive Imperative for Business Owners SSE Network Services www.ssenetwork.com 77 Westport Plaza, St. Louis, MO 63416 p 314.439.4700 f 314.439.4799 Pretecht SM by SSE predicts and remedies

More information

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current

More information

STATE OF NORTH CAROLINA

STATE OF NORTH CAROLINA STATE OF NORTH CAROLINA INFORMATION SYSTEMS AUDIT OFFICE OF INFORMATION TECHNOLOGY SERVICES INFORMATION TECHNOLOGY GENERAL CONTROLS OCTOBER 2014 OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA STATE AUDITOR

More information

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER 1 Agenda Audits Articles/Examples Classify Your Data IT Control

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

Cyber Security and Information Assurance Controls Prevention and Reaction NOVEMBER 2013

Cyber Security and Information Assurance Controls Prevention and Reaction NOVEMBER 2013 Cyber Security and Information Assurance Controls Prevention and Reaction 1 About Enterprise Risk Management Capabilities Cyber Security Risk Management Information Assurance Strategic Governance Regulatory

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

Five keys to a more secure data environment

Five keys to a more secure data environment Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational

More information

VA Office of Inspector General

VA Office of Inspector General VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Audit for Fiscal Year 2013 May 29, 2014 13-01391-72 ACRONYMS AND

More information

Chapter 1 The Principles of Auditing 1

Chapter 1 The Principles of Auditing 1 Chapter 1 The Principles of Auditing 1 Security Fundamentals: The Five Pillars Assessment Prevention Detection Reaction Recovery Building a Security Program Policy Procedures Standards Security Controls

More information

SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES

SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES REQUIREMENT 6.1 TO 6.2 SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES 6.1 TO 6.2 OVERVIEW In accordance with Payment Card Industry Data Security Standards (PCI DSS) requirements, [company

More information

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Improved Security Required For Transportation Security Administration Networks (Redacted) Notice: The Department of Homeland Security, Office

More information

DHHS Information Technology (IT) Access Control Standard

DHHS Information Technology (IT) Access Control Standard DHHS Information Technology (IT) Access Control Standard Issue Date: October 1, 2013 Effective Date: October 1,2013 Revised Date: Number: DHHS-2013-001-B 1.0 Purpose and Objectives With the diversity of

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

SRA International Managed Information Systems Internal Audit Report

SRA International Managed Information Systems Internal Audit Report SRA International Managed Information Systems Internal Audit Report Report #2014-03 June 18, 2014 Table of Contents Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives...

More information

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and

More information

Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m.

Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m. Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m. Topics: Explain why it is important for firms of all sizes to address cybersecurity risk. Demonstrate awareness

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Evaluation Report The Department's Unclassified Cyber Security Program 2011 DOE/IG-0856 October 2011 Department of

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

The Protection Mission a constant endeavor

The Protection Mission a constant endeavor a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring

More information

Network Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201

Network Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201 Network Detective 2015 RapidFire Tools, Inc. All rights reserved V20150201 Contents Purpose of this Guide... 3 About Network Detective... 3 Overview... 4 Creating a Site... 5 Starting a HIPAA Assessment...

More information

How are we keeping Hackers away from our UCD networks and computer systems?

How are we keeping Hackers away from our UCD networks and computer systems? How are we keeping Hackers away from our UCD networks and computer systems? Cybercrime Sony's Hacking Scandal Could Cost The Company $100 Million - http://www.businessinsider.com/sonys-hacking-scandal-could-cost-the-company-100-million-2014-12

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

Is Your IT Environment Secure? November 18, 2015. Sarah Ackerman, Greg Bernard, Brian Matteson Clark Schaefer Consulting

Is Your IT Environment Secure? November 18, 2015. Sarah Ackerman, Greg Bernard, Brian Matteson Clark Schaefer Consulting Is Your IT Environment Secure? November 18, 2015 Sarah Ackerman, Greg Bernard, Brian Matteson Clark Schaefer Consulting Clark Schaefer Consulting Serving elite and emerging companies with practical solutions

More information

Cyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services

Cyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services Cyber Risk Mitigation via Security Monitoring Enhanced by Managed Services Focus: Up to But Not Including Corporate and 3 rd Party Networks Level 4 Corporate and 3 rd Party/Vendor/Contractor/Maintenance

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

The Importance of Cybersecurity Monitoring for Utilities

The Importance of Cybersecurity Monitoring for Utilities The Importance of Cybersecurity Monitoring for Utilities www.n-dimension.com Cybersecurity threats against energy companies, including utilities, have been increasing at an alarming rate. A comprehensive

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

PENETRATION TESTING GUIDE. www.tbgsecurity.com 1

PENETRATION TESTING GUIDE. www.tbgsecurity.com 1 PENETRATION TESTING GUIDE www.tbgsecurity.com 1 Table of Contents What is a... 3 What is the difference between Ethical Hacking and other types of hackers and testing I ve heard about?... 3 How does a

More information

Network and Security Controls

Network and Security Controls Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Smithsonian Enterprises

Smithsonian Enterprises Smithsonian Enterprises Audit of the Effectiveness of the Information Security Program Table of Contents I. Introduction... 1 II. Background... 2 III. Results of Audit... 3 Finding #1: Needed Improvement

More information

Enterprise Security Tactical Plan

Enterprise Security Tactical Plan Enterprise Security Tactical Plan Fiscal Years 2011 2012 (July 1, 2010 to June 30, 2012) Prepared By: State Chief Information Security Officer The Information Security Council State of Minnesota Enterprise

More information

Network Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients

Network Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients Network Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients Network Test Labs Inc. Head Office 170 422 Richards Street, Vancouver BC, V6B 2Z4 E-mail: info@networktestlabs.com

More information

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

What IT Auditors Need to Know About Secure Shell. SSH Communications Security What IT Auditors Need to Know About Secure Shell SSH Communications Security Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources What is Secure Shell? A cryptographic

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report The Department's Configuration Management of Non-Financial Systems OAS-M-12-02 February 2012 Department

More information

Presentation Objectives

Presentation Objectives Gerry Cochran, IT Specialist Jennifer Van Tassel, Associate Examiner Office of the State Comptroller Thomas P. DiNapoli State & Local Government Accountability Andrew A. SanFilippo Executive Deputy Comptroller

More information

Are you prepared to be next? Invensys Cyber Security

Are you prepared to be next? Invensys Cyber Security Defense In Depth Are you prepared to be next? Invensys Cyber Security Sven Grone Critical Controls Solutions Consultant Presenting on behalf of Glen Bounds Global Modernization Consultant Agenda Cyber

More information

Cyber Self Assessment

Cyber Self Assessment Cyber Self Assessment According to Protecting Personal Information A Guide for Business 1 a sound data security plan is built on five key principles: 1. Take stock. Know what personal information you have

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

FFIEC Cybersecurity Assessment Tool

FFIEC Cybersecurity Assessment Tool Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,

More information

Denver 311 Performance Audit

Denver 311 Performance Audit Denver 311 Performance Audit August 2012 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is independently

More information

Big Data, Big Risk, Big Rewards. Hussein Syed

Big Data, Big Risk, Big Rewards. Hussein Syed Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data

More information

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA

More information