Security of Back-up Media and Offsite Storage (IA_12_005) Steve Allen, Managing Director, Finance. Audit Conclusion: Audit Closed

Transcription

1 FINAL INTERNAL AUDIT REPORT Security of Back-up Media and Offsite Storage (IA_12_005) Steve Allen, Managing Director, Finance Audit Conclusion: Audit Closed Issue categories Agreed actions Satisfactorily Partially No longer applicable Not Priority Priority Priority TfL RESTRICTED

2 Security of Back-Up Media and Offsite Storage (12_005/F) Contents EXECUTIVE SUMMARY... 3 STATUS OF AGREED ACTIONS... 4 APPENDIX 1 DISTRIBUTION LIST... 5 Version A Draft versions issued N/A Fieldwork commenced 22 November 2013 Fieldwork completed 30 November 2013 Draft report issued 06 December 2013 TfL RESTRICTED Page 2

3 Security of Back-Up Media and Offsite Storage (12_005/F) EXECUTIVE SUMMARY Objective The objective of this audit was to review the security arrangements (including the processes and procedures) supporting back-up media and offsite storage. This work also assisted in providing additional assurance for TfL s annual assessment of compliance with Payment Card Industry Data Security Standards (PCI DSS). Scope This review covered the following areas: a clearly defined strategy exists for the backup of TfL data, related policies, procedures and standards exist to support the strategy, and backups are retained in a secure environment. Summary of findings Our Interim Audit Report dated 28 March 2013 entitled Security of Back-Up Media and Offsite Storage identified: the policies and procedures for the backup process were not up to date, and there was no fully documented and published backup strategy We have now completed our follow up and can confirm that all back-up policies and procedures have been updated. A final draft back-up policy was circulated for management approval on 20 November 2012 and we are confident that this will be agreed and published to the wider TfL business. As a result, this audit is now closed. We would like to thank everyone involved in the follow up assessment. TfL RESTRICTED Page 3

4 Security of Back-Up Media and offsite storage (12_005/F) STATUS OF AGREED ACTIONS Ref Agreed action Owner and due date Status Further action required and due date Priority 2 actions 1. The five year contract for the new TfL backup solution has been awarded to Computacenter/EMC. IM will ensure that as they develop the solution fully all policies and procedures will be updated accordingly. Larry Botheras 30 November 2013 Satisfactorily. There are now an up to date set of procedures and supporting processes that have been communicated and published to those with a requirement. Not applicable Priority 3 actions 2. The five year contract for the new TfL backup solution has been awarded to Computacenter/EMC. IM will ensure that as they develop the solution fully the appropriate supporting documentation will be produced and communicated to stakeholders Larry Botheras 30 November 2013 Satisfactorily. There is a final draft back-up policy in circulation and this will soon be agreed and published to the wider TfL business Not applicable TfL RESTRICTED Page 4

5 Security of Back-Up Media and Offsite Storage (12_012/F) APPENDIX 1 Distribution list This report was sent to Steve Allen, Managing Director, Finance, by Clive Walker, Director of Internal Audit, and copied to: Steve Townsend Jeff Kim Larry Botheras Wayne Fitzgerald Nick Allen Patrice White Nigel Blore Andrea Clarke David Goldstone Howard Carter Robert Brent Chief Information Officer - TfL IM Head of Infrastructure Services IM Infrastructure Manager Assurance IM Infrastructure Manager Operations IM Senior Quality, Assurance & Risk Analyst IM Quality, Assurance & Risk Analyst as Key Risk Representative Head of Group Insurance Director of TfL Legal Chief Finance Officer General Counsel KPMG TfL RESTRICTED Page 5