Ref: Issue Raised Recommendation Priority Management Response Implementation Network and ABS E-Financials 1. Account security settings

Transcription

1 Appendix A Hertsmere Borough Council - Review of information technology controls Ref: Issue Raised Recommendation Priority Management Response Implementation Network and ABS E-Financials 1. Account security settings We recommend the following Medium Acceptable use policy requires a minimum of eight characters actions to be taken: but we noted that the AD only requires seven characters. Password encryption is not defined because of a compatibility issue with the Intranet that is scheduled to be replaced by June If this setting is enabled, passwords can be retrieved more easily than which results in increased vulnerability. Screensaver is enabled to activate after 7,200 seconds (120 minutes). This leaves the workstation unprotected for too long Within the password policy, set the minimum password length to 8 characters; After the implementation of the project to replace the Intranet, the setting "store passwords in reversible encryption" should be Complete The minimum password length is now 8 characters. Implementation of our new Intranet system is now scheduled for June 2013 following a successful procurement project and agreed implementation plan. increasing the risk that an unauthorised person has the disabled; opportunity to hijack an active session. Set the screensaver to Policy is that people should lock their The E-Financials system allows the user to change their activate after at least 900 screens. The screensaver is only a last resort passwords within a day. We noted that the system only seconds; and however the lockout will be reduced to 1 remembers 3 old passwords which means that when users are Require a minimum of 1 day hour timeout. required to change their passwords, they are able to change before users are allowed to their passwords three times in a row to be able to re-use a change passwords within the Complete favoured password. system. The number of Users are allowed to change their passwords remembered passwords at any point. Without strong password and account security, there is greater risk should also be increased to The number of passwords remembered has of unauthorised users gaining access to the network placing the at least five. now been set to 5. residing information at risk.

2 Network and ABS E-Financials 2. Review of user accounts Medium There are no housekeeping activities that involve the reviews over the following: inactive or dormant accounts to identify any accounts belonging to temporary staff, consultants, or accounts no longer required Active Directory (AD) membership and ABS E-Financials access permissions Complete. Processes are now in place. Amendments have been made to the starters / leavers process and there is a quarterly check on dormant accounts. If user access is not reviewed by management on a regular basis, there is a risk that access will become disproportionate over time with user job responsibilities owing to the accumulation of roles as individuals transfer or move on to different positions within the Council. We recognise that management believes not a vast amount of employees have changed roles in the year and that for E-financials users, temporary staff have limited access to raise purchase orders or sales invoices and restricted approval limit. We recommend the following a review of inactive accounts over 90 days at the network and on ABS E- financials on a monthly basis. This exercise may help in identifying accounts that are no longer required including existing temporary staff to ensure that they have appropriately been removed or disabled from the systems. a review of AD membership and ABS E-Financials access permissions on a regular basis (e.g. quarterly or semi-annually) to ensure that access is appropriate based on job functions. This is linked with the financial regulation and control procedures and rules. This is frequently reviewed by section heads.

3 Network 3. Privilege management The powerful privileges should High From our queries, domain admin access should be restricted to the two infrastructure staff. However, we have noted the following accounts with domain admin privileges: Andrew Lawlo (used by the IS Service Support Officer) chrisg_a (used by the IS Service Support Officer) Grahamp_a (used for the shared resource with Stevenage Borough Council) hacker (account used for internal security testing) johnr_a (used by John Robinson) be restricted to appropriate personnel based on their current job role and responsibilities. We therefore recommend management: Create a server admin group for the use of the relevant IS Service Support Officers; Rename service accounts to This project is now under way. The requisite change request has been approved and we are now in the process of removing these accounts. All non-admin accounts are scheduled to have been removed by the end of October Pat Moloney (left the organisation but account used by the reflect its actual nature and Infrastructure staff as a service account) use; patm_a, (same as the one above) Remove John Robinson and Simon Pascal (used by IS System Specialist) Tom Jackson's accounts tomj_a (used by Tom Jackson) from the domain admin group; These roles potentially provide more privileges to the users than Disable unnecessary account what is required, which is susceptible to exploitation. like the hacker account; and Remove duplicate accounts.

4 Network 4. Temporary staff access (Restated from prior year) Medium There is currently no process to ensure that temporary staff access to the network is removed on a timely basis. Therefore, there is no assurance that the users with access to the network are currently employees of the Council. Complete. The account request form has been amended and therefore all temporary accounts now get setup with an expiry date. The absence of an adequate process to remove temporary users from the network could result in people who do not work for the Council having access to the network and Council data. 5. Information security policy There is an overarching security policy in draft since 2010 so it has not yet been formally approved by senior management nor has it been communicated to staff. To raise awareness on information security, the IS team participates in the induction provided to new staff. This discusses the purpose of IS, its strategic objectives, the teams within IS, and a brief mention of Freedom of Information (FOI), Data Protection Act (DPA), and Environmental Information Regulation (EIR). However, this induction training does not cover information security roles and responsibilities like reporting of security incidents. There is an acceptable use policy made available to users but this also does not cover responsibilities over information security. Without documenting IT security practices and procedures within the framework of an overall IT security policy, there is a risk that inappropriate levels of information security are implemented across the Council. To ensure that only valid users have access to the Council's network, management should request a leaving date as part of the temporary user set up process. This would ensure that the system automatically identifies the user as a leaver and disables their account. If this functionality does not exist, the leaving date can be used as method of identifying temporary staff to ensure that their accounts are disabled on a timely basis. In order to ensure that effective security management practices are put in place to protect all IT assets, we recommend management develop an information security policy that sets out the following: a definition of information security, its overall objectives, and scope; a brief explanation of the security policy, principles, standards, and compliance requirements to relevant legislations and business continuity management requirements; Low Agreed. To be implemented by December 2012.

5 a definition of general and specific responsibilities for information security management including reporting of incidents; and references to supporting documentation, e.g. more detailed security policies and procedures to administer or monitor systems. Agreed. To be implemented by December 2012.

6 Network 6. IT risk management Low In the past, a corporate risk register was maintained which has now been delegated to the head of each individual unit. We observed that an IT risk register is being maintained. However, it only covers the following risks: Failure of IT system Failure to implement new IT system or upgrade Failure to implement a robust project planning management process The Council now has a shared service support for Risk Management with Stevenage Borough Council who will undertake risk management for Hertsmere. This action point is therefore expected to be completed by December Although we have noted appropriate network security controls, for example regular network penetration tests, other IT security risks that apply to the Council have not yet been identified and assessed resulting in unmanaged risks. 7. Remote access Staff requests for remote access via the service desk and approval is confirmed with the Head of the Unit. No request form is used to capture management approval nor is it reflected in the service desk call record. There is a risk that some requests may not undergo the proper management approval. ABS E-Financials 8. Generic privileged account The account used for user administration is "Security" which is being shared by the Business Support Officer and the Systems Accountant to carry out user maintenance activities. The use of shared accounts makes it more difficult to establish or trace accountability for the activities carried out by administrators. We recommend management perform a separate risk assessment exercise to identify and evaluate other IT securityspecific risks in line with existing business and operational risk management framework. This should document IT security risks and the mitigating strategies in place and confirm the extent of any residual risks which the organisation agrees to have reduced to an acceptable level. We recommend management integrate the request for remote access into the existing electronic form in order to properly and consistently document the management approval. Unique accounts should be provided for the administrators. Low Medium Complete. Service requests are now logged on the service desk system. This is not within the control of HBC, as this is a system design. We are in discussion with ABS (the system supplier) to find a way forward.