I will cover. Cyber Security and other recent performance audits. Report # 8 Why this audit? Background. Audit objective.

Transcription

1 I will cover. Report # 8 Security of information communications technology infrastructure Cyber Security and other recent performance audits Report # 9 TMAG: compliance with the National Standards for Australian Museums and Galleries Performance audits we are currently working on Implications for audit clients Client information sessions 2015 TAO annual plan of work 1 Report # 8 Why this audit? Government business reliance on ICT Cost of $100m pa Included on TAO s Annual Plan of Work Background ICT supports key systems Infrastructure needs protection from equipment failure, data loss or cyber attack Moving to WoG approach ASD says 85% of intrusions can be mitigated with Top 4 mitigation strategies 2 3 Background Top 4 mitigation strategies: 1. (4) Application whitelisting 2. (1) Patch applications 3. (2) Patch operating system 4. (3) Minimise the # of users with domain or local administrative privileges 5. Then examined compliance with the next 6 mitigation strategies Audit objective To assess the effectiveness of security measures for ICT infrastructure in government departments

2 Audit scope 1. What: ICT physical infrastructure, applications and information 2. Who: ; ; ; ; 3. When: Current data Criterion 1 Was there physical security over facilities, network infrastructure and servers within government buildings? 6 7 Physical Security? Summary Physical security? common findings Server rooms? Construction not robust More use of CCTV Access to server rooms and servers P P P P Protected network infrastructure P P Physical facilities certified or accredited Currently there is no accreditation process available Network infrastructure? No specific protection of network infrastructure Certification and accreditation? No system in place, recommend that implements 8 9 Physical security? by Dept Some exposed cabling in car park One server room had no alarms or swipe card access & Poor security over some network infrastructure Criterion 2 Was information safe and secure?

3 Was information safe? Summary Effective data back up P P Data safe from cyberattack P Restricted data access Was informa on safe? common findings Backups not tested, most relied on file restores No department implements the ASD Top 4 : Application whitelisting Systematic patching of applications and OS Most do not disable local admin accounts Most do not test or monitor access Was information safe? by Dept Some backups not stored off site No documentation for patching procedures Workstation firewalls only in some areas Outstanding server updates Many old accounts in system One server room had no alarms or swipe card access Was information safe? by Dept ( cont) Patching ad hoc Password parameters not enforced No application based firewalls Many procedures not documented Chapter 3 Was there a strategic approach? Strategic approach? Summary ICT security plan ICT security governance committee Inbuilt security controls P P P Incident recording BCP and DRP P

4 Strategic approach? common findings Lack of ICT security plans No linking to risk review No control over foreign media Lack of incident recording and management systems Lack of disaster and business continuity planning and testing Strategic approach? by Dept Timed lockout can be changed Had plans, but no DRP testing since 2011 Needs to enforce password standards Poor incident management system Is implementing dual data storage system Strategic approach? by Dept ( Cont) No timed lockout Problems with password standards No recording for near misses Weak DRP plan, under review with test planned Good ICT security plan with poor procedural support No control over internet access and unauthorised software Recommendations 44 recommendations: WoGsecurity accreditation Implement the ASD Top 4 Testing of backups Monitoring of system access ICT security plans and risk management Disaster recover and business continuity planning and testing Agency responses Felt the standard against which agencies were rated was too high Generally supported recommendations Some did not feel the risk was high enough to warrant cost of some recommendations Some recommendations covered work in progress Relevance to other agencies (including councils, GBEs etc) ASD mitigation strategies relevant to all agencies Financial audit findings raising similar matters

5 Report # 9 Why this audit? Not specifically detailed in our Annual Plan of Work (compliance audit) To assess TMAG s performance Protection and preservation of TMAG s collections important to Tasmanians Objective & scope Objective: To assess TMAG s compliance with the National Standards for Australian Museums and Galleries (National Standards) Scope: Only involved TMAG Criterion 1: sound legal and management framework? Criterion 2: was TMAG effectively managed? Criterion 3: was TMAG customer focussed? Criterion 4: appropriate rationale for presenting the collection? Criterion 4: did TMAG present and protect its significant collections? We made 11 recommendations of relevance to other agencies were observations around clarity of structure/authority Performance audits we are working on Number of government primary schools Management of local government roads Capital works programming and management Absenteeism Vehicle fleet management in government businesses Provision of social housing Follow up audit Annual plan of work Wrapping up the plan Finalising the plan Refer Any further questions?