Appendix 1c. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF NETWORK/INTERNET SECURITY

Transcription

1 Appendix 1c DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF NETWORK/INTERNET SECURITY

2 DISTRIBUTION LIST Audit Team Prakash Gohil, Audit Manager Steven Snaith, Risk and Assurance Partner David Wayman, Risk and Assurance Auditor Report Distribution List David Munn, Head of Technology Group Jawaid Bhatti, Technology Services Manager

3 CONTENTS EXECUTIVE SUMMARY Page Background 1 Audit Assurance 1 Areas of Effective Control 1 Risk Issues for Management Action 2 FINDINGS and RECOMMENDATIONS Review Objectives 3 Scope 3 Policies and Procedures 3 Network Administrator Account and Logical Access Controls 4 Web Facing Server Standards 5 Patch Management Control Framework 5 ACTION PLAN Risk and Audit Assurance Statement 7 Findings and Recommendations 8 November 2012 Network and Internet Security

4 EXECUTIVE SUMMARY 1 Background 1.1 This review of the GLA Network and Internet Security Control Environment was carried out as part of the 2012/13 internal audit plan. 1.2 The objective for the GLA Technology Group is to ensure that network security controls have been designed and are operating to support the integrity, confidentiality and availability of GLA network operations. 1.3 At the outset of the review, the potential risks identified to achieving the objectives of Network/Internet Security were:- The network fails to meet the requirements of the organisation and its users; Degraded performance and possible network failure; Uncontrolled network administrator access, compromising accounts and damaging the GLA network; Unauthorised network and data access; Inappropriate use of networks, data and internet; and Data corruption. 1.4 The GLA manages a local area network for approximately 1000 systems users at City Hall, which is also accessible remotely using Citrix Secure Access Gateway. The network transmits data and voice traffic and is replicated to a Disaster Recovery site at TfL Woking. The network utilises primarily HP servers and desktop PCs and Foundry switches. The network operating system is Microsoft Windows 2008 and the environment is virtualised through the use of VMware and FalconStor data storage. 1.5 The Active Directory topology consists of a top-level domain at london.gov.uk and a child gla.london.gov.uk domain. The GLA utilises ITIL v3 standards for service management. 2 Audit Assurance Adequate Assurance Key risks to Network and Internet Security are being managed effectively, however some controls need to be improved to ensure business objectives are met. 3 Areas of Effective Control November 2012 Network and Internet Security 1

5 EXECUTIVE SUMMARY 3.1 Security standards for the network are documented within Technology Group Security Policies, which are published on the GLA intranet. These address the high-level security standards published by the Governance Steering Group within the Information Security intranet site, and provide a baseline for network and internet security. 3.2 The roles of technical staff in supporting the network are defined and appropriate. Job descriptions and person specifications are in place to reinforce the nature of duties ensuring network availability and integrity. 3.3 The default Administrator account had been renamed and disabled, in conformance to best practice and reducing the risk that this privileged account will be compromised and used to target unauthorised network access attempts. 3.4 Network logical access controls have been implemented that provide an adequate basis to reduce the risk of unauthorised network and systems access. 3.5 An established and documented process is in place for user account management, to ensure that only authorised users are allowed to access the network and that accounts are disabled when no longer required. 3.6 With regard to technical prevention controls, an intruder detection system (IDS) has been implemented to allow a proactive approach to network intrusion. Furthermore, web servers have been hardened to remove any unnecessary services that could be utilised by hackers and anti-virus software has been implemented across the network to prevent infection by malicious programs. 4 Risk Issues for Management Action 4.1 A high number of IT staff has administrator privileges on the network, relative to the size of the IT team and the organisation as a whole. Whilst management had no concerns in terms of the appropriateness of these privileges at the time of the review, there may be scope to rationalise the current number of administrator accounts to maintain system integrity and availability. 4.2 There is currently an absence of a documented patch management policy. Testing on a sample of servers identified a number of security updates that had not been applied to servers, increasing the risk to the security, integrity and availability of systems. November 2012 Network and Internet Security 2

6 FINDINGS AND RECOMMENDATIONS 5 Review Objectives 5.1 We reviewed the network and internet control framework, designed to mitigate the risks in achieving business objectives. In particular, we are looking to provide assurance that:- Policies and procedures are in place to effectively support the network infrastructure and access to the internet. Network administrator account restrictions and network logical access controls are in place to support the integrity and currency of privileged network activity and reduce the risk of unauthorised/inappropriate access. Web facing server standards are in place, designed to ensure that the exposure to security vulnerabilities is minimised. A patch management control framework is in place designed to support the security and availability of network services 6 Scope 6.1 We reviewed the network security control framework and supporting operational processes and procedures, focussing on controls designed to support the confidentiality, integrity and availability of network operations. We assessed policies and procedures on network infrastructure and controlling internet access, roles and responsibilities, network monitoring, user management on the network, encryption controls for transmitting data and documentation governance procedures. 7 Policies and Procedures 7.1 Network security standards are documented within Technology Group Security Policies, which are published on the GLA Intranet. These address the highlevel security standards published by the Governance Steering Group within the Information Security intranet site. The key areas regarding the Information Security Policy relating to network and remote use are: Information security monitoring carried out by the Technology Group; Allocation of personal data areas; Use of passwords; Use of portable storage devices; and Data retention and destruction. 7.2 The GLA has a documented change control process which incorporates the requirement for approval of changes by the Change Advisory Board (CAB). 7.3 An Internet Usage policy is in place that incorporates an adequate level of policy guidance. Furthermore, the GLA employ NetFort to capture and analyse network traffic flowing through the core switches. NetFort builds a database of November 2012 Network and Internet Security 3

7 FINDINGS AND RECOMMENDATIONS activity, allowing the administrators to troubleshoot bandwidth issues across the network, perform network forensics on past events, investigate activity on Windows file shares, and keep track of user activity on the Internet. 7.4 We confirmed the deployment and operation of this tool across the GLA network, proving assurance with regards to the integrity of web based access. 7.5 The roles of technical staff in supporting the network are defined within published principles, values, structure, functions, services and guarantees. Job descriptions and person specifications are in place for those responsible for network support, to reinforce the nature of their duties in relation to ensuring network availability and integrity. 8 Network Administrator Account and Logical Access Controls Administrator Accounts 8.1 The GLA policy sets out that only authorised system administrators are granted access to the network domain administrators group in Active Directory. There are 18 systems accounts and 23 user accounts. 8.2 We reviewed the membership of this group. Whilst we acknowledge management confirmation that all members were authorised system administrators and that all required this level of access, the number of administrators appears high for the size of GLA operations. A high number of domain administrators increase the risk of a loss to systems integrity and availability. Recommendation Management should further review the scope to reduce the number of domain administrators 8.3 We identified that the default Administrator account had been renamed and disabled, in conformance to best practice and reducing the risk that this privileged account will be compromised and used to target unauthorised network access attempts. Logical Access Controls 8.4 Network user administration procedures have been documented, designed to ensure that only authorised users are granted access to the network. Manager authorisation is required to allow any new user access to the network. No exception to this process was identified during our sample testing. Network logical access parameters have also been documented and are adequate. 8.5 We reviewed the Active Directory password policy and confirmed that the documented password controls had been applied across the GLA network user account population, thereby reducing the risk of unauthorised network access. 8.6 Internet access is unrestricted but logged. Activity can be monitored retrospectively or actively following appropriate authorisation. Management November 2012 Network and Internet Security 4

8 FINDINGS AND RECOMMENDATIONS reports are produced on internet browsing to identify any activity not in line with staff obligations. We confirmed that this monitoring takes place, supporting the controlled operation of internet based activity. 8.7 To ensure that only current staff have network access, the following controls have been designed: A monthly review of unused user accounts is performed by the GLA. Any accounts that have not been used for three months are required to be disabled, unless associated management staff specifically request otherwise. Our review confirmed that this process is being carried out. A formal Leaver process is in place that sets out the responsibilities of the Technology Group in identifying and progressing accounts to be disabled or removed. Our testing of the leavers process found that one account in our sample of ten had not yet been disabled. This was discussed with management at the time of the review and resolved. 8.8 Anti-virus software has been implemented across the network to prevent infection by malicious programs and an intruder detection system (IDS) has been implemented to allow a proactive approach to network intrusion. 9 Web Facing Server Standards 9.1 GLA web servers utilise a version of the Linux Ubuntu operating systems, with a baseline standard that is designed to disable any unnecessary services that could expose the GLA systems to malicious attack. 9.2 To assess the actual strength of these arrangements in practice, we conducted external low level scanning of a number of GLA web facing systems (we have removed the details of these systems in this report for confidentiality reasons and the detailed results have been provided to management directly). Our testing identified that all primary high risks services have been disabled. A number of internet ports were found to be open. These had been approved to allow secure transfer and access to services further access would require a number of conditions to be met, firstly enabling the appropriate internet address followed by passing through security authorisation provided by the application on the other end of the port. 10 Patch Management Control Framework 10.1 Stability of the IT environment (including the network) relies upon an effective change control process to prevent disruptive or inappropriate changes being implemented to Production. The change control process documents were reviewed and found to be conformant with best practice as outlined in ITIL v3. As there have been minimal changes to the production network this year (the period included a change embargo during the Olympics) only one completed November 2012 Network and Internet Security 5

9 FINDINGS AND RECOMMENDATIONS change and one in-progress change were identified. Our testing identified that the change control process was adhered to The GLA has not designed a formal patching policy but designates responsibility for maintaining servers with up-to-date security patches to service owners. To assess how up to date current server patching is, we conducted automated server scanning against four primary GLA servers to note the extent of up-to-date security patches. The scan identified that across 4 servers a number of security updates and service packs or rollups were missing. The details were passed to management for appropriate action. The absence of a formal patching policy may result in servers not being updated with critical security updates, exposing the Authority to the risk that these known vulnerabilities will be exploited. Recommendation Management implement a standing RFC (Request For Change) to be tabled at the CAB meeting; this RFC constitutes the GLA patching policy. November 2012 Network and Internet Security 6

10 ACTION PLAN RISK AND AUDIT ASSURANCE STATEMENT DEFINITIONS Overall Rating Substantial Adequate Limited No Assurance Criteria There is a sound framework of control operating effectively to mitigate key risks, which is contributing to the achievement of business objectives. The control framework is adequate and controls to mitigate key risks are generally operating effectively, although a number of controls need to improve to ensure business objectives are met. The control framework is not operating effectively to mitigate key risks. A number of key controls are absent or are not being applied to meet business objectives. A control framework is not in place to mitigate key risks. The business area is open to abuse, significant error or loss and/or misappropriation. Impact There is particularly effective management of key risks contributing to the achievement of business objectives. Key risks are being managed effectively, however, a number of controls need to be improved to ensure business objectives are met. Some improvement is required to address key risks before business objectives can be met. Significant improvement is required to address key risks before business objectives can be achieved. RISK RATINGS Priority Categories recommendations according to their level of priority. 1 Critical risk issues for the attention of senior management to address control weakness that could have significant impact upon not only the system, function or process objectives, but also the achievement of the organisation s objectives in relation to: The efficient and effective use of resources The safeguarding of assets The preparation of reliable financial and operational information Compliance with laws and regulations. 2 Major risk issues for the attention of senior management to address control weaknesses that has or is likely to have a significant impact upon the achievement of key system, function or process objectives. This weakness, whilst high impact for the system, function or process does not have a significant impact on the achievement of the overall organisational objectives. 3 Other recommendations for local management action to address risk and control weakness that has a low impact on the achievement of the key system, function or process objectives ; or this weakness has exposed the system, function or process to a key risk, however the likelihood is this risk occurring is low. 4 Minor matters need to address risk and control weakness that does not impact upon the achievement of key system, function or process or process objectives; however implementation of the recommendation would improve overall control. November 2012 Network and Internet Security 7

11 ACTION PLAN Findings and Recommendations Ref. Findings and Risk Priority Recommendations Accepted 8.2 The number of administrator accounts appears high for the size of the organisation. A high number of domain administrators increase the risk of a loss to systems integrity and availability A number of security updates and service packs or rollups were missing. The absence of a formal patching policy may result in servers not being updated with critical security updates, exposing the Authority to the risk that these known vulnerabilities will be exploited. 3 Management should further review the scope to reduce the number of domain administrators 2 Management implement a standing RFC (Request For Change) to be tabled at the CAB meeting; this RFC constitutes the GLA patching policy. Yes Yes Management Response and Responsibility We have now reviewed all the administrators and are satisfied they are appropriate A standing RFC (Request For Change) is tabled at every CAB meeting. All servers are now appropriately patched Target Date Complete Complete ##ISA4D87D77654C404A9A924F78FE705525##Finding November 2012 Network and Internet Security 8