Argyll and Bute Council

Transcription

1 Argyll and Bute Council 3 June 2009

2 Contents Page 1 Executive Summary 1 Appendices A B Action plan Progress in implementation of prior year recommendations

3 1 1 Executive Summary 1.1 Introduction The Council's key operations rely on information technology for processing, recording and reporting transactions. Information technology is, therefore critical to the ability of the Council to operate effectively and deliver high quality services to the public. As a result, adequate controls should be in place to ensure the availability, confidentiality and integrity of data. In addition, the Council is required to comply with the provisions of the Data Protection Act 1998 to ensure the safety and security of personal data. As part of our audit, we have reviewed the design and operational effectiveness of general controls over IT systems and applications in the Council. We focused our review on the operation of the Oracle Financial Management System, the Council Tax system (iworld) and the Non Domestic Rates system (Orbis). We also reviewed the progress of implementation of the agreed action plan points from our audit of IT systems and applications. This report sets out the key findings from our review. 1.2 Findings Our overall conclusion is that the controls over IT systems and applications continue to operate effectively. We made four new recommendations from our follow up review of which 1 is classed as medium risk: no disaster recovery tests were performed in the last financial year. The absence of such tests increases the risk that the Council systems may not be recovered within a reasonable time in the event of a systems failure. We were pleased to note that management have taken action to implement the majority of the recommendations from our review. Of the ten outstanding recommendations, eight are now fully implemented, with two low risk recommendations partially implemented. 1.3 Way Forward The findings and recommendations from our review are summarised in an Action Plan that accompanies this report. The Action Plan has been agreed with management and incorporates the management response to audit recommendations. We have summarised the progress of implementation on recommendations made in our IT Systems and Applications Report in Appendix B. This report includes some specific recommendations to strengthen internal controls. It is the responsibility of management to decide the extent of the internal control system appropriate to the Council.

4 2 1.4 Acknowledgements We would like to take this opportunity to thank Council staff who have been involved in this review for their assistance and co-operation. This report is part of a continuing dialogue between the Council and Grant Thornton UK LLP and is not, therefore, intended to cover every matter which came to our attention. Our procedures are designed to support our audit opinion and they cannot be expected to identify all weaknesses or inefficiencies in systems and work practices. The report is not intended for use by third parties and we do not accept responsibility for any reliance that third parties may place on it.

5 1 A Action plan No Finding Risk Recommendation Management Response Implementation Date Financial management and budgetary control 1 We noted that an external consultant had Low Contractors should have their a privileged user account in the Oracle FMS system. This user account was no longer required at the time of our visit and was disabled when brought to management attention. In addition, the password of this Oracle user account was set to never expire. user accounts disabled when their assistance has finalised. This is particularly relevant for privileged user accounts. June 2009 We also noted that the network account of this consultant was disabled. There is a risk that unauthorised access may be gained to finance data. All Oracle FMS users should be forced to change their passwords on a regular basis. The external consultant referred to has now been re-engaged by the Council for a further piece of work and therefore requires access at present. We will ensure that the password is set to expire after 30 days in common with other users, and is disabled when we are certain that their piece of work has been completed to a satisfactory standard. 2 We found that four members of staff in Benefits and three employees in Council Tax have access to the password of the only privileged account in this system. There is a risk that unauthorised access may be gained to Council Tax or Benefits data. Low The Council should reassess the number of individuals that know the password of the privileged "RB" account in the iworld system. The individuals in question in both Council Tax and Benefits are all engaged in systems administration activities for either Benefits or Council Tax and require access to this particular account. This will be kept under review and the minimum number of people given access to the RB account. Immediate

6 2 No Finding Risk Recommendation Management Response Implementation Date 3 We noted that no disaster recovery tests Medium Already in place were performed in the last financial year. There is a risk that the Council systems may not be recovered within a reasonable time in the event of a disaster. Disaster recovery plans should be subject to testing at least on an annual basis to ensure their effectiveness. Test results should be analysed to identify any issues that may hinder the recovery process. Although the test has not been carried out within a strict 12 months of the last one, a test is completed each financial year as part of our disaster recovery contract and will continue to do so. This has been slightly delayed due to need to amend the contract coverage reflecting changes in requirements. We identified four former members of staff with user accounts in the Oracle FMS system. Line Managers did not report three of these leavers to the Oracle FMS Lead User. In addition, the fourth user was not reported to the Lead User until March 2009 but had left the Council in December We found that the Service Desk does not usually contact the Oracle FMS Lead User when it becomes aware of a staff leaver. There is a risk that unauthorised access may be gained to finance data. Low The Service Desk should report leavers to Application Lead Users as soon as it becomes aware of them. Leavers' user accounts should be disabled or deleted on their leaving date. Line Managers should be reminded of the importance of responding accurately to the six-monthly user review of access to the Oracle FMS system. and user accounts should be disabled where confirmation is not obtained after a reasonable period of time. The monthly payroll reports of all leavers provided to the Service Desk will be passed on to system administrators to assist them in identifying accounts to be disabled. However it should be noted that as the network accounts for these individuals have already been disabled by the Service Desk, there is no possibility of the individuals actually gaining access to the Oracle FMS system or any other system and so the risk of unauthorised access is considered very low. June 2009

7 4 B Progress in implementation of prior year recommendations No Finding Recommendation Management Response Position at May One of the privileged user accounts on the network belongs to an employee that left the Council three years ago. The password of this account was changed but the account was not deleted to avoid errors when running processes. The Council should review the processes administered under this privileged account. The account should then be disabled or deleted and processes reassigned as appropriate. The privileged account referred to here belonged to Craig Brown, a former Senior Engineer. The account had been left open to deal with any problems which may have surfaced from any undocumented processes Craig implemented. There is a risk that unauthorised access is gained to network data. Risk: Medium Once this change is actioned, data processing should be monitored for a period of time to ensure that any errors are promptly detected and resolved. The password of this account had been changed as soon as Craig left the Council s employment. The account has now been disabled and we will deal with any problems that may arise.

8 5 No Finding Recommendation Management Response Position at May We tested a sample of fifteen leavers and found that the accounts of two users had not been disabled. Business Managers / Human resources should promptly report staff movements to IT. Agreed. There is a risk that unauthorised access could be gained to the network. Risk: Medium Leavers should have their user accounts deleted or disabled on their leaving date. 3 We understand that a review of network user accounts is performed every six months. However, we noted that evidence of this review is not always retained. The most recent evidence was from July There is a risk that employees may gain unauthorised access to the network. Evidence should be retained for the regular review of network user accounts. This evidence should include the user accounts that were checked, any communications and actions that were taken as a result of this review. We review user accounts on a six monthly basis and we will retain evidence of each review.

9 6 No Finding Recommendation Management Response Position at May Information to retrieve the password of the root user for the UNIX system is stored in a password-protected Word document. The document contains the data to be used in the retrieval of the password for this user. The Council should detail the password of the root user in a closed envelope. This envelope should be properly sealed, countersigned and stored in a fireproof safe. Our practice with keeping the passwords electronically has been audited many times in the past and has not been questioned. However the password for the root users will be stored in an envelope within the fireproof safe in the Service Desk There is a risk that the password of the root user could not be retrieved within a reasonable time in the event of a disaster. A procedure should be implemented to detail how members of staff could have access to this envelope. 5 User accounts on the network are not locked out after a number of invalid logon attempts. There is a risk that unauthorised access to the network is gained through password guessing or a brute force attack. Network user accounts should be locked out after a number of invalid logon attempts. This setting should be implemented as part of a change management process that educates users about the benefits and implications of this change. The incorrect password limit had been implemented previously but relaxed due to the excessive increase in the number of support calls. It will be re-implemented but will result in a considerably higher number of support calls for the server team.

10 7 No Finding Recommendation Management Response Position at May Our review of a sample of ten changes to business applications and noted that: Test plans should be attached to change records once testing has been completed by Lead Users or Agreed. IT staff. One change record was closed in the HEAT system and the Lead User had not accepted its implementation. No user test plan was attached to one change record. There is a risk that changes are not tested adequately before being migrated into the live environment. In addition, there is a risk that changes do not meet business requirements. HEAT records should only be closed once the Lead User has formally accepted the implementation of a change.

11 8 No Finding Recommendation Management Response Position at May From a review of ten changes to Agreed. Partially implemented databases, we noted that: two changes to databases were approved by users who were not the nominated Lead User per the master table; and a change to a database was requested by an individual who is not a Lead User. The Council should define a procedure to update the table of Lead Users and applications on a regular basis. Once updated, this document should be communicated to all relevant members of staff. Direct changes to databases should only be approved by Lead Users. In the event of an emergency change; this should be retrospectively approved by Lead Users. A new sample of 10 changes to databases was selected and it was noted that one out of these 10 changes was not requested by a Lead User. There is a risk that unauthorised changes to databases are performed.

12 9 No Finding Recommendation Management Response Position at May Although the Council has restricted access to USB memory devices to authorised members of staff, we noted that some training PCs still have write access to USB memory devices. The Council should reassess the user accounts that have been granted write access to USB devices. This access level should only be granted to authorised individuals. The IT Security forum has not as yet produced the policy for controlling access by USB devices. There is a risk that data is saved to USB memory devices by unauthorised users. Software capable of managing USB devices has been purchased as part of the Centennial Security suite; however it has not been deployed until the policy has been agreed. One of the training PC s was accessed to ascertain if the alternative device registry method had blocked the use of writing to USB device. This PC had been locked previously but had recently been patched and when tested it was possible to write to the USB device. Desktop staff are checking all training PCs. 9 We noted that the last two penetration tests were performed in 2006 and April There is a risk that new vulnerabilities in systems and IT infrastructure are not promptly addressed. Giving the rate at which IT vulnerabilities are identified and published in the Internet; the Council should consider performing a penetration test on a quarterly basis. Penetration testing is now scheduled annually. We will carry out as much penetration testing as our budget allows. Partially implemented. A penetration test was carried out last December. However, the vulnerabilities that were identified had not been analysed and addressed at the time of our visit due to staff shortages. 10 Windows patches are released by Microsoft on a regular basis. The Council should update patches in PCs on a more regular basis. We We have a WSUS service available to deliver patches to desktops when

13 10 No Finding Recommendation Management Response Position at May 2009 However, we noted that these patches are only implemented in a PC when the machine is rebuilt. This process is usually performed every three years. are aware that software has been recently implemented to assist in the identification of critical patches. required. There are WSUS servers in Kilmory and key locations. There is a risk that Windows vulnerabilities may be exploited by intruders or "malware" (software designed to infiltrate or damage a computer system) due to patches not being applied on a regular basis. Patches should be subject to an adequate level of testing before being implemented across the PC estate Rather than patch desktops when Microsoft release patches we use Centennial Security Advisor (CSA) to ascertain if a patch is considered critical and to check if desktops are vulnerable. There are currently no desktops reported as vulnerable by CSA. Patches are tested, and incorporated in the corporate build constantly, and desktops are built to the highest level of patch available. Indiscriminate patching (even after testing) has caused problems in the past, with non-standard desktops and departmental applications.

14 "Grant Thornton" means Grant Thornton UK LLP, a limited liability partnership. Grant Thornton UK LLP is a member firm within Grant Thornton International Ltd ('Grant Thornton International'). Grant Thornton International and the member firms are not a worldwide partnership. Services are delivered by the member firms independently. This publication has been prepared only as a guide. No responsibility can be accepted by us for loss occasioned to any person acting or refraining from acting as a result of any material in this publication