Argyll and Bute Council
3 June 2009
Contents

1 Executive Summary

Appendices
A Action plan
B Progress in implementation of prior year recommendations
1 Executive Summary

1.1 Introduction

The Council's key operations rely on information technology for processing, recording and reporting transactions. Information technology is, therefore, critical to the ability of the Council to operate effectively and deliver high quality services to the public. As a result, adequate controls should be in place to ensure the availability, confidentiality and integrity of data. In addition, the Council is required to comply with the provisions of the Data Protection Act 1998 to ensure the safety and security of personal data.

As part of our audit, we have reviewed the design and operational effectiveness of general controls over IT systems and applications in the Council. We focused our review on the operation of the Oracle Financial Management System, the Council Tax system (iworld) and the Non Domestic Rates system (Orbis). We also reviewed the progress of implementation of the agreed action plan points from our audit of IT systems and applications. This report sets out the key findings from our review.

1.2 Findings

Our overall conclusion is that the controls over IT systems and applications continue to operate effectively. We made four new recommendations from our follow up review, of which one is classed as medium risk: no disaster recovery tests were performed in the last financial year. The absence of such tests increases the risk that the Council systems may not be recovered within a reasonable time in the event of a systems failure.

We were pleased to note that management have taken action to implement the majority of the recommendations from our review. Of the ten outstanding recommendations, eight are now fully implemented, with two low risk recommendations partially implemented.

1.3 Way Forward

The findings and recommendations from our review are summarised in an Action Plan that accompanies this report. The Action Plan has been agreed with management and incorporates the management response to audit recommendations.
We have summarised the progress of implementation on recommendations made in our IT Systems and Applications Report in Appendix B. This report includes some specific recommendations to strengthen internal controls. It is the responsibility of management to decide the extent of the internal control system appropriate to the Council.
1.4 Acknowledgements

We would like to take this opportunity to thank Council staff who have been involved in this review for their assistance and co-operation.

This report is part of a continuing dialogue between the Council and Grant Thornton UK LLP and is not, therefore, intended to cover every matter which came to our attention. Our procedures are designed to support our audit opinion and they cannot be expected to identify all weaknesses or inefficiencies in systems and work practices. The report is not intended for use by third parties and we do not accept responsibility for any reliance that third parties may place on it.
A Action plan

Financial management and budgetary control

1
Finding: We noted that an external consultant had a privileged user account in the Oracle FMS system. This user account was no longer required at the time of our visit and was disabled when brought to management attention. In addition, the password of this Oracle user account was set to never expire. We also noted that the network account of this consultant was disabled. There is a risk that unauthorised access may be gained to finance data.
Risk: Low
Recommendation: Contractors should have their user accounts disabled when their assistance has finalised. This is particularly relevant for privileged user accounts. All Oracle FMS users should be forced to change their passwords on a regular basis.
Management Response: The external consultant referred to has now been re-engaged by the Council for a further piece of work and therefore requires access at present. We will ensure that the password is set to expire after 30 days in common with other users, and is disabled when we are certain that their piece of work has been completed to a satisfactory standard.
Implementation Date: June 2009

2
Finding: We found that four members of staff in Benefits and three employees in Council Tax have access to the password of the only privileged account in this system. There is a risk that unauthorised access may be gained to Council Tax or Benefits data.
Risk: Low
Recommendation: The Council should reassess the number of individuals that know the password of the privileged "RB" account in the iworld system.
Management Response: The individuals in question in both Council Tax and Benefits are all engaged in systems administration activities for either Benefits or Council Tax and require access to this particular account. This will be kept under review and the minimum number of people given access to the RB account.
Implementation Date: Immediate
3
Finding: We noted that no disaster recovery tests were performed in the last financial year. There is a risk that the Council systems may not be recovered within a reasonable time in the event of a disaster.
Risk: Medium
Recommendation: Disaster recovery plans should be subject to testing at least on an annual basis to ensure their effectiveness. Test results should be analysed to identify any issues that may hinder the recovery process.
Management Response: Although the test has not been carried out within a strict 12 months of the last one, a test is completed each financial year as part of our disaster recovery contract and will continue to do so. This has been slightly delayed due to need to amend the contract coverage reflecting changes in requirements.
Implementation Date: Already in place

4
Finding: We identified four former members of staff with user accounts in the Oracle FMS system. Line Managers did not report three of these leavers to the Oracle FMS Lead User. In addition, the fourth user was not reported to the Lead User until March 2009 but had left the Council in December. We found that the Service Desk does not usually contact the Oracle FMS Lead User when it becomes aware of a staff leaver. There is a risk that unauthorised access may be gained to finance data.
Risk: Low
Recommendation: The Service Desk should report leavers to Application Lead Users as soon as it becomes aware of them. Leavers' user accounts should be disabled or deleted on their leaving date. Line Managers should be reminded of the importance of responding accurately to the six-monthly user review of access to the Oracle FMS system, and user accounts should be disabled where confirmation is not obtained after a reasonable period of time.
Management Response: The monthly payroll reports of all leavers provided to the Service Desk will be passed on to system administrators to assist them in identifying accounts to be disabled. However it should be noted that as the network accounts for these individuals have already been disabled by the Service Desk, there is no possibility of the individuals actually gaining access to the Oracle FMS system or any other system and so the risk of unauthorised access is considered very low.
Implementation Date: June 2009
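The leaver reconciliation in the management response above (payroll leaver reports passed to system administrators), together with the password-expiry point from the contractor finding, sketched as an added example that is not part of the original report. The CSV column names, sample rows, issue codes and the `reconcile` function are constructed for illustration; only the 30-day expiry figure comes from the report.

```python
import csv
import io
from datetime import date

# Constructed sample data. Column names are assumptions for this example,
# not the layout of a real payroll report or Oracle FMS export.
PAYROLL_LEAVERS_CSV = """employee_id,name,leaving_date
E1001,Sample Leaver A,2008-12-19
E1002,Sample Leaver B,2009-02-27
E1003,Sample Leaver C,2009-06-30
"""

APP_ACCOUNTS_CSV = """username,employee_id,status,privileged,password_expiry_days,network_account
sla,E1001,ENABLED,no,30,DISABLED
slb,E1002,DISABLED,no,30,DISABLED
slc,E1003,ENABLED,no,30,ENABLED
consult1,,ENABLED,yes,0,DISABLED
jsmith,E2001,ENABLED,no,30,ENABLED
"""

# Expiry period quoted in the management response ("expire after 30 days").
MAX_PASSWORD_AGE_DAYS = 30


def _rows(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(leavers_csv, accounts_csv, as_of):
    """Return sorted (username, issue_code, detail) tuples for review.

    Issue codes (constructed for this example):
      LEAVER_STILL_ENABLED         application account enabled after leaving date
      NETWORK_DISABLED_APP_ENABLED application account outlives the network account
      PASSWORD_POLICY              expiry is 0 (never, by assumption) or over 30 days
    """
    leaving = {
        row["employee_id"]: date.fromisoformat(row["leaving_date"])
        for row in _rows(leavers_csv)
    }
    findings = []
    for acct in _rows(accounts_csv):
        if acct["status"].strip().upper() != "ENABLED":
            continue  # disabled application accounts need no action
        user = acct["username"]

        # Accounts should be disabled on the leaving date, so any enabled
        # account whose owner left before the review date is reported.
        left_on = leaving.get(acct["employee_id"])
        if left_on is not None and left_on < as_of:
            overdue = (as_of - left_on).days
            findings.append((user, "LEAVER_STILL_ENABLED",
                             f"enabled {overdue} days after leaving date {left_on}"))

        # Catches accounts payroll cannot see (e.g. contractors with no
        # employee id) by comparing against the network account state.
        if acct["network_account"].strip().upper() == "DISABLED":
            findings.append((user, "NETWORK_DISABLED_APP_ENABLED",
                             "network account disabled, application account enabled"))

        expiry = int(acct["password_expiry_days"])
        if expiry == 0 or expiry > MAX_PASSWORD_AGE_DAYS:
            scope = "privileged" if acct["privileged"] == "yes" else "standard"
            findings.append((user, "PASSWORD_POLICY",
                             f"{scope} account, password_expiry_days={expiry}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in reconcile(PAYROLL_LEAVERS_CSV, APP_ACCOUNTS_CSV, date(2009, 3, 31)):
        print(*finding, sep=" | ")
```

Running the same reconciliation against each monthly payroll report, and keeping the output, also provides the retained evidence of review that the report asks for elsewhere.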
B Progress in implementation of prior year recommendations

1
Finding: One of the privileged user accounts on the network belongs to an employee that left the Council three years ago. The password of this account was changed but the account was not deleted to avoid errors when running processes. There is a risk that unauthorised access is gained to network data.
Risk: Medium
Recommendation: The Council should review the processes administered under this privileged account. The account should then be disabled or deleted and processes reassigned as appropriate. Once this change is actioned, data processing should be monitored for a period of time to ensure that any errors are promptly detected and resolved.
Management Response / Position at May 2009: The privileged account referred to here belonged to Craig Brown, a former Senior Engineer. The account had been left open to deal with any problems which may have surfaced from any undocumented processes Craig implemented. The password of this account had been changed as soon as Craig left the Council's employment. The account has now been disabled and we will deal with any problems that may arise.
2
Finding: We tested a sample of fifteen leavers and found that the accounts of two users had not been disabled. There is a risk that unauthorised access could be gained to the network.
Risk: Medium
Recommendation: Business Managers / Human resources should promptly report staff movements to IT. Leavers should have their user accounts deleted or disabled on their leaving date.
Management Response: Agreed.

3
Finding: We understand that a review of network user accounts is performed every six months. However, we noted that evidence of this review is not always retained. The most recent evidence was from July. There is a risk that employees may gain unauthorised access to the network.
Recommendation: Evidence should be retained for the regular review of network user accounts. This evidence should include the user accounts that were checked, any communications and actions that were taken as a result of this review.
Management Response: We review user accounts on a six monthly basis and we will retain evidence of each review.
4
Finding: Information to retrieve the password of the root user for the UNIX system is stored in a password-protected Word document. The document contains the data to be used in the retrieval of the password for this user. There is a risk that the password of the root user could not be retrieved within a reasonable time in the event of a disaster.
Recommendation: The Council should detail the password of the root user in a closed envelope. This envelope should be properly sealed, countersigned and stored in a fireproof safe. A procedure should be implemented to detail how members of staff could have access to this envelope.
Management Response: Our practice with keeping the passwords electronically has been audited many times in the past and has not been questioned. However the password for the root users will be stored in an envelope within the fireproof safe in the Service Desk.

5
Finding: User accounts on the network are not locked out after a number of invalid logon attempts. There is a risk that unauthorised access to the network is gained through password guessing or a brute force attack.
Recommendation: Network user accounts should be locked out after a number of invalid logon attempts. This setting should be implemented as part of a change management process that educates users about the benefits and implications of this change.
Management Response: The incorrect password limit had been implemented previously but relaxed due to the excessive increase in the number of support calls. It will be re-implemented but will result in a considerably higher number of support calls for the server team.
6
Finding: Our review of a sample of ten changes to business applications noted that:
- One change record was closed in the HEAT system and the Lead User had not accepted its implementation.
- No user test plan was attached to one change record.
There is a risk that changes are not tested adequately before being migrated into the live environment. In addition, there is a risk that changes do not meet business requirements.
Recommendation: Test plans should be attached to change records once testing has been completed by Lead Users or IT staff. HEAT records should only be closed once the Lead User has formally accepted the implementation of a change.
Management Response: Agreed.
7
Finding: From a review of ten changes to databases, we noted that:
- two changes to databases were approved by users who were not the nominated Lead User per the master table; and
- a change to a database was requested by an individual who is not a Lead User.
There is a risk that unauthorised changes to databases are performed.
Recommendation: The Council should define a procedure to update the table of Lead Users and applications on a regular basis. Once updated, this document should be communicated to all relevant members of staff. Direct changes to databases should only be approved by Lead Users. In the event of an emergency change, this should be retrospectively approved by Lead Users.
Management Response: Agreed.
Position at May 2009: Partially implemented. A new sample of 10 changes to databases was selected and it was noted that one out of these 10 changes was not requested by a Lead User.
8
Finding: Although the Council has restricted access to USB memory devices to authorised members of staff, we noted that some training PCs still have write access to USB memory devices. There is a risk that data is saved to USB memory devices by unauthorised users.
Recommendation: The Council should reassess the user accounts that have been granted write access to USB devices. This access level should only be granted to authorised individuals.
Management Response / Position at May 2009: The IT Security forum has not as yet produced the policy for controlling access by USB devices. Software capable of managing USB devices has been purchased as part of the Centennial Security suite; however it has not been deployed until the policy has been agreed. One of the training PCs was accessed to ascertain if the alternative device registry method had blocked the use of writing to USB device. This PC had been locked previously but had recently been patched and when tested it was possible to write to the USB device. Desktop staff are checking all training PCs.

9
Finding: We noted that the last two penetration tests were performed in 2006 and April. There is a risk that new vulnerabilities in systems and IT infrastructure are not promptly addressed.
Recommendation: Given the rate at which IT vulnerabilities are identified and published on the Internet, the Council should consider performing a penetration test on a quarterly basis.
Management Response: Penetration testing is now scheduled annually. We will carry out as much penetration testing as our budget allows.
Position at May 2009: Partially implemented. A penetration test was carried out last December. However, the vulnerabilities that were identified had not been analysed and addressed at the time of our visit due to staff shortages.

10
Finding: Windows patches are released by Microsoft on a regular basis. However, we noted that these patches are only implemented in a PC when the machine is rebuilt. This process is usually performed every three years. There is a risk that Windows vulnerabilities may be exploited by intruders or "malware" (software designed to infiltrate or damage a computer system) due to patches not being applied on a regular basis.
Recommendation: The Council should update patches in PCs on a more regular basis. We are aware that software has been recently implemented to assist in the identification of critical patches. Patches should be subject to an adequate level of testing before being implemented across the PC estate.
Management Response / Position at May 2009: We have a WSUS service available to deliver patches to desktops when required. There are WSUS servers in Kilmory and key locations. Rather than patch desktops when Microsoft release patches we use Centennial Security Advisor (CSA) to ascertain if a patch is considered critical and to check if desktops are vulnerable. There are currently no desktops reported as vulnerable by CSA. Patches are tested, and incorporated in the corporate build constantly, and desktops are built to the highest level of patch available. Indiscriminate patching (even after testing) has caused problems in the past, with non-standard desktops and departmental applications.
"Grant Thornton" means Grant Thornton UK LLP, a limited liability partnership. Grant Thornton UK LLP is a member firm within Grant Thornton International Ltd ('Grant Thornton International'). Grant Thornton International and the member firms are not a worldwide partnership. Services are delivered by the member firms independently. This publication has been prepared only as a guide. No responsibility can be accepted by us for loss occasioned to any person acting or refraining from acting as a result of any material in this publication.
More informationHow To Protect Decd Information From Harm
Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the
More informationInternal Audit Report Business Continuity Planning Arrangements
The Highland Council Community Services Committee 6 November 2014 Agenda Item Report No 19 COM 45/14 Internal Audit Report Planning Arrangements Report by Director of Community Services Summary This report
More informationCouncil/ Community Board/ Council Subcommittee/ Board Committee. Medium
COVER SHEET Subject IT SECURITY Author Deidre Butler Typed by Harma Freese Submitted to Council/ Community Board/ Council Subcommittee/ Board Committee Name of Board/ Committee/ Subcommittee Audit & Risk
More informationInformatics Policy. Information Governance. Network Account and Password Management Policy
Informatics Policy Information Governance Policy Ref: 3589 Document Title Author/Contact Document Reference 3589 Document Control Network Account Management and Password Policy Pauline Nordoff-Tate, Information
More informationNetwork and Host-based Vulnerability Assessment
Network and Host-based Vulnerability Assessment A guide for information systems and network security professionals 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free:
More informationApplying the Principle of Least Privilege to Windows 7
1 Applying the Principle of Least Privilege to Windows 7 2 Copyright Notice The information contained in this document ( the Material ) is believed to be accurate at the time of printing, but no representation
More informationInternal audit report Information Security / Data Protection review
Audit Committee 29 September 2011 Internal audit report Information Security / Data Protection review Executive summary and recommendations Introduction Mazars have undertaken a review of Information Security
More informationLAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
More informationSOFTWARE ASSET MANAGEMENT POLICY
SOFTWARE ASSET MANAGEMENT POLICY Metadata Author.Contributor Derrick Bates Coverage.spatial UK, Cumbria Creator ICT Client Team Organisational Development Date.issued 1 st May 2008 Description The document
More informationNETWORK INFRASTRUCTURE USE
NETWORK INFRASTRUCTURE USE Information Technology Responsible Office: Information Security Office http://ooc.usc.edu infosec@usc.edu (213) 743-4900 1.0 Purpose The (USC) provides its faculty, staff and
More informationInformation Commissioner's Office
Phil Keown Engagement Lead T: 020 7728 2394 E: philip.r.keown@uk.gt.com Will Simpson Associate Director T: 0161 953 6486 E: will.g.simpson@uk.gt.com Information Commissioner's Office Internal Audit 2015-16:
More informationManagement Standards for Information Security Measures for the Central Government Computer Systems
Management Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 1.1 General...
More informationSOFTWARE LICENSING POLICY
SOFTWARE LICENSING POLICY Version 12/12/2012 University of Birmingham 2012 David Deighton, IT Services CONTENTS 1. Policy on Software Licensing... 3 1.1 Software Licensing Compliance... 3 1.2 Software
More informationService Children s Education
Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and
More informationHengtian Information Security White Paper
Hengtian Information Security White Paper March, 2012 Contents Overview... 1 1. Security Policy... 2 2. Organization of information security... 2 3. Asset management... 3 4. Human Resources Security...
More informationREGULATIONS FOR THE SECURITY OF INTERNET BANKING
REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY
More informationDHHS Information Technology (IT) Access Control Standard
DHHS Information Technology (IT) Access Control Standard Issue Date: October 1, 2013 Effective Date: October 1,2013 Revised Date: Number: DHHS-2013-001-B 1.0 Purpose and Objectives With the diversity of
More informationSafeGuard Enterprise Web Helpdesk
SafeGuard Enterprise Web Helpdesk Product version: 5.60 Document date: April 2011 Contents 1 SafeGuard web-based Challenge/Response...3 2 Installation...5 3 Authentication...8 4 Select the Web Help Desk
More informationIntroduction. PCI DSS Overview
Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,
More informationSecure Storage, Communication & Transportation of Personal Information Policy Disclaimer:
Secure Storage, Communication & Transportation of Personal Information Policy Version No: 3.0 Prepared By: Information Governance, IT Security & Health Records Effective From: 20/12/2010 Review Date: 20/12/2011
More informationNETWORK SERVICES WITH SOME CREDIT UNIONS PROCESSING 800,000 TRANSACTIONS ANNUALLY AND MOVING OVER 500 MILLION, SYSTEM UPTIME IS CRITICAL.
NETWORK SERVICES WITH SOME CREDIT UNIONS PROCESSING 800,000 TRANSACTIONS ANNUALLY AND MOVING OVER 500 MILLION, SYSTEM UPTIME IS CRITICAL. Your Credit Union information is irreplaceable. Data loss can result
More informationRef: Issue Raised Recommendation Priority Management Response Implementation Network and ABS E-Financials 1. Account security settings
Appendix A Hertsmere Borough Council - Review of information technology controls 2011-12 Ref: Issue Raised Recommendation Priority Management Response Implementation Network and ABS E-Financials 1. Account
More informationReport 7 Appendix 1d Final Internal Audit Report Sundry Income and Debtors (inc. Fees and Charges) Greater London Authority February 2010
Report 7 Appendix 1d Final Internal Audit Report Sundry Income and Debtors (inc. Fees and Charges) Greater London Authority February 2010 This report has been prepared on the basis of the limitations set
More informationCOVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name
COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name Introduction Removable Media and Mobile Device Policy Removable media and mobile devices are increasingly used to enable information access
More informationROSS PHILO EXECUTIVE VICE PRESIDENT AND CHIEF INFORMATION OFFICER
July 22, 2010 ROSS PHILO EXECUTIVE VICE PRESIDENT AND CHIEF INFORMATION OFFICER DEBORAH J. JUDY DIRECTOR, INFORMATION TECHNOLOGY OPERATIONS CHARLES L. MCGANN, JR. MANAGER, CORPORATE INFORMATION SECURITY
More informationInformation Security Policy
Information Security Policy Last updated By A. Whillance/ Q. North/ T. Hanson On April 2015 This document and other Information Services documents are held online on our website: https://staff.brighton.ac.uk/is
More informationTechnical Writing - The Perfect Research Paper
October 2010 REQUEST FOR PESTICIDE REGISTRY OR PESTICIDE APPLICATION INFORMATION NEW YORK STATE DEPARTMENT OF HEALTH HEALTH RESEARCH SCIENCE BOARD I. ORGANIZATION AND INDIVIDUAL REQUESTING PESTICIDE REGISTRY
More informationHuman Resources Policy documents. Data Protection Policy
Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and
More informationInformation Security Policy
Document reference: Version 3.0 Date issued: April 2015 Contact: Matthew Jubb Information Security Policy Revision History Version Summary of changes Date V1.0 First version finalised. February 2006 V1.1
More informationCITRUS COMMUNITY COLLEGE DISTRICT GENERAL INSTITUTION COMPUTER AND NETWORK ACCOUNT AND PASSWORD MANAGEMENT
CITRUS COMMUNITY COLLEGE DISTRICT GENERAL INSTITUTION AP 3721 COMPUTER AND NETWORK ACCOUNT AND PASSWORD MANAGEMENT 1.0 Purpose The purpose of this procedure is to establish a standard for the administration
More informationReport for Information
Report for Information Report to Audit Committee Item 21 Report of Subject Purpose Audit Manager Internal Audit 2009/10 - Update To advise members of progress on the 2009/10 audit plan. Recommendations
More informationCyber Essentials Scheme
Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks June 2014 December 2013 Contents Contents... 2 Introduction... 3 Who should use this document?... 3 What can these
More informationSafeGuard Enterprise Web Helpdesk. Product version: 6 Document date: February 2012
SafeGuard Enterprise Web Helpdesk Product version: 6 Document date: February 2012 Contents 1 SafeGuard web-based Challenge/Response...3 2 Installation...5 3 Authentication...8 4 Select the Web Helpdesk
More informationSecurity Features: Lettings & Property Management Software
Security Features: Lettings & Property Management Software V 2.0 (23/02/2015) Table of Contents Introduction to Web Application Security... 2 Potential Security Vulnerabilities for Web Applications...
More informationBirkenhead Sixth Form College IT Disaster Recovery Plan
Author: Role: Mal Blackburne College Learning Manager Page 1 of 14 Introduction...3 Objectives/Constraints...3 Assumptions...4 Incidents Requiring Action...4 Physical Safeguards...5 Types of Computer Service
More informationUniversity of Kent Information Services Information Technology Security Policy
University of Kent Information Services Information Technology Security Policy IS/07-08/104 (A) 1. General The University IT Security Policy (the Policy) shall be approved by the Information Systems Committee
More informationCapital District Vulnerability Assessment
Capital District Vulnerability Assessment Audit Report Report Number IT-AR-15-1 December 12, 214 These vulnerabilities expose the infrastructure to unauthorized remote access by potential attackers who
More informationNetwork Password Management Policy & Procedures
Network Password Management Policy & Procedures Document Ref ISO 27001 Section 11 Issue No Version 1.3 Document Control Information Issue Date April 2009, June 2010, September 2011 Status Approved By FINAL
More information