INFORMATION SECURITY California Maritime Academy

Transcription

1

2 CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California Maritime Academy Audit Report April 8, 2015 Senior Director: Mike Caldera IT Audit Manager: Greg Dove Senior Auditor: Linda Rathfelder

3 EXECUTIVE SUMMARY OBJECTIVE The objectives of the audit were to ascertain the effectiveness of existing policies and procedures related to the administration of information security and to determine the adequacy of controls over the related processes; to evaluate adherence to the Integrated California State University Administrative Manual (ICSUAM) information security policy, or where appropriate to an industry-accepted standard; and to ensure compliance with relevant governmental regulations, Trustee policy, Office of the Chancellor directives, and campus procedures. CONCLUSION Based upon the results of the work performed within the scope of the audit, the operational and administrative controls for information security activities as of November 21, 2014, taken as a whole, were sufficient to meet the objectives of this audit. In general, the controls and processes established over information security at California Maritime Academy (CMA) provide reasonable assurance that the network, systems, and data are protected and that access privileges are provided in a consistent and controlled manner. In addition, our results indicate that the campus exercises prudent oversight of departments, colleges, and auxiliary organizations and operates in accordance with the California State University (CSU) information security policy. Our audit procedures did identify opportunities to improve the process and methodologies used for general governance and oversight and to improve network security controls. Specific observations, recommendations, and management responses are detailed in the remainder of this report. Audit Report Office of Audit and Advisory Services Page 1

4 S, S, AND RESPONSES 1. GOVERNANCE AND OVERSIGHT The information security office had not developed a formal action plan to identify and prioritize information security risks and a corresponding remediation plan and had not documented timelines to address campus information security issues. We found that the information security officer (ISO) maintained a list of projects that he considered to be important, but there was no formal plan tying projects to specific risks and no management commitment to their implementation. The absence of a comprehensive information security action plan limits the campus ability to direct a comprehensive system of information security management. We recommend that the campus develop a formal action plan to identify and prioritize information security risks and a corresponding remediation plan and document project timelines to address campus information security issues. We concur. The campus IT governance committee will develop an action plan to identify and prioritize the review of IT projects, including information security. 2. FIREWALL SETTINGS The campus firewall configuration settings were not adequate to meet campus security objectives. Our technical analysis identified various areas where the firewall rules needed adjustments to adequately control network traffic. An inadequately configured system increases the risk that a remote attacker may be able to exploit network resources, gain access to protected confidential information, or execute malicious programs that could potentially disable other network resources. Audit Report Office of Audit and Advisory Services Page 2

5 We recommend that the campus evaluate and adjust the firewall configuration settings identified as concerns to ensure that they are adequate to meet campus security objectives. We concur. The campus will review and update firewall configuration, as well as document all firewall policy changes for future reference. 3. WEBSITE VULNERABILITY MANAGMENT A website vulnerability scan was not performed on the campus website when the website was placed into production, and there was no process to perform website vulnerability scans on a scheduled basis. We found that the campus had outsourced its website development and support to a thirdparty service but had not conducted a vulnerability scan of the website. A lack of website vulnerability scans increases the risk that a remote attacker may be able to access protected information or execute malicious programs on the server that could affect campus computing resources. We recommend that the campus develop a process to perform website vulnerability scans of the campus website when significant changes are made or on a scheduled basis. We concur. The campus will develop a process to perform vulnerability scans. 4. INTERNET THREAT MANAGEMENT The campus did not have methods or network tools to detect external attacks and other network threats from the Internet. CSU policy requires that system administrators scan and remediate vulnerabilities on critical systems. Audit Report Office of Audit and Advisory Services Page 3

6 Inadequate monitoring and identifying of Internet threats increases the risk that system breaches may not be detected and increases the risk of loss or exposure of sensitive data. We recommend that the campus implement a method or network tools to detect external attacks and other network threats from the Internet. We concur. The campus will implement a network detection solution. 5. SOFTWARE MANAGEMENT The campus software management process did not include removal of all obsolete versions of some products installed on desktop computers and workstations. We found that the process included removal of products purchased by the campus, but that obsolete versions of commonly installed free software were not being updated. Inadequate removal of vulnerable obsolete software products may lead to compromise and potential loss of protected confidential information or inappropriate access to systems. We recommend that the campus enhance its software management process to include removal of all obsolete products installed on desktop computers and workstations. We concur. The campus is in the process of implementing a new remote management product that would allow the IT department to manage software for all workstations. 6. SYSTEM BACKUP The campus did not encrypt data on backup tapes and did not send them to a remote location. Audit Report Office of Audit and Advisory Services Page 4

7 We found that the campus issued a purchase order for backup software that enables encryption and created plans to send the tapes to another CSU campus after encryption was enabled, but had not yet installed the software or carried out the plans. Inadequate processes for securing system backups increases the risk of loss or exposure of sensitive data and could adversely affect the campus ability to recover from system failure. We recommend that the campus encrypt backup copies of data and implement a procedure to send the backups to a remote location. We concur. The campus will encrypt backup copies of data and implement a procedure to send backups to a remote location. 7. REVIEW OF SECURITY EVENT LOGS The campus did not perform regular reviews of security event logs. We found that the campus had enabled the logging of security events for servers and network devices; however, the event logs were not reviewed on a routine basis. Inadequate review of security logs increases the risk that malicious activity could go undetected and viruses or other malicious code could be embedded within the campus network and its resources, which could lead to confidential information being breached and not reported. We recommend that the campus perform regular reviews of security event logs. We concur. The campus is in the process of procuring a solution to collect and analyze logs and provide effective reports and alerts. Audit Report Office of Audit and Advisory Services Page 5

8 GENERAL INFORMATION BACKGROUND The CSU Information Security Policy, dated April 19, 2010, states that the Board of Trustees of the CSU is responsible for protecting the confidentiality, integrity, and availability of CSU information assets. Unauthorized modification, deletion, or disclosure of information assets can compromise the mission of the CSU, violate individual privacy rights, and possibly constitute a criminal act. It is the collective responsibility of all users to ensure confidentiality of information that the CSU must protect from unauthorized access; integrity and availability of information stored on or processed by CSU information systems; and compliance with applicable laws, regulations, and CSU/campus policies governing information security and privacy protection. It further states that the CSU Information Security Policy shall apply to the following: All campuses. Central and departmentally managed campus information assets. All users employed by campuses or any other person with access to campus information assets. All categories of information, regardless of the medium in which the information asset is held or transmitted (e.g., physical or electronic). Information technology facilities, applications, hardware systems, and network resources owned or managed by the CSU. Auxiliaries, external businesses, and organizations that use campus information assets must also operate those assets in conformity with the CSU Information Security Policy. The CSU Information Security Policy directs the campus president to appoint an ISO and assign responsibility and authority for administering the information security function. Information security at CSU campuses covers a broad range of sensitive data that requires protection to be in compliance with numerous state and federal regulations. Campuses collect social security numbers for employee personnel and for student financial aid tax reporting, which is regulated by federal and state law. Other forms of data include student grades and academic records that must be protected under federal privacy laws. In addition, CSU campuses that have student health centers, psychological counseling centers, and pharmacies may also have medical and prescription records that must be protected under federal health privacy laws. Campus retail operations for bookstores, convenience stores, restaurants and dining, and student activities involve collection and processing of credit card information that is regulated by the banking industry. Audit Report Office of Audit and Advisory Services Page 6

9 SCOPE At the CMA campus, information security is administered by the ISO, who reports to a parttime chief information officer through a contractual agreement with CSU Sonoma. CMA also has an incident-handling team that provides oversight and guidance. CMA data processing activities are consolidated under a central information technology department. CMA has outsourced most of the business- and student-related applications systems, including those of the auxiliary organizations, and is primarily responsible for supporting the network infrastructure and systems used for teaching classes. Our audit and evaluation included the audit tests we considered necessary in determining whether operational and administrative controls are in place and operative. The audit focused on procedures in effect from August 11, 2014, through September 12, Specifically, we reviewed and tested: The activities and measures undertaken to protect the confidentiality, integrity, and access and availability of information. Processes for identifying confidential, private, or sensitive information; authorizing access; securing information; detecting security breaches; and evaluating security incident reporting and response. Measures to limit collection of information, control access to data, and assure that individuals with access to data do not utilize the data for unauthorized purposes. Encryption of data in storage and transmission. Physical and logical security measures for all data repositories. We also retained outside contractors to perform a technical security assessment that included running diagnostic software designed to identify improper configuration of selected systems, servers, and network devices. The purpose of the technical security assessment was to determine the effectiveness of technology and security controls governing the confidentiality, integrity, and availability of selected campus assets. Specifically, this configuration testing included assessment of the following technologies: selected operating systems, border firewall settings, network traffic analysis, vulnerability scanning, and website vulnerability assessment. As a result of changing conditions and the degree of compliance with procedures, the effectiveness of controls changes over time. Specific limitations that may hinder the effectiveness of an otherwise adequate system of controls include, but are not limited to, resource constraints, faulty judgments, unintentional errors, circumvention by collusion, and management overrides. Establishing controls that would prevent all these limitations would not be cost-effective; moreover, an audit may not always detect these limitations. Our testing and methodology was designed to provide a managerial level review of key information security practices, which included detailed testing of a limited number of network and computing devices. Our review did not examine all aspects of information security, and our testing approach was designed to provide a view of the security technologies used to Audit Report Office of Audit and Advisory Services Page 7

10 CRITERIA AUDIT TEAM protect only key computing resources. In addition, selected emerging technologies were not included in the scope of this review. Our audit was based upon standards as set forth in CSU Board of Trustee policies; Office of the Chancellor policies, letters, and directives; campus procedures; and other sound administrative practices. This audit was conducted in conformance with the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing. This review emphasized, but was not limited to, compliance with: ICSUAM 8000, Information Security ICSUAM 7000, Identity Management Government Code International Standards Organization 27001, Information Security Management System Standard Senior Director: Mike Caldera Audit Manager: Greg Dove Audit Report Office of Audit and Advisory Services Page 8