FINAL. Internal Audit Report. Data Centre Operations and Security

Transcription

1 FINAL Internal Audit Report Data Centre Operations and Security Document Details: Reference: Report nos from monitoring spreadsheet/ Senior Manager, Internal Audit & Assurance: ext Engagement Manager: Auditor: Date: 17 September 2014 This report is not for reproduction publication or disclosure by any means to unauthorised persons. Page 1

2 1. EXECUTIVE SUMMARY 1.1 INTRODUCTION As part of the 2014/15 Internal Audit Plan an audit of the Data centre operations and security was carried out. The objective of this review is to evaluate the security of the data centre, in particular the following areas: data centre policies and procedures are defined, documented, and communicated for all key functions; Council systems are secured to prevent unauthorised access (including 3rd party access); access to the data centre is monitored and reviewed, and access rights are periodically reviewed; data is backed up from servers held at the civic data centre; data transferred off site is secured at all times and appropriate controls are in place to monitor the location of the data; environmental controls are present to protect the servers from fire, electrical and water damage; capacity for the data centre is adequate for the server rooms equipment and storage needs; environmental equipment is routinely maintained in line with manufacturer recommended schedules; and backup electricity supplies are in place to ensure systems and services are not affected in the event of a power outage. 1.2 OVERALL OPINION The overall opinion of this review is significant assurance. There are some areas that are appropriately managed and in line with acceptable good practice, including: A computer room policy has been developed and is reviewed on an annual basis; Backup schedules are in place and failed backups are monitored and actioned by ICT staff; An offsite location is used for storage of backup tapes; and Storage capacity for the data centre is considered adequate based on the plans of ICT. However, we also identified a number of areas that require improvement, and have thus led to the limited assurance rating: Failure to test restores of critical applications regularly; Lack of documented back up policy and procedures; Excessive computer room access; A lack of regular review of the computer room access; Page 2

3 Lack of formalised computer room training as required by the computer room policy; Lack of a visitors register in the computer room, as required by the computer room policy; Lack of a fire suppression system; and The backup process is inefficient due to the increase of data over the last five years. Recommendations 7 and 8 are included for completeness. Management have agreed a response to these recommendations in the Disaster Recovery audit report. These recommendations have not influence the overall opinion. Overall Audit Opinion Full assurance Full assurance that the system of internal control meets the organisation s objectives and controls are consistently applied. Significant assurance Limited assurance No assurance Significant assurance that there is a generally sound system of control designed to meet the organisation s objectives. However, some weaknesses in the design or inconsistent application of controls put the achievement of some objectives at some risk. Limited assurance as weaknesses in the design or inconsistent application of controls put the achievement of the organisation s objectives at risk in some of the areas reviewed. No assurance can be given on the system of internal control as weaknesses in the design and/or operation of key control could result or have resulted in failure(s) to achieve the organisation s objectives in the area(s) reviewed. Page 3

4 2. SUMMARY OF CONCLUSIONS 2.1 The conclusion for each control objective evaluated as part of this audit was as follows: Control Objective Assurance Full Significant Limited None CO1: data centre policies and procedures are defined, documented, and communicated for all key functions; CO2: Council systems are secured to prevent unauthorised access (including 3rd party access); CO3: access to the data centre is monitored and reviewed, and access rights are periodically reviewed; CO4: data is backed up from servers held at the data centre; CO5: data transferred off site is secured at all times and appropriate controls are in place to monitor the location of the data; CO6: environmental controls are present to protect the servers from fire, electrical and water damage; CO7: capacity for the data centre is adequate for the server rooms equipment and storage needs CO8: environmental equipment is routinely maintained in line with manufacturer recommended schedules CO9: backup electricity supplies are in place to ensure systems and services are not affected in the event of a power outage 2.2 The recommendations arising from the review are ranked according to their level of priority as detailed at the end of the report within the detailed audit findings. Recommendations are also colour coded according to their level of priority with the highest priorities highlighted in red, medium priorities in amber and lower priorities in green. In addition, the detailed audit findings include columns for the management response, the responsible officer and the time scale for implementation of all agreed recommendations. 2.3 Where high recommendations are made within this report it would be expected that they should be implemented within three months from the date of the report to ensure that the major areas of risk have either been resolved or that mitigating controls have been put in place and that medium and low recommendations will be implemented within six and nine months respectively. Page 4

5 3. LIMITATIONS REGARDING THE SCOPE OF THE AUDIT The scope of our work will be limited to those areas outlined above. 4. ACKNOWLEDGEMENTS Audit would like to thank all involved for their assistance during this review. Page 5

6 5. DETAILED AUDIT FINDINGS Ref. Priority Findings Risk Arising/ Consequence CO1: Policies and Procedures 1 Low Lack of Backup Policy and Procedures On inspection of the Computer room policy, it was noted that the document does not contain any details on the backup policy and procedure. We accept that the off-site backup storage arrangements are detailed in the IT Disaster Recovery document. In the absence of a documented backup policy and procedure, there is an increased risk that backups are not performed in line with ICT s requirements. This may result in the loss of data, interruption of ICT services and operational difficulties. Recommendation Management Response Responsibility and Timescale We recommend that the Computer Room policy is expanded to include the backup cycle, backup transit and storage arrangements. The Computer Room Policy and description of the data back-up and restore service are given in two separate documents. These can be combined, giving the back-up and restore weight by placing it into policy. Service Operations Manager, End November Recommendation Implemented (Officer & Date) CO2: Access to the data centre 2 High Excessive access to Computer Room On inspection of the access list dated 14 August 2014, we noted that there are a total of 65 access cards that provide staff access to the County Hall computer room. Examples of these include the following: 20 temporary passes held by Reception; Senior Internal Auditor; Unauthorised/inappro priate physical access to the computer room may result in accidental or malicious damage to ICT equipment resulting in loss of data, interruption of ICT services and operational difficulties. The access to all computer rooms should be restricted to and other who require access to perform their responsibilities. The access list should be reviewed by management on a regular basis to ensure that the access granted is valid. Proof of the review should be maintained. The current security group used within the Door Access Control System (Net2) to cover the computer rooms is also shared with other duty staff requiring access 'all hours, all doors'. This is inappropriate, as some staff will require open access to most areas, but not the computer areas. S&CA have already arranged with Facilities to create a Technical Services manager, end November 2014.

7 Ref. Priority Findings Risk Arising/ Consequence Audit assistant Two members of the applications team; One staff member from Adult Services & Health; One staff member from Children s Services; Six temporary contractors; and One leaver who has not yet been removed. We accept that part of the issues arises due to Reception issuing an all hours all doors pass, that is out of the control of ICT. Recommendation Management Response Responsibility and Timescale dedicated access group for Computer rooms. This will be used for appropriate staff who require access to the computer rooms only. Access to the computer rooms will be removed from the 'all hours, all doors' group. Recommendation Implemented (Officer & Date) 3 Medium Computer Room Access Logging The computer room policy states that access to the central computer rooms must be logged. For regular staff this can be via the automated Access Control System, for other staff, this must be via an electronic or manual booking system administered centrally. The 'booking system' should Unauthorised/inappro priate physical access to the computer room may result in accidental or malicious damage to ICT equipment resulting in loss of data, interruption of ICT services and operational difficulties. Where non authorised staff require access to the computer room, they should be accompanied by a member of the ICT team and their access logged (utilising an access log form). The log should be reviewed by Management on a regular basis (monthly), to identify any unauthorised access. Agreed, S&CA will create a manual logging process that can be used to record access for individuals that do not have access right to the computer room within their own responsibility. Will record Date/time Who requires access Reason for access Technical Services manager, end November 2014.

8 Ref. Priority Findings Risk Arising/ Consequence show name of the person accessing the computer room, data and time from and until, reason for access and detail of work to be carried out. We noted that there is no booking system in place for visitors. Recommendation Management Response Responsibility and Timescale Recommendation Implemented (Officer & Date) 4 Low Computer Room Training The computer room policy states that access is granted once users have received training. There is currently no proof of the training. We understand that the training is currently verbal and there is an intention for ICT to implement an online training course going forward. A lack of training may result in staff not understanding the controls appropriate for the computer room. This may result in accidental or malicious damage to ICT equipment resulting in loss of data, interruption of ICT services and operational difficulties. A formalised training programme should be developed, that includes details of the policies and procedures staff must follow, guidance on escalation and roles and responsibilities. Evidence of a formal training record should be maintained. S&CA are working in conjunction with Development and Training to derive an on-line Computer Room Access course to be completed by staff before being allowed access to the computer rooms. Service Operations Manager, and Development and Training End December CO3: Management review of data centre access 5 Medium Access List Reviews Access list reviews are performed on an ad-hoc basis. The last review was performed in February We noted that there are many users on the access list that should not have access to the computer room. See CO2 Unauthorised/inappro priate physical access to the computer room may result in accidental or malicious damage to IT equipment resulting in loss of data, interruption of IT services and operational difficulties. We recommend that computer room access lists are reviewed more formally on a regular basis, and proof of review is retained. As a minimum the recommended guidance is every 3 months. Agreed, this is good practice and will be scheduled within the team. Service Operations Manager, End November 2014.

9 Ref. Priority Findings Risk Arising/ Consequence above for details. In addition there is no evidence of the access review. Recommendation Management Response Responsibility and Timescale Recommendation Implemented (Officer & Date) CO4: Data is backed up 6 Medium New Backup System Netbackup, the backup system currently in use by the Council, was implemented five years ago. Since the implementation, there has been a 12% annual growth of the data that requires backup. The backup process has thus become very slow and inefficient. We understand that a budget for the implementation of a new backup system has already been approved and will form part of the commissioning process. In the event that a disaster occurs and data is not appropriately backed up, inability to recover the data may result in critical business functions not being recovered in a timely, accurate and controlled fashion. This could result in the loss of data, interruption of ICT services and operational difficulties Implement a backup system that is scalable and therefore can cope with the level of data growth within the Council. This system should cope with the demands of Council and projected changes to occur. The review of the back-up process will be done by HP as the new Service Provider, in conjunction with S&CA, to achieve a solution that will be strategic for the needs of the Council and in line with HP support model going forward Service Operations Manager, September High Key System restores We noted that restores for key systems (SAP and Framework i) are not performed on a regular basis, and no restore documentation is retained. Refer to IT Disaster Management should develop a policy on how often restores will be performed and retain all supporting documentation Refer to IT Disaster Refer to IT Disaster Recovery report Refer to IT Disaster Refer to IT Disaster Recovery

10 Ref. Priority Findings Risk Arising/ Consequence report, section CO4: What testing is performed to validate IT Disaster Recovery, how the outcomes are reported and corrective actions implemented, issue 5. Recommendation Management Response Responsibility and Timescale Recommendation Implemented (Officer & Date) CO6: Environmental controls are present to protect the servers 8 High Fire suppression system Refer to IT Disaster There is no fire suppression system in place. Refer to IT Disaster Refer to IT Disaster Refer to IT Disaster Recovery report Refer to IT Disaster For more details, refer to IT Disaster, section CO3: Whether inclusion of end-to-end recovery processes and the identification of interfaces between dependent and feeder systems are understood within the ITDR Plan(s), issue 3. Key to Priorities: High Medium Low This is essential to provide satisfactory control of serious risk(s) This is important to provide satisfactory control of risk This will improve internal control

11 Limitations relating to the Internal Auditor's work The matters raised in this report are limited to those that came to our attention, from the relevant sample selected, during the course of our audit and to the extent that every system is subject to inherent weaknesses such as human error or the deliberate circumvention of controls. Our assessment of the controls which are developed and maintained by management is also limited to the time of the audit work and cannot take account of future changes in the control environment.