SUMMARY OF AUDIT FINDINGS

Transcription

1 SUMMARY OF AUDIT FINDINGS EXECUTIVE SUMMARY Citizens' Office of Internal Infrastructure - July 2010 The audit determined the overall effectiveness of the controls over the processes for the acquisition, implementation and upgrade of the Citizens technology infrastructure needed improvement in the areas of; 1) formal procedures, policies and standards, 2) monitoring controls (reporting and procedures) that provide metrics for major production systems, 3) Service and Operational Level Agreements, and 4) management and monitoring of third party vendors. Of the 10 findings reported, IT management has completed corrective measures on eight with the remaining issues scheduled for completion by June 30, Vulnerability Scan of the External Network July 2010 This external network vulnerability assessment and penetration/intrusion review was coordinated through the Office of Internal. The focus of the assessment included; review of the design of the Citizens external network, penetration testing of all firewalls and other critical network devices facing outside parties, and a review of network connections and remote devices. Of the 14 findings reported, IT management has completed corrective measures on nine with the remaining issues scheduled for completion by June 30, General Computer Controls November 2010 This audit was an evaluation of the general computer controls in-place over Citizens IT related functions. The audit determined improvement is needed in the areas of; 1) data center environment, 2) formal procedures, policies and standards for operating systems security, 3) physical security, and 4) corporate level programs for risk assessment, compliance training and business continuity. Of the 6 IT findings reported, IT management has completed corrective measures on one, with four scheduled for completion by June 30, 2011 and one finding scheduled to be completed December 31, Carr, Riggs & Ingram, LLC (External of Financial Statements) IT General Controls April 2010 The scope of this IT general controls audit was to review general security issues, access controls, program change and patch management, systems software, physical security, operations procedures, and disaster recovery. The external auditor reported that the IT department has implemented numerous improvements to the IT control environment, and that the development of change management processes, security, and alignment of the IT department with Citizen s business

2 goals have improved dramatically. The 4 medium rated issues reported, which were addressed through audits performed by the Office of Internal, have been closed. Office Of Insurance Regulation (External of Market Conduct) Target Market Conduct Exam February 2011 This market conduct examination included an evaluation of information systems controls following the COBIT Framework as designated in the applicable National Association of Insurance Commissioners examiners handbooks. The audit report included recommendations for strengthening production environment testing controls and physical access to data centers. The report noted that Disaster Recovery controls were found to be adequate with the improvements completed since the last examination and it was recommended consideration be given for an out of state geographical placement of a Disaster Recovery Site. Summary of IT Findings Last 3 Quarters: IT Open Items Metrics 6/30/2010 9/30/ /31/2010* Open Closed New Remaining * this quarter s data is subject to change pending updates from OIA Findings: In our response to each individual audit, IT Management has agreed with the audit recommendations and we have submitted action plans which address all audit exceptions. RECOMMENDATION There is no staff recommendation for the Information Systems Advisory Committee at this time.

3 HISTORICAL IT AUDIT COVERAGE Below is a summary of IT reviews and audits conducted during the period Period Entity 2007 KPMG 2007 CRI 2008 Gartner 2008 OIA 2008 AG Service Level and Operations Review Annual of Financial Statements Reporting Policy Applications Systems Study Ensure Systems Security Operational of IT Internal Controls Strategic Planning Process IT Steering Committee Technical Training IT Staffing and Capacity Assessment Enterprise Catastrophic Response Plan KPI - Operations PMO Acquire, Install, Test Software / Infrastructure Define and Manage Service Level Manage Problems, Incidents, Changes Manage Data, Operations, Configuration Manage Third Party Services Ensure Systems Security Develop and Maintain Policies and Procedures Project Feasibility, Requirements Management Software Development Lifecycle (Overall) IT Testing and Change Mgt Product Integration and Release Management Availability and Service Level Mgt Operations, Support, and Maintenance Supplier Management Capacity, Continuity, Incident, Configuration Mgt Verification and Validation, Measurement & Analysis Governance, IT Strategy Overview Project Planning, Monitoring and Control Enterprise Architecture Portfolio, Process, Resource, Financial Mgt Management of IT Security IT Security Plan Identity Management User Account Management Security Testing, Surveillance and Monitoring Security Incident Definition Protection of Security Technology Malicious Software Management Network Security Systems Maintenance and Development Physical and Environmental Controls Disaster Recovery User Account Management IT Long Term Strategic Planning 1 The functional areas listed are as stated during the audit. Coverage of an entire function or process does not necessarily occur; instead an overview risk assessment/analysis is performed prior to audit work to scope out processes perceived to have lower risk.

4 Period Entity 2008 OIR Market Conduct Exam General IT Controls Acquire, Install, Test Software / Infrastructure Define and Manage Service Level Annual of Manage Problems, Incidents, Changes 2009 CRI Financial Statements Manage Data, Operations, Configuration Reporting Manage Third Party Services Ensure Systems Security Develop and Maintain Policies and Procedures Change Standards and Procedures Manage Changes Impact Assessments, Prioritization and Authorization Change Status, Service Desk, Incident Mgt Manage Data General Ledger ProFinancial Application Kronos Application (HR) Check & Cash Disbursement (Acctg) Reserving & Loss Data Reporting (Claims) IT Infrastructure / TG Risk Assessment - PenTest Loss Adjusting Expense (Acctg) Bus / Sec Requirements for Data Management Storage and Retention Arrangements Media Library, Disposal, Backup and Restoration Emergency Changes Implementation Project Management Application Change Control File Backup and Recovery System Access and Segregation of Duties Reserving Exception Reporting Access to Maintain Sensitive Tables ewind System Default Reserves IT Contingency Plans - HiPath 4000 Technology Infrastructure Planning Backup and Recovery Process for App/Systems Policies, Procedures and Standards Vendor Management Monitoring: Infrastructure and Operations Metrics. Service and Operational Level Agreements Exchange Test Environment Policies and Procedures Doc Standards CPIC IT DR Plan Unencrypted Telnet Servers Remote Administration Over HTTPS Apache Web Servers SNMP External Access NTP External Access TFTP External Access DNS Open Resolver Network Monitoring Protocol Encryption Weaknesses Windows 2000 Web Server Information Leakage Other Service Vulnerabilities Global Policy Search Application ewind Inquiry Logon Credentials LAE Expense Reporting

5 Period Entity Personal Lines (Underwriting) Commercial Lines (Underwriting) General Computer Controls 2010 OIR Market Conduct Exam User Access Accounts (epas, ImageRight) Password Parameters (ImageRight) Underwriting Practices and Documentation Cancellation and Non-Renewal Notice Reasons Agent Appointment Verification Data Center and Disaster Recovery Capabilities Security Policies and Logging Database Logging Windows Domains Information Technology Business Continuity Plans Physical Security Compliance Training Business Continuity Policy Risk Assessment Policy Change Management testing controls Disaster Recovery (no exceptions) Physical Security