South Northamptonshire Council


Windows Active Directory
Final Internal Audit Report - September 2011

Distribution list:
Mike Shaw - IT & Customer Services Manager
David Price - Director of Community Engagement and Corporate Services
Martin Henry - Head of Finance
Sue Smith - Chief Executive (Final Report Only)

Key dates:
Date of fieldwork: June 2011
Date of draft report: August 2011
Receipt of responses: September 2011
Date of final report: September 2011

This report and the work connected therewith are subject to the Terms and Conditions of the contract dated 18/06/07, which was extended on the 10th December 2009, between South Northamptonshire Council and Deloitte & Touche Public Sector Internal Audit Limited. The report is produced solely for the use of South Northamptonshire Council. Its contents should not be quoted or referred to in whole or in part without our prior written consent except as required by law. Deloitte & Touche Public Sector Internal Audit Limited will accept no responsibility to any third party, as the report has not been prepared, and is not intended, for any other purpose.

Contents

1. EXECUTIVE SUMMARY
2. SCOPE OF ASSIGNMENT
3. ASSESSMENT OF CONTROL ENVIRONMENT
4. OBSERVATIONS AND RECOMMENDATIONS
APPENDIX A - REPORTING DEFINITIONS
APPENDIX B - STAFF INTERVIEWED
APPENDIX C - SUMMARY OF DOMAIN ACCOUNTS POLICY VALUES
APPENDIX D - SUMMARY OF DOMAIN CONTROLLER AUDIT POLICY SETTINGS
APPENDIX E - STATEMENT OF RESPONSIBILITY

1. Executive summary

1.1. Background

As part of the 2011/12 Internal Audit Plan we have carried out an audit of Windows Active Directory security. The audit made use of the third-party security evaluation tool SekChek to obtain a security extract from the ADTOW02 domain controller in the snclive.gov.uk domain, and involved subsequent analysis of the data extract produced. The results were benchmarked against industry and leading practice standards (see Appendices C and D); leading practice is the standard adopted by the top 10-20% of organisations. The Active Directory is managed by Capita on behalf of the Council.

1.2. Objectives and scope

The overall objective of this audit was to provide assurance that the network system, components, configuration and access permissions are able to maintain the accuracy, confidentiality and availability of the IT resources and data, in line with the control objectives listed in Section 2, which also sets out the objective and scope of our work.

1.3. Summary assessment

Overall, the security analysis found security to be below average compared with other Windows domain controllers running Active Directory in the Government sector. Weaknesses in the system of internal control design are such as to put the system objectives at risk. Our assessment in terms of the design of, and compliance with, the system of internal control covered is set out below.

Design of Controls: Limited
Operation of Controls: Limited

Management should be aware that our internal audit work was performed according to UK Government Internal Audit Standards, which are different from audits performed in accordance with International Standards on Auditing (UK and Ireland) issued by the Auditing Practices Board. Similarly, the assessment gradings provided in our internal audit report are not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board.

The classifications of our audit assessments and the priority rating definitions for our recommendations are set out in more detail in Appendix A, whilst further analysis of the controls is shown in Section 3 and Appendices C and D.

1.4. Key findings

We have raised ten priority 2 and five priority 3 recommendations where we believe there is scope for improvement within the control environment. The key findings are set out below:

- The SekChek analysis found some of the system policy settings to be set at weaker values; for example, passwords are stored using reversible password encryption, account lockout settings are not fully defined, and the default administrator and guest accounts have not been renamed. These and other policies should be aligned with leading practice standards and monitored to confirm they are appropriate.
- The audit policy settings have not been enabled for the majority of events or activities (see Appendix D). There was also no established process for proactive log review.
- While the majority of registry key settings were appropriately defined to assist in the maintenance of a secure operating environment, some exceptions were identified; for example, unsigned driver installation behaviour is set to silently succeed.
- There were no standard account management profiles; for example, inconsistent application of domain policy settings for home directories, scripts and profiles was identified.
- Due to account settings, some users are never required to change their passwords, and accounts can be set by an Administrator to not require a password for logon. We also identified some redundant and generic accounts.
- The security analysis identified named accounts holding rights that are recommended should not be granted to anyone. These need to be reviewed to ensure the permissions are required and appropriate.
- A large number of Discretionary Access Control Lists (DACLs) were identified. As the system allows permissions to be granted through them, DACLs need to be monitored to ensure that these permissions remain appropriate.
- A significant number of accounts can be used to dial in to the Active Directory via RAS. However, dial-back controls have not been implemented.

Full details of the audit findings and recommendations are shown in Section 4 of the report. Some of the identified weaknesses were rectified during the course of the audit: in some cases the recommendation has been withdrawn, but where a composite recommendation was raised this has been highlighted.

1.5. Management response

We have included a summary of management's response alongside each recommendation in Section 4. We would like to take this opportunity to thank all staff involved for their time and cooperation during the course of this visit.

2. Scope of assignment

2.1 Objective

The overall objective of this audit was to provide assurance that the system of control in respect of the administration of Windows Active Directory, with regard to the areas set out in Section 2.3, is adequate and is being consistently applied.

2.2 Approach and methodology

The following procedures were developed with reference to the Code of Practice for Internal Audit in Local Government as produced by CIPFA, and by an assessment of risks and management controls operating within each area of the scope. The following procedures were adopted:
- Identification of the role and objectives of each area;
- Identification of risks within the systems, and controls in existence to allow the control objectives to be achieved; and
- Evaluation and testing of controls within the systems.

2.3 Areas covered

In accordance with our agreed terms of reference, dated June 2011, our work was undertaken to ascertain whether the network system, components, configuration and access permissions are able to maintain the accuracy, confidentiality and availability of the IT resources and data. The following areas were audited:
- System Accounts Policy;
- Audit Policy Settings;
- Registry Key Settings;
- Analysis of Trusted and Trusting Domains;
- Use of Home Directories and Logon Scripts;
- Analysis of Services and Drivers;
- User Account Management;
- Discretionary Access Controls; and
- User Permissions.

3. Assessment of control environment

The following table sets out in summary the control objectives we have covered as part of this audit, our assessment of risk based on the adequacy of controls in place, the effectiveness of the controls tested and any resultant recommendations.

Control objective assessed                  | Recommendations raised
--------------------------------------------|-----------------------
System Accounts Policy                      | 1, 2, 3, 4, 8
Audit Policy                                | 5
Registry Key Settings                       | 6, 7
Analysis of Trusting and Trusted Domains    | 15
Use of Home Directories, Logon Scripts      | 10
Analysis of Services and Drivers            | 13, 14
User Account Management                     | 9
Discretionary Access Controls               | 12
User Permissions                            | 11

The classifications of our assessment of risk for the design and operation of controls are set out in more detail in Appendix A.

4. Observations and recommendations

Recommendation 1: Password Controls (Priority 3)

The following password parameter settings should be amended to comply with leading practice values. We recommend the following settings:
- Password complexity is enabled;
- Password history size is increased from 10 to 13; and
- Reversible password encryption is disabled (when this setting is enabled, passwords are stored in clear text).

Adopting stronger password system account policy settings helps to ensure that good password control policies are adopted, and also increases assurance that only authenticated and authorised users can gain system access.

Audit analysis and review of the system account policy settings identified the following exceptions, where password account policies were not fully applied in line with leading practice (see Appendix C):
- Password history size was set to remember the last 10 passwords;
- Password complexity is disabled; and
- Reversible password encryption is enabled.

Evidence provided at the exit meeting showed that password complexity has now been enabled.

Unless effective account policy settings are established, there is an increased risk that passwords may be compromised, which could result in unauthorised access.

Management response:
- Password complexity is enabled and was demonstrated, along with a screen shot as evidence (to Martha Nkomo 04/07/2011). Completed.
- Password history will be adjusted from 10 months to 13. Deadline 01/11/11.
- Reversible Password Encryption (RPE) is disabled (when this setting is enabled, passwords are stored in clear text). A request has been passed to Capita to update this setting if there is no implication to existing systems. Deadline 01/01/12.

Recommendation 2: Account Lockout (Priority 2)

The domain accounts policy settings should be amended as follows:
- The lockout threshold should be set to lock a user account after three unsuccessful attempts;
- The lockout duration should be set to 0, which means a user account is locked out until reset by an Administrator; and
- The reset lockout counter should be set to 1440 minutes (one day).
Where cases exist in which settings are required to be set to weaker values, this should be separately recorded.

The lockout threshold indicates the number of failed logon attempts for user accounts before accounts are locked out. The lockout duration indicates the amount of time an account will remain locked, and the reset lockout counter specifies the period within which invalid logon attempts are monitored. Setting appropriate values within the domain accounts policy can play an important role in restricting access to accounts which have had repeated access attempts.

Review of the domain account policy (see Appendix C) identified that the lockout threshold, lockout duration and reset lockout counter have not been set. Evidence provided at the exit meeting showed that the lockout threshold was subsequently set to 3 attempts.

Use of suitable lockout threshold, lockout duration and reset lockout counter settings within the domain accounts policy will help reduce the risk of unauthorised access.

Management response: Lockout threshold was set and demonstrated to the auditor with a duration of 15 minutes. This level of lockout is considered suitable to the needs of the business at this time. We do not intend to set the lock-out counter to 1440 or require a manual intervention to unlock the account. Completed.

Recommendation 3: Default Accounts (Priority 2)

It is recommended that the following settings are enforced:
- The administrator and guest accounts are renamed from the default setting to a new name; and
- The lockout of the local administrator account is enabled.

Renaming the administrator and guest accounts will minimise the risk of intruders using these well-known accounts when attempting to log on to the domain. Enabling the lockout of the local administrator account helps to ensure that the built-in administrator account can be locked out if targeted to obtain unauthorised access to the system.

The policy values for 'Rename administrator account' and 'Rename guest account' were set as 'not defined', and the policy value for 'Allow lockout of local administrator account' was disabled.

Failure to rename the administrator and guest accounts to a less obvious name increases the risk that unauthorised access can be gained to these accounts. Where lockout of the local administrator account is not enabled, there is an increased risk of repeated, unauthorised access attempts.

Management response: A request has been made to Capita to cost this item. Deadline 01/12/11.

Recommendation 4: Group Policy Objects (Priority 2)

It is recommended that:
- A review of all the Group Policy Objects (GPOs) defined on the network domain is undertaken and, where they appear to be redundant or inconsistent, the required corrective action is taken; and
- A process is put in place to periodically review the GPOs defined on the domain, to help ensure that they are valid, current and consistent.

Review of the GPOs will assist in the best use of resources and will help ensure that the correct policy is applied as necessary.

A review of the security analysis report identified the following exceptions in relation to the GPOs defined on the system:
- 5% (10) do not exist on disk;
- 13% (24) have the Computer Configuration disabled;
- 54% (98) have the User Configuration disabled; and
- 5% (9) are not linked to a container.

The lack of review of the permissions and settings applied through GPOs increases the risk that permissions could be incorrectly allocated and settings wrongly enforced on the system.

Management response: A review of the group policy setup will be conducted in line with the joint working agreement with Cherwell Council as part of the life after Capita program (31/03/12). This should allow both councils to work together towards a consistent and appropriate solution. Deadline 31/06/12.

Recommendation 5: Audit Policy (Priority 2)

The domain audit policy settings should be reviewed and aligned to leading practice and, where appropriate, the policy events should be audited for success and failure. It is also recommended that a process to regularly review audit logs for unusual or suspicious events is implemented.

Effective audit policy settings help to ensure that accountability can be established for both successful and failed user activities on the network.

The security analysis identified the following audit policy settings:
- Audit Account Logon Events - Success;
- Audit Directory Service Access - Success;
- Audit Logon Events - Success;
- Audit Object Access - No auditing;
- Audit Policy Change - Success;
- Audit Privilege Use - No auditing;
- Audit Process Tracking - No auditing; and
- Audit System Events - No auditing.

Management advised that a tool is currently being implemented to log all activity; however, there is currently no process for the proactive review of audit logs.

Inappropriate audit policy settings increase the risk that accountability cannot be established for activities on the system.

Management response: The SureCloud audit log tool is compliant with GCSX Government Connect 4.1 (highest level) and has been used successfully over the past year to review/highlight events within the log files. The above audit recommendation will be passed to the supplier to make sure the relevant areas' logs are captured, and to ask advice on automatic escalation of key inconsistencies to avoid having to employ staff solely to review these logs. Deadline 01/01/12.

Recommendation 6: Event Logs (Priority 3)

It is recommended that the event log size settings are reviewed and, where necessary, amended to ensure that logs are of an appropriate size to facilitate the recording of system activity.

Event logs contain all events that have been logged as directed by the audit policy settings. Event log size and retention methods determine the length of time for which these event details are maintained. Reviewing event logs helps to ensure that unusual activity identified in the event logs is reported and reviewed.

The default event log settings were found to be in excess of the recommended values. However, these logs are not proactively monitored and reviewed.

Where event logs are not monitored and reviewed, there is a risk that unusual or suspicious activities identified may not be reported to management.

Management response: As explained to the auditor, these logs are captured by the SureCloud GCSX Government Code of Connection compliant software product, and held in line with Government s for at least 6 months. Completed.

Recommendation 7: Security Options (Priority 3)

Security options should be reviewed and consideration given to adopting the following security configuration settings:
- Restrict CD-ROM access to locally logged-on users only: Enabled;
- Restrict floppy access to locally logged-on users only: Enabled; and
- Unsigned driver installation behaviour: 'Do not allow' or 'Warn but allow installation'.

Appropriately defined registry key settings can assist in the maintenance of a secure operating environment.

Examination of the security configuration options found leading practice requirements to be generally applied and enforced, apart from the following exceptions:
- Restrict CD-ROM access to locally logged-on users only: Disabled;
- Restrict floppy access to locally logged-on users only: Disabled;
- Unsigned driver installation behaviour: Silently succeed; and
- Clear virtual memory page file: Disabled.

Where appropriate restrictions are not enforced on the Windows operating system, there is a risk that the settings identified could allow unauthorised access to system resources.

Management response: The locking out of CD-ROMs has been reviewed and is enabled due to the widespread need to import image and MS Office files. Risk has been mitigated against installation of unauthorised software through the locking down of PCs via an enforced standard operating system (SOE) which restricts the installation or activation of unauthorised software. Completed.

Recommendation 8: Use of Passwords (Priority 2)

A review should be performed of all accounts whose passwords are set to never expire, and controls implemented so that these passwords are changed in line with good password practice. It is also recommended that accounts which may be allocated a zero-length password by a System Administrator are reviewed, and the password requirements aligned to comply with the Council's password policy.

Requiring the use of passwords that meet leading practice standards enhances the integrity and security of the system. Changing passwords on a regular basis helps to improve security and minimises the risk of unauthorised access.

The security analysis identified that, due to account-level security settings:
- 175 user and 15 administrator accounts are not required to change their password in line with the settings established by the domain policy; and
- 117 users may have their account set to not require a password by an Administrator.

It was also established that the passwords for Councillors' accounts are not set to expire.

Weak password controls can result in loss of accountability for actions performed, and increase the risk of unauthorised or inappropriate access to the system and information resources.

Management response: It was demonstrated at the exit meeting that users on the list not requiring passwords did require passwords at login or were refused access. Completed.

Recommendation 9: Redundant and Generic Accounts (Priority 2)

It is recommended that improvements in user account management are made to:
- Remove redundant accounts; and
- Eliminate generic accounts by assigning accounts to named users where possible. Where generic system accounts are required, these should be specifically recorded and approved.

Removing redundant accounts and assigning accounts to specific individuals helps ensure that only the required accounts are retained.

Audit testing of the user list identified a number of generic accounts present on the system: Northgate1 - Northgate8; Public01 - Public03; Soetest1 - Soetest7; and Training1 - Training8.

It was also identified that, of the active user accounts:
- 281 have not logged on in the last 30 days;
- 266 have not logged on in the last 60 days;
- 257 have not logged on in the last 90 days;
- 254 have not logged on in the last 2 years; and
- 254 have never been used, or their last logon date is unknown.

Of the active accounts that have been assigned administrator permissions:
- 34 have not logged on in the last 30 days;
- 31 have not logged on in the last 60 days; and
- 30 have never been used, or their last logon date is unknown.

Where user accounts are not reviewed to ensure they are current, there is a risk that a large number of redundant accounts exist on the network and could be used to obtain access to it. The use of generic accounts reduces accountability, as responsibility for the use of the account cannot be established.

Management response: Active accounts will be reviewed as suggested. Deadline 31/03/12.
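The policy comparisons in Recommendations 1 and 2 and the account counts in Recommendations 8 and 9 can be reproduced against a live domain with a short script. The PowerShell below is an added example written for this page, not code from the report, SekChek, Capita or the Council; it assumes the ActiveDirectory RSAT module for a live run, and with -SampleData it substitutes constructed objects so the checks can be tried offline. The sample account names, the 'Domain Admins' membership test and the 365-day heuristic for a "locked until reset" duration are assumptions, not values from the report.

```powershell
# Added example, not from the audit report or the Council's own tooling: compares the
# domain account policy with the leading-practice values in recommendations 1 and 2
# and produces the account-hygiene counts that recommendations 8 and 9 describe.
# A live run needs the ActiveDirectory (RSAT) module; -SampleData substitutes
# constructed objects shaped like the cmdlet output so the checks run offline.
param([switch]$SampleData)

# Leading-practice values as stated in the report.
$LeadingPractice = @{ PasswordHistoryCount = 13; LockoutThreshold = 3; LockoutWindowMinutes = 1440 }

function Test-DomainAccountPolicy {
    # $Policy uses the property names of Get-ADDefaultDomainPasswordPolicy output.
    param([Parameter(Mandatory)] $Policy)
    $findings = @()
    if ($Policy.PasswordHistoryCount -lt $LeadingPractice.PasswordHistoryCount) {
        $findings += "Password history size is $($Policy.PasswordHistoryCount); leading practice is $($LeadingPractice.PasswordHistoryCount)"
    }
    if (-not $Policy.ComplexityEnabled) { $findings += 'Password complexity is disabled' }
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += 'Reversible password encryption is enabled (passwords recoverable as clear text)'
    }
    if ($Policy.LockoutThreshold -eq 0) {
        # With no threshold, duration and reset window never apply, so stop here.
        $findings += 'Lockout threshold is not set (accounts never lock out)'
        return $findings
    }
    if ($Policy.LockoutThreshold -gt $LeadingPractice.LockoutThreshold) {
        $findings += "Lockout threshold is $($Policy.LockoutThreshold) attempts; leading practice is $($LeadingPractice.LockoutThreshold)"
    }
    # Report value 0 = locked until an administrator resets it. Assumption: tooling may
    # show that as a zero or as a very large TimeSpan, so both are treated as compliant.
    $duration = [TimeSpan]$Policy.LockoutDuration
    if ($duration -ne [TimeSpan]::Zero -and $duration -lt [TimeSpan]::FromDays(365)) {
        $findings += "Lockout duration is $($duration.TotalMinutes) minutes; leading practice is 0 (until reset by an administrator)"
    }
    $window = [TimeSpan]$Policy.LockoutObservationWindow
    if ($window.TotalMinutes -lt $LeadingPractice.LockoutWindowMinutes) {
        $findings += "Lockout counter resets after $($window.TotalMinutes) minutes; leading practice is 1440"
    }
    return $findings
}

function Get-AccountHygieneReport {
    # $Users: objects with SamAccountName, Enabled, PasswordNeverExpires,
    # PasswordNotRequired, LastLogonDate and IsAdmin (see Get-LiveInput).
    param([Parameter(Mandatory)] [object[]] $Users, [datetime] $Now = (Get-Date))
    $active = @($Users | Where-Object { $_.Enabled })
    $admins = @($active | Where-Object { $_.IsAdmin })
    $stale = foreach ($days in 30, 60, 90, 730) {
        $cutoff = $Now.AddDays(-$days)
        $isStale = { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff }.GetNewClosure()
        [pscustomobject]@{ Days = $days; Users = @($active | Where-Object $isStale).Count
                           Admins = @($admins | Where-Object $isStale).Count }
    }
    [pscustomobject]@{
        ActiveAccounts            = $active.Count
        UserPasswordNeverExpires  = @($active | Where-Object { $_.PasswordNeverExpires -and -not $_.IsAdmin }).Count
        AdminPasswordNeverExpires = @($admins | Where-Object { $_.PasswordNeverExpires }).Count
        PasswordNotRequired       = @($active | Where-Object { $_.PasswordNotRequired }).Count
        NeverLoggedOn             = @($active | Where-Object { -not $_.LastLogonDate }).Count
        # Name patterns are the generic accounts the report lists; extend for your estate.
        GenericAccounts           = @($active.SamAccountName | Where-Object { $_ -match '^(Northgate|Public|Soetest|Training)\d+$' })
        NotLoggedOnWithin         = $stale
    }
}

function Get-LiveInput {
    Import-Module ActiveDirectory
    $adminNames = @((Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SamAccountName)
    # LastLogonDate derives from the replicated lastLogonTimestamp, which can lag by up to 14 days.
    $users = Get-ADUser -Filter * -Properties PasswordNeverExpires, PasswordNotRequired, LastLogonDate |
        ForEach-Object {
            [pscustomobject]@{ SamAccountName = $_.SamAccountName; Enabled = $_.Enabled
                               PasswordNeverExpires = $_.PasswordNeverExpires; PasswordNotRequired = $_.PasswordNotRequired
                               LastLogonDate = $_.LastLogonDate; IsAdmin = ($adminNames -contains $_.SamAccountName) }
        }
    [pscustomobject]@{ Policy = (Get-ADDefaultDomainPasswordPolicy); Users = @($users) }
}

function New-SampleUser($Name, $Enabled, $NeverExpires, $NotRequired, $LastLogon, $IsAdmin) {
    [pscustomobject]@{ SamAccountName = $Name; Enabled = $Enabled; PasswordNeverExpires = $NeverExpires
                       PasswordNotRequired = $NotRequired; LastLogonDate = $LastLogon; IsAdmin = $IsAdmin }
}

function Get-SampleInput {
    # Constructed data mirroring the weak Appendix C settings and the account findings.
    $now = Get-Date
    $policy = [pscustomobject]@{
        PasswordHistoryCount = 10; ComplexityEnabled = $false; ReversibleEncryptionEnabled = $true
        LockoutThreshold = 0; LockoutDuration = [TimeSpan]::Zero; LockoutObservationWindow = [TimeSpan]::Zero
    }
    $users = @(
        (New-SampleUser 'jbloggs'    $true  $false $false $now.AddDays(-3)   $false)
        (New-SampleUser 'cllr.adams' $true  $true  $false $now.AddDays(-45)  $false)
        (New-SampleUser 'svc.backup' $true  $true  $false $now.AddDays(-400) $true)
        (New-SampleUser 'Training3'  $true  $true  $true  $null              $false)
        (New-SampleUser 'leaver01'   $false $false $false $now.AddDays(-800) $false)
    )
    [pscustomobject]@{ Policy = $policy; Users = $users }
}

$data = if ($SampleData) { Get-SampleInput } else { Get-LiveInput }
'Domain account policy exceptions:'
Test-DomainAccountPolicy -Policy $data.Policy | ForEach-Object { " - $_" }
$report = Get-AccountHygieneReport -Users $data.Users
$report | Select-Object -Property * -ExcludeProperty NotLoggedOnWithin | Format-List
$report.NotLoggedOnWithin | Format-Table -AutoSize
```

Run as `.\Check-AdHygiene.ps1 -SampleData` to see the four policy exceptions and the stale-account buckets on the constructed data; on a live domain the same output is the evidence for Recommendations 8 and 9.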

Recommendation 10: Home Directories, Scripts and Profiles (Priority 2)

Management should consider configuring and implementing standardised account management profiles, applied consistently for home directories, logon scripts and logon profiles across the domain.

The consistent application of domain policy settings for user accounts, including the use of home directories, logon scripts and logon profiles (which can connect drives to network shares, printers and command-line utilities such as backups and restores), helps to ensure efficient system administration, management and security.

The security analysis identified that, of the active user accounts defined on the ADTOW02 domain:
- 299 user accounts do not have a home directory;
- 559 user accounts do not have a logon script; and
- 538 user accounts do not have a specific logon profile.

Inconsistent use of home directories, logon scripts and logon profiles can complicate user administration and increases the risk of data being retained inappropriately on local drives, resulting in the potential loss of data and weakened security.

Management response: Active accounts will be reviewed as suggested. Deadline 31/03/12.

Recommendation 11: Rights and Privileges (Priority 3)

A review of the currently assigned rights and privileges should be performed, and rights that should not be granted to anyone should only be permitted where required for the operation and maintenance of the Active Directory.

Restricting powerful system rights and privileges helps to ensure that users do not have excessive rights over system processes.

Examination of the rights and privileges assigned to users on the ADTOW02 domain identified that, while the following rights and permissions that should not have been granted to anyone were assigned to service accounts, they were also assigned to a small number of named administrator accounts:
- Three user accounts have the right to 'Act as part of the operating system';
- Fifty-six user accounts have the right to 'Adjust memory quotas for a process';
- Two user accounts have the right to 'Create a token object';
- One user account has the right to 'Lock pages in memory';
- Eleven user accounts have the right to 'Log on as a batch job';
- Three user accounts have the right to 'Log on as a service'; and
- Four user accounts have the right to 'Replace a process-level token'.

Where powerful system rights that should be granted to 'no one' are assigned and available to users, there is an increased risk to the security, stability and integrity of the system.

Management response: The list of privileged accounts will be reviewed as suggested. Deadline 31/03/12.
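The audit policy categories in Recommendation 5, the 'grant to no one' rights in Recommendation 11 and the default account names in Recommendation 3 are all present in the INF that secedit exports from a domain controller's local security policy. The PowerShell below is an added example written for this page, not the report's, Capita's or the Council's code; it assumes the key names secedit writes under [Event Audit], [Privilege Rights] and [System Access], and embeds a constructed sample export (not a real extract) so the parser runs offline.

```powershell
# Added example, not from the audit report or the Council's own tooling: parses the
# INF written by "secedit /export /cfg <file>" on a domain controller and flags the
# audit policy (recommendation 5), "grant to no one" privilege (recommendation 11)
# and default account name (recommendation 3) exceptions the report describes.
# A constructed sample export is embedded so the parser runs offline; pass -Path to
# read a real export instead.
param([string]$Path)

# [Event Audit] values: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
$AuditCategories = [ordered]@{
    AuditAccountLogon    = 'Audit Account Logon Events'
    AuditAccountManage   = 'Audit Account Management'
    AuditDSAccess        = 'Audit Directory Service Access'
    AuditLogonEvents     = 'Audit Logon Events'
    AuditObjectAccess    = 'Audit Object Access'
    AuditPolicyChange    = 'Audit Policy Change'
    AuditPrivilegeUse    = 'Audit Privilege Use'
    AuditProcessTracking = 'Audit Process Tracking'
    AuditSystemEvents    = 'Audit System Events'
}
# Rights the report says should be granted to no one, keyed by the constant secedit
# writes under [Privilege Rights].
$NoOneRights = [ordered]@{
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeIncreaseQuotaPrivilege      = 'Adjust memory quotas for a process'
    SeCreateTokenPrivilege        = 'Create a token object'
    SeLockMemoryPrivilege         = 'Lock pages in memory'
    SeBatchLogonRight             = 'Log on as a batch job'
    SeServiceLogonRight           = 'Log on as a service'
    SeAssignPrimaryTokenPrivilege = 'Replace a process-level token'
}

# Constructed sample export reflecting the report's findings (not a real extract).
$SampleInf = @'
[Unicode]
Unicode=yes
[System Access]
LockoutBadCount = 0
PasswordHistorySize = 10
PasswordComplexity = 0
ClearTextPassword = 1
[Event Audit]
AuditAccountLogon = 1
AuditDSAccess = 1
AuditLogonEvents = 1
AuditObjectAccess = 0
AuditPolicyChange = 1
AuditPrivilegeUse = 0
AuditProcessTracking = 0
AuditSystemEvents = 0
[Privilege Rights]
SeTcbPrivilege = svc_backup,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeCreateTokenPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
'@

function ConvertFrom-SeceditInf {
    # Returns a hashtable of section name -> hashtable of key -> raw value.
    param([string[]]$Lines)
    $sections = @{}; $current = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $current = $Matches[1]; $sections[$current] = @{}; continue }
        if ($current -and $t -match '^([^=]+?)\s*=\s*(.*)$') { $sections[$current][$Matches[1]] = $Matches[2] }
    }
    return $sections
}

function Get-InfValue($Inf, $Section, $Key) {
    if ($Inf.ContainsKey($Section)) { return $Inf[$Section][$Key] }   # $null when absent
}

function Get-AuditPolicyFindings($Inf) {
    $labels = @{ '0' = 'No auditing'; '1' = 'Success'; '2' = 'Failure'; '3' = 'Success and Failure' }
    foreach ($key in $AuditCategories.Keys) {
        $value = Get-InfValue $Inf 'Event Audit' $key
        if ($null -eq $value) { $value = '0' }   # an absent key means the category is not audited
        [pscustomobject]@{ Category = $AuditCategories[$key]; Setting = $labels["$value"]; Compliant = ("$value" -eq '3') }
    }
}

function Get-PrivilegeFindings($Inf) {
    foreach ($key in $NoOneRights.Keys) {
        $raw = Get-InfValue $Inf 'Privilege Rights' $key
        # Holders are comma-separated; SIDs carry a leading '*'. Resolve SIDs to names with
        # System.Security.Principal.SecurityIdentifier.Translate on a domain-joined host.
        $holders = @()
        if ($raw) { $holders = @(($raw -split ',') | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }) }
        [pscustomobject]@{ Right = $NoOneRights[$key]; Count = $holders.Count; Holders = ($holders -join ' ') }
    }
}

function Get-DefaultAccountFindings($Inf) {
    # These keys are absent when 'Rename administrator/guest account' is not defined.
    foreach ($key in 'NewAdministratorName', 'NewGuestName') {
        [pscustomobject]@{ Setting = $key; Defined = [bool](Get-InfValue $Inf 'System Access' $key) }
    }
}

$lines = if ($Path) { Get-Content -Path $Path } else { $SampleInf -split "`r?`n" }
$inf = ConvertFrom-SeceditInf -Lines $lines
Get-AuditPolicyFindings $inf | Format-Table -AutoSize
Get-PrivilegeFindings $inf | Where-Object { $_.Count -gt 0 } | Format-Table -AutoSize
Get-DefaultAccountFindings $inf | Format-Table -AutoSize
```

On the sample, only the four categories set to 1 show as Success and none is compliant with the "success and failure" target; the three rights with holders and the two undefined rename settings are listed beneath.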

Recommendation 12: Discretionary Access Control Lists (DACLs) (Priority 2)

The Discretionary Access Control Lists (DACLs) should be reviewed to ensure they are valid and current, and that the permissions granted through them are appropriate. Management should ensure that the granting of permissions through the DACL process is monitored, to help ensure that the number of these controls remains controlled.

Reviewing the access control lists and the permissions granted will help ensure that the DACLs and the user permissions are current, valid and in line with users' responsibilities. A discretionary access control list (DACL) identifies the trustees that are allowed or denied access to a securable object. The DACL is a protective measure to add, improve and ensure security. It is also an authorisation restriction mechanism used to identify the users and groups that are assigned or denied access permissions on an object, and DACLs are therefore important components of workstation and server security.

The security extract identified 29,959 DACLs defined on the following classes of container objects:
- Containers: DACLs;
- Domains: 56 DACLs;
- Organizational Units: UNKNOWN; and
- Sites: 50 DACLs.
Permissions for 14,515 DACLs are inherited from the parent object.

Unless the allocation of permissions through DACLs is restricted, there is a risk that local access controls overwrite or conflict with the current domain accounts policy. This creates additional work to maintain effective security over the system.

Management response: The DACL list will be reviewed as suggested. Deadline 31/03/12.

Recommendation 13: Remote Access Service (Priority 3)

A review of the accounts with Remote Access Service (RAS) dial-in privileges should be undertaken. Where possible, accounts with RAS access should have dial-back enabled to provide additional control over system access.

RAS allows users to access servers remotely. Best practice requires that RAS settings on all RAS servers are reviewed on a regular basis.

The analysis identified that none of the 47 accounts that can access the domain via RAS is configured for call-back. Five of these accounts have administrator permissions.

RAS increases the risk of unauthorised access to the Council's systems because it allows remote users to access the system. Unless effective controls are established, there is a risk that unauthorised users may obtain access through poorly configured remote access controls.

Management response: The Council's RAS meets current standards set by GCSX Government Code of Connection 4.1 (highest level). This standard requires an annual review as suggested in this recommendation. Completed.

Recommendation 14: Services and Drivers (Priority 2)

It is recommended that a review of the services and drivers installed on the network is undertaken to confirm that:
- Only essential devices are running;
- The configuration and security settings are appropriate;
- Service executables are in secure directories; and
- Devices with known vulnerabilities are not installed.

Review of services and drivers provides assurance that only valid services are enabled, and that they are appropriately configured to minimise the security exposure of the network and the server.

The security analysis identified a total of 321 installed services, of which 157 are running. Anti-virus software was not detected on the machine when the security analysis was run. Evidence provided at the exit meeting showed that management had subsequently installed it following our audit work.

Inappropriate or unnecessary services and drivers can create security risks and provide potential access paths or tools to intruders.

Management response: Agreed and already completed.

Recommendation 15: Trusting and Trusted Domains (Priority 2)

It is recommended that the Council ensures that the level of security applied to domains trusted by the ADTOW02 domain is checked, to confirm that it remains appropriate and does not compromise security.

Establishing and monitoring compliance with clearly defined security standards, using appropriate tools, for any trusted domain ensures that the security and integrity of trusted domains is equal to or above the corporate security standards. This will help ensure that security is not compromised by insecure controls in trusted environments.

The security analysis identified that the ADTOW02 domain has a trust relationship with the Cherwell domain, and that this is a two-way (trusted and trusting) relationship. Security on the domain analysed is dependent on the quality of security (particularly user authentication controls) on the trusted domain, as the 1,258 accounts from the trusted domain are members of local groups, including the Administrators group, and will generally acquire the privileges of the local groups they belong to.

If periodic due diligence assessments (to confirm that effective security standards are complied with) are not carried out, there is an increased risk that weak security standards applied in trusted domains could undermine security on the ADTOW02 domain.

Management response: Due diligence work will be undertaken as recommended. Deadline 31/03/12.

Appendix A - Reporting definitions

Audit assessment

In order to provide management with an assessment of the adequacy and effectiveness of their systems of internal control, the following definitions are used:

Full
  Design of controls: There is a sound system of internal control designed to achieve the system objectives.
  Operation of controls: The controls are being consistently applied.

Substantial
  Design of controls: Whilst there is a basically sound system of internal control design, there are weaknesses in design which may place some of the system objectives at risk.
  Operation of controls: There is evidence that the level of non-compliance with some of the controls may put some of the system objectives at risk.

Limited
  Design of controls: Weaknesses in the system of internal control design are such as to put the system objectives at risk.
  Operation of controls: The level of non-compliance puts the system objectives at risk.

Nil
  Design of controls: Control is generally weak, leaving the system open to significant error or abuse.
  Operation of controls: Significant non-compliance with basic controls leaves the system open to error or abuse.

The assessment gradings provided here are not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board, and as such the grading of Full does not imply that there are no risks to the stated control objectives.

Grading of recommendations

In order to assist management in using our reports, we categorise our recommendations according to their level of priority as follows:

Priority 1: Recommendations which are fundamental to the system and upon which the organisation should take immediate action.
Priority 2: Recommendations which, although not fundamental to the system, provide scope for improvements to be made.
Priority 3: Recommendations concerning issues which are considered to be of a minor nature, but which nevertheless need to be addressed.
System Improvement Opportunity: Issues concerning potential opportunities for management to improve the operational efficiency and/or effectiveness of the system.

Appendix B - Staff interviewed

The following personnel were consulted:
- Mike Shaw - IT & Customer Services Manager
- Tim Bartlett - Information Systems Team
- Daniel Clifton - Capita

We would like to thank the staff involved for their co-operation during the audit.

Appendix C - Summary of Domain Accounts Policy Values

[Chart: each policy value plotted against the Least Secure, Industry Average and Leading Practice benchmarks.] Policy values shown:
- Minimum Password Length***
- Effective Minimum Password Length***
- Maximum Password Age***
- Minimum Password Age*
- Password History Size**
- Password Complexity**
- Reversible Password Encryption**
- Lockout Duration**
- Lockout Threshold**
- Reset Lockout Counter**
- Force Logoff When Logon Time Expires*
- Allow Lockout of Local Administrator Account*
- Disable Password Changes for Machine Accounts*

Appendix D - Summary of Domain Controller Audit Policy Settings

[Chart: each audit policy setting plotted against the Least Secure, Industry Average and Leading Practice benchmarks.] Policy values shown:
- Audit Account Logon Events*
- Audit Account Management**
- Audit Directory Service Access*
- Audit Logon Events*
- Audit Object Access**
- Audit Policy Change**
- Audit Privilege Use*
- Audit Process Tracking*
- Audit System Events*

Asterisks (*) after policy values indicate their relative importance and individual contribution towards the security of your system; i.e. policy values followed by three asterisks (***) are considered more important, and to have a greater impact on security, than those followed by one asterisk (*).

Appendix E - Statement of responsibility

We take responsibility for this report, which is prepared on the basis of the limitations set out below.

The matters raised in this report are only those which came to our attention during the course of our internal audit work and are not necessarily a comprehensive statement of all the weaknesses that exist or all improvements that might be made. Recommendations for improvements should be assessed by you for their full impact before they are implemented. The performance of internal audit work is not and should not be taken as a substitute for management's responsibilities for the application of sound management practices. We emphasise that the responsibility for a sound system of internal controls and the prevention and detection of fraud and other irregularities rests with management, and work performed by internal audit should not be relied upon to identify all strengths and weaknesses in internal controls, nor relied upon to identify all circumstances of fraud or irregularity. Auditors, in conducting their work, are required to have regard to the possibility of fraud or irregularities. Even sound systems of internal control can only provide reasonable and not absolute assurance and may not be proof against collusive fraud. Internal audit procedures are designed to focus on areas identified by management as being of greatest risk and significance, and as such we rely on management to provide us full access to their accounting records and transactions for the purposes of our audit work and to ensure the authenticity of these documents. Effective and timely implementation of our recommendations by management is important for the maintenance of a reliable internal control system. The assurance level awarded in our internal audit report is not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board.
Deloitte & Touche Public Sector Internal Audit Limited
London
September 2011

In this document references to Deloitte are references to Deloitte & Touche Public Sector Internal Audit Limited. Registered office: Hill House, 1 Little New Street, London EC4A 3TR, United Kingdom. Registered in England and Wales No. Deloitte & Touche Public Sector Internal Audit Limited is a subsidiary of Deloitte LLP, the United Kingdom member firm of Deloitte Touche Tohmatsu Limited ("DTTL"), a UK private company limited by guarantee, whose member firms are legally separate and independent entities. Please see for a detailed description of the legal structure of DTTL and its member firms. Member of Deloitte Touche Tohmatsu Limited.


More information

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security

More information

Stellar Active Directory Manager

Stellar Active Directory Manager Stellar Active Directory Manager What is the need of Active Directory Manager? Every organization uses Active Directory Services (ADMS) to manage the users working in the organization. This task is mostly

More information

Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment

Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment (Exam 70-290) Table of Contents Table of Contents... 1 Course Overview... 2 Section 0-1: Introduction... 4

More information

A Rackspace White Paper Spring 2010

A Rackspace White Paper Spring 2010 Achieving PCI DSS Compliance with A White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by the Payment Card Industry

More information

Charity Audit Committee performance evaluation Self assessment checklist. October 2014

Charity Audit Committee performance evaluation Self assessment checklist. October 2014 Charity Audit Committee performance evaluation Self assessment checklist October 2014 With increasing responsibilities and complexities, being a member of the Audit Committee has never been more challenging

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Microsoft Windows Client Security Policy. Version 2.1 POL 033

Microsoft Windows Client Security Policy. Version 2.1 POL 033 Microsoft Windows Client Security Policy Version 2.1 POL 033 Ownership Policy Owner: Information Security Manager Revision History Next Review Date: 2 nd April 2015 Approvals This document requires the

More information

Supplier IT Security Guide

Supplier IT Security Guide Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA

More information

The Annual Audit Letter for Torbay Council

The Annual Audit Letter for Torbay Council The Annual Audit Letter for Torbay Council Year ended 31 March 2014 October 2014 Alex Walling Engagement Lead T 0117 305 7804 E alex.j.walling@uk.gt.com Mark Bartlett Manager T 0117 305 7896 E mark.bartlett@uk.gt.com

More information

U 09 Remote Access Policy

U 09 Remote Access Policy Dartmoor National Park Authority U 09 Remote Access Policy June 2010 This document is copyright to Dartmoor National Park Authority and should not be used or adapted for any purpose without the agreement

More information

Chapter 8: Security Measures Test your knowledge

Chapter 8: Security Measures Test your knowledge Security Equipment Chapter 8: Security Measures Test your knowledge 1. How does biometric security differ from using password security? Biometric security is the use of human physical characteristics (such

More information

MCSE TestPrep: Windows NT Server 4, Second Edition - 3 - Managing Resources

MCSE TestPrep: Windows NT Server 4, Second Edition - 3 - Managing Resources MCSE TestPrep: Windows NT Server 4, Second Edition - CH 3 - Managing Resources Page 1 of 36 [Figures are not included in this sample chapter] MCSE TestPrep: Windows NT Server 4, Second Edition - 3 - Managing

More information

safend a w a v e s y s t e m s c o m p a n y

safend a w a v e s y s t e m s c o m p a n y safend a w a v e s y s t e m s c o m p a n y SAFEND Data Protection Suite Installation Guide Version 3.4.5 Important Notice This guide is delivered subject to the following conditions and restrictions:

More information

Activity 1: Scanning with Windows Defender

Activity 1: Scanning with Windows Defender Activity 1: Scanning with Windows Defender 1. Click on Start > All Programs > Windows Defender 2. Click on the arrow next to Scan 3. Choose Custom Scan Page 1 4. Choose Scan selected drives and folders

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

PASSWORD MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region

PASSWORD MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region PASSWORD MANAGEMENT February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information