INFORMATION SECURITY Humboldt State University

Transcription

1

2 CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY Humboldt State University Audit Report October 30, 2014

3 EXECUTIVE SUMMARY OBJECTIVE The objectives of the audit were to ascertain the effectiveness of existing policies and procedures related to the administration of information security and to determine the adequacy of controls over the related processes, to evaluate adherence to the Integrated California State University Administrative Manual (ICSUAM) information security policy, or where appropriate to an industry-accepted standard, and to ensure compliance with relevant governmental regulations, Trustee policy, Office of the Chancellor directives, and campus procedures. CONCLUSION Based upon the results of the work performed within the scope of the audit, the operational and administrative controls for information security activities in effect as of June 27, 2014, taken as a whole, were sufficient to meet the objectives of this audit. In general, the controls and processes established over information security at Humboldt State University (HSU) provide reasonable assurance that the network, systems, and data are protected and that access privileges are provided in a consistent and controlled manner. In addition, our results indicate that the campus exercises prudent oversight of departments, colleges, and auxiliary organizations and operates in accordance with the California State University (CSU) information security policy. Our audit procedures did identify opportunities to improve the process and methodologies used to administer desktop software and website development. Specific observations, recommendations, and management responses are detailed in the remainder of this report. Audit Report Office of Audit and Advisory Services Page 1

4 OBSERVATIONS, RECOMMENDATIONS, AND RESPONSES 1. SOFTWARE MANAGEMENT OBSERVATION The campus did not remove obsolete versions of some products installed on desktop computers and workstations. ICSUAM 8055, Change Control, dated April, 19, 2010, states that changes to information technology systems, network resources, and applications need to be appropriately managed to minimize the risk of introducing unexpected vulnerabilities and ensure that existing security protections are not adversely impacted. The chief technology officer stated that the system management process included all products purchased by the campus, but that obsolete versions of commonly installed free software had not been considered in that process. Inadequate removal of vulnerable obsolete software products may lead to compromise and potential loss of protected confidential information or inappropriate access to systems. RECOMMENDATION We recommend that the campus enhance its software management process to include removal of all obsolete products installed on desktop computers and workstations. MANAGEMENT RESPONSE We concur. The campus will enhance its software management process to include removal of all obsolete products installed on desktop computers and workstations. Completion date: January 30, WEB APPLICATION DEVELOPMENT OBSERVATION The campus did not have policies or procedures for system development and program change management. We reviewed select campus departments that perform application development and maintenance, and we noted that: Testing criteria for the security of application vulnerabilities were not documented. User acceptance testing and system deployment were not documented. Developers had unlimited access to source code. Developers had the ability to move applications into production. Audit Report Office of Audit and Advisory Services Page 2

5 Written approval was not required for projects put into production. ICSUAM 8070, Information Systems Acquisition, Development and Maintenance, dated April 19, 2010, states that campuses must integrate information security requirements into the software life cycle of information systems that contain protected data. The security requirements must identify controls that are needed to ensure confidentiality, integrity, and availability. These controls must be appropriate, cost-effective, and mitigate risks that may result from unauthorized access, use, disclosure, disruption, modification, or destruction of the protected data. The director of application development stated that formal procedures were used by the information technology services department. She further stated that creation of a formal policy was already under way, and the policy was scheduled for campuswide deployment later this year. The lack of proper system development policy and procedures increases the risk that web application projects may be unauthorized and inconsistent with user expectations, may contain vulnerabilities, and may be modified without management consent. RECOMMENDATION We recommend that the campus: a. Establish and document testing criteria for the security of application vulnerabilities. b. Establish a documented process for user acceptance and deployment of applications. c. Protect application source code by limiting access to only those employees who need it as part of their job responsibilities. d. Limit developers ability to move web applications into production. e. Require written approval of all application projects put into production. MANAGEMENT RESPONSE We concur. The campus will enhance its Enterprise Change Control process to include written documentation of pre go-live security scans, user acceptance testing, and written approval of moves to production. The campus will also implement a version control system to control developer access to code, and that has the ability to move code into production. Completion date: February 27, 2015 Audit Report Office of Audit and Advisory Services Page 3

6 3. WEBSITE VULNERABILITY MANAGEMENT OBSERVATION Website vulnerability scans were not always performed on campus websites when the websites were placed into production, and regularly thereafter, and some websites had technical vulnerabilities. ICSUAM 8050, Configuration Management, dated April 19, 2010, states that campuses must develop, implement, and document configuration standards to ensure that information technology systems, network resources, and applications are appropriately secured to protect confidentiality, integrity, and availability. The director of application development stated that the campus was in the process of developing formal practices for website development and testing. A lack of website vulnerability scans increases the risk that a remote attacker may be able to access protected confidential information or execute malicious programs on the server that could disable additional network resources. RECOMMENDATION We recommend that the campus perform website vulnerability scans on campus websites when the websites are placed into production and regularly thereafter. MANAGEMENT RESPONSE We concur. The campus will perform website vulnerability scans on campus websites when the websites are placed into production and regularly thereafter. Completion date: January 30, SYSTEM POLICY OBSERVATION The campus system usage policy did not specify that sent or received through the official campus system was part of official campus business and was the property of the campus. Information Standards Organization 27001, Information Security Management System Standard, states that systems should be configured and managed to conform to established security policies and existing industry standards. Proper configuration and management should ensure that vulnerabilities are not allowed into the network; incidents are properly escalated; campus usage and retention guidelines are followed; and addresses are maintained in a central location to facilitate campuswide communications. Audit Report Office of Audit and Advisory Services Page 4

7 The chief information officer stated that the CSU had procured the contract for using this outside service provider and that the Information Technology Advisory Committee had developed guidelines for , but third-party systems under systemwide procurement should be addressed at the system level. The lack of documented policies increases the risk of unauthorized use of . RECOMMENDATION We recommend that the campus update its policy to specify that sent or received through the official campus system is part of official campus business and is the property of the campus. MANAGEMENT RESPONSE We concur. The campus will update its policy to specify that sent or received through the official campus system is part of official campus business and is the property of the campus. Completion date: February 27, 2015 Audit Report Office of Audit and Advisory Services Page 5

8 GENERAL INFORMATION BACKGROUND The CSU Information Security Policy, dated April 19, 2010, states that the Board of Trustees of the CSU is responsible for protecting the confidentiality, integrity, and availability of CSU information assets. Unauthorized modification, deletion, or disclosure of information assets can compromise the mission of the CSU, violate individual privacy rights, and possibly constitute a criminal act. It is the collective responsibility of all users to ensure confidentiality of information that the CSU must protect from unauthorized access; integrity and availability of information stored on or processed by CSU information systems; and compliance with applicable laws, regulations, and CSU/campus policies governing information security and privacy protection. It further states that the CSU Information Security Policy shall apply to the following: All campuses. Central and departmentally managed campus information assets. All users employed by campuses or any other person with access to campus information assets. All categories of information, regardless of the medium in which the information asset is held or transmitted (e.g., physical or electronic). Information technology facilities, applications, hardware systems, and network resources owned or managed by the CSU. Auxiliaries, external businesses, and organizations that use campus information assets must also operate those assets in conformity with the CSU Information Security Policy. The CSU Information Security Policy directs the campus president to appoint an information security officer (ISO) and assign responsibility and authority for administering the information security function. Information security at CSU campuses covers a broad range of sensitive data that requires protection to be in compliance with numerous state and federal regulations. Campuses collect social security numbers for employee personnel and for student financial aid tax reporting, which is regulated by federal and state law. Other forms of data include student grades and academic records that must be protected under federal privacy laws. In addition, CSU campuses that have student health centers, psychological counseling centers, and pharmacies may also have medical and prescription records that must be protected under federal health privacy laws. Campus retail operations for bookstores, convenience stores, restaurants and dining, and student activities involve collection and processing of credit card information that is regulated by the banking industry. Audit Report Office of Audit and Advisory Services Page 6

9 HSU has established formal governance over the information security function, and authority has been adequately communicated to the entire campus community. At HSU, the ISO reports to the campus chief information officer (CIO). The information security function is established with broad campus oversight and in accordance with CSU policy. HSU has a governance oversight committee that has routine involvement in information security initiatives, as well as oversight of campus security incidents and system breaches. In addition, the CIO is a member of the security oversight committee and is a member of the campus executive council. SCOPE Our audit and evaluation included the audit tests we considered necessary in determining whether operational and administrative controls are in place and operative. The audit focused on procedures in effect from June 9, 2014, through June 27, Specifically, we reviewed and tested: The activities/measures undertaken to protect the confidentiality, integrity, and access/availability of information. Processes for identifying confidential, private, or sensitive information; authorizing access; securing information; detecting security breaches; and evaluating security incident reporting and response. Measures to limit collection of information, control access to data, and assure that individuals with access to data do not utilize the data for unauthorized purposes. Encryption of data in storage and transmission. Physical and logical security measures for all data repositories. We also retained outside contractors to perform a technical security assessment that included running diagnostic software designed to identify improper configuration of selected systems, servers, and network devices. The purpose of the technical security assessment was to determine the effectiveness of technology and security controls governing the confidentiality, integrity, and availability of selected campus assets. Specifically, this configuration testing included assessment of the following technologies: selected operating systems, border firewall settings, network traffic analysis, vulnerability scanning, and website vulnerability assessment. As a result of changing conditions and the degree of compliance with procedures, the effectiveness of controls changes over time. Specific limitations that may hinder the effectiveness of an otherwise adequate system of controls include, but are not limited to, resource constraints, faulty judgments, unintentional errors, circumvention by collusion, and management overrides. Establishing controls that would prevent all these limitations would not be cost-effective; moreover, an audit may not always detect these limitations. Our testing and methodology was designed to provide a managerial level review of key information security practices, which included detailed testing of a limited number of network and computing devices. Our review did not examine all aspects of information security, and Audit Report Office of Audit and Advisory Services Page 7

10 our testing approach was designed to provide a view of the security technologies used to protect only key computing resources. In addition, selected emerging technologies were excluded from the scope of the review. CRITERIA Our audit was based upon standards as set forth in CSU Board of Trustee policies; Office of the Chancellor policies, letters, and directives; campus procedures; and other sound administrative practices. This audit was conducted in conformance with the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing. This review emphasized, but was not limited to, compliance with: ICSUAM 8000, Information Security ICSUAM 7000, Identity Management Government Code International Standards Organization 27001, Information Security Management System Standard AUDIT TEAM Senior Director: Mike Caldera Audit Manager: Greg Dove Audit Report Office of Audit and Advisory Services Page 8