DIA Network Device Security Management Performance Audit
DIA Network Device Security Management Performance Audit, June 2014. Audit Services Division, City and County of Denver. Dennis J. Gallagher, Auditor
The Auditor of the City and County of Denver is independently elected by the citizens of Denver. He is responsible for examining and evaluating the operations of City agencies for the purpose of ensuring the proper and efficient use of City resources and providing other audit services and information to City Council, the Mayor and the public to improve all aspects of Denver's government. He also chairs the City's Audit Committee. The Audit Committee is chaired by the Auditor and consists of seven members. The Audit Committee assists the Auditor in his oversight responsibilities of the integrity of the City's finances and operations, including the integrity of the City's financial statements. The Audit Committee is structured in a manner that ensures the independent oversight of City operations, thereby enhancing citizen confidence and avoiding any appearance of a conflict of interest.

Audit Committee: Dennis Gallagher, Chair; Maurice Goodgaine; Leslie Mitchell; Rudolfo Payan; Robert Bishop; Jeffrey Hart; Timothy O'Brien, Vice-Chair

Audit Staff: Audrey Donovan, Deputy Director, CIA, CRMA, CGAP; Robert Pierce, IT Audit Supervisor, CISA, CISSP; Shannon Kuhn, Lead IT Auditor, CISA; Nicholas Jimroglou, Senior IT Auditor; Jacqueline Boline, Senior IT Auditor

You can obtain copies of this report by contacting us at: 201 West Colfax Avenue, Department 705, Denver CO, (720) Fax (720) Or download and view an electronic copy by visiting our website at:
City and County of Denver, 201 West Colfax Avenue, Department 705, Denver, Colorado FAX Dennis J. Gallagher, Auditor

June 19, 2014

Ms. Kim Day, Manager of Aviation, Department of Aviation, City and County of Denver

Dear Ms. Day:

Attached is the Auditor's Office Audit Services Division's report of the audit of DIA Network Device Security Management. The purpose of the audit was to assess network device management and gain assurance that the DIA network is secure, available, and configured to industry standards. The audit found that governance over the administration of network devices can be improved to increase the security and availability of DIA's network. Effective network device management helps minimize the risk of network disruptions that could impact business operations.

If you have any questions, please call Kip Memmott, Director of Audit Services, at

Sincerely,

Dennis J. Gallagher, Auditor

DJG/sk

cc: Honorable Michael Hancock, Mayor; Honorable Members of City Council; Members of Audit Committee; Ms. Cary Kennedy, Deputy Mayor, Chief Financial Officer; Ms. Janice Sinden, Chief of Staff; Mr. David P. Edinger, Chief Performance Officer; Ms. Beth Machann, Controller; Mr. Scott Martinez, City Attorney; Ms. Janna Young, City Council Executive Staff Director; Mr. L. Michael Henry, Staff Director, Board of Ethics; Mr. Patrick Heck, Chief Financial Officer, Aviation

To promote open, accountable, efficient and effective government by performing impartial reviews and other audit services that provide objective and useful information to improve decision making by management and the people. We will monitor and report on recommendations and progress towards their implementation.
City and County of Denver, Dennis J. Gallagher, Auditor, 201 West Colfax Avenue, Department 705, Denver, Colorado FAX

AUDITOR'S REPORT

We have completed an audit of network device management configuration and controls at Denver International Airport (DIA). The purpose of the audit was to examine and assess whether network access control devices and hardware were configured to industry standards and vendor recommendations.

This performance audit is authorized pursuant to the City and County of Denver Charter, Article V, Part 2, Section 1, General Powers and Duties of Auditor, and was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

The audit found that network devices were adequately secured; however, process improvements could be made to improve DIA's network security and help ensure network availability.

We extend our appreciation to Chris Larivee, Director of Operations, Technologies Division, Denver International Airport, and the personnel who assisted and cooperated with us during the audit.

Audit Services Division, Kip Memmott, MA, CGAP, CRMA, Director of Audit Services
City and County of Denver Audit Services Division

REPORT HIGHLIGHTS

DIA Network Device Security Management, June 2014

The audit focused on a review of the network infrastructure controls supporting the Denver International Airport (DIA), including network equipment performance and design standards, administration, management, and overall network device security.

Background

Airports Council International ranks DIA as the eighteenth busiest airport in the world. Managing day-to-day network operations for a busy airport such as DIA requires a stable and secure network environment. DIA Technologies is responsible for supporting the DIA network, including managing hundreds of network devices such as routers, switches, and firewalls. The division also provides network services to merchants and passengers within the airport.

Purpose

The purpose of the audit was to assess network device management and gain assurance that the DIA network is secure, available, and configured to industry standards. We assessed the administration of network devices and reviewed network device configurations based on DIA and manufacturer standards for network device configuration. We also reviewed the individuals who had access to configure network devices to ensure that they were current employees with access commensurate to job duties.

Highlights

DIA Technologies should continually update and adhere to their network administration standards to improve the overall security and availability of the DIA network.
Our audit highlights that:
- Firewall rule sets are not consistently backed up
- Changes to network device configurations may be made that circumvent the formal change management process
- Administrative access to the management tool used to configure firewalls included individuals who no longer require access
- Passwords for network devices are not changed within the time frame required by DIA policy

DIA Technologies does, however, appear to have strong controls in the following areas:
- Well-documented network device daily operation procedures
- Standardized configuration and hardening network device rules
- Layered internal controls that strengthen network device security

For a complete copy of this report, visit Or Contact the Auditor's Office at
TABLE OF CONTENTS
INTRODUCTION & BACKGROUND 1
Denver International Airport's Data Network 1
Network Devices 1
Defense in Depth 2
SCOPE 5
OBJECTIVE 5
METHODOLOGY 5
FINDING 6
Process Improvements Are Necessary to Further Strengthen DIA Network Device Security 6
RECOMMENDATIONS 8
APPENDIX 9
Glossary of Technical Terminology 9
AGENCY RESPONSE 10
INTRODUCTION & BACKGROUND

This audit of Denver International Airport's (DIA's) network device security management was performed as a subsequent audit to our DIA Network Security Management Performance Audit published in September The first audit focused on the physical security and environmental controls around storage of network equipment, whereas this audit focused on the internal controls and administration of the network devices themselves.

Denver International Airport's Data Network

The City and County of Denver operates a large and complex Metropolitan Area Network that supports City services throughout Denver, including the Denver International Airport (DIA).[2] Due to the diverse purposes and physical make-up of the City's networks, some portions of the network are managed by different agencies or departments. This audit focused on the portion of the network managed by the Technologies Department (Technologies) at DIA. DIA Technologies supports the data network infrastructure used by DIA business and security systems, such as financial accounting, parking fees, access control and alarm monitoring, video surveillance, and emergency response. They also provide network services to some merchants, and facilitate, but do not manage, infrastructure used by other concessionaires, airlines, and Federal agencies, such as the Federal Aviation Administration (FAA) and the Transportation Security Administration (TSA).

Network Devices

Network devices are hardware components, including routers, switches, and firewalls, that are used to connect computers or other electronic devices to a network and control the flow of data on a network.[3] Device configurations within each network device are designed to distinguish authorized traffic from unauthorized traffic, as well as prevent unauthorized access to or from other networks or the Internet. Network devices can also be configured to allow or prevent certain Internet Protocol (IP) addresses and connection types from accessing the network.[4] In 2013, DIA Technologies provided data network and infrastructure services to more than 140 merchants[5] and 54 million passengers.[6] The DIA network infrastructure supporting the network is stored in more than 150 locations throughout the airport. DIA's network environment has a complex architecture, in which hundreds of components are communicating and exchanging information twenty-four hours a day, seven days a week. Securing a large and complex network such as DIA's involves configuring devices based on agreed-upon hardening standards as well as a sound overall network governance strategy.[7]

[2] A Metropolitan Area Network connects offices distributed throughout the area of a large city.
[3] This report contains a number of technical terms, which are described in the Appendix.
[4] See additional technical definitions within the Appendix.
[5] Denver International Airport Business Center website: accessed 5/8/
[6] DIA, CM Mayor's Budget, pg. 684, accessed 5/8/2014.

Page 1

Defense in Depth

One network security approach that is designed to help ensure network availability and manage security risks comes from a military strategy known as defense in depth.[8] A defense-in-depth approach to security spreads out defenses over a large area, rather than putting them all in one place. The concept of defense in depth applied to network security provides layers of security for a network environment so that if any one layer fails, there is another layer of security still in place to prevent unauthorized access. For example, sub-networks can be created within larger networks with their own unique security configurations that go above and beyond the normal network security. Any user or computer accessing the higher-risk sub-network must comply with all of the security configurations of the larger network in addition to the security configurations of the sub-network. This helps achieve the goal that if there is a security vulnerability with one area of the network, it does not lead to business interruption or widespread exposure to vulnerabilities throughout the rest of the network.

[Figure: Defense in Depth: A Layered Security Model. Layers shown: Perimeter Network; Secure Configuration Settings; Monitoring and Blocking; Auditing; Authorization; Authentication. Source: Created by Audit Services Division Staff]

Organizations face both internal and external threats related to network security. As a result, Network Administrators have an enormous responsibility to stay up to date on emerging security vulnerabilities and attempt to stay ahead of attackers. Some network administration tasks related to security include keeping system software up to date, ensuring high availability, and detecting and responding to vulnerabilities or risks introduced into the environment. Leading industry breach analysis reports published by Verizon and the Ponemon Institute highlight a number of areas as having considerable risk associated with network device security and availability. The Verizon Data Breach Investigations Report (DBIR) is a comprehensive list of information technology threats facing global organizations. The report analyzes commonly observed incident patterns, as well as which industries face the biggest risk in particular areas.[9] Privileged access misuse was reported by the 2014 Verizon DBIR as one of the leading attack patterns for the transportation industry, specifically air transportation. Privileged access is elevated access that allows administrators to manage network devices, systems, applications, and network resources that require more permission than a typical user on a network. Authentication credentials, especially privileged credentials, can easily be exploited if an employee's access remains active after employment has ended. The Verizon report illustrates how often privileged access was used to commit egregious acts against the global organizations polled by Verizon in As shown in Figure 1, out of 153 total incidents of insider misuse, 88% or 135 were found to be tied to privileged abuse.

[Figure 1: Top 10 threat action varieties within Insider Misuse for 2013. Horizontal bar chart (0% to 100%) of: Embezzlement; Unapproved software; Theft; Unapproved workaround; Use of stolen creds; Data mishandling; misuse; Bribery; Unapproved hardware; Privilege abuse. Source: Created by Audit Services Division Staff]

Recommended actions for minimizing privileged access misuse include regularly reviewing accounts that have privileged access and disabling network accounts when the account is no longer needed to perform job functions.

[7] See additional technical definitions within the Appendix.
[8] Ibid.
[9] Data Breach Investigations Report, Verizon Website, accessed April 22, 2014,
Research performed by the Ponemon Institute on a sample of sixty U.S.-based organizations found that the three most costly cybercrimes that organizations deal with are denial of service attacks, malicious insiders, and web-based attacks.[10] Some risk associated with all three types of attacks can be mitigated through effective network device security governance. Figure 2 shows the cost associated with different types of cybercrime from 2010 through

[Figure 2: Average annualized cybercrime cost weighted by attack frequency. Bar chart ($0 to $250,000) for Denial of service*, Malicious insiders, and Web-based attacks, by fiscal year FY 2010, FY 2011, FY 2012 and FY 2013. *The FY 2010 sample did not contain a company experiencing a DoS attack. Source: Created by Audit Services division based on 2013 Ponemon Institute Report]

Network security and effective management of network devices are critical to protecting the infrastructure of an organization. As demonstrated by Figures 1 and 2, threats related to network attacks are a growing concern to organizations and can be costly. Good practices for ensuring overall network security and availability begin with strong network security governance and include hardening network devices, blocking unauthorized traffic, and validating that changes to network devices are documented and authorized.

[10] See additional technical definitions within the Appendix.
SCOPE

This audit focused on the Denver International Airport (DIA) network segment managed by the DIA Technologies division, and excludes the portion of the DIA network that is partitioned to handle credit card payments.[11] In accordance with Generally Accepted Government Auditing Standards (GAGAS), the reader should be aware that some details about information security weaknesses are considered sensitive security information and are not disclosed within this report. The details of all findings have been presented to the DIA Technologies Division Director of Operations.

OBJECTIVE

The objective of this audit was to evaluate whether network devices are protected and managed according to internal procedural standards, industry best practices, and vendor recommendations to ensure continued and secure operations.

METHODOLOGY

We used the following methodologies to meet our audit objective:
- Interviewing personnel on the responsibilities for supporting and managing network devices and firewalls
- Reviewing DIA policies pertaining to firewall hardening standards
- Reviewing documentation related to DIA's Information Security Monthly Backup Guide and Information Systems Security Operations Center Guide
- Evaluating a selected sample of critical network device configuration standards against equipment manufacturer configuration standards[12]
- Directly observing how DIA Technologies administrators log into network devices to manage and support the devices and firewalls
- Verifying the list of users who have administrative access to firewalls, switches and routers
- Determining whether network devices and firewalls have had updates installed
- Conducting interviews with DIA Technologies personnel to understand the network device security processes
- Reviewing DIA Technologies organizational charts to determine whether administrative network management access is restricted to the appropriate personnel
- Performing tests of critical firewall, switch, and router security settings with a configuration analysis tool
- Interviewing DIA Technologies personnel to verify whether essential network device and firewall duties are being performed

[11] See additional technical definitions within the Appendix.
[12] Ibid.

FINDING

Process Improvements Are Necessary to Further Strengthen DIA Network Device Security

The Denver International Airport (DIA) network is composed of hundreds of network devices, which are architected to allow computers and devices to pass data over data connections. Network devices, such as firewalls, routers, and switches, are used as the basic building blocks that connect computers together and restrict network access to authorized individuals only. We found that although DIA does have strong controls in a number of areas, DIA Technologies should continually update and adhere to its network administration standards to improve the overall security and availability of the DIA network. DIA has an effective defense-in-depth approach to securing the airport's network. The risk of any issues found during this audit was mitigated by other compensating controls that were operating effectively.

Administrative Access to Configure Firewalls Should Be Further Restricted

DIA Technologies uses two methods for restricting access to configure firewalls. Access is restricted with local user accounts on the devices themselves or through a centralized network device administration management server. Auditors tested both the network device administration management server and a central password repository, which contains the local user account credentials, to determine whether access to configure network devices was appropriately restricted. Two former employees and one employee who changed roles in IT Security retained accounts to configure firewalls through the management server. Additional audit work confirmed that compensating controls prevented these individuals from actually modifying firewall settings. However, had those compensating controls failed as well, it is possible that the individuals could have configured firewalls when they were no longer authorized to do so. Inappropriate access to manage firewalls may result in unauthorized changes, which could impact the security and availability of DIA's network. A prolonged DIA network outage could impact internal DIA operations as well as cause flight information boards to not display or accurately reflect plane arrival and departure information.
In addition to limiting firewall configuration to authorized users only, DIA further restricts access to the management server tool to explicitly authorized Internet Protocol (IP) addresses. Auditors inspected the IP addresses and determined that one IP address was no longer in use. Invalid IP addresses should be removed from the management tool to reduce the risk of unauthorized device configurations occurring from IP addresses that are no longer authorized.

Auditors also reviewed the DIA IT Acceptable Use Policy and determined that the policy requires that passwords on all devices are changed a minimum of every ninety days. Through interviews with network services staff, auditors found that network device passwords had not been changed in accordance with the password expiration requirement outlined in the policy. Passwords that are not changed frequently increase the risk that passwords may be compromised over time. Accordingly, DIA should change passwords for network devices at least every ninety days as defined by the DIA Acceptable Use Policy. We also recommend that DIA Technologies implement a compensating control, such as a periodic password change alert, that is closed following completion of the password changes.

Changes to Network Devices Are Not Consistently Monitored to Ensure that They Follow the Formal Change Management Process

DIA Technologies has developed a formal change management process to help ensure that changes to network device configurations are documented, reviewed, tested, and approved prior to implementation.[13] The process is in place to require that changes are made in a controlled manner, and that risks related to changes impacting DIA operations are limited. Auditors noted that although the formal change process exists, there are no controls in place to prevent an administrator from circumventing the change process. Auditors also noted that DIA Technologies has a process for tracing configuration changes to network devices in the Payment Card Industry (PCI) environment back to documented tickets, thus ensuring device configuration changes followed the formal process.[14] However, auditors were told there is no process to ensure that all changes to non-PCI network devices have a corresponding change ticket. Monitoring changes and ensuring that they comply with the change management process helps ensure that no unauthorized changes are made. Modifications to devices implemented outside of the change management process may not be appropriately tested and could result in the introduction of security vulnerabilities impacting DIA operations.

Emergency Backups for Network Device Configurations Were Not Performed Consistently

Network devices at DIA have running configuration files that control who has access to configure the devices as well as what network traffic is allowed to pass through the devices. Backups of network configuration files should be made prior to making any changes to device configurations. If a backup occurs prior to a change being made and that change causes a network outage, the change can be backed out and the prior running configuration can be used, reducing the length of the network outage. Auditors reviewed the firewall backup directory, which stores device backups, to determine whether backups were being performed regularly and found that backups were not performed for firewalls for three months, although changes to the running configuration occurred during that time. Backups should be performed prior to making any configuration change to reduce the risk of prolonged network outages.

[13] See additional technical definitions within the Appendix.
[14] Ibid.

RECOMMENDATIONS

Audit work identified several process improvement recommendations that should be implemented to increase DIA's defense-in-depth posture and improve network availability, helping to ensure that the DIA network is secure and available.

1.1 The Director of Operations for the DIA Technologies division should ensure removal of the accounts for the individuals who are no longer authorized to configure firewalls and implement a periodic review process to ensure that unauthorized accounts are removed in a timely manner on an employee's last day or when an employee transfers to a new position.

1.2 The Director of Operations for the DIA Technologies division should ensure removal of the IP address that is no longer in use from the firewall management tool and implement a periodic review process to assess the IP addresses that are allowed to configure firewalls, removing any that are no longer needed.

1.3 The Director of Operations for the DIA Technologies division should ensure that passwords are changed for network devices at least every ninety days as required by the DIA IT Acceptable Use Policy and implement a compensating control such as a recurring notification that alerts administrators that passwords need to be changed.

1.4 The Director of Operations for the DIA Technologies division should ensure that changes to network devices are periodically reviewed using a monitoring tool and that the changes correspond with an approved change ticket.

1.5 The Director of Operations for the DIA Technologies division should ensure that firewall backups are performed prior to every configuration change or, at a minimum, every 30 days, in the event that a previous configuration restoration point is needed to ensure continued operations.
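The periodic reviews called for in recommendations 1.1 through 1.5 can be run as a scripted reconciliation of exports from the firewall management server, the HR roster, the change-ticket system and the backup directory. The following Python is an added example, not DIA's or the Auditor's Office's tooling; every record in it is constructed sample data, and the 90-day idle window applied to allowlisted management addresses is an assumption, since the report sets no interval for recommendation 1.2.

```python
"""Periodic review checks for recommendations 1.1 to 1.5 (added example).

Every record below is constructed sample data standing in for exports from
the firewall management server, the HR roster, the change-ticket system and
the firewall backup directory.
"""
from datetime import date, timedelta

PASSWORD_MAX_AGE = timedelta(days=90)  # DIA IT Acceptable Use Policy (rec. 1.3)
BACKUP_MAX_AGE = timedelta(days=30)    # rec. 1.5
MGMT_IP_MAX_IDLE = timedelta(days=90)  # assumption: the report sets no interval
REVIEW_DATE = date(2014, 6, 1)         # constructed "as of" date for the review

# Constructed sample data (not from the report).
HR_ROSTER = {"alice": "active", "bob": "terminated",
             "carol": "active", "dave": "terminated"}
ROLES_ALLOWED_TO_CONFIGURE = {"network-engineer"}
MGMT_SERVER_ACCOUNTS = [
    {"user": "alice", "role": "network-engineer"},
    {"user": "bob", "role": "network-engineer"},   # former employee
    {"user": "carol", "role": "it-security"},      # transferred to another role
    {"user": "dave", "role": "network-engineer"},  # former employee
]
# Allowlisted management addresses -> last date a login was seen from them.
MGMT_IP_ALLOWLIST = {"10.0.5.10": date(2014, 5, 30), "10.0.5.11": date(2013, 9, 2)}
DEVICES = {
    "fw-core-1": {
        "password_changed": date(2013, 11, 1),
        "backups": [date(2014, 1, 10), date(2014, 2, 20)],
        "changes": [{"date": date(2014, 1, 10), "ticket": "CHG-101"},
                    {"date": date(2014, 4, 15), "ticket": None}],
    },
    "sw-conc-a": {
        "password_changed": date(2014, 4, 1),
        "backups": [date(2014, 5, 20)],
        "changes": [{"date": date(2014, 5, 21), "ticket": "CHG-230"}],
    },
}
CHANGE_TICKETS = {"CHG-101": "approved", "CHG-230": "approved"}


def unauthorized_accounts(accounts, roster, allowed_roles):
    """Rec. 1.1: accounts whose owner has left or moved to a role that may not
    configure firewalls. Any roster status other than 'active' counts as gone."""
    return sorted(a["user"] for a in accounts
                  if roster.get(a["user"]) != "active" or a["role"] not in allowed_roles)


def idle_mgmt_ips(allowlist, as_of, max_idle=MGMT_IP_MAX_IDLE):
    """Rec. 1.2: allowlisted addresses with no login inside the idle window."""
    return sorted(ip for ip, last_seen in allowlist.items() if as_of - last_seen > max_idle)


def expired_passwords(devices, as_of, max_age=PASSWORD_MAX_AGE):
    """Rec. 1.3: devices whose local password is older than the policy allows."""
    return sorted(name for name, d in devices.items() if as_of - d["password_changed"] > max_age)


def unticketed_changes(devices, tickets):
    """Rec. 1.4: configuration changes that cannot be traced to an approved ticket."""
    return sorted((name, c["date"].isoformat())
                  for name, d in devices.items() for c in d["changes"]
                  if tickets.get(c["ticket"]) != "approved")


def backup_gaps(devices, as_of, max_age=BACKUP_MAX_AGE):
    """Rec. 1.5: changes with no backup in the window before them, and devices
    whose newest backup is older than the window as of the review date."""
    findings = []
    for name, d in devices.items():
        backups = sorted(d["backups"])
        for c in d["changes"]:
            if not any(c["date"] - max_age <= b <= c["date"] for b in backups):
                findings.append((name, "change without prior backup", c["date"].isoformat()))
        if not backups or as_of - backups[-1] > max_age:
            findings.append((name, "backup overdue",
                             backups[-1].isoformat() if backups else None))
    return findings


def run_review(as_of=REVIEW_DATE):
    """Collect every finding, keyed by the recommendation it supports."""
    return {
        "1.1 unauthorized accounts": unauthorized_accounts(
            MGMT_SERVER_ACCOUNTS, HR_ROSTER, ROLES_ALLOWED_TO_CONFIGURE),
        "1.2 idle management IPs": idle_mgmt_ips(MGMT_IP_ALLOWLIST, as_of),
        "1.3 expired passwords": expired_passwords(DEVICES, as_of),
        "1.4 unticketed changes": unticketed_changes(DEVICES, CHANGE_TICKETS),
        "1.5 backup gaps": backup_gaps(DEVICES, as_of),
    }


if __name__ == "__main__":
    for check, findings in run_review().items():
        print(check, "->", findings or "no findings")
```

Each finding maps to one recommendation, so the output doubles as the evidence trail for the next follow-up review.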
APPENDIX

Glossary of Technical Terminology

Change Management - A method by which changes made to a computer system are formally defined, evaluated, and approved prior to implementation.
Configuration Standards - A process for establishing consistency, implementing security requirements, and ensuring systems work as intended when configuration takes place.
Denial of Service - An interruption in an authorized user's access to a computer network, typically one caused with malicious intent.
Firewall - A software or hardware device that enforces security policies for traffic traversing to and from different network segments.
Hardening - The process of securing a computer system by reducing its surface of vulnerability. Reducing the surface of vulnerability for network devices includes disabling unnecessary services and removing unnecessary usernames or logins.
High Availability - The ability to define, achieve, and sustain target availability objectives across services and/or technologies supported in the network that align with the objectives of the business.
Internet Protocol Address - A numerical identifier assigned to each machine in a network used to send data to a specific computer.
Network Segment - Separates networks containing sensitive information from those that do not contain sensitive information.
Network Switch - Computer hardware that is used to connect devices together on a network.
Payment Card Industry (PCI) - Compliance with the PCI DSS is required for all merchants who accept credit cards, online or offline, due to the sensitivity of payment card data and the risks associated with credit card fraud.
Router - A networking device that can send (route) data between computer networks.
Web-based Attack - An attack on a website or network that originates from the Internet or World Wide Web.
AGENCY RESPONSE
More informationCity Attorney s Office: Litigation and Claims Management Performance Audit
City Attorney s Office: Litigation and Claims Management Performance Audit June 2013 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the
More informationAudit Committee. Audit Staff
The Auditor of the City and County of Denver is independently elected by the citizens of Denver. He is responsible for examining and evaluating the operations of City agencies for the purpose of ensuring
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationU.S. Department of Energy Office of Inspector General Office of Audits and Inspections
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report The Department's Configuration Management of Non-Financial Systems OAS-M-12-02 February 2012 Department
More informationPolice Records Management System IT General Controls Performance Audit
Police Records Management System IT General Controls Performance Audit December 2012 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the
More informationData Security Incident Response Plan. [Insert Organization Name]
Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security
More informationBest Practices for PCI DSS V3.0 Network Security Compliance
Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with
More informationHow To Audit The Minnesota Department Of Agriculture Network Security Controls Audit
O L A OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA FINANCIAL AUDIT DIVISION REPORT Department of Agriculture Network Security Controls Information Technology Audit July 1, 2010 Report 10-23 FINANCIAL
More informationU.S. Department of Energy Office of Inspector General Office of Audits & Inspections
U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Audit Report Management of Western Area Power Administration's Cyber Security Program DOE/IG-0873 October 2012 Department
More informationOffice of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget
Office of the Auditor General Performance Audit Report Statewide Oracle Database Controls Department of Technology, Management, and Budget March 2015 071-0565-14 State of Michigan Auditor General Doug
More informationWorkers Compensation Program Performance Audit
Workers Compensation Program Performance Audit February 2012 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver
More informationDenver International Airport Emergency Preparedness Program Performance Audit
Denver International Airport Emergency Preparedness Program Performance Audit November 2015 Audit Services Division City and County of Denver Timothy M. O Brien, CPA Auditor The Auditor of the City and
More informationMarch 2012 www.tufin.com
SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...
More informationU.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report
U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Evaluation Report The Department's Unclassified Cyber Security Program - 2012 DOE/IG-0877 November 2012 MEMORANDUM FOR
More informationHUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE
PERFORMANCE AUDIT OF HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE DEPARTMENT OF CIVIL SERVICE July 2004 ...The auditor general shall conduct post audits of financial transactions and accounts
More informationTop Three POS System Vulnerabilities Identified to Promote Data Security Awareness
CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA
More informationDepartment of Education. Network Security Controls. Information Technology Audit
O L A OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA FINANCIAL AUDIT DIVISION REPORT Department of Education Network Security Controls Information Technology Audit May 5, 2010 Report 10-17 FINANCIAL
More informationDenver 311 Performance Audit
Denver 311 Performance Audit August 2012 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is independently
More informationDenver International Airport Fleet Management Program Performance Audit
Denver International Airport Fleet Management Program Performance Audit December 2012 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of
More informationREGULATIONS FOR THE SECURITY OF INTERNET BANKING
REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY
More informationMICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, C.P.A., C.I.A. AUDITOR GENERAL ENTERPRISE DATA WAREHOUSE
MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT PERFORMANCE AUDIT OF THE ENTERPRISE DATA WAREHOUSE DEPARTMENT OF TECHNOLOGY, MANAGEMENT, AND BUDGET August 2014 Doug A. Ringler, C.P.A., C.I.A. AUDITOR
More informationOFFICE OF THE AUDITOR
OFFICE OF THE AUDITOR DEPARTMENT OF AVIATION INTERNAL CONTROL REVIEW AND CONTRACT COMPLIANCE AUDIT NOVEMBER 2007 Dennis J. Gallagher Auditor Dennis J. Gallagher Auditor Mr. Turner West, Manager Department
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationVENDOR MANAGEMENT. General Overview
VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor
More informationCisco Advanced Services for Network Security
Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs
More informationMICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, CPA, CIA AUDITOR GENERAL DATA SECURITY USING MOBILE DEVICES PERFORMANCE AUDIT OF
MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT PERFORMANCE AUDIT OF DATA SECURITY USING MOBILE DEVICES DEPARTMENT OF TECHNOLOGY, MANAGEMENT, AND BUDGET January 2015 Doug A. Ringler, CPA, CIA AUDITOR
More informationFairWarning Mapping to PCI DSS 3.0, Requirement 10
FairWarning Mapping to PCI DSS 3.0, Requirement 10 Requirement 10: Track and monitor all access to network resources and cardholder data Logging mechanisms and the ability to track user activities are
More informationSRA International Managed Information Systems Internal Audit Report
SRA International Managed Information Systems Internal Audit Report Report #2014-03 June 18, 2014 Table of Contents Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives...
More informationFor more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at www.visa.
Global Partner Management Notice Subject: Visa Data Security Alert Malicious Software and Internet Protocol Addresses Dated: April 10, 2009 Announcement: The protection of account information is a responsibility
More informationIBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public]
IBX Business Network Platform Information Security Controls 2015-02- 20 Document Classification [Public] Table of Contents 1. General 2 2. Physical Security 2 3. Network Access Control 2 4. Operating System
More informationSTATE OF NORTH CAROLINA
STATE OF NORTH CAROLINA INFORMATION SYSTEMS AUDIT OFFICE OF INFORMATION TECHNOLOGY SERVICES INFORMATION TECHNOLOGY GENERAL CONTROLS OCTOBER 2014 OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA STATE AUDITOR
More informationU.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL
U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal
More informationDepartment of Human Services Performance Audit
Department of Human Services Performance Audit October 2013 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver
More informationIs the PCI Data Security Standard Enough?
Is the PCI Data Security Standard Enough? By: Christina M. Freeman ICTN 6870 Advanced Network Security Abstract: This paper will present the researched facts on Payment Card Industry Data Security Standard
More informationSmithsonian Enterprises
Smithsonian Enterprises Audit of the Effectiveness of the Information Security Program Table of Contents I. Introduction... 1 II. Background... 2 III. Results of Audit... 3 Finding #1: Needed Improvement
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Improved Security Required for DHS Networks (Redacted) Notice: The Department of Homeland Security, Office of Inspector General, has redacted
More informationensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
More informationThe Business Case for Security Information Management
The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un
More informationInfor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security
Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous
More information<COMPANY> PR11 - Log Review Procedure. Document Reference Date 30th September 2014 Document Status. Final Version 3.
PR11 - Log Review Procedure Document Reference PR11 - Log Review Procedure Date 30th September 2014 Document Status Final Version 3.0 Revision History 1.0 12 January 2010 - Initial release. 1.1 14 September
More informationBasics of Internet Security
Basics of Internet Security Premraj Jeyaprakash About Technowave, Inc. Technowave is a strategic and technical consulting group focused on bringing processes and technology into line with organizational
More informationNetwork & Information Security Policy
Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationNetwork and Security Controls
Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting
More informationRichmond Police Department Police Records Management System (PISTOL) 12 Months ended December 31, 2011
REPORT # 2012-10 AUDIT Of the TABLE OF CONTENTS Executive Summary..... i Comprehensive List of Recommendations. iii Introduction.......... 1 Background........ 2 Conclusion........ 3 Recommendations........
More informationSecurity Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions
Kevin Staggs, Honeywell Process Solutions Table of Contents Introduction...3 Nerc Standards and Implications...3 How to Meet the New Requirements...4 Protecting Your System...4 Cyber Security...5 A Sample
More informationWhite Paper. Information Security -- Network Assessment
Network Assessment White Paper Information Security -- Network Assessment Disclaimer This is one of a series of articles detailing information security procedures as followed by the INFOSEC group of Computer
More informationCMPT 471 Networking II
CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access
More informationBig Data, Big Risk, Big Rewards. Hussein Syed
Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data
More informationServer Management-Scans & Patches
THE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES Server Management-Scans & Patches Report No. 14-11 OFFICE OF INTERNAL AUDITS THE UNIVERSITY OF TEXAS - PAN AMERICAN 1201 West
More informationDelphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11
Delphi Information 3 rd Party Security Requirements Summary Classified: Public 5/17/2012 Page 1 of 11 Contents Introduction... 3 Summary for All Users... 4 Vendor Assessment Considerations... 7 Page 2
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
More informationLarry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping
Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationBetter secure IT equipment and systems
Chapter 5 Central Services Data Centre Security 1.0 MAIN POINTS The Ministry of Central Services, through its Information Technology Division (ITD), provides information technology (IT) services to government
More informationSecure networks are crucial for IT systems and their
ISSA The Global Voice of Information Security Network Security Architecture By Mariusz Stawowski ISSA member, Poland Chapter Secure networks are crucial for IT systems and their proper operation. Essential
More informationU.S. Department of Energy Office of Inspector General Office of Audits and Inspections
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report Management of Los Alamos National Laboratory's Cyber Security Program DOE/IG-0880 February 2013 Department
More informationGuide to Vulnerability Management for Small Companies
University of Illinois at Urbana-Champaign BADM 557 Enterprise IT Governance Guide to Vulnerability Management for Small Companies Andrew Tan Table of Contents Table of Contents... 1 Abstract... 2 1. Introduction...
More informationDepartment of Information Technology Remote Access Audit Final Report. January 2010. promoting efficient & effective local government
Department of Information Technology Remote Access Audit Final Report January 2010 promoting efficient & effective local government Background Remote access is a service provided by the county to the Fairfax
More informationHost Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1
Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A
More informationWhat IT Auditors Need to Know About Secure Shell. SSH Communications Security
What IT Auditors Need to Know About Secure Shell SSH Communications Security Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources What is Secure Shell? A cryptographic
More informationPayment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
More informationLog Management How to Develop the Right Strategy for Business and Compliance. Log Management
Log Management How to Develop the Right Strategy for Business and Compliance An Allstream / Dell SecureWorks White Paper 1 Table of contents Executive Summary 1 Current State of Log Monitoring 2 Five Steps
More informationLogRhythm and PCI Compliance
LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Enhanced Configuration Controls and Management Policies Can Improve USCG Network Security (Redacted) Notice: The Department of Homeland Security,
More informationCloud Computing Governance & Security. Security Risks in the Cloud
Cloud Computing Governance & Security The top ten questions you have to ask Mike Small CEng, FBCS, CITP Fellow Analyst, KuppingerCole This Webinar is supported by Agenda What is the Problem? Ten Cloud
More informationSemantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0
Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual Document Version 1.0 Table of Contents 1 SWAF... 4 1.1 SWAF Features... 4 2 Operations and User Manual... 7 2.1 SWAF Administrator
More informationWHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks
WHITE PAPER The Need for Wireless Intrusion Prevention in Retail Networks The Need for Wireless Intrusion Prevention in Retail Networks Firewalls and VPNs are well-established perimeter security solutions.
More informationGFI White Paper PCI-DSS compliance and GFI Software products
White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption
More informationAUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW. 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR
AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR Web Portal Security Review Page 2 Audit Report 03-11 Web Portal Security Review INDEX SECTION I EXECUTIVE SUMMARY
More information¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India
CIRCULAR CIR/MRD/DP/13/2015 July 06, 2015 To, All Stock Exchanges, Clearing Corporation and Depositories. Dear Sir / Madam, Subject: Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing
More informationBendigo and Adelaide Bank Ltd Security Incident Response Procedure
Bendigo and Adelaide Bank Ltd Security Incident Response Procedure Table of Contents 1 Introduction...1 2 Incident Definition...2 3 Incident Classification...2 4 How to Respond to a Security Incident...4
More informationSANS Top 20 Critical Controls for Effective Cyber Defense
WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a
More informationAchieving Compliance with the PCI Data Security Standard
Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),
More informationNew PCI Standards Enhance Security of Cardholder Data
December 2013 New PCI Standards Enhance Security of Cardholder Data By Angela K. Hipsher, CISA, QSA, Jeff A. Palgon, CPA, CISSP, QSA, and Craig D. Sullivan, CPA, CISA, QSA Payment cards a favorite target
More informationOvercoming PCI Compliance Challenges
Overcoming PCI Compliance Challenges Randy Rosenbaum - Security Services Exec. Alert Logic, CPISM Brian Anderson - Product Manager, Security Services, SunGard AS www.sungardas.com Goal: Understand the
More information