Citywide Identity Management Follow up Report

Transcription

1 Citywide Identity Management Follow up Report July 2015 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor

2 The Auditor of the City and County of Denver is independently elected by the citizens of Denver. He is responsible for examining and evaluating the operations of City agencies for the purpose of ensuring the proper and efficient use of City resources and providing other audit services and information to City Council, the Mayor and the public to improve all aspects of Denver s government. He also chairs the City s Audit Committee. The Audit Committee is chaired by the Auditor and consists of seven members. The Audit Committee assists the Auditor in his oversight responsibilities of the integrity of the City s finances and operations, including the integrity of the City s financial statements. The Audit Committee is structured in a manner that ensures the independent oversight of City operations, thereby enhancing citizen confidence and avoiding any appearance of a conflict of interest. Audit Committee Dennis Gallagher, Chair Maurice Goodgaine Leslie Mitchell Rudolfo Payan Robert Bishop Jeffrey Hart Timothy O Brien, Vice Chair Audit Management Kip Memmott, Director, MA, CGAP, CRMA John Carlson, Deputy Director, JD, MBA, CIA, CGAP, CRMA Audit Staff Shannon Kuhn, Audit Supervisor, CISA Nicholas Jimroglou, Lead Auditor, CISA Karin Doughty, Senior IT Auditor, CISA You can obtain copies of this report by contacting us at: Office of the Auditor 201 West Colfax Avenue, Department 705 Denver CO, (720) Fax (720) Or download and view an electronic copy by visiting our website at: Report number A

3 City and County of Denver Dennis J. Gallagher Auditor 201 West Colfax Avenue, Department 705 Denver, Colorado FAX July 1, 2015 Ms. Adrienne Benavidez, Executive Director, General Services Mr. Frank Daidone, Chief Information Officer, Technology Services Ms. Karen Niparko, Executive Director of Human Resources City and County of Denver Re: Audit Follow Up Report Dear Ms. Benavidez, Mr. Daidone, and Ms. Niparko: In keeping with professional auditing standards and the Audit Services Division s policy, as authorized by D.R.M.C , our Division has a responsibility to monitor and follow up on audit recommendations to ensure audit findings are being addressed and to aid us in planning future audits. This report is to inform you that we have completed our follow up effort for the Citywide Identity Management audit issued March 20, Our review determined that General Services and Technology Services have implemented ten of the eleven findings found in the audit report. For your reference, this report includes a Highlights page that provides background and summary information on the original audit and the completed follow up effort. Following the Highlights page is a detailed implementation status update for each recommendation, including General Services disagreement with a recommendation from the original audit. Although we did not update the status of the recommendation that General Services disagreed with, this recommendation is included in the status update section as a reference. This concludes audit follow up work related to this audit. I would like to express our sincere appreciation to each of you and to General Services, Technology Services, and Human Resources personnel who assisted us throughout the audit and follow up process. If you have any questions, please feel free to contact me at or Shannon Kuhn, Internal Audit Supervisor, at Sincerely, KRM/sk Kip Memmott, MA, CGAP, CRMA Director of Audit Services cc: Honorable Michael Hancock, Mayor Honorable Members of City Council Members of Audit Committee To promote open, accountable, efficient and effective government by performing impartial reviews and other audit services that provide objective and useful information to improve decision making by management and the people. We will monitor and report on recommendations and progress towards their implementation.

4 Ms. Cary Kennedy, Deputy Mayor, Chief Financial Officer Ms. Janice Sinden, Chief of Staff Mr. David P. Edinger, Chief Performance Officer Ms. Beth Machann, Controller Mr. Scott Martinez, City Attorney Ms. Janna Young, City Council Executive Staff Director Mr. L. Michael Henry, Executive Director, Board of Ethics To promote open, accountable, efficient and effective government by performing impartial reviews and other audit services that provide objective and useful information to improve decision making by management and the people. We will monitor and report on recommendations and progress towards their implementation.

5 City and County of Denver Office of the Auditor Audit Services Division REPORT HIGHLIGHTS Citywide Identity Management Performance Audit Follow up Report: July 2015 General Services and Technology Services have implemented 100 percent of the recommendations made to them in the March 2014 audit report. Human Resources has not implemented their recommendation. Background Identity management is the task of controlling information about users on computers. This information includes credentials that authenticate the identity of a user, within a system. Information can include user descriptions and actions they are authorized to access and perform. Access to physical spaces can also be handled through identity management when software is the mechanism to grant and revoke building access. Purpose The purpose of the audit was to determine whether physical and logical access control policies are in place and adhered to; personnel with identity management responsibilities are adequately trained; access provisioning and de provisioning is appropriately performed; periodic entitlement reviews are conducted to identify unauthorized access; password parameters align with best practices and the Federal Information Security Management Act; and access is managed in compliance with applicable regulations. Highlights from Original Audit The audit found that improvements need to be made to the City s identity management governance structure for both physical and logical access. We identified active network accounts that were not removed for former employees and contractors who are no longer affiliated with the City. Physical access badges were not disabled for former employees with clearances that allowed access to doors within the Denver Human Services Records Room, Child Welfare Office, 911 Emergency Communications Center, District and City Attorney s Offices, and the City data centers. These and other instances of former employees that retained access to City data and resources have occurred as a result of the City not having an adequate governance process in place to manage all steps in granting and revoking access to facilities and systems. Findings at Follow up General Services and Technology Services have implemented ten of the eleven agreed to findings made in the 2014 audit report. Computer based Security Awareness training was purchased and disseminated to all City employees to raise their awareness of computer security issues. A process was developed to provision and de provision contractor, volunteer and interim workers. A network file monitoring software solution was purchased and implemented to facilitate periodic reviews. Building badge operating procedures have been created, published and all appropriate facilities personnel have been trained on the process. For a complete copy of this report, visit Audit Contact Person: Shannon Kuhn [email protected]

6 Recommendations: Status of Implementation Recommendation Auditee Action Status Finding 1: The City Needs to Improve Governance around Identity Management to Ensure that Access to Facilities and Systems Is Appropriately Restricted 1.1 The Director of Facilities Management should disable active badges for former employees identified within this audit and work with other badging administrators to ensure that any other potentially active accounts for former employees are disabled. 1.2 The Director of Facilities Management should install badge readers on the secured facility identified within the confidential findings provided to Facilities Management. 1.3 The Chief Information Security Officer should update the network and account management policy to reflect the current process for network credential creation and termination. The policy should also be adopted by Technology Services so that individuals responsible for access control understand the logical access requirements and comply with them. A separate process should be developed and implemented for interns, contractors, and volunteers to ensure that network accounts are provisioned and de provisioned consistently. Badges identified in the audit were disabled. The terminated employee PeopleSoft report is received by administrative facilities staff and reviewed to remove badge access within the facilities. No action taken. A network and account standard has been created by the Information Security team and applies to all managers that have users with network accounts. Disagree Page 1 Office of the Auditor

7 Recommendations: Status of Implementation Recommendation Auditee Action Status 1.4 The IT Governance Manager should disable active network accounts for former employees and contractors identified within this audit and ensure that any other active accounts for former employees are disabled. 1.5 The IT Governance Manager should ensure that password and group policy settings align with the City s LAN and Policy. 1.6 The IT Governance Manager should ensure that access to data protected by rules and regulations such as HIPAA and CJIS is periodically monitored and controlled appropriately over time. Technology Services immediately disabled all network accounts identified in this audit and is currently conducting a review of individuals paid through the City s payroll system on a period basis. The Court Information Department also immediately disabled all network accounts identified in this audit, and has implemented improved procedures to address the deprovisioning of user accounts. Technology Services has reviewed the password and group policy settings to ensure that they are in alignment. A software file monitoring tool was purchased, implemented and provided to agencies where sensitive data resides to provide them with the ability to periodically monitor file access. City and County of Denver Page 2

8 Recommendations: Status of Implementation Recommendation Auditee Action Status 1.7 The Chief Information Security Officer and the Director of Facilities Management should work together to develop and implement security awareness training for all City employees, contractors, volunteers, and interns who receive physical or logical access credentials. The format and extent of the security awareness training is at the discretion of Technology Services and Facilities Management; however, these entities should take high risk areas into consideration when developing the program. Please reference the Identity Management Audit Report for suggested high risk areas. Technology Services has purchased and deployed computer based security awareness training from the SANS institute. Employees are ed a link to the training and have 30 days to complete the training, which is tracked and monitored by IT Governance for compliance. Page 3 Office of the Auditor

9 Recommendations: Status of Implementation Recommendation Auditee Action Status 1.8 The Chief Information Security Officer and the Director of Facilities Management should implement periodic entitlement reviews and help facilitate agency access reviews, taking into consideration the following: All accounts should be reviewed on a pre defined basis (monthly, quarterly, or annually) High risk access permissions should be identified, and periodic account reviews should assess the appropriateness of high risk access over time Account reviews should be assigned to a designated system owner with a general understanding of the appropriateness of access Account reviews should incorporate segregation of duties Reviews should be based on system generated access reports 1.9 The Executive Director of Human Resources should work closely with the Chief Information Officer and other agencies to implement a centralized method for tracking contractor, volunteer, and intern (contingent) workers to allow these types of workers to be tracked and thereby have their network access provisioned and de provisioned through an automated tool. Privileged accounts are reviewed by the IT Governance manager and Facilities management on a periodic basis. A contingent worker module has been implemented in Oracle Identity Manager to automate the creation and removal of network accounts for contractors, interns and volunteers. City and County of Denver Page 4

10 Recommendations: Status of Implementation Recommendation Auditee Action Status 1.10 The Executive Director of Human Resources should work closely with the IT Governance Manager and independent IT departments across the City to train hiring managers and supervisors on provisioning and deprovisioning processes, taking into consideration the following when developing the training: A role based approach for access provisioning Avoid mirroring accounts based on job functionality Develop a consistent agreed upon method for physical and logical access provisioning and deprovisioning (e.g., required forms, approvals) Develop a consistent method for handling contractors and other manually provisioned accounts (e.g., account end dating) The Director of Facilities Management should create procedures that define daily badge management processes. Facilities Management should then train all badging administrators on the procedures to ensure that access is consistently provisioned and deprovisioned The Director of Facilities Management should consider centralizing the badge administration process and minimize the number of administrators assigning badge access. Technology Services has provided the Human Resources management with training information on provisioning and de provisioning account access. Badge operating procedures have been incorporated into the employee badge policy for the system. The procedures have been reviewed, approved and published to employees and agencies that independently manage their badge processes. The number of badge administrators have been reviewed and reduced from 8 to 3. Agree/Not implemented Page 5 Office of the Auditor

11 Conclusion We found that General Services and Technology Services have completed all of the recommendations from the March 2014 audit. Specifically, Technology Services has purchased Security Awareness training for all City employees, and has gone beyond the recommendation to purchase modules targeted to employees with specific job responsibilities to further educate them on computer security. Technology Services has revised their policy for and network accounts and created new standards for supervisors on managing employees accounts, as well as the handling of accounts with elevated access. A new process was created to automate accounts for interns, contractors and volunteers. General Services has adequately mitigated the risks identified in the audit by ensuring that badge access is removed in a timely manner. Additionally, General Services limited the number of users with privileged badge access. Human Resources did not complete their portion of the recommendation made in the March 2014 audit. On behalf of the citizens of the City and County of Denver, we thank staff and leadership from General Services and Technology Services for their cooperation during our follow up effort and their dedicated public service. City and County of Denver Page 6