FINAL INTERNAL AUDIT REPORT




Organisation and Management of Firewalls (IA 13 402/F)
Steve Allen, Managing Director, Finance
Audit Conclusion: Audit Closed
25 February 2015

Issue categories   Agreed actions   Satisfactorily addressed   Partially addressed   No longer applicable   Not addressed
Priority 1         11               11                         0                     0                      0
Priority 2         0                0                          0                     0                      0
Priority 3         0                0                          0                     0                      0

CONTENTS
EXECUTIVE SUMMARY ... 3
STATUS OF AGREED ACTIONS ... 5
APPENDIX 1 DISTRIBUTION LIST ... 9

Audit information
Version: 1
Draft versions issued: 1
Draft report issued: 18 February 2015
Audit Manager: Emilija Antevska
Director of Internal Audit: Clive Walker

EXECUTIVE SUMMARY

Objective
The objective of this audit was to provide assurance that the firewall strategies and policies, and the related governance arrangements that have been implemented to manage and control TfL firewall architectures, are cost effective, efficient and fit for purpose.

Scope
The audit focused on the control environment in relation to the following key risk areas:
- Firewall strategy and associated firewall governance structures;
- Design of current firewall architectures;
- Approach and key processes involved in establishing and managing the firewall policies and procedures;
- Approach in the development, deployment and management of firewall products and services;
- Approach in defining and managing firewall resilience, capacity and performance management; and
- Approach in securing defined firewall configurations.

Summary of findings
Our Interim Internal Audit Report dated 17 June 2014, entitled Organisation and Management of Firewalls, outlined that all firewall related service requests for changes to be implemented by Fujitsu should be accompanied by an assessment performed by the IM service delivery and IM security teams to confirm their validity. Fujitsu's service technicians and solution architect then implement the firewall changes within defined business hours following the IM change management process.

We identified eight priority 1 issues as follows:
- The cost-effectiveness of the enhanced firewall service had been undermined by the lack of a defined process to identify, manage and monitor the firewall changes that increase the annual charge paid by TfL to Fujitsu;
- The roles and responsibilities for IM in-house activities that support the delivery of the enhanced firewall services by Fujitsu had not been defined, assigned and enforced;
- Formal IM guidance to cover critical aspects of managing firewalls was not available, including firewall strategy and roadmap, IT architecture and technology standards, firewall security and configuration standards, firewall monitoring, and firewall patch management policy;
- A complete and accurate record of firewall assets owned by TfL had not been maintained;
- A structured process to monitor firewall performance and proactively manage network capacity had not been implemented;
- End-of-life firewalls used for securing critical services had remained in use without plans for their decommissioning and replacement, potentially due to a lack of an agreed standardised end-of-life approach with Fujitsu;
- Forty percent of Fujitsu users with sensitive access to TfL firewall management consoles had not been security cleared as required by the Agreement; and
- There were no formal TfL disaster recovery plans that cover the testing of TfL firewalls or their backups to ensure a successful recovery in the event of a disaster.

We have completed a follow-up and confirmed that management has implemented all the actions agreed in respect of these findings. This audit is now closed.

STATUS OF AGREED ACTIONS

Priority 1 actions (Ref; Agreed action; Owner and due date; Status)

1. Review the firewall change process to ensure it is fit for purpose and implement changes to address the risk noted above.
   Owner and due date: 29 August 2014
   Status: The IM Enhanced Firewall Service - Fujitsu work instruction has been reviewed to clearly specify a requirement that Fujitsu informs IM when the threshold for firewall changes is reached and obtains approval from TfL for any additional changes. All firewall changes are reported in Fujitsu's periodic service report.

2. Define a responsibility assignment matrix (RACI) for key stakeholders within IM relating to the management of IM controlled firewalls on the TfL network that includes, amongst others, activities relating to the end-of-life of firewalls. The RACI can then be used by the decision tree outlined in action 3.
   Owner and due date: 29 August 2014
   Status: A matrix defining the responsibilities of key IM stakeholders relating to the management of IM controlled firewalls on the TfL network has been defined.

3. Produce a firewall policy to include the discussion of lifecycle and firewall decision tree and approve for IM use.
   Owner and due date: Michele Hanson, 28 November 2014
   Status: A high level policy defining the implementation, operation and management of devices providing network based firewall functionality for TfL has been drafted and approved for use by IM management.

4. Under instruction from IM Service Management, Fujitsu are to create an inventory of firewall assets and work with Infrastructure Services to populate the CMDB with key configuration information.
   Owner and due date: 28 November 2014
   Status: An inventory of firewall assets is maintained by Fujitsu and submitted every period to TfL IM Infrastructure Services to populate the CMDB.

5. IM to ensure that a documented process is in place for regular reconciliation of firewall changes within the CMDB.
   Owner and due date: 29 August 2014
   Status: The process and responsibilities involved in reconciling the changes to TfL firewalls have been documented in a work instruction.

6. IM to produce firewall specific guidance to dovetail into the Capacity Management process currently being developed by Service Management.
   Owner and due date: 28 November 2014
   Status: The TfL IM Component Capacity Management guidance note specifies the requirement for capacity management of hardware infrastructure components, including firewalls.

7. Develop a process for proactive management of firewalls to encapsulate: service provider reporting on the age of firewalls; and using the firewall decision tree produced in action 3 to determine the need to replace the firewalls at end-of-life.
   Owner and due date: 28 November 2014
   Status: A TfL Security Review meeting is held between Fujitsu, TfL IM Information Security and TfL IM Service Management every period that covers, among other topics, proactive management of firewalls.

8. IM will produce a list of internal and external IM roles they recommend to be security screened or vetted and submit these requirements to HR.
   Owner and due date: Complete
   Status: The Information Security Gap Analysis proposal makes provision for people specific controls that include the screening of staff, contractors and third parties.

9. The Information Security Gap Analysis proposal will make provision for people specific controls that include the screening of staff, contractors and third parties. This proposal will address a recommended single approach that speaks to the criteria for security clearances across TfL. Recommendations will comply with legal and regulatory requirements and, in accordance with best practice, will be provided to HR in relation to the perceived risks in due course.
   Owner and due date: Michele Hanson, 30 September 2014
   Status: As above under action 8.

10. Review the current IM Services Disaster Recovery arrangements.
    Owner and due date: Rebecca Bissell, Complete
    Status: The TfL IM Disaster Recovery Strategy was reviewed in April 2014.

11. Produce a Disaster Recovery Plan Template in line with the DR Strategy, proposed documentation requirements, and test and audit plans.
    Owner and due date: Neville Hinchliffe, Complete
    Status: A Disaster Recovery Plan Template has been produced in line with the above strategy.

APPENDIX 1 DISTRIBUTION LIST

This report was sent to Steve Allen, Managing Director, Finance, by Clive Walker, Director of Internal Audit, and copied to:

Recipients:
Steve Townsend
Trevor Jordan
Matthew Griffin
Rebecca Bissell
Michele Hanson
Paul Boulton
Neville Hinchliffe
Larry Botheras
Loretta Donoghue
Wayne Fitzgerald
Philip Hewson
Andrea Fourie
Nigel Blore
Andrea Clarke
Andrew Pollins
Howard Carter
Robert Brent

Roles (as listed in the report):
Chief Information Officer
IM Head of IM Projects Delivery
IMSS Lead Development Manager
IM Head of Business Relationship Management
IM Chief Information Security Officer
IMSS Lead Development Manager
Interim IM Head of Service Management
IM Resilience and Business Continuity
IM Infrastructure Manager
IM Service Design and Assurance Manager
IM Senior Quality, Assurance and Risk Analyst
Head of Commercial ICT as Key Risk Representative
Head of Group Insurance
Director of TfL Legal
Interim Chief Finance Officer
General Counsel
KPMG