IT CONTROL ENVIRONMENT ASSESSMENT AND RECOMMENDATIONS REPORT



Chairperson and Subcommittee Members
AUDIT AND RISK SUBCOMMITTEE
6 AUGUST 2015
Meeting Status: Public
Purpose of Report: For Information

IT CONTROL ENVIRONMENT ASSESSMENT AND RECOMMENDATIONS REPORT

PURPOSE OF REPORT

1 This report provides a summary of Ernst & Young's Information Technology Control Environment Assessment and Recommendations report dated 7 January 2015 and provides an update of progress against the action plan formulated to address the matters raised.

DELEGATION

2 The Audit & Risk Subcommittee has delegation authority to consider this report under the following delegation in the Governance Structure, Section C.3.7 Internal Reporting:

7.4 To review the processes for ensuring the completeness and quality of financial and operational information, including performance measures, being provided to Council.

BACKGROUND

3 In accordance with New Zealand Auditing Standards, Ernst & Young has reviewed the current operations of the Council's Information Technology General Controls (ITGC) environment and considered the aspects significant to the audit of Council's 2015-35 LTP and the 2014/15 annual report.

4 With the assistance of external contractors (to provide specialist advice) a formal work programme was established to address these findings and associated implications, and this was tabled at the Subcommittee meeting of 5 May.

5 Responsibility for the implementation of the ITGC programme of work and its delivery has now been brought within the Council and will be delivered internally.

Issues and Options

Issues

Context of IT General Control Environment Findings

6 Ernst & Young has identified five issues that are considered appropriate for review by the Senior Leadership Team. Four of the issues identified were classified as high risk and the remaining one was classified as low risk. The classification of issues is defined as follows:

High Risk: These recommendations relate to a serious weakness which exposes the organisation to a material extent in terms of the achievement of departmental objectives, financial results or otherwise impairs KCDC's reputation. Immediate corrective action is required.

Low Risk: A weakness which does not seriously detract from the system of internal control and/or operational effectiveness/efficiency but which should nevertheless be addressed by management.

Summary of IT General Control Environment Findings

7 Ernst & Young's control findings, recommendations and Council's responses thereto are discussed below.

8 Change management

Observation (High risk)

We were provided with the change management process document dated February 2011. This document describes the process to be followed for the different IT change types (normal, standard and emergency) within Council. The Change Control Process specifies that change control must ensure that the change is:
- Recorded
- Authorised
- Planned and Implemented
- Reviewed
- Evaluated and Prioritised
- Tested and Documented.

There are two tools to capture changes: ManageEngine for general IT changes and the NCS Service Request module for MagiQ LTP and Budgeting module changes. We noted that although the change process is documented, it is not always followed; not all changes are documented/formally reviewed/tested and captured.

Recommendation

Management should consider:
- Revisiting Change Management control process documentation and updating it with current KCDC practices.
- Enforcing the use of the Change Management Policy to ensure that all changes are appropriately authorised, tested, approved, monitored and evidence documented.
- Optimising use of existing change management tools to ensure that all changes are adequately captured.
- Using a version management tool to ensure that KCDC controls and monitors all changes in the production environment.
- Reviewing the system generated list of changes within the existing Change Advisory Board process.

Council's Response

Council agrees with the recommendation and notes the significance of the implications outlined. Council is actively working on the practical implementation of sound change management processes across the organisation with the objective of mitigating the risks identified.

Current Status
- An updated Change Control Process initiated within the ICT team (see the Change Management document attached as Appendix 1).
- ManageEngine Service Desk application, identified as Change Management repository with comprehensive workflow and reporting, has been implemented as part of the system audit.
- Changes are authorised by the Change Advisory Board (CAB), which comprises the ICT Manager, the Service Desk Team Leader, the Information Technology Team Lead and other business representatives. The CAB reviews change requests on a weekly basis.

9 User access management processes

Observation (High risk)

KCDC currently has no documented and approved user access management process. To manage user access, a new user form is completed by the responsible manager and submitted to the help desk for access provisioning. We were advised that contractors' access was set up in Active Directory with a pre-determined termination date. However, terminated users were often not removed from the systems in a timely manner. This appears to be the result of the timeliness with which employees' departures are communicated to the Help Desk. Periodic user access reviews do not take place.

The current business application users are restricted to a limited number in the implementation phase. We understand this is expected to increase as the MagiQ modules go live.

Recommendation

KCDC should consider:
- Implementing a common user access management process. This process should be documented and include the access request, modification, removal, and review processes.
- Ensuring appropriate notification is provided to business units and the Service Desk from HR for terminated employees, to ensure that access to systems is removed in a timely manner.
- Formalising a user access review process so that it is managed through a centralised location to ensure all reviews are completed.
- Implementing regular review of user accounts to ensure that access is only granted to users with a need to access a system.
- Ensuring that the individuals that monitor and review these accounts and associated activities are not administrators within these systems.

Council's Response

Council agrees with the recommendations. Council is currently engaged in a review of the user management processes in place with the objective of developing and implementing suitable processes to ensure optimal management of the IT infrastructure system.

Current Status
- A user access management process has been initiated (see Access Management Process attached as Appendix 3).
- Management of User Access assigned to Service Desk Team Leader.
- Six-monthly review of current access permissions for the NCS Chameleon MagiQ system distributed to Line Managers, with requested changes requiring the approval of the Module System Owner.

10 Segregation of duties

Observation (High risk)

We observed that conflicting roles and responsibilities are not clearly defined. Segregation of incompatible duties should be present to avoid conflict of duties with respect to:

Change Management roles:
- Request/approve programme development or programme change
- Programme the development or change
- Move programmes in and out of production
- Monitor programme development and changes.

Logical Access granting roles:
- Requesting access, approving access, setting up access, and monitoring access violations/violation attempts
- Performing rights of a privileged user and monitoring use of a privileged user.

As MagiQ NCS is currently being implemented, IT and business user access levels, the access granting process and developer access to the production environment are not formally defined. We have been informed that currently the number of application users is 5, with a target of 50 to 60 users after full transition. As initial implementation efforts wind down and end user numbers eventually increase, segregation of duties needs to head for a more secure and solid state.

Recommendation

KCDC should consider enforcing segregation of duties:
- Both organisationally and logically, to ensure that different individuals / system resources perform access requests, access approval, access provisioning and monitoring of access violations, for both IT privileged and business end users.
- Ensuring different individuals perform privileged user access reviews, monitoring of privileged accounts and monitoring of the system generated list of changes in the production environment. Where this is not possible, Kapiti Coast District Council should consider restricting access to the production environment on an as-required basis and periodically reviewing all access.
- Different individuals / system resources perform change requests, change approval, moving programmes in and out of production and monitoring changes, as well as restricting developer access to the production environment.
- Use of a version management tool to ensure that KCDC controls and monitors all changes in the production environment.

Council's Response

Council agrees with the recommendation. The process for identifying and authorising duties is currently being reviewed as part of the overall ITGC systems review and appropriate implementation will be actioned as a priority.

Current Status

Segregation of Duties is a logical outcome of the other processes initiated as part of this audit response:
- Upgrade to Corporate System (Magiq Enterprise) to be completed in Q2 of the 2015/16 financial year. This provides improved granularity of user roles within the application.

- Change Processes (identified above) have allocated Change roles assigned, with a Change Champion empowered to oversee all change. No change is implemented unless it goes through the Change Management Process, or is a documented exception.
- Review of General system security settings (see below) has led to the implementation of a programme to remove access to generic and unassigned logins and administrator accounts.
- Management of Segregation of Duties assigned to ICT Infrastructure Team Leader.

11 General system security settings

Observation (High risk)

Our IT audit procedures include understanding and assessing information security at an organisational level. We noted that whilst some basic security settings have been defined at a system level (e.g. network password policy), KCDC has no formal information security guidelines in place. These are important to set the tone on how processes are managed in a controlled and secure manner. Information Security describes activities that relate to the protection of information (financial and operational information produced, distributed, retained) and information infrastructure assets (operating systems, access control mechanisms, databases, applications) against the risks of loss, misuse, disclosure or damage. It is important that management has a common understanding of information security risks and potential implications to the Council.

Recommendation

Information security guidelines at a minimum should cover:
- Access control, including physical and remote access,
- Password settings,
- Logs on operating systems and databases,
- Configuration baselines for hardware (firewalls, servers, operating systems and databases),
- Security patching,
- Incident and problem management,
- Anti-virus.

We recommend the New Zealand Information Security Manual (NZISM), updated in November 2014, be considered as a baseline for IT security practices. A definite way of adding structure is to create information security guidelines in consultation with the business to ensure the guidelines are relevant to the business as well as IT. These policies should then be reviewed and approved at least annually to make any necessary adjustments as a result of IT environment changes.

Council's Response

Council agrees with the recommendations and plans are underway to engage an external consultant to conduct a wide ranging audit including a general IT architecture review. The recommendations arising from these audits will provide detailed information on both ICT Strategy and general IT security and will form the basis of the implementation of improvements as a priority item.

Current Status
- A comprehensive work plan of updates and improvements to systems and security has been created. As the majority of these changes affect production systems and services, such updates are scheduled in appropriate windows and it is anticipated that all the work will be completed by the end of Q2 in the 2015/16 financial year.
- General system security settings assigned to the Infrastructure Team Leader.

12 Backup operations

Observation (Low risk)

KCDC has no backup policy or disaster recovery policy which details the process, including means, frequency and retention period for backups. Current practice is to assign backup and batch operations responsibilities by way of individual employee job descriptions. Management advised that a draft procedure exists for SLAs that should help in defining what the business requires from IT Disaster Recovery management. However, the draft procedure has not been updated to reflect KCDC's current operational and regulatory needs and is not approved and adopted by Council.

We also noted that actions taken to resolve backup issues are not recorded and therefore we were unable to determine that corrective action had been taken for failed backups. No formalised process with regards to testing of backups exists. We understand that backups are tested on demand by the business to restore data. However, backups are not tested on a systematic or predefined basis, which increases the risk of failing to restore data if required.

Recommendation

Management should consider:
- Reviewing current backup operations and approving back-up retention periods as part of the backup policy that is being developed. Business and system owners, in consultation with IT, should authorise and define the retention periods to ensure that these are practical and appropriate.
- Retaining backup logs for all applications and recording corrective actions using the centralised incident management procedures.

- Implementing activities designed to perform regular testing of DLT tapes stored offsite at the EOC centre, ensuring that critical data can be restored as and when it is required.
- Performing Disaster Recovery testing at the offsite DR site using data synced by the Rsync tool.

Council's Response

Council agrees with the observation. Current back-up operations are in place; however, these processes are being reviewed along with the wide ranging audit and general IT architecture review. A comprehensive revision of the Back-up and Disaster Recovery plan is to be developed in Q2 of the 2015/16 financial year. This is to align with the ICT Strategy and the programme of work designed to improve district wide connectivity for Council services.

Current Status
- An audit of current back-up tools and applications has been completed.
- Request for Information is in draft for a comprehensive, council wide system monitoring tool.
- Management of Back-up Operations assigned to Infrastructure Team Leader.

Overall Progress of Work Programme to Address IT General Control Environment Findings

13 It is anticipated that the implementation of the work programme will take 3-6 months, at the end of which all of the Control Findings will be resolved. It should be noted that while Ernst & Young's findings relate only to the Council's 2014/15 Annual Report and 2015/35 Long Term Plan, the formal work programme being implemented to address the findings has been adapted to encompass all aspects of Council's operations.

14 Furthermore, to address all aspects of the findings necessarily requires significant periods of down time to variously diagnose, implement and test Council's ICT systems.

15 In the second quarter of the 2015/16 financial year, Ernst & Young will be engaged to review the Council's progress against its findings to ensure that progress is being made and that the significant risks highlighted are being appropriately managed.

CONSIDERATIONS

Policy considerations

16 The implementation of the work programme has resulted in the creation of two new corporate policies:
- IT Change Management Policy
- System Access Permissions Policy.

17 The policies will become operative following the approval of the Senior Leadership Team.

Legal considerations

18 There are no legal considerations.

Financial considerations

19 The costs relating to the matters outlined in this report will be covered within the current Annual Plan budget.

Tāngata whenua considerations

20 There are no tāngata whenua considerations.

SIGNIFICANCE AND ENGAGEMENT

Degree of significance

21 This matter has a low level of significance under Council policy.

Consultation already undertaken

22 Due to the nature of the decision being made, no consultation process is required to be undertaken.

Engagement planning

23 An engagement plan is not needed to implement this decision.

Publicity

24 There are no publicity issues to be considered at this stage.

RECOMMENDATIONS

25 That the Audit & Risk Subcommittee notes the progress of the formal work programme that is being implemented to address the issues raised by Ernst & Young in its Report on IT Control Environment Assessment and Recommendations.

26 That the Audit & Risk Subcommittee notes that in the second quarter of the current financial year, Ernst & Young will review the Council's progress against its recommendations.

Report prepared by: Mark de Haast, Financial Controller
Approved for submission: Stephen McArthur, Group Manager Strategy & Planning
Approved for submission: Wayne Maxwell, Group Manager Corporate Services

Appendix 1 - Change Management document
Appendix 2 - Access Management Process
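The periodic user access review called for in item 9 and the reviewer-independence point in item 10 can be carried out as a reconciliation of the HR leaver list against a directory export. The following is an added illustration written for this page, not the report's or the Council's own process; the roster, directory records, reviewer list, field names and the 90-day inactivity window are constructed assumptions.

```python
"""Reconcile an HR roster against a directory export (constructed sample data).

Flags the gaps the audit finding describes: leavers whose accounts are still
enabled, contractor accounts with no expiry date, enabled accounts nobody has
used in the review window, enabled accounts HR does not know about, and
reviewers who are themselves administrators (segregation of duties).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    is_contractor: bool
    expires: Optional[date]      # expiry set at provisioning (None = never)
    last_logon: Optional[date]   # None = never logged on
    is_admin: bool


# Constructed sample: username -> termination date (None = current staff/contractor).
HR_ROSTER: Dict[str, Optional[date]] = {
    "jsmith": None,
    "apatel": date(2015, 6, 30),   # left 30 June but still enabled below
    "ctr_bwong": None,
    "ctr_lee": None,
    "itadmin": None,
    "mjones": date(2015, 5, 1),    # left and correctly disabled
}

# Constructed sample directory export.
DIRECTORY: List[Account] = [
    Account("jsmith", True, False, None, date(2015, 7, 20), False),
    Account("apatel", True, False, None, date(2015, 7, 1), False),
    Account("ctr_bwong", True, True, None, date(2015, 7, 28), False),   # no expiry
    Account("ctr_lee", True, True, date(2015, 12, 31), date(2015, 8, 1), False),
    Account("itadmin", True, False, None, date(2015, 8, 5), True),
    Account("svc_old", True, False, None, date(2014, 12, 1), True),     # not in HR
    Account("mjones", False, False, None, date(2015, 4, 30), False),
]


def review_accounts(directory: List[Account], roster: Dict[str, Optional[date]],
                    today: date, stale_days: int = 90) -> Dict[str, List[str]]:
    """Return usernames grouped by finding type. Disabled accounts are skipped."""
    findings: Dict[str, List[str]] = {
        "leaver_still_enabled": [], "contractor_without_expiry": [],
        "stale_account": [], "unknown_to_hr": [],
    }
    for acct in directory:
        if not acct.enabled:
            continue
        if acct.username not in roster:
            findings["unknown_to_hr"].append(acct.username)
        elif roster[acct.username] is not None and roster[acct.username] <= today:
            findings["leaver_still_enabled"].append(acct.username)
        if acct.is_contractor and acct.expires is None:
            findings["contractor_without_expiry"].append(acct.username)
        if acct.last_logon is None or today - acct.last_logon > timedelta(days=stale_days):
            findings["stale_account"].append(acct.username)
    return findings


def reviewers_who_are_admins(reviewers: List[str], directory: List[Account]) -> List[str]:
    """Segregation check: reviewers must not hold administrator rights in the system."""
    admins = {a.username for a in directory if a.is_admin}
    return sorted(set(reviewers) & admins)


if __name__ == "__main__":
    for kind, users in review_accounts(DIRECTORY, HR_ROSTER, date(2015, 8, 6)).items():
        print(f"{kind}: {users}")
    print("reviewers with admin rights:", reviewers_who_are_admins(["jsmith", "itadmin"], DIRECTORY))
```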