Chairperson and Subcommittee Members
AUDIT AND RISK SUBCOMMITTEE
6 AUGUST 2015
Meeting Status: Public
Purpose of Report: For Information

IT CONTROL ENVIRONMENT ASSESSMENT AND RECOMMENDATIONS REPORT

PURPOSE OF REPORT

1 This report provides a summary of Ernst & Young's Information Technology Control Environment Assessment and Recommendations report dated 7 January 2015 and provides an update of progress against the action plan formulated to address the matters raised.

DELEGATION

2 The Audit & Risk Subcommittee has delegated authority to consider this report under the following delegation in the Governance Structure, Section C.3.7 Internal Reporting:

7.4 To review the processes for ensuring the completeness and quality of financial and operational information, including performance measures, being provided to Council.

BACKGROUND

3 In accordance with New Zealand Auditing Standards, Ernst & Young has reviewed the current operation of the Council's Information Technology General Controls (ITGC) environment and considered the aspects significant to the audit of Council's 2015-35 Long Term Plan (LTP) and the 2014/15 Annual Report.

4 With the assistance of external contractors (to provide specialist advice), a formal work programme was established to address these findings and their associated implications. This was tabled at the Subcommittee meeting of 5 May.

5 Responsibility for the implementation of the ITGC programme of work and its delivery has now been brought within the Council and it will be delivered internally.

ISSUES AND OPTIONS

Issues

Context of IT General Control Environment Findings

6 Ernst & Young has identified five issues that are considered appropriate for review by the Senior Leadership Team. Four of the issues identified were classified as high risk and the remaining one was classified as low risk. The classification of issues is defined as follows:

High Risk: These recommendations relate to a serious weakness which exposes the organisation to a material extent in terms of the achievement of departmental objectives or financial results, or which otherwise impairs KCDC's reputation. Immediate corrective action is required.
Page 1 of 9
Low Risk: A weakness which does not seriously detract from the system of internal control and/or operational effectiveness/efficiency, but which should nevertheless be addressed by management.

Summary of IT General Control Environment Findings

7 Ernst & Young's control findings, its recommendations and Council's responses thereto are discussed below.

8 Change management

Observation (High risk)

We were provided with the change management process document dated February 2011. This document describes the process to be followed for the different IT change types (normal, standard and emergency) within Council. The Change Control Process specifies that change control must ensure that each change is:
- Recorded
- Authorised
- Planned and Implemented
- Reviewed
- Evaluated and Prioritised
- Tested and Documented.

There are two tools to capture changes: ManageEngine for general IT changes and the NCS Service Request module for MagiQ LTP and Budgeting module changes. We noted that although the change process is documented, it is not always followed; not all changes are documented, formally reviewed, tested and captured.

Recommendation

Management should consider:
- Revisiting the Change Management control process documentation and updating it to reflect current KCDC practices.
- Enforcing the use of the Change Management Policy to ensure that all changes are appropriately authorised, tested, approved and monitored, and that evidence is documented.
- Optimising use of the existing change management tools to ensure that all changes are adequately captured.
- Using a version management tool to ensure that KCDC controls and monitors all changes in the production environment.
- Reviewing the system-generated list of changes within the existing Change Advisory Board process.
Council's Response

Council agrees with the recommendation and notes the significance of the implications outlined. Council is actively working on the practical implementation of sound change management processes across the organisation with the objective of mitigating the risks identified.

Current Status
- An updated Change Control Process has been initiated within the ICT team (see the Change Management document attached as Appendix 1).
- The ManageEngine Service Desk application, identified as the Change Management repository with comprehensive workflow and reporting, has been implemented as part of the system audit.
- Changes are authorised by the Change Advisory Board (CAB), which comprises the ICT Manager, the Service Desk Team Leader, the Information Technology Team Lead and other business representatives. The CAB reviews change requests on a weekly basis.

9 User access management processes

Observation (High risk)

KCDC currently has no documented and approved user access management process. To manage user access, a new user form is completed by the responsible manager and submitted to the Help Desk for access provisioning. We were advised that contractors' access is set up in Active Directory with a pre-determined termination date. However, terminated users were often not removed from the systems in a timely manner. This appears to be the result of the timeliness with which employees' departures are communicated to the Help Desk. Periodic user access reviews do not take place.

The current business application users are restricted to a limited number during the implementation phase. We understand this is expected to increase as the MagiQ modules go live.
Recommendation

KCDC should consider:
- Implementing a common user access management process. This process should be documented and include the access request, modification, removal and review processes.
- Ensuring appropriate notification is provided by HR to business units and the Service Desk for terminated employees, so that access to systems is removed in a timely manner.
- Formalising a user access review process so that it is managed through a centralised location to ensure all reviews are completed.
- Implementing regular reviews of user accounts to ensure that access is only granted to users with a need to access a system.
- Ensuring that the individuals who monitor and review these accounts and their associated activities are not administrators within these systems.

Council's Response

Council agrees with the recommendations. Council is currently engaged in a review of the user management processes in place, with the objective of developing and implementing suitable processes to ensure optimal management of the IT infrastructure system.

Current Status
- A user access management process has been initiated (see the Access Management Process attached as Appendix 2).
- Management of user access has been assigned to the Service Desk Team Leader.
- A six-monthly review of current access permissions for the NCS Chameleon MagiQ system is distributed to Line Managers, with requested changes requiring the approval of the Module System Owner.

10 Segregation of duties

Observation (High risk)

We observed that conflicting roles and responsibilities are not clearly defined. Segregation of incompatible duties should be present to avoid conflicts of duty with respect to:

Change Management roles:
- Requesting/approving programme development or programme change
- Programming the development or change
- Moving programmes in and out of production
- Monitoring programme development and changes.
Logical Access granting roles:
- Requesting access, approving access, setting up access, and monitoring access violations/violation attempts
- Performing the rights of a privileged user and monitoring the use of a privileged user.

As MagiQ NCS has only recently been implemented, IT and business user access levels, the access granting process and developer access to the production environment are not formally defined. We have been informed that the number of application users is currently 5, with a target of 50 to 60 users after full transition. As initial implementation efforts wind down and end user numbers increase, segregation of duties needs to move to a more secure and robust state.

Recommendation

KCDC should consider enforcing segregation of duties:
- Both organisationally and logically, to ensure that different individuals/system resources perform access requests, access approval, access provisioning and monitoring of access violations, for both IT privileged users and business end users.
- Ensuring that different individuals perform privileged user access reviews, monitoring of privileged accounts and monitoring of the system-generated list of changes in the production environment. Where this is not possible, Kapiti Coast District Council should consider restricting access to the production environment on an as-required basis and periodically reviewing all access.
- Ensuring that different individuals/system resources perform change requests, change approval, moving programmes in and out of production and monitoring changes, and restricting developer access to the production environment.
- Using a version management tool to ensure that KCDC controls and monitors all changes in the production environment.

Council's Response

Council agrees with the recommendation. The process for identifying and authorising duties is currently being reviewed as part of the overall ITGC systems review, and appropriate implementation will be actioned as a priority.

Current Status

Segregation of duties is a logical outcome of the other processes initiated as part of this audit response:
- Upgrade to the corporate system (MagiQ Enterprise) to be completed in Q2 of the 2015/16 financial year. This provides improved granularity of user roles within the application.
- The Change Process (identified above) has change roles allocated, with a Change Champion empowered to oversee all change. No change is implemented unless it goes through the Change Management Process or is a documented exception.
- The review of general system security settings (see below) has led to the implementation of a programme to remove access to generic and unassigned logins and administrator accounts.
- Management of segregation of duties has been assigned to the ICT Infrastructure Team Leader.

11 General system security settings

Observation (High risk)

Our IT audit procedures include understanding and assessing information security at an organisational level. We noted that whilst some basic security settings have been defined at a system level (e.g. the network password policy), KCDC has no formal information security guidelines in place. These are important to set the tone for how processes are managed in a controlled and secure manner.

Information security describes the activities that relate to the protection of information (financial and operational information produced, distributed and retained) and information infrastructure assets (operating systems, access control mechanisms, databases, applications) against the risks of loss, misuse, disclosure or damage. It is important that management has a common understanding of information security risks and their potential implications for the Council.

Information security guidelines should at a minimum cover:
- Access control, including physical and remote access
- Password settings
- Logs on operating systems and databases
- Configuration baselines for hardware (firewalls, servers, operating systems and databases)
- Security patching
- Incident and problem management
- Antivirus.

Recommendation

We recommend that the New Zealand Information Security Manual (NZISM), updated in November 2014, be considered as a baseline for IT security practices. A definitive way of adding structure is to create information security guidelines in consultation with the business, to ensure the guidelines are relevant to the business as well as to IT. These policies should then be reviewed and approved at least annually so that any adjustments necessitated by changes in the IT environment can be made.
Council's Response

Council agrees with the recommendations, and plans are underway to engage an external consultant to conduct a wide-ranging audit including a general IT architecture review. The recommendations arising from these audits will provide detailed information on both ICT strategy and general IT security, and will form the basis of the implementation of improvements as a priority item.

Current Status
- A comprehensive work plan of updates and improvements to systems and security has been created. As the majority of these changes affect production systems and services, the updates are scheduled in appropriate windows; it is anticipated that all the work will be completed by the end of Q2 of the 2015/16 financial year.
- General system security settings have been assigned to the Infrastructure Team Leader.

12 Backup operations

Observation (Low risk)

KCDC has no backup policy or disaster recovery policy that details the process, including the means, frequency and retention period for backups. Current practice is to assign backup and batch operations responsibilities by way of individual employee job descriptions. Management advised that a draft procedure exists for SLAs that should help in defining what the business requires from IT disaster recovery management. However, the draft procedure has not been updated to reflect KCDC's current operational and regulatory needs, and has not been approved and adopted by Council.

We also noted that actions taken to resolve backup issues are not recorded, and therefore we were unable to determine that corrective action had been taken for failed backups.

No formalised process for the testing of backups exists. We understand that backups are tested on demand when the business needs to restore data. However, backups are not tested on a systematic or predefined basis, which increases the risk of failing to restore data if required.

Recommendation

Management should consider:
- Reviewing current backup operations and approving backup retention periods as part of the backup policy that is being developed. Business and system owners, in consultation with IT, should authorise and define the retention periods to ensure that these are practical and appropriate.
- Retaining backup logs for all applications and recording corrective actions using the centralised incident management procedures.
- Implementing activities designed to perform regular testing of the DLT tapes stored offsite at the EOC centre, ensuring that critical data can be restored as and when it is required.
- Performing disaster recovery testing at the offsite DR site using data synced by the rsync tool.

Council's Response

Council agrees with the observation. Current backup operations are in place; however, these processes are being reviewed along with the wide-ranging audit and general IT architecture review. A comprehensive revision of the Backup and Disaster Recovery plan is to be developed in Q2 of the 2015/16 financial year. This is to align with the ICT strategy and the programme of work designed to improve district-wide connectivity for Council services.

Current Status
- An audit of current backup tools and applications has been completed.
- A Request for Information is in draft for a comprehensive, council-wide system monitoring tool.
- Management of backup operations has been assigned to the Infrastructure Team Leader.

Overall Progress of Work Programme to Address IT General Control Environment Findings

13 It is anticipated that the implementation of the work programme will take 3-6 months, at the end of which all of the control findings will be resolved. It should be noted that while Ernst & Young's findings relate only to the Council's 2014/15 Annual Report and 2015-35 Long Term Plan, the formal work programme being implemented to address the findings has been adapted to encompass all aspects of Council's operations.

14 Furthermore, addressing all aspects of the findings necessarily requires significant periods of downtime to variously diagnose, implement and test Council's ICT systems.

15 In the second quarter of the 2015/16 financial year, Ernst & Young will be engaged to review the Council's progress against its findings, to ensure that progress is being made and that the significant risks highlighted are being appropriately managed.

CONSIDERATIONS

Policy considerations

16 The implementation of the work programme has resulted in the creation of two new corporate policies:
- IT Change Management Policy
- System Access Permissions Policy.
17 The policies will become operative following approval by the Senior Leadership Team.

Legal considerations

18 There are no legal considerations.

Financial considerations

19 The costs relating to the matters outlined in this report will be covered within the current Annual Plan budget.

Tāngata whenua considerations

20 There are no tāngata whenua considerations.

SIGNIFICANCE AND ENGAGEMENT

Degree of significance

21 This matter has a low level of significance under Council policy.

Consultation already undertaken

22 Due to the nature of the decision being made, no consultation process is required to be undertaken.

Engagement planning

23 An engagement plan is not needed to implement this decision.

Publicity

24 There are no publicity issues to be considered at this stage.

RECOMMENDATIONS

25 That the Audit & Risk Subcommittee notes the progress of the formal work programme that is being implemented to address the issues raised by Ernst & Young in its Report on IT Control Environment Assessment and Recommendations.

26 That the Audit & Risk Subcommittee notes that in the second quarter of the current financial year, Ernst & Young will review the Council's progress against its recommendations.

Report prepared by: Mark de Haast, Financial Controller
Approved for submission: Stephen McArthur, Group Manager Strategy & Planning
Approved for submission: Wayne Maxwell, Group Manager Corporate Services

Appendix 1 - Change Management document
Appendix 2 - Access Management Process