FINAL. Internal Audit Report. Data Centre Operations and Security



Similar documents
How To Write An Audit And Governance Committee Report On An Itd Plan

FINAL Internal Audit Report. IT Disaster Recovery

Final. Internal Audit Report. Creditors System

FINAL. Internal Audit Report. Employees Travel and Subsistence Expenses 2014/15

SUBJECT: REPLACEMENT OF CORPORATE ELECTRONIC DATA STORAGE, BACKUP AND DISASTER RECOVERY SOLUTIONS

Summary of Information Technology General Control Environment Findings for the year ended 30 June 2015

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

Network Security Policy

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

Appendix 6c. Final Internal Audit Report Disaster Recovery Planning. June Report 6c Page 1 of 15

Rotherham CCG Network Security Policy V2.0

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October Document Author(s) Collette McQueen

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT IT IT Backup, Recovery and Disaster Recovery Planning

ULH-IM&T-ISP06. Information Governance Board

IT REVIEW OF THE DISASTER RECOVERY ARRANGEMENTS

Joint Audit Report for South Lakeland District Council. & Eden District Council

JOB DESCRIPTION CONTRACTUAL POSITION

Dacorum Borough Council Final Internal Audit Report. IT Business Continuity and Disaster Recovery

Mike Casey Director of IT

University of Sunderland Business Assurance Information Security Policy

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction Policy Statement Purpose...

Balancing and Settlement Code BSC PROCEDURE BSCP537. QUALIFICATION PROCESS FOR SVA PARTIES, SVA PARTY AGENTS AND CVA MOAs

IT Assurance - Business Continuity and Disaster Recovery

How To Audit Health And Care Professions Council Security Arrangements

How To Protect Decd Information From Harm

Interim Audit Report. Borough of Broxbourne Audit 2010/11

Aberdeen City Council IT Security (Network and perimeter)

Data Quality Strategy 2006/2008

Service Children s Education

Birkenhead Sixth Form College IT Disaster Recovery Plan

How To Ensure Network Security

Auditing in an Automated Environment: Appendix C: Computer Operations

It s the Business! Business continuity considerations for all organisations

Policy Document. IT Infrastructure Security Policy

Physical Security Policy

2.1 To define the backup strategy for systems and data within the Cape Winelands District Municipality (CWDM).

RECORDKEEPING MATURITY MODEL

Recommendations which have been implemented have been removed from this report. The original numbering of recommendations has been retained.

Aberdeen City Council IT Disaster Recovery

Five Star Occupational Health and Safety Audit Specification document 2013

Disaster Recovery and Business Continuity Plan

Information Security Incident Management Policy September 2013

Internal Audit Progress Report Performance and Overview Committee (19 th August 2015) Cheshire Fire Authority

1 Purpose Scope Roles and Responsibilities Physical & Environmental Security Access Control to the Network...

How To Protect School Data From Harm

NORTH HAMPSHIRE CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY MANAGEMENT POLICY AND PLAN (COR/017/V1.00)

Network Security Policy

911 Data Center Operations Performance Audit

INTERNAL AUDIT 2008/09 INFORMATION TECHNOLOGY (BUSINESS CONTINUITY)

Policy Document. Communications and Operation Management Policy

Nine Steps to Smart Security for Small Businesses

APPENDIX 7. ICT Disaster Recovery Plan

Internal Audit Report Business Continuity Planning Arrangements

Ohio Supercomputer Center

AUDIT GUIDELINES FOR SCHOOL DISASTER RECOVERY PLANNING

Operational Risk Publication Date: May Operational Risk... 3

Appendix 1C. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA PAYROLL CONTROL FRAMEWORK

Audit and Governance Committee Report. 4 July quarter. Internal audit activity report. one 2011/2012 1/2012. Purpose of Report. Report No.

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.

Avon & Somerset Police Authority

Information Services IT Security Policies B. Business continuity management and planning

Information Governance Policy (incorporating IM&T Security)

RECORDS MANAGEMENT RECORDS MANAGEMENT SERVICES. Cost-Effective, Legally Defensible Records Management

Internal Audit Monitoring Report. Audit Report status Assurance. Payroll Final Limited

University of Liverpool

Internal Audit Strategic and Annual Plans 2015/16

NETWORK SECURITY POLICY

Service Level Agreement: Support Services (Version 3.0)

San Francisco Chapter. Information Systems Operations

Karen Winter Service Manager Schools and Traded Services

Business Continuity Planning and Disaster Recovery Planning

Internal Audit Final Report Strategic Finance Accounts Receivable March 2014

Hong Kong Baptist University

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service)

Network & Information Security Policy

Transcription:

FINAL Internal Audit Report Data Centre Operations and Security Document Details: Reference: Report nos from monitoring spreadsheet/2013.14 Senior Manager, Internal Audit & Assurance: ext. 6567 Engagement Manager: Auditor: Date: 17 September 2014 This report is not for reproduction publication or disclosure by any means to unauthorised persons. Page 1

1. EXECUTIVE SUMMARY 1.1 INTRODUCTION As part of the 2014/15 Internal Audit Plan an audit of the Data centre operations and security was carried out. The objective of this review is to evaluate the security of the data centre, in particular the following areas: data centre policies and procedures are defined, documented, and communicated for all key functions; Council systems are secured to prevent unauthorised access (including 3rd party access); access to the data centre is monitored and reviewed, and access rights are periodically reviewed; data is backed up from servers held at the civic data centre; data transferred off site is secured at all times and appropriate controls are in place to monitor the location of the data; environmental controls are present to protect the servers from fire, electrical and water damage; capacity for the data centre is adequate for the server rooms equipment and storage needs; environmental equipment is routinely maintained in line with manufacturer recommended schedules; and backup electricity supplies are in place to ensure systems and services are not affected in the event of a power outage. 1.2 OVERALL OPINION The overall opinion of this review is significant assurance. There are some areas that are appropriately managed and in line with acceptable good practice, including: A computer room policy has been developed and is reviewed on an annual basis; Backup schedules are in place and failed backups are monitored and actioned by ICT staff; An offsite location is used for storage of backup tapes; and Storage capacity for the data centre is considered adequate based on the plans of ICT. However, we also identified a number of areas that require improvement, and have thus led to the limited assurance rating: Failure to test restores of critical applications regularly; Lack of documented back up policy and procedures; Excessive computer room access; A lack of regular review of the computer room access; Page 2

Lack of formalised computer room training as required by the computer room policy; Lack of a visitors register in the computer room, as required by the computer room policy; Lack of a fire suppression system; and The backup process is inefficient due to the increase of data over the last five years. Recommendations 7 and 8 are included for completeness. Management have agreed a response to these recommendations in the Disaster Recovery audit report. These recommendations have not influence the overall opinion. Overall Audit Opinion Full assurance Full assurance that the system of internal control meets the organisation s objectives and controls are consistently applied. Significant assurance Limited assurance No assurance Significant assurance that there is a generally sound system of control designed to meet the organisation s objectives. However, some weaknesses in the design or inconsistent application of controls put the achievement of some objectives at some risk. Limited assurance as weaknesses in the design or inconsistent application of controls put the achievement of the organisation s objectives at risk in some of the areas reviewed. No assurance can be given on the system of internal control as weaknesses in the design and/or operation of key control could result or have resulted in failure(s) to achieve the organisation s objectives in the area(s) reviewed. Page 3

2. SUMMARY OF CONCLUSIONS 2.1 The conclusion for each control objective evaluated as part of this audit was as follows: Control Objective Assurance Full Significant Limited None CO1: data centre policies and procedures are defined, documented, and communicated for all key functions; CO2: Council systems are secured to prevent unauthorised access (including 3rd party access); CO3: access to the data centre is monitored and reviewed, and access rights are periodically reviewed; CO4: data is backed up from servers held at the data centre; CO5: data transferred off site is secured at all times and appropriate controls are in place to monitor the location of the data; CO6: environmental controls are present to protect the servers from fire, electrical and water damage; CO7: capacity for the data centre is adequate for the server rooms equipment and storage needs CO8: environmental equipment is routinely maintained in line with manufacturer recommended schedules CO9: backup electricity supplies are in place to ensure systems and services are not affected in the event of a power outage 2.2 The recommendations arising from the review are ranked according to their level of priority as detailed at the end of the report within the detailed audit findings. Recommendations are also colour coded according to their level of priority with the highest priorities highlighted in red, medium priorities in amber and lower priorities in green. In addition, the detailed audit findings include columns for the management response, the responsible officer and the time scale for implementation of all agreed recommendations. 2.3 Where high recommendations are made within this report it would be expected that they should be implemented within three months from the date of the report to ensure that the major areas of risk have either been resolved or that mitigating controls have been put in place and that medium and low recommendations will be implemented within six and nine months respectively. Page 4

3. LIMITATIONS REGARDING THE SCOPE OF THE AUDIT The scope of our work will be limited to those areas outlined above. 4. ACKNOWLEDGEMENTS Audit would like to thank all involved for their assistance during this review. Page 5

5. DETAILED AUDIT FINDINGS Ref. Priority Findings Risk Arising/ Consequence CO1: Policies and Procedures 1 Low Lack of Backup Policy and Procedures On inspection of the Computer room policy, it was noted that the document does not contain any details on the backup policy and procedure. We accept that the off-site backup storage arrangements are detailed in the IT Disaster Recovery document. In the absence of a documented backup policy and procedure, there is an increased risk that backups are not performed in line with ICT s requirements. This may result in the loss of data, interruption of ICT services and operational difficulties. Recommendation Management Response Responsibility and Timescale We recommend that the Computer Room policy is expanded to include the backup cycle, backup transit and storage arrangements. The Computer Room Policy and description of the data back-up and restore service are given in two separate documents. These can be combined, giving the back-up and restore weight by placing it into policy. Service Operations Manager, End November 2014. Recommendation Implemented (Officer & Date) CO2: Access to the data centre 2 High Excessive access to Computer Room On inspection of the access list dated 14 August 2014, we noted that there are a total of 65 access cards that provide staff access to the County Hall computer room. Examples of these include the following: 20 temporary passes held by Reception; Senior Internal Auditor; Unauthorised/inappro priate physical access to the computer room may result in accidental or malicious damage to ICT equipment resulting in loss of data, interruption of ICT services and operational difficulties. The access to all computer rooms should be restricted to and other who require access to perform their responsibilities. The access list should be reviewed by management on a regular basis to ensure that the access granted is valid. Proof of the review should be maintained. The current security group used within the Door Access Control System (Net2) to cover the computer rooms is also shared with other duty staff requiring access 'all hours, all doors'. This is inappropriate, as some staff will require open access to most areas, but not the computer areas. S&CA have already arranged with Facilities to create a Technical Services manager, end November 2014.

Ref. Priority Findings Risk Arising/ Consequence Audit assistant Two members of the applications team; One staff member from Adult Services & Health; One staff member from Children s Services; Six temporary contractors; and One leaver who has not yet been removed. We accept that part of the issues arises due to Reception issuing an all hours all doors pass, that is out of the control of ICT. Recommendation Management Response Responsibility and Timescale dedicated access group for Computer rooms. This will be used for appropriate staff who require access to the computer rooms only. Access to the computer rooms will be removed from the 'all hours, all doors' group. Recommendation Implemented (Officer & Date) 3 Medium Computer Room Access Logging The computer room policy states that access to the central computer rooms must be logged. For regular staff this can be via the automated Access Control System, for other staff, this must be via an electronic or manual booking system administered centrally. The 'booking system' should Unauthorised/inappro priate physical access to the computer room may result in accidental or malicious damage to ICT equipment resulting in loss of data, interruption of ICT services and operational difficulties. Where non authorised staff require access to the computer room, they should be accompanied by a member of the ICT team and their access logged (utilising an access log form). The log should be reviewed by Management on a regular basis (monthly), to identify any unauthorised access. Agreed, S&CA will create a manual logging process that can be used to record access for individuals that do not have access right to the computer room within their own responsibility. Will record Date/time Who requires access Reason for access Technical Services manager, end November 2014.

Ref. Priority Findings Risk Arising/ Consequence show name of the person accessing the computer room, data and time from and until, reason for access and detail of work to be carried out. We noted that there is no booking system in place for visitors. Recommendation Management Response Responsibility and Timescale Recommendation Implemented (Officer & Date) 4 Low Computer Room Training The computer room policy states that access is granted once users have received training. There is currently no proof of the training. We understand that the training is currently verbal and there is an intention for ICT to implement an online training course going forward. A lack of training may result in staff not understanding the controls appropriate for the computer room. This may result in accidental or malicious damage to ICT equipment resulting in loss of data, interruption of ICT services and operational difficulties. A formalised training programme should be developed, that includes details of the policies and procedures staff must follow, guidance on escalation and roles and responsibilities. Evidence of a formal training record should be maintained. S&CA are working in conjunction with Development and Training to derive an on-line Computer Room Access course to be completed by staff before being allowed access to the computer rooms. Service Operations Manager, and Development and Training End December 2014. CO3: Management review of data centre access 5 Medium Access List Reviews Access list reviews are performed on an ad-hoc basis. The last review was performed in February 2014. We noted that there are many users on the access list that should not have access to the computer room. See CO2 Unauthorised/inappro priate physical access to the computer room may result in accidental or malicious damage to IT equipment resulting in loss of data, interruption of IT services and operational difficulties. We recommend that computer room access lists are reviewed more formally on a regular basis, and proof of review is retained. As a minimum the recommended guidance is every 3 months. Agreed, this is good practice and will be scheduled within the team. Service Operations Manager, End November 2014.

Ref. Priority Findings Risk Arising/ Consequence above for details. In addition there is no evidence of the access review. Recommendation Management Response Responsibility and Timescale Recommendation Implemented (Officer & Date) CO4: Data is backed up 6 Medium New Backup System Netbackup, the backup system currently in use by the Council, was implemented five years ago. Since the implementation, there has been a 12% annual growth of the data that requires backup. The backup process has thus become very slow and inefficient. We understand that a budget for the implementation of a new backup system has already been approved and will form part of the commissioning process. In the event that a disaster occurs and data is not appropriately backed up, inability to recover the data may result in critical business functions not being recovered in a timely, accurate and controlled fashion. This could result in the loss of data, interruption of ICT services and operational difficulties Implement a backup system that is scalable and therefore can cope with the level of data growth within the Council. This system should cope with the demands of Council and projected changes to occur. The review of the back-up process will be done by HP as the new Service Provider, in conjunction with S&CA, to achieve a solution that will be strategic for the needs of the Council and in line with HP support model going forward Service Operations Manager, September 2015. 7 High Key System restores We noted that restores for key systems (SAP and Framework i) are not performed on a regular basis, and no restore documentation is retained. Refer to IT Disaster Management should develop a policy on how often restores will be performed and retain all supporting documentation Refer to IT Disaster Refer to IT Disaster Recovery report Refer to IT Disaster Refer to IT Disaster Recovery

Ref. Priority Findings Risk Arising/ Consequence report, section CO4: What testing is performed to validate IT Disaster Recovery, how the outcomes are reported and corrective actions implemented, issue 5. Recommendation Management Response Responsibility and Timescale Recommendation Implemented (Officer & Date) CO6: Environmental controls are present to protect the servers 8 High Fire suppression system Refer to IT Disaster There is no fire suppression system in place. Refer to IT Disaster Refer to IT Disaster Refer to IT Disaster Recovery report Refer to IT Disaster For more details, refer to IT Disaster, section CO3: Whether inclusion of end-to-end recovery processes and the identification of interfaces between dependent and feeder systems are understood within the ITDR Plan(s), issue 3. Key to Priorities: High Medium Low This is essential to provide satisfactory control of serious risk(s) This is important to provide satisfactory control of risk This will improve internal control

Limitations relating to the Internal Auditor's work The matters raised in this report are limited to those that came to our attention, from the relevant sample selected, during the course of our audit and to the extent that every system is subject to inherent weaknesses such as human error or the deliberate circumvention of controls. Our assessment of the controls which are developed and maintained by management is also limited to the time of the audit work and cannot take account of future changes in the control environment.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information