Performance Audit of the San Diego Convention Center s Information Technology Infrastructure JULY 2012



Similar documents
Performance Audit of the San Diego Convention Center s HR Systems AUGUST 2014

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Attachment A. Identification of Risks/Cybersecurity Governance

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

whitepaper Ten Essential Steps for Achieving Continuous Compliance: A Complete Strategy for Compliance

State of Oregon. State of Oregon 1

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

Best Practices for PCI DSS V3.0 Network Security Compliance

Managed Services. Business Intelligence Solutions

OFFICE OF AUDITS & ADVISORY SERVICES SHAREPOINT SECURITY AUDIT FINAL REPORT

5 Reasons Your Business Needs Network Monitoring

Audit of NRC s Network Security Operations Center

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

Security aspects of e-tailing. Chapter 7

Security for NG9-1-1 SYSTEMS

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Data Management Policies. Sage ERP Online

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

BKDconnect Security Overview

OCIE CYBERSECURITY INITIATIVE

INCIDENT RESPONSE CHECKLIST

Prepared by: OIC OF SOUTH FLORIDA. May 2013

Cloud Computing Governance & Security. Security Risks in the Cloud

Office of Inspector General

SANS Institute First Five Quick Wins

CounselorMax and ORS Managed Hosting RFP 15-NW-0016

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

Information and Communication Technology. Firewall Policy

Ohio Supercomputer Center

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

Security and Control Issues within Relational Databases

10 Steps to Establishing an Effective Retention Policy

Information Technology Services

Information Technology Branch Access Control Technical Standard

PeopleSoft IT General Controls

Attachment E. RFP Requirements: Mandatory Requirements: Vendor must respond with Yes or No. A No response will render the vendor nonresponsive.

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m.

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Guidance for Industry Computerized Systems Used in Clinical Investigations

Hardware Inventory Management Greater Boston District

Summary of CIP Version 5 Standards

FINAL May Guideline on Security Systems for Safeguarding Customer Information

CYBER SECURITY POLICY For Managers of Drinking Water Systems

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

Projectplace: A Secure Project Collaboration Solution

Sample Employee Agreement for Business Use of Employee-Owned Personal Computing Devices (Including Wearables 1 )

IBX Business Network Platform Information Security Controls Document Classification [Public]

Application Security in the Software Development Lifecycle

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB Cyber Risk Management Guidance. Purpose

Department of Public Utilities Customer Information System (BANNER)

Seven Practical Steps to Delivering More Secure Software. January 2011

PC Proactive Solutions Technical View

Corporate Leadership Council Metrics

Securing Oracle E-Business Suite in the Cloud

Altius IT Policy Collection Compliance and Standards Matrix

Information and Communication Technology. Patch Management Policy

June 2008 Report No An Audit Report on The Department of Information Resources and the Consolidation of the State s Data Centers

Complying with the Federal Information Security Management Act. Parallels with Sarbanes-Oxley Compliance

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Next. CDS 2015 Survey Module 7 Information Security Survey Errata

Remote Infrastructure Support Services & Managed IT Services

Information Technology Security Review April 16, 2012

Attaining HIPAA Compliance with Retina Vulnerability Assessment Technology

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

Next. CDS 2015 Survey Module 7 Information Security Survey Errata

Version: Page 1 of 5

Firewall Change Management

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

For more information on how to build a HIPAA-compliant wireless network with Lutrum, please contact us today!

Tailored Technologies LLC

Austin Fire Department Worker Safety Audit

Table of Contents Cicero, Inc. All rights protected and reserved.

Southern Law Center Law Center Policy #IT0004. Title: Policy

Namibia Internal Audit Survey

The Firewall Audit Checklist Six Best Practices for Simplifying Firewall Compliance and Risk Mitigation

Foundstone ERS remediation System

SRA International Managed Information Systems Internal Audit Report

Transcription:

Performance Audit of the San Diego Convention Center s Information Technology Infrastructure JULY 2012 Audit Report Office of the City Auditor City of San Diego

This Page Intentionally Left Blank

July 19, 2012 Carol Wallace, President and Chief Executive Officer San Diego Convention Center Transmitted herewith is an audit report on the San Diego Convention Center s IT Infrastructure. We have completed this report as requested by the Convention Center. This report is presented in accordance with City Charter Section 39.2. Management s response to the report is presented on page 8. We would like to thank the Convention Center s staff for their assistance and cooperation during this audit. All of their valuable time and efforts spent providing us information is greatly appreciated. The audit staff responsible for this audit report are Stephen Gomez, Toufic Tabshouri, and Chris Constantin. Respectfully submitted, Eduardo Luna City Auditor cc: City of San Diego Audit Committee Members OFFICE OF THE CITY AUDITOR 1010 SECOND AVENUE, SUITE 1400 SAN DIEGO, CA 92101 PHONE (619) 533-3165 FAX (619) 533-3036 TO REPORT FRAUD, WASTE, OR ABUSE, CALL OUR FRAUD HOTLINE (866) 809-3500

This Page Intentionally Left Blank

Table of Contents Introduction 1 Objectives, Scope, and Methodology 2 Audit Results 3 SDCC Has Reduced Internal IT Risks Through Outsourcing 3 Conclusion 7 Management s Comments 8

This Page Intentionally Left Blank

Introduction The City Auditor s Office (OCA) conducted a performance audit of the San Diego Convention Center s (SDCC) information technology network infrastructure. We performed this audit at the request of SDCC and in accordance with the terms of a Service Level Agreement with SDCC. This audit was the first of four potential audits identified by a high-level risk assessment that we had previously performed for SDCC. The purpose of this audit was to evaluate some of the primary risk areas in SDCC s information technology (IT) environment. Those risk areas are: 1. IT infrastructure operations and security; 2. The financial system; 3. The outsourced human resources system contract; and 4. The management of IT system implementations; specifically, the implementation of the customer relationship management system. OCA-13-002 Page 1

Objectives, Scope, and Methodology Our main audit objective was to identify security and operational risks to SDCC s IT infrastructure. We performed a risk assessment of SDCC s IT environment, including a high-level review of the main applications, operating systems, and network infrastructure. We performed a more detailed assessment SDCC s infrastructure security and operations. We reviewed SDCC s IT infrastructure as of June 14, 2012. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. OCA-13-002 Page 2

Audit Results SDCC Has Reduced Internal IT Risks Through Outsourcing Our audit did not have any significant findings, but we noted several opportunities for improving IT controls and enhancing IT security. We evaluated existing IT practices at SDCC against established professional guidelines for IT management. 1 The main reason why we did not find any significant issues is that SDCC has pursued a strategy of outsourcing its high-risk IT functions, including its human resources system and the IT maintenance and support for its financial system. While SDCC has lowered its in-house risks through outsourcing, we identified some minor issues that SDCC management should address to further improve network security regarding IT documentation, segregation of duties, and network activity logs. SDCC Has Limited Governing Documentation for Information Technology Security Policy We noted several opportunities for creating or improving existing IT documentation. Documentation of policies is important for several reasons. The first is that documentation serves to preserve institutional knowledge, which is crucial in the event of employee turnover. The second reason is that policy review and approval by management educates management on information technology issues and provides them an opportunity to shape the policies. Lastly, having formal policies facilitates the enforcement of good security practices across the organization. The Information Systems Department (IS Department) has created a security policy, but this policy is not dated and has not been formally approved by SDCC management. Professional guidance on IT policies recommends that policies be approved by management and dated. Dating policies is important in order to facilitate tracking effective policy dates, changes, and revisions. Furthermore a review of the record of changes provides insight into the frequency at which policies are being 1 Most of our audit criteria were derived from Control Objectives for Information and Related Technologies (COBIT), which is a framework for IT governance and management published by the Information Systems Audit and Control Association (ISACA). OCA-13-002 Page 3

updated to meet the changing needs of an organization. This is particularly important in information technology, where change is constant. Security Strategy SDCC does not have a documented security strategy. Professional guidance recommends the creation of a security strategy to insure that threats to information have been identified, that risks have been evaluated, and that the organization has either accepted these risks or taken measures to prevent or mitigate them. Key Daily Operations For the same reasons of knowledge management mentioned earlier, all required tasks pertaining to the daily IT operations of SDCC should be documented. Examples of these tasks include the activities of the network engineer, such as monitoring network traffic, ensuring backup runs are performed, updating and patching servers and desktops, reviewing network logs, and trending issues and problems to identify common causes. Server States Although SDCC servers are now virtualized, 2 the information technology function should still provide documentation on the state of key servers such as the ones that operate the financial system and store nightly backups. Such information includes a listing of all the software that is installed on the server, special or specific configuration settings, and the services (such as programs that run in the background) that run on it. Server state documentation entails an allow list showing which services are permitted to run and which are run. This documentation is important to enable verification that a server is configured correctly and not running unauthorized programs. Additional Segregation of Information Technology Functions Can Enhance Controls Segregation of duties is an important control principle that reduces the likelihood that a single employee can hijack critical processes and make changes without approval or detection. Small IS Departments normally find it difficult to implement checks by segregating high-risk employee duties, because they do not have not enough employees to share the work. The SDCC IS Department employs one senior network engineer who 2 Virtualization is a trend in information technology management that utilizes software to present the appearance of discrete pieces of hardware to computer users. In reality, there is no separate physical hardware component. Virtualization is popular because it reduces hardware purchase costs facilitates management of various IT processes. OCA-13-002 Page 4

supervises two junior staffers, all of whom have the same level of access to SDCC systems. The Department has taken steps to mitigate risk by outsourcing critical functions such as IT support for SDCC s financial system. However, the Department should take additional measures and implement compensating controls and alerts. For example, backup of network activity is currently performed by the network engineer. To improve controls, periodic testing and restoration of the backups should be performed by one of the junior employees to ensure the backup systems work. The IS Department should document all critical processes such as backup, server updates, security monitoring, and then attempt to assign responsibility for each process to more than one employee. Full segregation of duties is not a realistic goal, since employees in small departments are cross trained and need access to perform the duties of other employees who are on leave or otherwise unavailable. In such cases, however, critical or high risk activities should be logged in a secure location and reviewed by the IS Director on a regular basis. Network Activity Logs Operate At Default Settings The logging of network activity at SDCC has been left at default server settings, and the retention period for logs is at the default setting as well. Professional guidance indicates that logging should be tailored to environmental risks in order to capture important events and minimize the amount of data that is logged. Minimizing logged data is important because large log files are difficult to review and consequently less likely to be reviewed. Logging activities can be further divided into security and troubleshooting logs, based on the particular activity or event. Examples of events that should be logged are remote access logins (especially outside normal business hours) and logins to the financial system. The logs should include enough information to be useful for security analysis, containing information such as the user who logged in, systems accessed, and core activities while accessing these systems. In addition, log files should be stored in a restricted location. Where possible, Segregation of Duties should be enforced for the access to the logs, where the IT personnel responsible for performing certain high risk activities should not monitor that activity or have the ability to modify the logs. At this time, all IT OCA-13-002 Page 5

employees have access to the activity logs, which are stored locally and appear to be geared more for troubleshooting than for security. In addition to establishing the optimal logging activity for SDCC, the logs should be reviewed on a regular basis and the appropriate monitoring reports should be created. If a log is not monitored or used, it should not be activated as it is only consuming resources without a benefit. Monitoring activities is an important element of network security to insure that highrisk events are reviewed by the appropriate IT personnel. OCA-13-002 Page 6

Conclusion We would like to thank SDCC and the IS Department staff for their help on this audit; we could not have conducted our audit in such a short timeframe without their assistance. Our suggestions for improvement involve documenting current practices and enhancing certain control and monitoring activities. Implementing those suggestions will improve the security of network operations, and bring SDCC practices in line with professional guidelines. We look forward to working with you in the future. OCA-13-002 Page 7

Management s Comments The San Diego Convention Center Corporation s management would like to thank the City Auditors for their thorough audit of our information systems technology infrastructure. We are certainly pleased that the audit did not have any significant findings. Based on the auditor s recommendations, the Information Systems (IS) department will take to opportunity to make enhancements in the following areas. Information Technology documentation for the security policy, security strategy, and daily operations will be enhanced in order to preserve institutional knowledge. Regarding server state, since Microsoft Windows Server 2008 R2 is based on least access roles. We only install the role or roles necessary for an application or service to operate correctly and we currently separate applications by assigning them to a unique virtual server. We have created a server and application list which will be used as a baseline. We can then compare any new services or applications to the baseline and ensure that any changes are identifiable. Additional Segregation of Information Technology Functions has been achieved due to a recent staffing change that allowed the IS department to segregate the information technology functions. Network Activity Logs Operating at Default Settings: The network activity logs produced by the Microsoft 2008 R2 operating system although set at its default level are appropriate for the high level of post event activity that the IS department has deemed necessary in order to investigate server issues. The logs will continue to be monitored on a daily basis by the network engineer and all critical or high risk activities will continue to be reviewed by the IS Director. Again thank you and we look forward to working with you again in the future. OCA-13-002 Page 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information