DIA Network Security Management Follow-up Report




March 2015
Office of the Auditor, Audit Services Division
City and County of Denver
Dennis J. Gallagher, Auditor

The Auditor of the City and County of Denver is independently elected by the citizens of Denver. He is responsible for examining and evaluating the operations of City agencies for the purpose of ensuring the proper and efficient use of City resources and providing other audit services and information to City Council, the Mayor and the public to improve all aspects of Denver's government. He also chairs the City's Audit Committee, which consists of seven members. The Audit Committee assists the Auditor in his oversight responsibilities of the integrity of the City's finances and operations, including the integrity of the City's financial statements. The Audit Committee is structured in a manner that ensures the independent oversight of City operations, thereby enhancing citizen confidence and avoiding any appearance of a conflict of interest.

Audit Committee
Dennis Gallagher, Chair
Maurice Goodgaine
Leslie Mitchell
Rudolfo Payan
Robert Bishop
Jeffrey Hart
Timothy O'Brien, Vice Chair

Audit Management
Kip Memmott, Director, MA, CGAP, CRMA
John Carlson, Deputy Director, JD, MBA, CIA, CGAP, CRMA
Audrey Donovan, Deputy Director, CIA, CGAP, CRMA

Audit Staff
Shannon Kuhn, IT Audit Supervisor, CISA
Nicholas Jimroglou, Lead IT Auditor, CISA
Jakki Boline, Senior IT Auditor
Karin Doughty, Senior IT Auditor, CISA

You can obtain copies of this report by contacting us at:
Office of the Auditor
201 West Colfax Avenue, Department 705
Denver CO, 80202
(720) 913-5000, Fax (720) 913-5247

Or download and view an electronic copy by visiting our website at: www.denvergov.org/auditor

Report number A2012-015

City and County of Denver
201 West Colfax Avenue, Department 705
Denver, Colorado 80202
720-913-5000, Fax 720-913-5247
www.denvergov.org/auditor
Dennis J. Gallagher, Auditor

March 16, 2015

Ms. Kim Day, Chief Executive Officer
Department of Aviation
City and County of Denver

Re: DIA Network Security Management Audit Follow-up Report

Dear Ms. Day:

In keeping with professional auditing standards and the Audit Services Division's policy, as authorized by D.R.M.C. 20-276, our Division has a responsibility to monitor and follow up on audit recommendations to ensure audit findings are being addressed and to aid us in planning future audits. This report is to inform you that we have completed our follow-up effort for the DIA Network Security Management audit issued September 19, 2013.

Our review determined that DIA Technologies has implemented sixteen of the seventeen recommendations made in the audit report. For your reference, this report includes a Highlights page that provides background and summary information on the original audit and the completed follow-up effort. Following the Highlights page is a detailed implementation status update for each recommendation. With regard to the one recommendation that was not implemented, we determined that it would have been completed if not for the dependence on other departments to review, approve, and install the door configuration.

This concludes audit follow-up work related to this audit. I would like to express our sincere appreciation to you and to the DIA Technologies personnel who assisted us throughout the audit and follow-up process. If you have any questions, please feel free to contact me at 720-913-5027 or Shannon Kuhn, IT Audit Supervisor, at 720-913-5159.

Sincerely,

Kip Memmott, MA, CGAP, CRMA
Director of Audit Services

KRM/sk

cc: Honorable Michael Hancock, Mayor
Honorable Members of City Council
Members of Audit Committee
Ms. Cary Kennedy, Deputy Mayor, Chief Financial Officer
Ms. Janice Sinden, Chief of Staff
Mr. David P. Edinger, Chief Performance Officer
Ms. Beth Machann, Controller
Mr. Scott Martinez, City Attorney
Ms. Janna Young, City Council Executive Staff Director
Mr. L. Michael Henry, Staff Director, Board of Ethics
Mr. Robert Kastelitz, Deputy Manager of Aviation and Chief Information Officer
Mr. Chris Larivee, Director of Operations, Technologies

To promote open, accountable, efficient and effective government by performing impartial reviews and other audit services that provide objective and useful information to improve decision making by management and the people. We will monitor and report on recommendations and progress towards their implementation.

REPORT HIGHLIGHTS
DIA Network Security Management Follow-up Report: March 2015

Denver International Airport has implemented sixteen of the seventeen recommendations made in the 2013 audit report.

Background
The DIA network is physically large and has equipment housed in over 190 locations both on and off the airport property. The Technologies department at Denver International Airport (DIA Technologies) supports the data network infrastructure used by DIA business and security systems. DIA Technologies also provides network services to concessionaires who purchase internet access from DIA, but it does not manage infrastructure used by other concessionaires, airlines, and federal agencies, such as the Transportation Security Administration (TSA).

Purpose
The purpose of the audit was to test whether information security policies are adequate; personnel are experienced, qualified, and trained; network equipment is physically protected from unauthorized access; environmental controls protect the safety of both equipment and personnel; network inventories are accurate; malware protection is effective; and equipment rooms are compliant with DIA physical security standards.

Highlights from Original Audit
The audit found three areas where controls needed improvement and five areas where controls were well designed. Improvements were recommended in the areas of physical access controls; environmental controls related to fire, health, and safety; and information and physical security policy. Specifically:

1. In 70 percent of the sites we tested, door locks were not working, equipment areas were not adequately isolated from public access, or management was not monitoring room access.
2. Nearly all equipment rooms were non-compliant with the DIA physical security standards in at least one area, ranging from a lack of current fire inspections to unhealthy environmental conditions.
3. Several policies and standards needed to be expanded, updated, and enforced.

Audit tests demonstrated that DIA Technologies has exceptional controls in the following five areas:

- An excellent information security awareness training program
- Highly effective anti-malware prevention controls
- Good network equipment inventory controls
- An improved information security management system
- Appropriate staffing to support a strong network security administration function

Findings at Follow-up
DIA Technologies has completed all of the recommendations made in the 2013 audit report, with the exception of a physical device that still needs to be installed to isolate a data center door from the public.

For a complete copy of this report, visit www.denvergov.org/auditor
Audit Contact Person: Shannon Kuhn, 720-913-5159, Shannon.kuhn@denvergov.org

Recommendations: Status of Implementation

Finding 1: Physical Access Controls Are Ineffective for Some Network Equipment Areas

1.1 DIA Technologies should adopt a process whereby personnel working in network equipment rooms confirm that door locks are working properly and report malfunctioning door locks for repair or, alternatively, conduct routine security checks of all rooms to ensure that network equipment areas are secured.
Auditee Action: DIA Technologies worked with Airport Security to develop a process with contract security staff (HSS) wherein door locks for network equipment rooms are regularly checked to ensure the security and functionality of door locking mechanisms. Additionally, DIA Technologies ensured that all DIA Technologies personnel with access to network equipment rooms are properly trained on ensuring the security of network equipment areas.
Status: Implemented

1.2 Provide isolation from public access to network equipment areas by securing equipment in a locked rack or cabinet in sites where the building door is routinely propped open for business purposes.
Auditee Action: DIA Technologies procured and installed securable network device cabinets for all areas that lacked appropriate isolation from the public.
Status: Implemented

1.3 Provide isolation from public access to network equipment rooms by installing an internal cage second door in sites that currently have doors that open to publicly accessible spaces.
Auditee Action: DIA Technologies disagreed with the recommendation of installing a cage to act as a second door. However, they installed a perimeter fence to provide isolation from the public.
Status: Implemented

1.4 Provide isolation from public access by repairing and installing card reader access on the existing doors that lead to a data center.
Auditee Action: DIA Technologies is planning to update the configuration of the door leading to a data center by March 31, 2015, as part of a data center re-life effort.
Status: Not implemented

1.5 Develop and regularly review a report for the data center that lists individuals with access rights and another report to show who has recently accessed the room.
Auditee Action: DIA Technologies is reviewing the access lists for the data center by periodically requesting printed reports from DIA Operations Security, which show every badge access in and out of the five primary DIA data center facilities. From those reports, a list is compared to a database of every person, with company information, who used a badge to access any of those facilities. An additional query shows which companies have access rights to DIA data centers and how many employees actually used badges to access them. Every failed badge attempt is documented and reviewed to consider whether it indicates an attempted unauthorized access.
Status: Implemented

Finding 2: Environmental Controls Are Inadequate for Some Network Equipment Areas

2.1 Conduct routine inspections of all equipment areas to ensure compliance with the DIA Technologies Physical Security Standard for Information Systems and Data Networks and have the areas cleaned as necessary.
Auditee Action: The DIA Technologies Data Center Governance Committee updated the Physical Security Standard to include provisions for cleanliness.
Status: Implemented

2.2 Have all automatic and portable fire suppression equipment inspected annually.
Auditee Action: The DIA Technologies Data Center Governance Committee put a process in place to enforce the Physical Security Standard, including provisions for engaging the appropriate fire equipment inspection authorities to conduct inspections at recommended intervals. DIA Technologies has checked to ensure fire suppression equipment is serviceable in the five primary data centers.
Status: Implemented

2.3 Evaluate any differences between the DIA standard, building codes, and the National Fire Protection Association Standard for the Fire Protection of Information Technology Equipment (NFPA 75) and adjust the DIA standard if necessary; supply rooms with missing equipment, such as portable fire extinguishers and manual pull fire alarms; and make construction and door corrections.
Auditee Action: The DIA Technologies Data Center Governance Committee evaluates departures from standards and, based on the timing of available funds, prioritizes construction corrections.
Status: Implemented

2.4 Remove the flammable material (paper) from the equipment room's cable raceway.
Auditee Action: DIA Technologies has removed the material from the network equipment room.
Status: Implemented

2.5 In the building with rodent and insect infestations, seal the foundation and walls and install a door sweep to prevent future infestations.
Auditee Action: A work order for this effort was submitted to AIM in 2013 to address the location of the infestation. Audit reinspected the building and found that all evidence of insect and rodent infestation was removed.
Status: Implemented

2.6 Install uninterruptible power supplies as necessary.
Auditee Action: The DIA Technologies Data Center Governance Committee has established standards for the application of uninterruptible power supplies in network equipment areas. Audit revisited the network rooms and confirmed that uninterruptible power supplies were present, which indicates that the standards are being followed.
Status: Implemented

Finding 3: Some Security Policies and Standards Are Incomplete and Outdated and Security Policy Administration Needs Improvement

3.1 Enforce the annual requirement for employees and contractors to review and acknowledge important policies such as the IT User Agreement and the Remote Access User Agreement by either adding them to the automated information security awareness training program or by developing an alternative process.
Auditee Action: DIA Technologies has incorporated the essential portions of the IT User Agreement and Remote Access User Agreement into the annual information security awareness training program.
Status: Implemented

3.2 Develop and implement the missing security policies discussed with the auditors.
Auditee Action: DIA Technologies has performed a gap analysis against the ISO 27000 series of standards, which identified policy and procedure gaps including, and in addition to, those discussed with the auditors. DIA Technologies will implement a program that integrates with the DIA Policy Management Program to ensure that policies or procedures are created where gaps are found. Due to a change in the handling of a communication protocol, DIA opted not to create one of the policies discussed with the auditors.
Status: Implemented

3.3 Ensure that all important security policies have management's review and approval.
Auditee Action: DIA Technologies management has begun to review all security policies annually.
Status: Implemented

3.4 Ensure that all critical policies are reviewed and updated annually.
Auditee Action: DIA Technologies management now reviews all critical policies annually.
Status: Implemented

3.5 Update the DIA Technologies Physical Security Standard for Information Systems and Data Networks to address all the areas where network equipment is installed.
Auditee Action: The DIA Technologies Physical Security Standard was updated to include all areas where network equipment is housed.
Status: Implemented

3.6 Examine and resolve the reasons why the antivirus software did not prevent our test from introducing pseudo-malware onto the network.
Auditee Action: DIA Technologies has upgraded the environment to a more robust antivirus solution to address this issue.
Status: Implemented
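The review described under recommendation 1.5 (badge-reader reports compared against a roster of access-rights holders, a per-company count of who actually used their rights, and a review of every failed attempt) is a reconciliation that is straightforward to script rather than to repeat by hand over printed reports. The following Python is an added example and is not code from this report or from DIA Technologies; the roster, badge log, door names, company names and CSV column names are all constructed for illustration. It also surfaces two conditions the report does not spell out but that the same data supports: badges whose rights were never exercised during the review period (candidates for revocation under least privilege) and, most seriously, an entry granted to a badge that appears on no access-rights roster, which means the door controller's list and the authoritative roster disagree.

```python
"""Reconcile data-center badge logs against an access-rights roster.

Added example for recommendation 1.5; not code from the audit report or
from DIA Technologies.  All data below is constructed for illustration and
the CSV column names are assumptions.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed roster: everyone who holds a badge with data-center access
# rights, with their company (hypothetical names, not from the report).
ROSTER_CSV = """badge_id,name,company,door_group
B1001,A. Alpha,DIA Technologies,DC-ALL
B1002,B. Bravo,DIA Technologies,DC-ALL
B2001,C. Charlie,Cabling Contractor Inc,DC-1
B2002,D. Delta,Cabling Contractor Inc,DC-1
B3001,E. Echo,Cooling Vendor LLC,DC-2
"""

# Constructed badge-reader export for the review period.  Note B9999: it is
# on no roster, yet one of its two attempts was GRANTED.
BADGE_LOG_CSV = """timestamp,badge_id,door,result
2015-02-02T08:01:00,B1001,DC-1 main,GRANTED
2015-02-02T08:05:00,B2001,DC-1 main,GRANTED
2015-02-03T22:14:00,B2002,DC-2 main,DENIED
2015-02-04T09:00:00,B1001,DC-2 main,GRANTED
2015-02-05T01:30:00,B9999,DC-1 main,DENIED
2015-02-06T13:00:00,B9999,DC-1 main,GRANTED
"""


@dataclass
class ReviewReport:
    rights_by_company: dict       # company -> badge holders with access rights
    active_by_company: dict       # company -> holders who actually entered
    dormant_badges: list          # rights held but never exercised (revoke?)
    unknown_badge_events: list    # events for badges missing from the roster
    granted_to_unknown: list      # subset of the above that were GRANTED
    denied_events: list           # every failed attempt, for manual review


def review_access(roster_csv: str, log_csv: str) -> ReviewReport:
    """Build the reconciliation described in recommendation 1.5."""
    roster = {row["badge_id"]: row
              for row in csv.DictReader(io.StringIO(roster_csv))}
    events = list(csv.DictReader(io.StringIO(log_csv)))

    # Who holds rights, per company (the "which companies have access" query).
    rights_by_company = defaultdict(int)
    for holder in roster.values():
        rights_by_company[holder["company"]] += 1

    used = set()
    unknown, granted_unknown, denied = [], [], []
    for ev in events:
        if ev["result"] == "DENIED":
            denied.append(ev)            # each one reviewed, per the report
        holder = roster.get(ev["badge_id"])
        if holder is None:
            # Badge not on the rights roster: a DENIED here is expected, a
            # GRANTED means the reader's access list disagrees with the roster.
            unknown.append(ev)
            if ev["result"] == "GRANTED":
                granted_unknown.append(ev)
            continue
        if ev["result"] == "GRANTED":
            used.add(ev["badge_id"])

    # "How many employees actually used badges", per company.
    active_by_company = {company: 0 for company in rights_by_company}
    for badge_id in used:
        active_by_company[roster[badge_id]["company"]] += 1

    # Rights never exercised in the period are candidates for removal.
    dormant = [badge_id for badge_id in roster if badge_id not in used]

    return ReviewReport(dict(rights_by_company), active_by_company, dormant,
                        unknown, granted_unknown, denied)


if __name__ == "__main__":
    report = review_access(ROSTER_CSV, BADGE_LOG_CSV)
    for company, holders in report.rights_by_company.items():
        print(f"{company}: {report.active_by_company[company]} of {holders} "
              "rights holders entered a data center")
    print("dormant rights:", ", ".join(report.dormant_badges))
    print("denied attempts to review:", len(report.denied_events))
    for ev in report.granted_to_unknown:
        print("ALERT: entry granted to unrostered badge", ev["badge_id"],
              "at", ev["door"], ev["timestamp"])
```

Run against a real export, the two lists worth acting on are `granted_to_unknown` (the door controller admits a badge the roster does not know about, so one of the two sources is wrong or stale) and `dormant_badges` (rights that the period's evidence shows are not needed). The denied list is the "every failed badge attempt" review the report describes, and a denied attempt by a rostered badge at a door outside its `door_group` (B2002 at DC-2 in the constructed data) is the normal case the reader is expected to produce.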

Conclusion

DIA Technologies has made marked improvements to update and enforce existing information and physical security policies. Further, progress has been made to enhance environmental controls where network equipment is housed, such as performing regular maintenance of rooms for cleanliness and inspections of existing fire suppression systems. We are confident that all recommendations would have been fully implemented if DIA Technologies did not have to rely on other departments for the purchase of a device to physically secure a door. DIA Technologies personnel have noted that the final open recommendation will be completed March 31, 2015. As a result, we conclude our follow-up effort related to the performance audit of DIA Network Security Management. On behalf of the citizens of the City and County of Denver, we thank staff and leadership from DIA Technologies for their cooperation during our follow-up effort and their dedicated public service.