PROJECT SUMMARY OBSERVATIONS, RECOMMENDATIONS, AND RESPONSES



Similar documents
How To Audit The Mint'S Information Technology

Texas A&M University: Review of Student Recruitment and Admissions PROJECT SUMMARY. Summary of Management s Response

STATE OF NORTH CAROLINA

Server Management-Scans & Patches

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

OBSERVATION, RECOMMENDATION, AND RESPONSE

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

Department of Education. Network Security Controls. Information Technology Audit

Department of Public Utilities Customer Information System (BANNER)

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

Computer Classroom Security Standard

Human ResourcesHuman Resources - Project Overview

SMITHSONIAN INSTITUTION

Information Technology Governance

Kennebec Valley Community College Information Technology Department Service Level Agreement

ISAAC Risk Assessment Training

Information Security Operational Procedures

How To Audit The Minnesota Department Of Agriculture Network Security Controls Audit

Securing the Service Desk in the Cloud

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Appendix 1c. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF NETWORK/INTERNET SECURITY

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

University Systems Desktop Support Service Level Commitment

Domain 1 The Process of Auditing Information Systems

Specific observations and recommendations that were discussed with campus management are presented in detail below.

NYSED DATA DASHBOARD SOLUTIONS RFP ATTACHMENT 6.4 MAINTENANCE AND SUPPORT SERVICES

Texas A&M University - Commerce: Review of Faculty Human Resources Processes PROJECT SUMMARY. Summary of Significant Results

THE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES LAPTOP ENCRYPTION. Report No

Computer Security Incident Response Team

Managed Security Services SLA Document. Response and Resolution Times

Information Security Awareness Training

OSU INSTITUTE OF TECHNOLOGY POLICY & PROCEDURES

PREMIER SUPPORT STANDARD SERVICES BRONZE SILVER GOLD

SERVICES BRONZE SILVER GOLD PLATINUM. On-Site emergency response time 3 Hours 3 Hours 1-2 Hours 1 Hour or Less

Supplier Information Security Addendum for GE Restricted Data

University of Oregon Information Technology Risk Assessment. December 2, 2015

Network Assessment. Prepared For: Prospect Or Customer Prepared By: Your Company Name

Indiana University of Pennsylvania Information Assurance Guidelines. Approved by the Technology Utilities Council 27-SEP-2002

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

October 10, Report on Web Applications #13-205

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT Strategic Plan INFRASTRUCTURE PROPERTIES AND PLANNING

Overall Conclusion. Summary of Significant Results. Patient Billings and Collections at the Family Medicine Clinic

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections

Presented By: Bryan Miller CCIE, CISSP

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

THE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES PHYSICAL SECURITY. Report No

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

Wright State University Information Security

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY

MSP Service Matrix. Servers

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Network Security Management Phases 1 and 2 Follow up Report

DESKTOP SUPPORT SERVICE LEVEL AGREEMENT

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

CENG Information Technology Services University of North Texas

Current Environment Assessment Specification. Single Sign On Customer Relation Management Workstation Support

How To Use Adobe Software For A Business

STATE OF ARIZONA Department of Revenue

SRA International Managed Information Systems Internal Audit Report

Client Security Risk Assessment Questionnaire

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

ROSS PHILO EXECUTIVE VICE PRESIDENT AND CHIEF INFORMATION OFFICER

Information Technology General Controls And Best Practices

Ohio Supercomputer Center

Computer Security Incident Response Team

Agenda. Agenda. Security Testing: The Easiest Part of PCI Certification. Core Security Technologies September 6, 2007

Information Security

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Major IT Projects: Continue Expanding Oversight and Strengthen Accountability

DIVISION OF INFORMATION SECURITY (DIS)

GOVERNANCE AND MANAGEMENT OF CITY WIRELESS TECHNOLOGY NEEDS IMPROVEMENT MARCH 12, 2010

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Office of Inspector General

SCOPE OF SERVICE Hosted Cloud Storage Service: Scope of Service

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

Ellucian Cloud Services. Joe Street Cloud Services, Sr. Solution Consultant

O L A. Department of Employee Relations Department of Finance SEMA4 Information Technology Audit OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA

Aberdeen City Council IT Security (Network and perimeter)

Business Continuity Management Review

TEXAS AGRILIFE SERVER MANAGEMENT PROGRAM

Central Agency for Information Technology

Better secure IT equipment and systems

In Brief. Smithsonian Institution Office of the Inspector General. Smithsonian Institution Information Security Program

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

SCOPE: Role Descriptions/Job Profiles

Project Charter and Scope Statement

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Goals. Understanding security testing

Reducing the cost and complexity of endpoint management

2008 NASCIO Award Submission. Utilizing PCI Compliance to Improve Enterprise Risk Management

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

New River Community College. Information Technology Policy and Procedure Manual

Best Practices for Building a Security Operations Center

Director, IT Security District Office Kern Community College District JOB DESCRIPTION

AUDIT REPORT WEB PORTAL SECURITY REVIEW FEBRUARY R. D. MacLEAN CITY AUDITOR

PCI DATA SECURITY STANDARD OVERVIEW

R345, Information Technology Resource Security 1

Transcription:

PROJECT SUMMARY Overview Information technology (IT) processes and controls within Computing and Information Services (CIS) at Texas A&M University provide reasonable assurance that resources are used in compliance with laws, policies, regulations, and rules. The Open Access Lab unit maintained efficient and effective processes for deployment and imaging of student lab workstations and monitoring of lab utilization through real time CIS units included in review: Information Technology Solutions & Support Open Access Labs Supercomputing Network and Information Security Support Services (Help Desk Central) statistics. Opportunities for improvement were identified in the areas of logical security and operation of the centralized help desk. CIS is responsible for providing computing resources, services, and support to Texas A&M University, as well as other members of the A&M System. CIS operates as a university service center with a budget of approximately $30 million and 206 full-time employees. OBSERVATIONS, RECOMMENDATIONS, AND RESPONSES 1. Logical Security Observation Logical security should be improved to better protect IT resources. Improvements in logical security controls are needed to increase the university s overall IT Logical Security security. Limited weak logical security practices Logical security consists of software safeguards for an entity s information systems including were noted in the areas of user IDs, passwords, anti-virus protection, password management, operating system patch updates, encryption, software patch updates, and workstation security mechanisms. These measures are to ensure that only authorized and pre-logon banner users are able to perform actions or access use. Logical security was information in a network or a workstation. reviewed for systems Third Quarter for Fiscal Year 2013 Page 1

1. Logical Security (cont.) administered by three CIS units: Information Technology Solutions and Support (ITSS); Open Access Labs (OAL); and Supercomputing. These systems included UNIX/ Linux and Windows operating systems and databases. For the ITSS and OAL Linux systems tested, at least three weak default password settings were in place for local accounts. While users are assigned to groups through which password settings are normally assigned, university-required password settings should also be in place for any accounts set up locally on the machines. This also applies to the supercomputing environment. Password controls also need to be strengthened on the other systems tested including an ITSS Oracle database default profile, four ITSS Windows servers, and the OAL domains. Patch management deficiencies were noted on various systems including some systems that were running unsupported versions. Three of the 12 (25%) ITSS Windows servers selected had a patching gap that exceeded 90 days, two of which were due to a changeover in personnel. Two of the three OAL Linux servers tested were running older, unsupported versions of the operating system. Both are in the process of being replaced with a different operating platform. One of the two OAL databases tested was found to be unsupported due to a missing service pack. Additionally, 22 of 69 (32%) Apple OS X systems tested on the OAL domain were not using the latest updated version. Management has delayed updating to the latest version due to compatibility issues with currently used software. Texas Administrative Code (TAC) 202.75 compliant pre-logon banners were not found in place for three of the four ITSS Linux servers, all three OAL Linux servers, and the supercomputing systems. TAC 202.70, Security Standards Policy, states that information resources are strategic and vital assets that must be available and protected commensurate with the asset s value. While the university has extensive rules and procedures in place, these were not always followed in the instances noted above. Failure to follow strong logical security practices can lead to confidential files or systems being compromised and possible disruption of critical services. Recommendation Implement password controls that, at a minimum, comply with university standard administrative procedures and guidelines. Page 2 Third Quarter for Fiscal Year 2013

1. Logical Security (cont.) Periodically review systems and accounts for compliance with password standards and guidelines. Patch servers, workstations and databases to the current versions and implement continuous patch management and monitoring processes. Implement a pre-logon banner in compliance with TAC 202.75 for all systems and include this requirement in server hardening checklists. Management s Response OAL has implemented or is in the process of implementing the following: Password controls now meet or exceed university policy. To assist with future enforcement, a Windows password policy will be implemented at the domain level for greater control. For Linux installations, a checklist will be used that includes changing password policies. Systems will be periodically reviewed for compliance. System patches are current. The Apple OS is not the most current version due to compatibility issues with required software. We continue to work with the vendor to determine a solution. We anticipate having this resolved by September 2013. For continuous patch management, all the OAL servers are now under the same team that checks for updates and patches to software on a regular basis with various corresponding tools and websites. For Linux, this will include reviews as part of the scheduled monthly updates process. Successful implementation of updates will be monitored and documented through a ticketing process. Pre-logon banners are in place. For all future server installations, a server installation checklist will be used that includes adding a pre-logon banner. Target Implementation Date for OAL: September 2013. ITSS has implemented or is in the process of implementing the following: Password controls now meet or exceed university policy. To assist with future enforcement, a Windows password policy will be implemented at the domain level for greater control. For Linux installations, a checklist will be used that includes Third Quarter for Fiscal Year 2013 Page 3

1. Logical Security (cont.) changing password policies. reviewed for compliance. Systems will be periodically System patches are current. For continuous patch management, ITSS will begin using the same or equivalent tools and processes OAL uses. Pre-logon banners are in place. For all future server installations, a server installation checklist will be used and verified that includes adding a pre-logon banner. Target Implementation Date for ITSS: September 2013. Supercomputing, which utilizes Linux, has completed or is in the process of completing the following: Implementation of password controls in accordance with university guidelines is expected to be completed by the end of September 2013. Compliance with requirements will be periodically monitored. System patches are current. Patch management procedures will be reviewed for continued performance. Pre-logon banners have been put in place according to university and state regulations. Compliance with requirements will be periodically monitored. Target Implementation Date for Supercomputing: September 2013. 2. Help Desk Central Observation Improvements are needed in the operations of the central IT help desk. Help Desk Central does not have the necessary processes and tools to ensure achievement of customer service level baselines and operational goals and objectives. For example, the CIS 2011-2015 strategic plan goal to increase the number of trouble calls that are resolved by the first person answering the phone cannot be tracked with Help Desk Central is operated by CIS and provides 24/7 IT support for Texas A&M students, faculty and staff for any IT-related issue. current software tools. In addition, other measures of customer service levels are not tracked such as user satisfaction per incident or the number of resolutions per minute of time. Page 4 Third Quarter for Fiscal Year 2013

2. Help Desk Central (cont.) The operation of CIS Help Desk Central was recently moved to a different unit under CIS and a new manager was appointed. They are aware of these issues and are working on solutions. The main challenge is that the software tools supporting Help Desk Central operations do not provide a wide-range of needed functions. Customer inquiries originate via telephone, walk-in traffic, and email. Each origination point is supported by a different system: Keystone for email, Nortel ACD for phone calls, and a medical check-in system is used for walk-in traffic. The tools are outdated and have been extended beyond their capabilities. For incoming call routing, there is a lack of defined escalation procedures to route incidents to appropriate personnel for remediation. As the importance of help desk services has grown worldwide, standard IT service management practices have been developed to improve help desk services. EDUCAUSE, a nonprofit association whose mission is to advance higher education through the use of information technology, has noted that IT service management practices have been adopted to some extent by over three-quarters of the universities surveyed. CIS management is looking to utilize IT service management practices to help meet their stated goals and improve overall performance. Without adequate processes and tools in place, Help Desk Central may not be able to meet its customers needs in the most effective and efficient manner possible. Recommendation Develop and implement appropriate IT service management practices including the development of goals to measure service levels in the areas of user satisfaction, first contact resolution and other relevant measures. Establish a life cycle approach, including funding requirements, to maintain software applications that support Help Desk Central operations. This would include migration paths to alternative software tools to replace Keystone, Nortel ACD, and the medical walk-in system. Establish criteria for incident escalation procedures across service level tiers. Management s Response A Customer Support Working Group (CSWG) has been established from areas supported by Help Desk Central (HDC). Among the deliverables defined for this group are the following: Third Quarter for Fiscal Year 2013 Page 5

2. Help Desk Central (cont.) Change management and service transition recommendations. Incident escalation procedures. Incident and service request life cycle recommendations, including service level goals. Service and support ownership recommendations at each stage of the life cycle. Comprehensive set of requirements for a new ticketing solution to be selected at the conclusion of the group s commission. In addition to the CSWG, HDC management is working with Telecommunications to evaluate a new call center solution. Infrastructure staff is independently evaluating industry standard call center solutions as well, to mitigate the risk of slow progress with campus solutions. HDC is also evaluating niche alternatives to the medical check-in system for walk-ins. In the meantime, the business process has been modified to capture more detailed information. Recommendations from the CSWG are expected by the end of January 2014. A final decision and implementation plan will be determined by March 2014 with final implementation completed by September 2014. Page 6 Third Quarter for Fiscal Year 2013

BASIS OF REVIEW Objective and Scope Criteria The objective of the audit was to review the processes and controls in place within Computing & Information Services (CIS) to determine if information technology resources are used in compliance with laws, policies, regulations and rules. The review of CIS focused on logical security general controls administered by three departments within CIS: Information Technology Solutions & Support, Open Access Labs, and Supercomputing. Other general control areas reviewed in selected departments included network security scanning, central help desk operations, and physical security at the open access labs and network closets. The audit period focused primarily on activities from September 1, 2011 through February 28, 2013. Fieldwork was conducted from November 2012 through March 2013. Our audit was based upon standards as set forth in the System Policy and Regulation Manual of the Texas A&M University System; Texas Administrative Code; Texas Information Resources Management Act; Texas A&M University Standard Administrative Procedures; and other sound administrative practices. This audit was conducted in conformance with the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing. Additionally, we conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Background CIS is one of seven departments under the Vice President and Associate Provost for Information Technology and is responsible for providing computing resources, services and support to Texas A&M University students, faculty and staff, as well as other members of The Texas A&M University System. There are six units within CIS: Information Technology Solutions and Support; IT Infrastructure and Third Quarter for Fiscal Year 2013 Page 7

Operation; Networking and Information Security; Open Access Labs; Support Services; and Supercomputing. CIS operates as a university service center with a budget of approximately $30 million, not including student access fees, and has approximately 206 fulltime employees. AUDIT TEAM INFORMATION Dick Dinan, CPA, Director David Maggard, CISA, Audit Manager Paul Wiggins, CISSP Bill Williams, CISA DISTRIBUTION LIST Dr. R. Bowen Loftin, President Dr. Karan Watson, Provost and Executive Vice President for Academic Affairs Ms. B.J. Crain, Vice President for Finance and Chief Financial Officer Dr. Rodney McClendon, Vice President for Administration Dr. Pierce Cantrell, Vice President and Associate Provost for Information Technology Dr. Pete Marchbanks, Executive Director Computing and Information Services Mr. Charley B. Clark, Associate Vice President for University Risk and Compliance Page 8 Third Quarter for Fiscal Year 2013

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information