AUDIT AND RISK MANAGEMENT SUBCOMMITTEE 17 JUNE 2013



Similar documents
Protecting Official Records as Evidence in the Cloud Environment. Anne Thurston

National Certificate in Business Administration and Computing (Level 3)

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Audit Follow-Up. Active Directory. Status As of February 28, Summary. Report #1508 April 20, 2015

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February Title: Information Security Policy

AGENDA ITEM: SUMMARY. Author/Responsible Officer: John Worts, ICT Team Leader

Internal Audit Report Business Continuity Planning Arrangements

Qualification details

Argyll and Bute Council

Annex 1. Business Continuity Management Policy

Our consultancy team will provide guidance throughout the process helping you to produce the necessary documentation and raise staff awareness.

I will cover. Cyber Security and other recent performance audits. Report # 8 Why this audit? Background. Audit objective.

POLICY. 1) Business Continuity Management 2) Disaster Recovery 3) Critical Incident Management 4) Risk Management

Trust Board Report. Review of the effectiveness of the IM&T Committee

POSITION DESCRIPTION. Organisation profile. Our vision. Our values. Position title Procurement Specialist Job band G

Aberdeen City Council IT Disaster Recovery

TECHNICAL SECURITY AND DATA BACKUP POLICY

1.1 An initial request to enter into a contractual arrangement may be initiated by either Massey University or another party (Other Party).

IT Checklist. for Small Business INFORMATION TECHNOLOGY & MANAGEMENT INTRODUCTION CHECKLIST

Department of Public Utilities Customer Information System (BANNER)

Glasgow Life Risk Management & Business Continuity Planning. Final Report

IT Data Security Policy

Cleveland Police. Data protection audit report. Executive summary November 2014

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One

NETWORK SERVICES WITH SOME CREDIT UNIONS PROCESSING 800,000 TRANSACTIONS ANNUALLY AND MOVING OVER 500 MILLION, SYSTEM UPTIME IS CRITICAL.

MANAGEMENT OF USER ACCOUNTS AND PASSWORD POLICY AUGUST Version 2.0

AUDIT REPORT WEB PORTAL SECURITY REVIEW FEBRUARY R. D. MacLEAN CITY AUDITOR

Appendix 1c. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF INTERNET- BASED NETWORK SECURITY

Information Security Policy

Chief Information Officer

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION GOVERNANCE POLICY

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

Policy Document. Communications and Operation Management Policy

How To Ensure The C.E.A.S.A

Accreditation of qualifications for registration as an oral health practitioner

Policy on the Security of Informational Assets

XIT CLOUD SOLUTIONS LIMITED

Appendix 1c. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF NETWORK/INTERNET SECURITY

SOFTWARE LICENSING POLICY

Business Continuity Business Continuity Management Policy

Management Standards for Information Security Measures for the Central Government Computer Systems

INFORMATION GOVERNANCE POLICY: DATA BACKUP, RESTORE & FILE STORAGE HANDLING

IT Risk Assessment Action Plan. South Staffordshire District Council Audit 2010/11

Implementation of Internal Audit Recommendations: Summary of Progress Report by Head of Finance

ROLE DESCRIPTION. Location: National Office Wellington Delegation level: N/A. Role of Tertiary Education Commission (Te Amorangi Matauranga Matua)

National Certificate in Business Administration and Computing (Level 3) Level 3

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction Policy Statement Purpose...

Attachment N CPIC Vendor Resiliency Business Continuity Planning Questionnaire

Introduction to Cyber Security / Information Security

COMCARE BUSINESS CONTINUITY MANAGEMENT

Policy on Business Continuity

Prisoner Programmes and Projectives in New Zealand

Cyber Security Issues - Brief Business Report

Corporate Affairs Overview and Scrutiny Committee

RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology

INFORMATION GOVERNANCE POLICY

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

Policy Title: HIPAA Security Awareness and Training

Summary of Information Technology General Control Environment Findings for the year ended 30 June 2015

REVIEW OF AUDITOR-GENERAL S REPORT NO. 10 OF 2015: FINANCIAL AUDITS S TANDING C OMMITTEE ON P UBLIC A CCOUNTS REPORT 26 APRIL 2016

IT Data Backup Policy

Newcastle University Information Security Procedures Version 3

PARKES SHIRE COUNCIL BUSINESS CONTINUITY POLICY

Business Continuity Business Impact Analysis arrangements

IT change management policy

SUMMARY OF AUDIT FINDINGS

COMMERCIALISM INTEGRITY STEWARDSHIP. Security Breach and Weakness Policy & Guidance

Help Administration (top right) > User Management > Add User Delete

Rotherham CCG Network Security Policy V2.0

NHS Commissioning Board: Information governance policy

Decision on adequate information system management. (Official Gazette 37/2010)

Privacy and Cloud Computing for Australian Government Agencies

1 Purpose Scope Roles and Responsibilities Physical & Environmental Security Access Control to the Network...

ICT, INTERNET AND GOOD PRACTICE POLICY

Completed. Document Name. NERC CIP Requirements CIP-002 Critical Cyber Asset Identification R1 Critical Asset Identifaction Method

VMIA Business Continuity Initiatives

CHAPTER 1: BUSINESS CONTINUITY MANAGEMENT STRATEGY AND POLICY

Aberdeen City Council IT Security (Network and perimeter)

Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Dacorum Borough Council Final Internal Audit Report. IT Business Continuity and Disaster Recovery

Hosted Exchange. Security Overview. Learn More: Call us at

Ref: Issue Raised Recommendation Priority Management Response Implementation Network and ABS E-Financials 1. Account security settings

Access Control Policy

Guideline for Services

Bedfordshire Fire and Rescue Authority Corporate Services Policy and Challenge Group 9 September 2014 Item No. 6

IS INFORMATION SECURITY POLICY

Business Continuity Policy and Business Continuity Management System

CentralNic Privacy Policy Last Updated: July 31, 2012 Page 1 of 12. CentralNic. Version 1.0. July 31,

Reducing the Cyber Risk in 10 Critical Areas

Mike Casey Director of IT

Attachment #2. BUSINESS CONTINUITY PLAN Plan Development Guidelines

Office of Education Technology (OET) Security Best Practices Guideline for Districts

Information Security Policy

How To Write A Health Care Security Rule For A University

Purpose of Report To present a revised corporate risk register as at May 2013

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October Document Author(s) Collette McQueen

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

National Certificate in Public Sector Services (Client/Customer Service) (Level 3)

Transcription:

AUDIT AND RISK MANAGEMENT SUBCOMMITTEE 17 JUNE 2013 REPORT 1 (1215/52/01/1M) PROGRESS AGAINST AUDIT NEW ZEALAND RECOMMENDATIONS 1. Purpose of report The purpose of this report is to present the Audit New Zealand s Report to Council to the Subcommittee. This report contains audit recommendations from Audit New Zealand related to the 2011/12 audit as well as progress against recommendations made in prior years. 2. Recommendations Officers recommend that the Audit and Risk Management Subcommittee: 1. Receive the information 2. Note the progress made in implementing the Audit New Zealand recommendations attached in Appendix 1. 3. Summary of improvements in recommendations since the last report Refer to Appendix 1 for the current status of all outstanding audit recommendations. Contact Officer: Nicky Blacker, Manager, Financial Accounting

SUPPORTING INFORMATION 1) Strategic fit / Strategic outcome This project supports Activity 1.1 Governance, Information and Engagement, specifically 1.1.1 City Governance and Engagement. As per the Annual Plan, City Governance and Engagement includes all those activities that make the Council accountable to the people of Wellington and ensure the smooth running of the city. That includes all meetings of the Council and its committees and subcommittees. 2) LTP/Annual Plan reference and long term financial impact The report has no specific Annual Plan reference. There is no long term financial impact arising from the report. 3) Treaty of Waitangi considerations There are no specific Treaty of Waitangi considerations. 4) Decision-making There are no significant decisions required by the paper. 5) Consultation a) General consultation There are no parties significantly affected by this paper. b) Consultation with Maori Maori are not significantly affected by this paper. 6) Legal implications This report has no specific legal implications. 7) Consistency with existing policy This report is consistent with existing policy.

Summary of recommendations and their current status Overarching IT security policy and disaster recovery Recommendation date: 2007/08 Recommendations Management response Jun 2013 Audit New Zealand Comments Mar 2013 IT Security Policy COMPLETED Council does not have one overarching IS/IT Security Policy. This potentially allows unauthorised access to systems and/or fraudulent, malicious or unintended transactions to be posted. The proposed IT Policy and guides have been reviewed and approved by Manager Risk and Assurance December 2012, and Director approval was given by Greg Orchard on 28 August 2012. They are now Audit New Zealand has sighted approved IS Security Framework and Security Policies. As at February 2013, the implementation of the password policies to all server and desktop equipment is still in progress. ready for general release and were published on the Council Intranet in January 2013. Audit recommended that Council develop and implement an IS/IT Security Policy as an overall statement of the importance of security to the organisation. Internal audit also picked up some issues and these were implemented as noted below. 1. Enforce the password reset timeframes as stipulated in the Guidelines. There must be valid business reasons for any exceptions required to this rule. These should be documented and approved by relevant management. This was actioned on Wednesday 13 March and all those people identified as not having a valid reason for no password expiry have now been set to expire like normal users

Business Continuity and Disaster Recovery We recommend that Business Continuity Plans be finalised and tested as planned. The results should be documented and communicated to all affected staff so that improvements to procedures can be made. Business Continuity and IT Disaster Recovery plans are now well developed, and tests of these plans are to be carried out this year. and are required to change their password every 90 days. 2. Ensure password lengths are system enforced to comply with the Guidelines. This was approved by the Change Advisory Board and has been enforced effective from 20 March 2013 JULY/SEPTEMBER QUARTER The intention was to carry out an IT Disaster Recovery (DR) test in August 2012. On the morning of 27 June a power surge took down all the council's computer systems. The directors on the Business Continuity Plan (BCP) steering group met early to activate the BCP. There was an independent inquiry into the BCP process as a result of a power failure which caused an IT Outage which focused on the response to the incident. This report was presented to the BCP steering group and the recommendations acted upon. Given that this incident necessitated the initiation of the BCP, and lessons learned will be incorporated into DR and BCP planning, it was decided not to run another DR test. We have selected a partner for the hosting The project to move the datacentre is underway and DR Planning will be incorporated into that. A project Manager has been appointed to look at Business Continuity Planning.

Management of generic and powerful user accounts When generic accounts are used they should be restricted to specific use situations and reduced to read only access wherever possible to prevent changes being made without accountability. For powerful users there is a higher risk of malicious or accidental changes having significant impacts on systems. These users should be known and adequately monitored. IT and business application owners should develop a process to document the current generic and powerful accounts within their network domain and various applications. This should include an assessment to determine the extent of their access and whether they are still required. of the Council s computer centre and the project will be completed July 2013. The DR computer centre needs to be relocated prior to November 2013 and a prerequisite is a review of the BCP. COMPLETED Generic accounts for unknown business units have been disabled on the network. If we are not contacted with objections to the disabling of the accounts is raised over the next 3 to 6 months the accounts will be deleted. Generic accounts are reviewed as part of the normal deletion process on a continuous basis. 108 generic accounts have been deleted in the last 6 months. A further 100 accounts have been moved into the "Mark for deletion" container. Creation of generic accounts is discouraged but sometimes unavoidable We understand that 3 monthly reviews of generic and powerful accounts have been performed but are not a complete review of all generic accounts. IT Management is currently investigating their findings on some generic accounts with unknown business units. Decisions will still need to be made as to whether these accounts will be kept or deleted. Responsibility: Stephanie Mardell, Gerard Paver and Miles Dunkin

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information