
CA-02-10 Page 1 of Report

City Manager's Office TO: Audit Committee

SUBJECT: Summary of Audit Results - General Computer Controls Audit

Report Number: CA-02-10 File Number(s): 430-03-ITS

Report Date: January 15, 2010 Ward(s) Affected: 1 2 3 4 5 6 All

Date to Committee: February 9, 2010 Date to Council: February 22, 2010

Recommendation: For information only

Purpose:
• Address goal, action or initiative in strategic plan
• Establish new or revised policy or service standard
• Respond to legislation
• Respond to staff direction
• Address other area of responsibility: considering reports from the City Manager and the City Auditor identifying audit issues and the steps taken to resolve them, including the adequacy of the management responses to audit concerns

Reference to Strategic Plan:

N/A

Executive Summary:

Overall Audit Rating – FAIR (details of ratings are located on page 9 of this report)

The existence of a business strategy is a key component of IT Governance and supports general computer controls. ITS management and staff demonstrated a sound knowledge and understanding of their responsibilities. Key issues include a need for:

• Enhanced restriction and monitoring of key administrative userids for specific network and applications
• Segregation of duties for promotion of application changes between development and production environments
• Standard operating procedures for three key areas of computer operations
• Enhanced automation to support help desk activities, including ticket monitoring and creation of a knowledge base
• Formal processes for approving security protocol changes (e.g. password configuration, etc.)
• Improved reporting to support userid cancellation and/or suspension
• Regular review of user access to critical applications
• Enhancement of specific logical security parameters for Windows Active Directory in alignment with industry-recommended minimum security settings
• Compliance with the City's password policy for two specific applications and administrator ID password changes
• Documentation of approved lists of staff with authority to enter data centers
• Improved environmental security controls in a specific data center (outside the control of ITS)
• Regular monitoring of server logs

Background: The audit of General Computer Controls was included in the 2009 Audit Work Plan given the pervasive nature of these controls in support of underlying applications.

Discussion:

• Summary of the number and severity of the findings:

Category                              Total     High    Medium    Low
                                    Findings   (red)  (yellow)  (green)
Governance                               3        0        3        0
Segregation of Duties                    1        1        0        0
Logical Access Controls                  8        2        6        0
Physical & Environmental Controls        3        0        2        1
Operations                               2        0        1        1
Total                                   17        3       12        2

Key Issues (details are located on page 10 of this report)

1. Use of key administrative userids for specific network and applications is not effectively restricted and monitored.
2. Segregation of duties to promote software changes from the development environment to the production environment is not maintained for a specific application.
3. Standard operating procedures:
   • are not documented for three key areas of computer operations: data classification, help desk operations and incident management;
   • while documented for specific areas, require more attention to detail (e.g. establishment of ownership, updates to date of last review, etc.).
4. Help desk ticket monitoring is a manually intensive process drawing on limited ITS resources to effectively prioritize and resolve incidents. Also, the existing system does not support the development of a knowledge base to support future incident resolution. ITS has identified the need for an automated help desk ticketing system in its 2009 - 2011 business strategy.
5. Formal processes for approving security protocol changes (e.g. password configuration, etc.) are not in place.
6. The control mechanism to cancel users is weakened by the lack of regular reporting of staff who are on leave of absence (for any reason) or are no longer in the employ of the City (for any reason).
7. Review of user access to critical applications is not performed on a regular basis.
8. Current settings of specific logical security parameters for Windows Active Directory are not in alignment with industry-recommended minimum security settings.
9. Password configurations of two specific applications and administrator ID password changes are not in compliance with the City's password policy.
10. Approved lists of staff with authority to enter data centers are not on file.
11. A data center (outside the control of ITS) is not practising effective environmental security controls (e.g. water and humidity monitoring, air conditioning temperature control, etc.).
12. Regular monitoring of server logs is not performed. This activity requires a significant draw on limited ITS resources.

Financial Matters:

Engagement of External Resources
• Deloitte & Touche performed the audit
• Total cost = $34,950
• Sourced from current budget of the Office of the City Auditor

City Auditor's Time
• 14 hours allocated to planning and reporting phases

Communication Matters:

• Audit closing meeting conducted on October 29, 2009. Provided opportunity for discussion between ITS management, Deloitte & Touche Auditors and the City Auditor.
• Management provided their comments and responses to findings and recommendations as located on page 13 in this report and in the confidential appendix reported separately.
• Final report issued to management on January 14, 2010.

Conclusion:

Management and staff continue to demonstrate their commitment and diligence to enhanced information security and effective computer operations as indicated in their management action plans. I would like to thank the management and staff of Information Technology Services, Fire Department and Traffic Services for the cooperation and support extended during this audit.

Respectfully submitted,

Sheila M. Jones, MBA, CIA, CCSA, CFE
City Auditor
905-335-7600 ext. 7872

Approvals (*required): *Department Head, City Treasurer, General Manager, City Manager

Appendices: A. Audit Report – General Computer Controls


Appendix A

AUDIT REPORT

General Computer Controls

Information Technology Services

Corporate Services

Issued: January 14, 2010

Distribution:
Randy Bennett, Manager Infrastructure & Operations
Christine Swenor, Director ITS
Shayne Mintz, Fire Chief
Donna Shepherd, Director Transit & Traffic

cc:
Kim Phillips, General Manager Corporate Services
Nancy Shea Nicol, City Solicitor
Roman Martiuk, City Manager

Prepared by: Sheila M. Jones, CIA, CFE, City Auditor

Purpose

This report documents the findings and recommendations of the audit of General Computer Controls.

Introduction and Background

Information Technology Services (ITS) is responsible for the acquisition, implementation and management of corporate technology to support City operations. IT controls are fundamental to the reliability and integrity of the information processed by the automated systems on which most organizations depend for their business and financial transactions.[1]

[1] IT Control Assessment in the Context of CEO/CFO Certification. CICA. Information Technology Advisory Committee. 2004.

General computer controls are:
• pervasive controls in the overall computer environment that support the integrity of data and information in underlying applications;
• applied to entire information systems and all software applications which reside on the systems;
• one area of IT controls.

General computer controls include:
• Information security
• Computer operations
• Change management
• Organization & management

Audit Objectives & Scope

This review assessed the adequacy of the following general computer controls:
• Information security and
• Computer operations.

Methodology

The audit has been conducted in accordance with generally accepted auditing standards. The audit was conducted by Deloitte & Touche on behalf of the Office of the City Auditor. The conclusions reached in this report are based upon information available at the time.

Inherent Risk Profile

The management of ITS is responsible for implementing controls that mitigate the following risks (risks before application of controls) in information security and computer operations:

Risk Category / Inherent Risk Rating / Potential loss due to…

Information Security – Technology (Inherent Risk: High)
• Hacking damage
• Spreading computer virus
• Theft of information

Systems Failures (Inherent Risk: High)
• Data loss
• Viruses
• Hardware/software failure
• Power outage/disruption
• System maintenance failure

Telecommunication or Utilities Failure (Inherent Risk: High)
• Telecommunication failure

Unauthorized Activity (Inherent Risk: High)
• Destroying, falsifying records
• Transaction type unauthorized

Performance & Responsibility (Inherent Risk: Medium)
• Inaccurate/incomplete job evaluation/mandates
• Non-existent or inaccurate operating policies and procedures

Disasters and Other Events (Inherent Risk: Medium)
• Natural Disaster: fire (natural origin), flood (natural origin)
• Non-Natural Disaster: flood (non-natural origin), power shortage
• Wilful Damage and Human Losses from external sources: arson, sabotage and vandalism

Efficiency (Inherent Risk: Low)
• Unnecessary activities and tasks

Legend:
High – significant/large/critical impact on City operations, financial results and/or image
Medium – moderate/modest/sensitive impact on City operations, financial results and/or image
Low – insignificant/little/subtle impact on City operations, financial results and/or image

Role of ITS Management

ITS Management is responsible for designing internal controls to mitigate the inherent risks noted above and to meet the following objectives:
• Safeguarding of assets (including reputation)
• Compliance with laws, regulations and corporate policies
• Reliability and integrity of financial and operational information
• Efficiency and effectiveness of operations.

Overall Audit Rating – FAIR

Legend: Overall Audit Rating

Excellent (Green)
• No internal control weaknesses noted.
• Good adherence to laws, regulations, and policies.
• Good control environment.
• Operations are considered efficient and effective.

Good (Yellow)
• Several low and/or one or two medium findings.
• Minor contraventions of policies and procedures with compensating controls in place.
• No violation of laws.
• Minor opportunities for improvement in efficiency and effectiveness.

Fair (Orange)
• Many medium findings and/or one or two high findings.
• Several contraventions to policy.
• Minor violations of regulations/laws with minimal impact to City.
• Moderate opportunities for improvement in efficiency and effectiveness.

Weak (Red)
• Several high findings and some medium and/or low findings.
• Controls weak in one or more areas.
• Noncompliance with policies puts the City at risk.
• Violation of law/regulation puts the City at risk.
• Substantial opportunities for improvement.
• Operations are considered consistently inefficient and/or ineffective.

This conclusion is only applicable to the function/area of this audit. It reflects the professional judgment of the Office of the City Auditor based on a comparison of situations as they existed at the time against audit criteria as identified in the scope of the audit. This conclusion is intended to provide reasonable assurance regarding internal controls. There are inherent limitations in any controls, including the possibility of human error and the circumvention or overriding of controls. Accordingly, even effective controls may provide only reasonable assurance with respect to City operations.

Summary of Audit Findings & Severity (Measure of Residual Risk)

Category                              Total     High    Medium    Low
                                    Findings   (red)  (yellow)  (green)
Governance                               3        0        3        0
Segregation of Duties                    1        1        0        0
Logical Access Controls                  8        2        6        0
Physical & Environmental Controls        3        0        2        1
Operations                               2        0        1        1
Total                                   17        3       12        2

Legend: Audit Finding Severity Scale

High (Red)
• Key control does not exist, is poorly designed or is not operating as intended
• Serious non-compliance to policy or regulation
• May result in immediate or material loss/misuse of assets, legal/regulatory action, material financial statement misstatements, etc.
• Indicates a serious business control weakness/deficiency requiring immediate action

Medium (Yellow)
• Key controls are partially in place and/or are operating only somewhat effectively
• Some non-compliance to policy or regulation
• May negatively affect the efficiency and effectiveness of operations and/or financial reporting accuracy
• Indicates a business control concern requiring near-term action be taken

Low (Green)
• Key controls are in place, but procedures and/or operations could be enhanced
• Minor non-compliance to policy or regulation
• May result in minor impact to operations
• Indicates a business control improvement opportunity for which longer-term action may be acceptable

Nominal
• Housekeeping

Refer to Appendix 1 and Confidential Appendix 2 for details of the audit findings and recommendations.

Overall Comments

• ITS has a documented and approved Business Strategy that includes, among other key areas, an increased emphasis on security to ensure adequate protection of corporate IT assets and continued legislative compliance. The existence of a business strategy is a key component of IT Governance.
• ITS management and staff demonstrated a sound knowledge and understanding of their responsibilities and acknowledge their continued support for enhancements and improvements in general computer controls.

Key Issues and Recommendations

The overall rating of FAIR for General Computer Controls – Information Security & Computer Operations is the result of the following key issues:

1. Use of key administrative userids for specific network and applications is not effectively restricted and monitored. Access control and monitoring of user activity are required to ensure activity is authorized and data is protected.
2. Segregation of duties to promote software changes from the development environment to the production environment is not maintained for a specific application. Enforced segregation of duties decreases the risk of unauthorized changes being promoted to a production environment.
3. Standard operating procedures:
   • are not documented for three key areas of computer operations: data classification, help desk operations and incident management;
   • while documented for specific areas, require more attention to detail (e.g. establishment of ownership, updates to date of last review, etc.).
   Documented procedures support management and staff in the consistent performance of activities.
4. Help desk ticket monitoring is a manually intensive process drawing on limited ITS resources to effectively prioritize and resolve incidents. Also, the existing system does not support the development of a knowledge base to support future incident resolution. ITS has identified the need for an automated help desk ticketing system in its 2009 - 2011 business strategy. Automated help desk solutions support effective incident reporting and tracking, improved customer service through the use of a knowledge base of resolution information, and enhanced management reporting of incidents and resolution.
5. Formal processes for approving security protocol changes (e.g. password configuration, etc.) are not in place. Approvals of changes in security protocols minimize the risk of unauthorized changes that may compromise data integrity.
6. The control mechanism to cancel users is weakened by the lack of regular reporting of staff who are on leave of absence (for any reason) or are no longer in the employ of the City (for any reason). Termination of user access is a key control in mitigating the risk of unauthorized use.
7. Review of user access to critical applications is not performed on a regular basis. While ITS has little to no control over granting user access to certain applications, ITS can provide guidance to departments on access control and can design and implement corporate controls to assist in managing the risk of unauthorized access and changes.
8. Current settings of specific logical security parameters for Windows Active Directory are not in alignment with industry-recommended minimum security settings. Strong account policy settings decrease the potential for unauthorized access and misuse of information resources.
9. Password configurations of two specific applications and administrator ID password changes are not in compliance with the City's password policy. Strong password policy compliance decreases the risk of unauthorized access and misuse of data maintained within the application.
10. Approved lists of staff with authority to enter data centers are not on file. Approved lists of staff with data centre access rights and privileges strengthen the overall physical and logical security of systems. ITS has control over access to its own data center, but not those data centers in other areas. ITS can provide guidance to departments on access control to assist in managing the risk of unauthorized access.
11. A data center (outside the control of ITS) is not practising effective environmental security controls (e.g. water and humidity monitoring, air conditioning temperature control, etc.). Effective environmental controls decrease the risk of loss or damage of data or equipment.
12. Regular monitoring of server logs is not performed. This activity requires a significant draw on limited ITS resources. Timely review of activity logs reduces the risk of loss due to unauthorized access or activity.

Closing Comments

Management and staff continue to demonstrate their commitment and diligence to enhanced information security and effective computer operations as indicated in their management action plans. I would like to thank the management and staff of Information Technology Services, Fire Department and Traffic Services for the cooperation and support extended during this audit.

Management Comments

In addition to the Management responses included in the Appendices, the importance of the IT Business Strategy should be emphasized. A number of initiatives were established as part of that strategy to improve IT management processes. The ability to make progress towards these initiatives will contribute to the overall effectiveness and reliability of general computer controls.

Appendices:
1. Details of Audit Findings and Recommendations
2. Confidential Details of Audit Findings and Recommendations

Appendix 1 – Details of Audit Findings and Recommendations

No. / Audit Finding / Risk Category & Severity Rating / Recommendations / Management Action Plan

1. Policy and Standard Operating Procedures – Operations & Security

Audit Finding: Internal Audit noted the following during testing of Standard Operating Procedures (SOPs):
1. SOPs are not documented in the following areas:
   a. Data Classification (e.g. sensitive, confidential, etc.);
   b. Help Desk Operations; and
   c. Incident Management (also identified as part of the IT Business Strategy goal to enhance the process in accordance with ITIL guidance).
2. Two of seven SOPs sampled did not have a reference number;
3. Four of seven SOPs sampled did not identify the date of last management review/update;
4. One of seven SOPs sampled was not reviewed on a timely basis;
5. Six of seven SOPs sampled were not assigned a responsible document owner;
6. There is no formal process to communicate policy updates and changes to staff.
7. Corporate IT policy does not address encryption requirements. ITS does have procedures in place should encryption be required.

Lack of SOPs for key processes increases the risk of activities being performed in a manner that is inconsistent with management's intentions. Without periodic management review of SOPs, there is a risk that procedural changes to information security management and ITS operational practices may not be documented. There is also a risk that users may reference out-dated versions of policies and procedures, potentially resulting in critical security breaches and operational failures. Through discussion with the ITS Manager Infrastructure and Operations, Internal Audit noted that although the policies and procedures above have not been documented, the ITS department is taking steps towards implementing standardized security practices in the areas of data encryption, data classification on existing databases, data center environmental controls and firewall and web-server log monitoring.

Risk Category: Information Security – Technology; Systems Failures; Telecommunication or Utilities Failure; Unauthorized Activity
Severity Rating: Medium (Yellow)

Recommendations:
• Management should document and update policies and procedures as required to ensure consistent ITS Operational and Security Practices.
• Policies should include a policy number and the date of last review and authorization/approval.
• A document owner should be assigned in order to ensure that changes to procedures are documented in a timely manner.
• Management should ensure that there is appropriate communication and training of staff on new policies and changes to existing policies.

Management Action Plan:
Comment: Limited staff resources and staff changes have affected the ability to create and maintain Standard Operating Procedures. Procedure for data classification should be led by the Clerks Department in collaboration with ITS.
Action Plan: Existing SOPs will be updated as recommended. Communications will be issued to ITS on the updated SOPs. SOPs for Help Desk Operations and Incident Management will be developed as part of the IT Service Management Project in 2010. ITS will address information security procedures subsequent to data classification (e.g., from an implementation perspective). ITS will conduct a review of the corporate IT Security Policy.
Responsibility: Manager of IT Infrastructure & Operations
Target Date: December 2010 – for all activities to be completed. Activities will be incorporated into workplans throughout the year.

2. Help Desk Ticket Monitoring

Audit Finding: The ITS department currently uses a Microsoft Outlook based, central email account to track and monitor the status of help desk requests submitted by users. Through testing, Internal Audit noted that help desk tickets were not sequentially numbered, did not contain an issue severity rating and a central dashboard was not in place to provide statistics on the current help desk ticket population. The current process to track and monitor the status of outstanding tickets requires excessive manual intervention by the Team Leaders. Management has also identified the inability to generate statistics related to help desk calls received and problems resolved in the '2009-2011 IT Business Strategy', and has identified the need to implement an automated help desk ticketing solution.

Risk Category: Efficiency
Severity Rating: Medium (Yellow)

Recommendations:
• Management should perform an assessment of the current help desk ticketing function and build requirements to automate the help desk ticketing process.
• Management should utilize the results of this assessment to evaluate and select a vendor to implement an automated, robust help desk ticketing solution.

Management Action Plan:
Comment: Management has identified the need for an automated help desk ticketing solution in the IT Business Strategy.
Action Plan: A help desk ticketing solution will be implemented as part of the IT Service Management project in 2010.
Responsibility: Manager of IT Infrastructure & Operations
Target Date: June 2010

3. Changes in Security Protocols

Audit Finding: Establishing or changing security protocol (e.g., for password configuration) requires a formal assessment of categories and severity of security changes and documented approval by authorized individuals. ITS Management has not conducted this formal assessment. Through discussions with the ITS Manager of Infrastructure and Operations, Internal Audit noted that a formal process has not been implemented for obtaining approval to make security changes within the ITS department. There is a risk that unauthorized changes to system security configurations may compromise data integrity and potentially result in legal liability.

Risk Category: Information Security – Technology; Unauthorized Activity
Severity Rating: Medium (Yellow)

Recommendations:
• Management should establish a formal process to track, monitor and document all approvals to changes in security protocol.
• Management should also establish a formal process identifying the necessary security approvals that should be obtained based on the severity of the security changes.

Management Action Plan:
Comment: Any changes to security protocol are discussed and heavily scrutinized prior to implementation.
Action Plan: ITS will establish a formal process for security protocol changes which will identify classifications for security changes (e.g., business impact, financial impact) and the levels of approval required.
Responsibility: Manager, IT Infrastructure & Operations
Target Date: June 2010

4. Terminated User Access – Windows Active Directory (WINAD)

Audit Finding: The current process requiring Human Resources and/or the employee's Functional Manager to notify IT in the event of employee termination is not operating effectively. During testing of terminated users against the current WINAD user listing, IA noted four (4) terminated users with active WINAD accounts. These accounts were not terminated on the date of employee departure. Accounts that remain active after an employee has left the organization increase the risk of unauthorized access to the City's information assets.

Risk Category: Performance & Responsibility; Information Security – Technology; Unauthorized Activity
Severity Rating: Medium (Yellow)

Recommendations:
• Management should review and remove active IDs of employees who are no longer with the City.
• ITS Management should continue to ensure that IDs of employees who have left the organization are disabled promptly. The process to ensure that employee departures are communicated to the IT department should be reviewed to determine the cause of the gaps identified, and the process revised and included in the employee exit procedures.

Management Action Plan:
Comment: Management has removed the 4 terminated users. ITS has a process in place to disable user accounts once informed that an employee is no longer with the City.
Action Plan: ITS will work with Human Resources to develop a process to inform ITS of employee terminations. This will be implemented by senior management (SMT) and applied across the organization.
Responsibility: Manager IT Infrastructure & Operations and Human Resources Administrator
Target Date: March 2010

5. Data Center Review – All Data Centers

Audit Finding: It was noted during the review of access to the data centers that a listing of personnel authorized to have access to the data centers is not maintained. It was also noted that there is no formal process for ITS management to track and monitor individuals with access to the data centers. There is an increased risk of data loss or physical harm to equipment as a result of unauthorized individuals with access to the data center. Currently the process of pass card administration to provide user access to the Traffic and IT data centers is managed through Facilities Management. Fire Department staff administers user access to the fire department data center.

Risk Category: Disasters and Other Events; Telecommunication or Utilities Failures
Severity Rating: Medium (Yellow)

Recommendations:
• For IT staff, ITS Management should maintain an updated list of authorized users for access to the data centers.
• A periodic review of IT users with access to all data centers should be reconciled against the list of authorized IT users. Unauthorized access should be removed immediately.
• ITS should provide advice and counsel to Traffic and Fire Departments regarding appropriate and effective access controls to data center facilities and equipment.

Management Action Plan:
Comment: ITS maintains a list of staff who have access to the main data center in City Hall. This list is reviewed on a regular basis. ITS does not currently administer access to the Traffic and Fire data centers.
Action Plan: ITS will work with Traffic and Fire to establish access protocols and to ensure periodic access reviews are performed.
Responsibility: Manager IT Infrastructure and Operations
Target Date: March 2010
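The reconciliations recommended under findings 4 and 5 (terminated users against the directory listing, and data-center badge holders against the approved list) can be scripted; the Python below is an added example, not part of the audit report or the City's own tooling. Its HR, directory and badge extracts are constructed sample data, and their column names are assumptions a real export would need to be mapped to.

```python
"""Reconciliation checks for two of the access-control findings.

Constructed sample data (not from the audit report): an HR departures
extract, a Windows Active Directory (WINAD) user export, a data-center
badge-holder export and the approved data-center access list.
"""
import csv
import io
from datetime import date

# Constructed HR departures extract (sample records, not real employees).
HR_DEPARTURES_CSV = """employee_id,sam_account,departure_date
1001,jsmith,2009-09-30
1002,mlee,2009-10-15
1003,kpatel,2009-11-02
"""

# Constructed directory export in the shape a user-listing query would give.
AD_USERS_CSV = """sam_account,enabled,last_logon
jsmith,True,2009-10-20
mlee,False,2009-10-14
kpatel,True,2009-10-28
rbrown,True,2009-12-01
"""

# Constructed badge-system export and approved list for the IT data center.
BADGE_HOLDERS_CSV = """badge_id,sam_account
B-01,rbrown
B-02,jsmith
B-03,tnguyen
"""
APPROVED_DATA_CENTER_ACCESS = {"rbrown", "tnguyen", "avaldez"}


def _rows(csv_text):
    """Parse an in-memory CSV extract into a list of dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_active_terminated_accounts(hr_csv, ad_csv, as_of_iso):
    """Return departed employees whose directory account is still enabled.

    Each result records how long the account stayed enabled past the
    departure date (as of the review date) and whether a logon was seen
    after departure, which is the case that warrants investigation rather
    than just clean-up.
    """
    as_of = date.fromisoformat(as_of_iso)
    last_logon_of_enabled = {}
    for row in _rows(ad_csv):
        if row["enabled"].strip().lower() == "true":
            last_logon_of_enabled[row["sam_account"]] = date.fromisoformat(row["last_logon"])

    findings = []
    for row in _rows(hr_csv):
        acct = row["sam_account"]
        if acct not in last_logon_of_enabled:
            continue  # already disabled or not present: nothing to report
        departed = date.fromisoformat(row["departure_date"])
        findings.append({
            "sam_account": acct,
            "days_enabled_after_departure": (as_of - departed).days,
            "logon_after_departure": last_logon_of_enabled[acct] > departed,
        })
    return sorted(findings, key=lambda f: f["sam_account"])


def reconcile_data_center_access(badge_csv, approved):
    """Compare badge holders against the approved access list.

    Returns (unauthorized_holders, approved_without_badge). The first set
    is what the recommendation says to remove immediately; the second is a
    record-keeping discrepancy to correct in the list.
    """
    holders = {row["sam_account"] for row in _rows(badge_csv)}
    return holders - approved, approved - holders


if __name__ == "__main__":
    for finding in find_active_terminated_accounts(HR_DEPARTURES_CSV, AD_USERS_CSV, "2009-12-01"):
        print(finding)
    unauthorized, missing = reconcile_data_center_access(BADGE_HOLDERS_CSV, APPROVED_DATA_CENTER_ACCESS)
    print("badge holders not on approved list:", sorted(unauthorized))
    print("approved but holding no badge:", sorted(missing))
```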

6. Back-up Tape Restoration

Audit Finding: During testing, Internal Audit noted that management did not maintain documentation and/or evidence to confirm that database restores were completed successfully. Through discussions with the ITS Manager of Infrastructure and Operations, Internal Audit noted that the Disaster Recovery Plan (DRP) in development includes specific instructions to perform testing of tape readability as part of the annual DRP testing process. Lack of testing of tape readability and backup restoration as part of an annual DRP testing process increases the risk of data loss due to tape corruption. The ITS Manager of Infrastructure and Operations has noted that back-up tape restorations were not tested as the DRP plan has not been formally implemented.

Risk Category: Efficiency
Severity Rating: Low (Green)

Recommendations:
• Management should ensure that backup restorations are performed, at least annually, as part of the DRP testing process and documented evidence maintained to support the testing effort.

Management Action Plan:
Comment: Reliance on, or requirement for, tape-based recovery will be mitigated when full data replication to the disaster recovery site is implemented.
Action Plan: Management will develop a strategy to test tape readability for critical systems on an annual basis.
Responsibility: Manager IT Infrastructure and Operations
Target Date: May 2010


Recommended