Management summaries in respect of completed audit assignments
Appendix B (2)

Report No. NN/11/17 – Final Report issued 15 February 2011

Audit Report on Network Infrastructure, Security and Telecommunications

Audit Opinion

Limited Assurance given

Rationale supporting award of Opinion

The audit work carried out by Internal Audit indicated that there are weaknesses in the system of internal controls such as to put the client’s objectives at risk. Although overall the Council’s Domain Controller Configuration standards were on par with other local authority organisations, there are still a number of weaknesses which need to be addressed to meet good security practice and the Government Code of Connection (CoCo) requirements. A total of 15 medium priority and three low priority recommendations have been raised to lift controls to a good/leading practice standard; hence we have been able to provide a limited level of assurance.

This system has not previously been audited, so there is no comparison possible with previous findings.

Summary of Findings

Domain Account Policies – this refers to the general practices that operate such as password policies, account lock-out policy etc. Password controls in this area are good, for example, complexity has been enabled and other available supporting controls are in place. There are a number of other controls that require review and recommendations on these have been raised.

Audit Policy – The majority of the available audit functionality has been utilised, although the logs created by the audit functionality are not reviewed. Recommendations around log review and bringing the audit functionality not currently being used to a good practice standard have been raised.

Event Logs – Event logs are equivalent to audit trails in the network domain. There are good controls in the configuration of event log settings.

Security Options – The majority of available controls in this area are in line with good practice, although it was also noted that some still require review. For example, it is not good practice to allow the username of the previous user of a PC or laptop to be displayed to the next user upon system start.

User Accounts – Good controls have been implemented, although the audit found that there appears to be a large number of user accounts with passwords set to never expire and/or that do not require a password. The latter does not necessarily mean that no password is present, just that the accounts are allowed to have no password set. A recent Code of Connection onsite security IT Healthcheck found no accounts without passwords. Sample testing of the leavers’ process noted a minor weakness in that two accounts out of a sample of 22 over the period from July to September 2010 were still open. As the process clearly exists, the weakness was discussed with management and no formal recommendation has been raised here. However, recommendations on the accounts with no password expiry, and those which do not require a password, have been raised.

Rights and Privileges – It was found that “rights to be granted to administrators only” were configured in line with current good practice, although there are a number of “rights to be granted to no one” that have been granted to users. There are also a number of Discretionary Access Control Lists (“DACL”) that have been created for individual users, that allow the users certain functionality within the system. Recommendations on this and the “rights to be granted to no one” have been raised.

Trusted and Trusting Domains – Trust relationships allow one Domain to “trust” the access rights given within another Domain (e.g. the network password would allow access to another domain). There are no such relationships in place on the network domain.

Remote Access Service (RAS) – The RAS service has been disabled and no RAS servers were defined within the domain. However, six supporting RAS services were still running on the Domain Controller and one administrator account has permission to dial in using RAS. Recommendations on stopping the services and reviewing the need to have an administrator account with this privilege have been raised.

Services and Drivers – The domain controller had 276 services available, of which 148 were running at the time of the audit. There is no regular review of the service to ensure that only required services are running. A recommendation on this has been raised.

Updates and Patches – It was found that the last time any patches or updates were installed was in January 2010 when Server 2003 Service Pack 2 was installed. There is no patch or update review process in place that ensures that the hardware is hardened to current patches and/or hotfixes. A recommendation on this has been raised.

Logical Drives and Network Shares – Logical drives are sections of physical drives that have been partitioned, whilst network shares are pieces of information that can be shared between users (e.g. shared files, shared printers). Good controls were noted here.

Backup – Good controls were noted here.

Physical and Environmental Security – Good controls were noted here.

Disaster Recovery Plan (DR) – Management have been working on drafting a Disaster Recovery Plan although it requires further review to lift it to current good practice. A recommendation containing suggestions for improvement has been raised.

Network Topology (layout) and Resilience – Single points of failure (each of which, if it failed, would mean that a significant part of the network would also fail) were noted at the Firewall and router switch. Spare devices are available to replace the active devices and management are confident in their ability to do so with little delay. The Council’s infrastructure is small and these controls have been considered to be adequate for their needs.

Network Support – The support team is small, although there is good cross training in place to help ensure adequate network management resourcing. However, there are weaknesses in terms of security alert management and the lack of regular review of service desk activities to identify any support trends that may require off line resolution. Recommendations on these have been raised.

Network Device Security – The CISCO switches allow connections between, and within, the network. The CISCO switch configuration is such that one of the passwords has been encrypted using a CISCO “Type 7” algorithm, which is known to be weak. A recommendation to harden this encryption to the stronger Type 5 encryption has been raised. The Council currently has no Intrusion Detection System in place. A recommendation to consider implementation of such a system has also been raised.

Remote Virtual Private Network (VPN) Access – These allow users to access the network from other locations, e.g. through the internet. Good controls were noted. A VASCO (a data security company) token 2-factor authentication mechanism is in place.

Network Management and Administration – Good controls have been noted in that there appears to be adequate budget and resource in place to manage the network infrastructure, although no Service Level Agreement between IT and the Business Areas is in place. In addition, there is no separate Network Strategy. Recommendations on these weaknesses have been raised.

Firewall – Good controls were noted in that there is evidence of regular (annual) penetration testing in place. Management use a range of different external vendors to implement these tests in order to get a cross section of opinion.

Telecommunications Administration – The Council uses older technology with a small amount of Voice-over IP (VOIP) technology, which is used internally only. There is a range of Disaster Recovery options available to management should such an event be invoked. Billing is handled by apportioning total amounts equally across the total number of Council employees.

Adequacy and Effectiveness Assessments

Area of Scope                                 Adequacy of Controls   Effectiveness of Controls   High   Medium   Low
Domain Accounts Policy                        Amber                  Amber                       0      1        0
Audit Policy                                  Amber                  Amber                       0      2        0
Event Logs                                    Green                  Green                       0      0        0
Security Options                              Amber                  Amber                       0      1        0
User Accounts                                 Amber                  Amber                       0      1        1
Rights and Privileges                         Amber                  Amber                       0      2        0
Trusted and Trusting Domains                  Green                  Green                       0      0        0
Remote Access Service (RAS)                   Amber                  Amber                       0      1        0
Services and Drivers                          Amber                  Amber                       0      0        1
Updates and Patches                           Amber                  Amber                       0      1        0
Logical Drives and Network Shares             Green                  Green                       0      0        0
Backup                                        Green                  Green                       0      0        0
Physical and Environmental Security           Green                  Green                       0      0        0
Disaster Recovery Plan                        Amber                  Amber                       0      1        0
Network Topology and Resilience               Green                  Green                       0      0        0
Network Support                               Amber                  Amber                       0      2        0
Network Device Security                       Amber                  Amber                       0      1        1
Remote Virtual Private Network (VPN) Access   Green                  Green                       0      0        0
Network Management and Administration         Amber                  Amber                       0      2        0
Firewall                                      Green                  Green                       0      0        0
Telecommunications Administration             Green                  Green                       0      0        0
Total Recommendations Raised                                                                     0      15       3

High Priority Recommendations

We have raised no high priority recommendations as a result of this audit.

Management Responses

Management have disagreed with one recommendation raised:

Recommendation 18 – Network Strategy (low priority)

Management should draft and agree a Network Strategy to complement the existing ICT Strategy. The document should include reference to the timescales that the strategy covers, the level of current planned investment in the infrastructure and the aims of the strategy in terms of how it is aligned to identified business needs over the lifetime of the strategy.

Rationale supporting Recommendation 18

A formal Network Strategy will help to ensure transparency and accountability for the network and help to demonstrate how the IT area are supporting identified business objectives over time. There is currently no formal network strategy, although there are brief references to network plans within the main ICT strategy. A lack of formal Network Strategy increases the risk that the network’s management will be ineffective and not support business objectives over time.

Management Response

Disagreed. However, we shall include a network plan as part of the ICT strategy instead of generating a separate document. This is to minimise the number of strategies.