Internal Audit Report 2010/11
North Norfolk District Council
NN/11/17 Network Infrastructure, Security and Telecommunications
February 2011

This report has been prepared on the basis of the limitations set out on page 26.

Internal Audit Report – North Norfolk District Council – Network Infrastructure 2010/11 - report number NN/11/17

Contents
Executive Summary (page 1)
Recommendations (page 8)
Statement of Responsibility (page 26)
Appendix A – Definition of Audit Opinions, Direction of Travel, Adequacy and Effectiveness (page 27)
Appendix B – Audit Objectives & Scope (page 30)
Appendix C – Audit Team & Staff Consulted (page 32)
Appendix D – Audit Timetable (page 33)

This report and the work connected therewith are subject to the Terms and Conditions of the Contract dated 1 October 2007 between South Norfolk District Council and Deloitte & Touche Public Sector Internal Audit Limited. The report is confidential and produced solely for the use of the above named Participating Council. Therefore you should not, without our prior written consent, refer to or use our name or this document for any other purpose, disclose them or refer to them in any prospectus or other document, or make them available or communicate them to any other party. No other party is entitled to rely on our document for any purpose whatsoever and thus we accept no liability to any other party who is shown or gains access to this document.

Executive Summary

Introduction

As part of the 2010/11 Internal Audit Plan, agreed by the Audit Committee, we have undertaken an audit of Network Infrastructure, Security and Telecommunications. All the issues identified in the Audit Brief approved in September 2010 have been addressed. This report sets out our findings from the audit and raises recommendations to address areas of control weakness and / or potential areas of improvement.
Audit Opinion

Limited Assurance (opinions are graded as Unsatisfactory Assurance, Limited Assurance, Adequate Assurance or Good Assurance). We categorise our opinions according to the assessment of the controls in place and the level of compliance with those controls. Audit opinions are defined in Appendix A.

Rationale Supporting Award of Opinion and Direction of Travel

The audit work carried out by Internal Audit (the scope of which is detailed in Appendix B) indicated that there are weaknesses in the system of internal controls such as to put the client’s objectives at risk. Although overall the Council’s Domain Controller configuration standards were on a par with those of other local authority organisations, there are still a number of weaknesses which need to be addressed to meet good security practice and the Government Code of Connection (CoCo) requirements. A total of 15 medium priority and three low priority recommendations have been raised to lift controls to a good/leading practice standard; hence we have been able to provide a limited level of assurance.

This system has not previously been audited, so there is no comparison possible with previous findings. Hence no direction of travel indicator can be given.

Summary of Findings

In this section we set out a summary of our findings under each area of scope. This is a balanced summary where possible. Where weaknesses are identified, full details of these are included in the recommendations raised.

Domain Account Policies – this refers to the general practices that operate, such as password policies and the account lock-out policy. Password controls in this area are good; for example, complexity has been enabled and other available supporting controls are in place. There are a number of other controls that require review, and recommendations on these have been raised.
Audit Policy – The majority of the available audit functionality has been utilised, although the logs created by the audit functionality are not reviewed. Recommendations around log review, and around bringing the audit functionality not currently being used up to a good practice standard, have been raised.

Event Logs – Event logs are equivalent to audit trails in the network domain. There are good controls in the configuration of event log settings.

Security Options – The majority of available controls in this area are in line with good practice, although it was also noted that some still require review. For example, it is not good practice to allow the username of the previous user of a PC or laptop to be displayed to the next user upon system start.

User Accounts – Good controls have been implemented, although the audit found that there appears to be a large number of user accounts with passwords set to never expire and/or which do not require a password. The latter does not necessarily mean that no password is present, just that the accounts are allowed to have no password set. A recent Code of Connection onsite security IT Healthcheck found no accounts without passwords. Sample testing of the leavers’ process noted a minor weakness in that two accounts out of a sample of 22 over the period from July to September 2010 were still open. As the process clearly exists, the weakness was discussed with management and no formal recommendation has been raised here. However, recommendations on the accounts with no password expiry, and on those which do not require a password, have been raised.

Rights and Privileges – It was found that “rights to be granted to administrators only” were configured in line with current good practice, although there are a number of “rights to be granted to no one” that have been granted to users.
There are also a number of Discretionary Access Control Lists (“DACLs”) that have been created for individual users, which allow those users certain functionality within the system. Recommendations on this and on the “rights to be granted to no one” have been raised.

Trusted and Trusting Domains – Trust relationships allow one domain to “trust” the access rights given within another domain (e.g. the network password would allow access to another domain). There are no such relationships in place on the network domain.

Remote Access Service (RAS) – The RAS service has been disabled and no RAS servers were defined within the domain. However, six supporting RAS services were still running on the Domain Controller and one administrator account has permission to dial in using RAS. Recommendations on stopping the services and on reviewing the need to have an administrator account with this privilege have been raised.

Services and Drivers – The domain controller had 276 services available, of which 148 were running at the time of the audit. There is no regular review of the services to ensure that only required services are running. A recommendation on this has been raised.

Updates and Patches – It was found that the last time any patches or updates were installed was in January 2010, when Server 2003 Service Pack 2 was installed. There is no patch or update review process in place to ensure that the hardware is hardened with current patches and/or hotfixes. A recommendation on this has been raised.

Logical Drives and Network Shares – Logical drives are sections of physical drives that have been partitioned, whilst network shares are resources that can be shared between users (e.g. shared files, shared printers). Good controls were noted here.

Backup – Good controls were noted here.

Physical and Environmental Security – Good controls were noted here.
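The domain settings described above (the lock-out counter reset, the “Policy change” and “Privilege use” audit categories, display of the last user name at logon, unsigned non-driver installation, the built-in Administrator name and the four “rights to be granted to no one” detailed in recommendations 1, 2, 4 and 7) can all be read from a security template exported with secedit /export. The checker below is an added example, not part of the audit or of the Council’s tooling; the export it parses is a constructed sample modelled on the findings, and the registry value paths and the built-in SID allow-list are assumptions to be verified against the target server.

```python
"""Check a Windows security template (the file written by `secedit /export /cfg out.inf`)
against the domain settings recommended in this audit. Added example with constructed data."""

# Constructed sample modelled on the audit findings; not the Council's real export.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
LockoutBadCount = 5
ResetLockoutCount = 30
NewAdministratorName = "Administrator"
[Event Audit]
AuditPolicyChange = 1
AuditPrivilegeUse = 0
[Registry Values]
MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DontDisplayLastUserName=4,0
MACHINE\\Software\\Microsoft\\Non-Driver Signing\\Policy=3,0
[Privilege Rights]
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-21-1-2-3-1104
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-21-1-2-3-1105
SeServiceLogonRight = *S-1-5-20
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
"""

# Registry-backed security options (paths are assumptions; verify on the target OS).
DONT_DISPLAY_LAST_USER = ("MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion"
                          "\\Policies\\System\\DontDisplayLastUserName")
NON_DRIVER_SIGNING = "MACHINE\\Software\\Microsoft\\Non-Driver Signing\\Policy"
# [Event Audit] values: 0 none, 1 success, 2 failure, 3 success and failure.
AUDIT_LEVELS = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success/Failure"}
# The four "rights to be granted to no one" named in the audit, keyed by template name.
RESTRICTED_RIGHTS = {
    "SeIncreaseQuotaPrivilege": "Adjust memory quotas for a process",
    "SeBatchLogonRight": "Log on as a batch job",
    "SeServiceLogonRight": "Log on as a service",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
}
# Principals that hold these rights by default (LOCAL SERVICE, NETWORK SERVICE,
# BUILTIN\Administrators); anything else is reported for review. Assumed allow-list.
DEFAULT_HOLDERS = {"S-1-5-19", "S-1-5-20", "S-1-5-32-544"}


def parse_security_template(text):
    """Parse the INI-style template into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def registry_value(sections, path):
    """Numeric data of a [Registry Values] entry written as 'type,data'; None if absent."""
    entry = sections.get("Registry Values", {}).get(path)
    if entry is None:
        return None
    rtype, data = entry.split(",", 1)
    # REG_BINARY (type 3) data is written as hex bytes, REG_DWORD (type 4) as decimal.
    return int(data.strip().strip('"'), 16 if rtype.strip() == "3" else 10)


def check_template(sections):
    """Return (setting, detail) pairs for each setting that departs from the audit baseline."""
    findings = []
    access = sections.get("System Access", {})
    audit = sections.get("Event Audit", {})
    rights = sections.get("Privilege Rights", {})
    reset = int(access.get("ResetLockoutCount", "0"))
    if reset < 1440:
        findings.append(("ResetLockoutCount", f"{reset} minutes; raise to 1440"))
    if access.get("NewAdministratorName", "").strip('"').lower() in ("", "administrator"):
        findings.append(("NewAdministratorName", "built-in Administrator account not renamed"))
    for key, label in (("AuditPolicyChange", "Policy change events"),
                       ("AuditPrivilegeUse", "Privilege use events")):
        level = int(audit.get(key, "0"))
        if level != 3:
            findings.append((key, f"{label}: {AUDIT_LEVELS.get(level, level)}; set Success/Failure"))
    if registry_value(sections, DONT_DISPLAY_LAST_USER) != 1:
        findings.append(("DontDisplayLastUserName", "last user name shown at logon; set to Enabled"))
    if registry_value(sections, NON_DRIVER_SIGNING) == 0:
        findings.append(("NonDriverSigning", "unsigned non-driver installs silently succeed; set to Warn but allow"))
    for right, label in RESTRICTED_RIGHTS.items():
        holders = [h.strip().lstrip("*") for h in rights.get(right, "").split(",") if h.strip()]
        extra = [h for h in holders if h not in DEFAULT_HOLDERS]
        if extra:
            findings.append((right, f"{label}: granted to non-default principal(s) {', '.join(extra)}"))
    return findings


if __name__ == "__main__":
    for setting, detail in check_template(parse_security_template(SAMPLE_EXPORT)):
        print(f"{setting}: {detail}")
```

Run against a real export the script reports only the settings that differ from the audit baseline, so a clean template produces no output.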
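The user account conditions noted above (passwords set never to expire, null passwords permitted) and the expired and disabled accounts in recommendation 6 are encoded in two Active Directory attributes: userAccountControl (bit flags) and accountExpires (a Windows FILETIME, with 0 and the maximum 64-bit value both meaning “never”). The review below is an added example, not from the report; it reads a constructed CSV export carrying those attributes, with a description column standing in for the member / outside-agency grouping the report uses.

```python
"""Review a domain user export for the account conditions raised in this audit:
passwords set never to expire, null passwords permitted, expired and disabled accounts."""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# userAccountControl bit flags (Active Directory attribute values).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
DONT_EXPIRE_PASSWORD = 0x10000

# accountExpires values that mean "never expires"; any other value is a Windows
# FILETIME, i.e. 100-nanosecond ticks since 1601-01-01 UTC.
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}
FILETIME_EPOCH = datetime(1601, 1, 1)

# Constructed sample export (not the Council's data); the description column stands in
# for the member / outside-agency grouping used in the report.
SAMPLE_CSV = """\
sAMAccountName,userAccountControl,accountExpires,description
jsmith,512,0,Staff
cllr.ajones,66048,0,Member
agency.ext01,66080,9223372036854775807,Outside agency
temp.contractor,512,129277728000000000,Contractor
old.leaver,514,0,Staff
svc.backup,66048,0,Service account
"""


def filetime_to_datetime(filetime):
    """Convert a FILETIME tick count to a naive UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def review_accounts(csv_text, as_of):
    """Group account names by the conditions the audit asks management to review."""
    findings = {"never_expire": [], "password_not_required": [], "disabled": [], "expired": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["sAMAccountName"]
        uac = int(row["userAccountControl"])
        expires = int(row["accountExpires"])
        if uac & DONT_EXPIRE_PASSWORD:
            findings["never_expire"].append(name)
        if uac & PASSWD_NOTREQD:      # a null password is permitted, not necessarily set
            findings["password_not_required"].append(name)
        if uac & ACCOUNTDISABLE:
            findings["disabled"].append(name)
        if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) <= as_of:
            findings["expired"].append(name)
    return findings


def never_expire_by_group(csv_text):
    """Count never-expiring passwords per description, as the report does for members and agencies."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if int(row["userAccountControl"]) & DONT_EXPIRE_PASSWORD:
            counts[row["description"]] += 1
    return dict(counts)


if __name__ == "__main__":
    result = review_accounts(SAMPLE_CSV, as_of=datetime(2010, 10, 1))
    for condition, names in result.items():
        print(f"{condition}: {', '.join(names) or '-'}")
    print(never_expire_by_group(SAMPLE_CSV))
```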
Disaster Recovery Plan (DR) – Management have been working on drafting a Disaster Recovery Plan, although it requires further review to lift it to current good practice. A recommendation containing suggestions for improvement has been raised.

Network Topology (layout) and Resilience – Single points of failure (devices which, if they failed, would mean that a significant part of the network would also fail) were noted at the firewall and the router switch. Spare devices are available to replace the active devices and management are confident in their ability to do so with little delay. The Council’s infrastructure is small and these controls have been considered to be adequate for its needs.

Network Support – The support team is small, although there is good cross-training in place to help ensure adequate network management resourcing. However, there are weaknesses in terms of security alert management and the lack of regular review of service desk activities to identify any support trends that may require off-line resolution. Recommendations on these have been raised.

Network Device Security – The CISCO switches allow connections between, and within, the network. The CISCO switch configuration is such that one of the passwords has been encrypted using the CISCO “Type 7” algorithm, which is known to be weak. A recommendation to harden this encryption to the stronger Type 5 encryption has been raised. The Council currently has no Intrusion Detection System in place. A recommendation to consider implementation of such a system has also been raised.

Remote Virtual Private Network (VPN) Access – VPNs allow users to access the network from other locations, e.g. through the internet. Good controls were noted. A VASCO (a data security company) token 2-factor authentication mechanism is in place.
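Cisco Type 7 is a reversible obfuscation, so any “password 7” line in a switch configuration protects the credential no better than clear text once the configuration file is read, whereas “enable secret” and “username ... secret” store a salted MD5 (Type 5) hash, which is what recommendation 15 asks for (later IOS releases also offer Type 8 and Type 9). The configuration linter below is an added example, not the auditor’s tool; it runs over a constructed IOS configuration whose Type 5 and Type 7 strings are placeholders, not real hashes.

```python
"""Lint a Cisco IOS configuration for credential storage strength: Type 7 lines
are reversible, so the audit asks for Type 5 (salted MD5) secrets instead."""
import re

# Constructed IOS configuration; the Type 5/7 strings are placeholders, not real hashes.
SAMPLE_CONFIG = """\
version 12.2
service password-encryption
hostname NNDC-ACCESS-SW
!
enable secret 5 $1$abcd$PLACEHOLDERPLACEHOLDER
enable password 7 0123456789ABCDEF
username netadmin privilege 15 password 7 FEDCBA9876543210
username backup secret 5 $1$efgh$PLACEHOLDERPLACEHOLDER
!
line con 0
 password 7 0011223344556677
 login
line vty 0 4
 password 7 7766554433221100
 login
 transport input ssh
"""

# Matches "enable password ...", "username NAME [privilege N] password ..." and the
# indented "password ..." lines under "line con/vty/aux"; the type digit is optional.
PASSWORD_RE = re.compile(
    r"^(?P<indent>\s*)(?:(?P<enable>enable)\s+|username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?\s+)?"
    r"password\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)")

STRENGTH = {
    None: "clear text",
    "0": "clear text",
    "7": "Type 7, reversible obfuscation",
    "5": "Type 5, salted MD5 secret",
    "8": "Type 8, PBKDF2-SHA256",
    "9": "Type 9, scrypt",
}
WEAK_TYPES = {None, "0", "7"}


def audit_config(config_text):
    """Return one finding per weak credential line, plus a global note when
    'service password-encryption' is missing (it only ever yields Type 7 anyway)."""
    findings, scope = [], None
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if line.startswith("line "):
            scope = line.strip()            # entering a "line con 0" / "line vty 0 4" block
        elif line and not line[0].isspace():
            scope = None                    # any other top-level command ends the block
        m = PASSWORD_RE.match(line)
        if not m or m.group("type") not in WEAK_TYPES:
            continue
        if m.group("enable"):
            where, fix = "enable", "remove 'enable password' and rely on 'enable secret'"
        elif m.group("user"):
            where = f"username {m.group('user')}"
            fix = f"replace with 'username {m.group('user')} secret <password>' (Type 5)"
        else:
            where = scope or "unknown"
            fix = "line passwords cannot use 'secret'; use 'login local' with secret-hashed users"
        findings.append({"line": lineno, "scope": where,
                         "strength": STRENGTH[m.group("type")], "fix": fix})
    if "service password-encryption" not in config_text.splitlines():
        findings.append({"line": 0, "scope": "global", "strength": "clear text possible",
                         "fix": "add 'service password-encryption' (still only Type 7 for line passwords)"})
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']:>3} {f['scope']:<18} {f['strength']}: {f['fix']}")
```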
Network Management and Administration – Good controls have been noted in that there appears to be adequate budget and resource in place to manage the network infrastructure, although no Service Level Agreement between IT and the Business Areas is in place. In addition, there is no separate Network Strategy. Recommendations on these weaknesses have been raised.

Firewall – Good controls were noted in that there is evidence of regular (annual) penetration testing in place. Management use a range of different external vendors to implement these tests in order to get a cross section of opinion.

Telecommunications Administration – The Council uses older technology with a small amount of Voice-over-IP (VoIP) technology, which is used internally only. There is a range of Disaster Recovery options available to management should such an event be invoked. Billing is handled by apportioning total amounts equally across the total number of Council employees.

Adequacy and Effectiveness Assessments (definitions are found in Appendix A)

Area of Scope                                Adequacy     Effectiveness   Recommendations Raised*
                                             of Controls  of Controls     High   Medium   Low
Domain Accounts Policy                       Amber        Amber           0      1        0
Audit Policy                                 Amber        Amber           0      2        0
Event Logs                                   Green        Green           0      0        0
Security Options                             Amber        Amber           0      1        0
User Accounts                                Amber        Amber           0      1        1
Rights and Privileges                        Amber        Amber           0      2        0
Trusted and Trusting Domains                 Green        Green           0      0        0
Remote Access Service (RAS)                  Amber        Amber           0      1        0
Services and Drivers                         Amber        Amber           0      0        1
Updates and Patches                          Amber        Amber           0      1        0
Logical Drives and Network Shares            Green        Green           0      0        0
Backup                                       Green        Green           0      0        0
Physical and Environmental Security          Green        Green           0      0        0
Disaster Recovery Plan                       Amber        Amber           0      1        0
Network Topology and Resilience              Green        Green           0      0        0
Network Support                              Amber        Amber           0      2        0
Network Device Security                      Amber        Amber           0      1        1
Remote Virtual Private Network (VPN) Access  Green        Green           0      0        0
Network Management and Administration        Amber        Amber           0      2        0
Firewall                                     Green        Green           0      0        0
Telecommunications Administration            Green        Green           0      0        0
Total                                                                     0      15       3

* Recommendation priorities are defined in Appendix A.

High Priority Recommendations

We have raised no high priority recommendations as a result of this audit.

Background

The network infrastructure enables users to connect to servers and equipment which are not directly connected to their own physical PC or workstation. This could be on the next desk (as with printers), in other rooms, other buildings or even other countries, depending on the type of network. The audit of the network infrastructure has looked at how the Council’s network is accessed, how it is supported and monitored, and how the network is secured against unauthorised access. As part of the audit a computer audit tool called SekChek was used to look at the Network Server Operating System (O/S) configuration and logical access controls. The administration procedure in place for the maintenance and security of the Council’s voice network, which runs alongside the data network, was also reviewed.

Audit Objective

The objective of the audit was to determine whether management has implemented adequate and effective controls over the Network Infrastructure, Security and Telecommunications. The details of the areas covered are listed in Appendix B.

Acknowledgement

We would like to thank the management and staff of North Norfolk District Council for their time and cooperation during the course of the audit. All staff consulted are included at Appendix C.
Recommendations

Domain Accounts Policy

1. Domain Accounts Policy (Medium priority)

Recommendation
Management should give consideration to amending the Domain Accounts Policy in the following ways to comply with current good practice:
• "Prevent transfer of password in clear text" should be set to Enabled;
• "Reset lockout counter in minutes" should be raised to 1440; and
• "Allow lockout of local administrator account" should be Enabled.
The built-in Administrator account should also be renamed.

Rationale
The suggested enhancements will help to ensure that user accounts are managed as securely as possible. The audit noted that the following settings do not comply with current good practice:
• "Prevent transfer of password in clear text" is Disabled;
• "Reset lockout counter in minutes" is currently set to 30 minutes; and
• "Allow lockout of local administrator account" is Disabled.
The built-in Administrator account also still carries its default (delivery) name. A lack of adequate logical controls increases the risk of unauthorised access.

Management Response
Agreed.

Responsibility: Networks Manager
Deadline: 30th April 2011

Audit Policy

2. Audit Policy (Medium priority)

Recommendation
In order to match good practice, management should look to change the current Audit Policy settings for "Policy change events" and "Privilege use events" to Success/Failure.

Rationale
Making the changes will help to ensure that changes requiring enhanced privileges can be tracked adequately. Currently "Policy change events" is set to Success only, which means that any failed attempts to make such changes are not recorded, and there is currently no auditing enabled for "Privilege use events". These settings do not comply with current good practice and increase the risk that unauthorised actions are not identified or cannot be investigated.

Management Response
Agreed.

Responsibility: Networks Manager
Deadline: 30th June 2011

3. Review of Audit Logs (Medium priority)

Recommendation
Management should implement a process whereby audit logs undergo regular and documented review.

Rationale
Regular documented reviews of audit logs will help to ensure that anomalies flagged in the logs can be investigated and unauthorised activity identified as a result. There is currently no regular process to review the audit logs, although management do conduct ad hoc reviews on management request. There is also work currently underway to bring a new log collation and reporting system (RSA Envision) online, which should assist the review process greatly. A lack of regular review increases the risk of unauthorised activity not being identified and dealt with in a timely manner.

Management Response
Agreed.

Responsibility: Networks Manager
Deadline: 30th June 2011

Security Options

4. Security Options (Medium priority)

Recommendation
Management should give consideration to changing the following settings:
• "Unsigned non-driver installation" should be set to "Warn but allow"; and
• "Do not display last user name in logon screen" should be set to Enabled.

Rationale
Enhancing these security options will help protect the network from unauthorised access. The audit found that the following settings require review:
• "Unsigned non-driver installation" is set to "Silently succeed"; and
• The user name of the last user that accessed a device is displayed to the next user on logon, which therefore only requires the entry of a correct password.
There is an increased risk of unauthorised access and of changes being made within the network.

Management Response
Agreed. We will need to look into this and implement if appropriate.

Responsibility: Networks Manager
Deadline: 30th June 2011

User Accounts

5. Null Passwords and Passwords that Never Expire (Low priority)

Recommendation
Management should conduct a review of accounts where passwords are set to never expire and where null passwords are permitted, as the numbers of these accounts appear to be high.

Rationale
Keeping the numbers of such accounts to a minimum helps to protect against unauthorised access. There are 42 accounts which belong to members and 33 which belong to "Outside agencies" with passwords set to never expire. There are also 256 user accounts where passwords are not required, although this does not mean that there are actual accounts with no passwords, just that these accounts allow null passwords. A recent CoCo security assessment did not find any accounts without passwords. Weak user account controls increase the risk of unauthorised access into the network.

Management Response
Agreed. We review our accounts regularly and we are happy that there are legitimate business reasons for the accounts where passwords have been set to never expire. This part of the recommendation has therefore been implemented. We will review the accounts where null passwords are possible and revoke this setting where appropriate.

Responsibility: Networks Manager
Deadline: 31 March 2011

6. Expired and Disabled User Accounts (Medium priority)

Recommendation
Management should conduct regular reviews of expired and disabled accounts to remove any that are no longer deemed required.

Rationale
Performing a regular review of user accounts will help identify inactive accounts and, by removing them, prevent unauthorised access being gained through these accounts. The audit found that there were 46 expired and 332 disabled user accounts. There is a risk of unauthorised access through unused accounts and of reduced management effectiveness.

Management Response
Agreed. Implemented.

Responsibility: Networks Manager
Deadline: 31 January 2011

Rights and Privileges

7. Rights to be Granted to No One (Medium priority)

Recommendation
We recommend that the powerful system rights which should be granted to no one should be reviewed and removed. These include:
• Adjust memory quotas for a process;
• Log on as a batch job;
• Log on as a service; and
• Replace a process level token.

Rationale
Removing the powerful system rights that should be granted to no one will help minimise security exposure and increase the stability of the system. There are a number of system rights that should not be granted to any user. The audit found that some of these rights have been assigned to user accounts, as follows:
• Adjust memory quotas for a process - 20 accounts have this right;
• Log on as a batch job - 9 accounts have this right;
• Log on as a service - 3 accounts have this right; and
• Replace a process level token - 2 accounts have this right.
Restricting the use of powerful system rights reduces the risk of either accidental or deliberate misuse.

Management Response
Agreed. We will need to look into this and implement where appropriate.
Responsibility: Networks Manager
Deadline: 30th June 2011

8. Review of DACLs (Medium priority)

Recommendation
The Discretionary Access Control Lists (DACLs) should be reviewed to ensure that the list is valid and current and that the permissions granted through this route are appropriate.

Rationale
Reviewing the DACLs and the permissions granted will help ensure that the DACLs and the user permissions are current, valid and in line with users’ responsibilities. The audit noted that there are 14,119 DACLs defined within the domain, of which 880 were granted to an individual user and 160 to the group ‘Helpdesk’. Weak controls in this area increase the risk that users may obtain powerful permissions which are not in line with their responsibilities.

Management Response
Agreed. We will need to look into this and implement any controls deemed appropriate at a later date.

Responsibility: Networks Manager
Deadline: 31 June 2011

Remote Access Service (RAS)

9. Remote Access Service (Medium priority)

Recommendation
It is recommended that arrangements are made to stop the redundant Remote Access Service (RAS) services on the network and to remove the permission from the identified user to dial in to RAS if it is no longer applicable.

Rationale
Removal of the redundant services and related permissions will help to ensure that no unauthorised, deliberate or accidental connection is made through this service and will also help in the maintenance of the domain network. The audit found that there are no RAS servers defined within the domain, although six RAS services (Rasacd, Rasauto, Rasl2tp, RasMan, Raspppoe, Raspti) were still found to be running. There is also one administrator account with permission to dial in using RAS. There is a risk of unauthorised access being obtained through the RAS service as a result of unauthorised, deliberate or accidental connection.

Management Response
Agreed. We will stop this service but Remote Access is not configured and no modems exist. It is therefore a very very remote threat.

Responsibility: Networks Manager
Deadline: 31 December 2011

Services and Drivers

10. Periodic Review of Services (Low priority)

Recommendation
Management should conduct periodic reviews of the services on the Domain Controller to ensure that only required services are available. Where services are not required, they should as a minimum be disabled, and preferably removed.

Rationale
Keeping the services available to the minimum required for the server will help protect the security of the network and help maximise performance. The audit found that there are 276 services available on the Domain Controller, of which 148 were running. A lack of review increases the risk that network security will be compromised.

Management Response
Agreed.

Responsibility: Networks Manager
Deadline: 30th September 2011

Updates and Patches

11. Patches and Hotfixes (Medium priority)

Recommendation
It is recommended that a process should be put in place for the regular review of patches released by Microsoft, ensuring that the necessary (security and vulnerability) patches have been applied as early as practicable. Where a patch or fix has not been applied, the reason or reasons should be documented. The Microsoft Baseline Security Analyser (MBSA) tool could be used to conduct the reviews.

Rationale
Ensuring and applying the relevant patches will help minimise any vulnerability that may exist on the Domain Controllers and servers.
Formalising the process will help ensure that in future all patches and fixes have been reviewed and that a record is maintained of those that have been applied as well as those that have not. Additionally, it will help ensure that a patch or fix that may be important for the security of the network environment has not been overlooked. The audit noted that the last time any patches or hotfixes were applied was in January 2010, when Server 2003 Service Pack 2 was installed. The Council does not make use of available tools such as MBSA to ensure that the network has been hardened appropriately. A lack of appropriate review increases the risk that the Council's network may be exposed to security vulnerabilities and/or inefficiencies.

Management Response
Agreed. We will look into this and implement appropriate processes.

Responsibility: Networks Manager
Deadline: 30th June 2011

Disaster Recovery Plan

12. Disaster Recovery Planning (Medium priority)

Recommendation
Management should review the Disaster Recovery plan as follows:
• Use a recognised DR standard (for example BS25777) to guide the DR planning process;
• Be clearer about how the list of priorities in section 4 was developed;
• Include a procedure for invoking and escalating the DR plan from an IT management perspective; and
• Have the plan formally signed off by the business and IT management.

Rationale
A robust and appropriately updated, documented and tested Disaster Recovery Plan will help to ensure that the plan is effective and meets business requirements in all respects. The audit noted that there is a disaster recovery plan, although it is not complete. For example, it is not clear that it is aligned to business requirements, although a list of priority systems is present. There is no indication of the invocation and escalation procedures, and no management sign-off. A lack of a relevant Disaster Recovery plan increases the risk that the Council cannot recover its systems as required by the business, which could result in a lack of priority service provision.

Management Response
We consider our current processes to be suitable for our needs, although we will review the plans based upon the recommendation.

Responsibility: Networks Manager
Deadline: 30th June 2011

Network Support

13. Security Alerts Email Contacts (Medium priority)

Recommendation
Management should ensure that all email alerts that the various monitoring systems send are configured so that they are sent to multiple users in the IT team.

Rationale
Sending relevant alerts to multiple users will help to ensure that alerts are acted upon even when the primary responsible user is not present. The audit noted that there are a number of security alert emails relating to anti-virus and client machine management, but that they were not all configured to be sent to multiple users. Sending relevant alerts to single users only increases the risk that certain alerts that require immediate attention are not acted upon in a timely manner.

Management Response
Agreed. Implemented. Critical anti-virus alerts and backup messages are now configured to go to multiple staff.

Responsibility: Networks Manager
Deadline: 31 January 2011

14. Service Desk Reporting (Medium priority)

Recommendation
Management should restart the helpdesk reporting process and consider inviting users to suggest improvements that could be made to the reports to make them more relevant to their needs.
Rationale
Adequate reporting will help to ensure that Service Desk activity is transparent to users and management, and helps to ensure that trends and root causes can be easily identified and resolved. It was noted that IT Management used to produce activity reporting but no longer does, due to a perception that the reports were not considered useful. Management have also indicated that users have not commented on the lack of reporting to date. A lack of reporting increases the risk that Council management are not able to accurately track the effectiveness of the service desk.

Management Response
Agreed in part. The reports will be used within ICT for monitoring calls as it is felt users do not have time to read reports of this nature on a regular basis. This is a good sign that the quality of the ICT service is not an issue.

Responsibility: Networks Manager
Deadline: 30th June 2011

Network Device Security

15. CISCO Switch Encryption Strength (Low priority)

Recommendation
Management should review the CISCO switch configuration and ensure that all Type 7 encrypted passwords are enhanced to Type 5.

Rationale
Strong encryption helps to ensure the security of the relevant devices. It was noted that one of the passwords within the CISCO configuration was encrypted to the Type 7 standard, which is a CISCO proprietary standard and weaker than Type 5. Weak password encryption increases the risk of unauthorised access to the device.

Management Response
Agreed. Implemented.

Responsibility: Networks Manager
Deadline: 31 December 2010

16. Intrusion Detection System (Medium priority)

Recommendation
Management should give consideration to the implementation of a suitable Intrusion Detection System.

Rationale
Adequate Intrusion Detection will help to ensure the security of the network. The Council does not currently have Intrusion Detection installed on its network. A lack of adequate Intrusion Detection increases the risk of unauthorised access into the network.

Management Response
Agreed. We will look into this and implement where appropriate, though budget could be a barrier here. The deadline is for consideration, not implementation.

Responsibility: Networks Manager
Deadline: 30th June 2011

Network Management and Administration

17. Service Level Agreement (Medium priority)

Recommendation
Management should give consideration to drafting and agreeing a Service Level Agreement with the Business Areas.

Rationale
A Service Level Agreement will help to ensure transparency in, and accountability for, the performance of the IT department. There is currently no formal Service Level Agreement in place between IT and the Business Areas. However, it is acknowledged that there are bi-annual customer satisfaction surveys, which is a Performance Management requirement. A lack of a formal Service Level Agreement increases the risk of a degradation of the IT service and of reputational damage to IT management.

Management Response
Agreed. We will consider whether this is appropriate.
Responsibility: ICT Manager. Deadline: 31st August 2011.

18 Network Strategy
Recommendation (Medium Priority): Management should draft and agree a Network Strategy to complement the existing ICT Strategy. The document should include reference to the timescales that the strategy covers, the level of current planned investment in the infrastructure and the aims of the strategy in terms of how it is aligned to identified business needs over the lifetime of the strategy.
Rationale: A formal Network Strategy will help to ensure transparency and accountability for the network and help to demonstrate how the IT area is supporting identified business objectives over time.
There is currently no formal network strategy, although there are brief references to network plans within the main ICT strategy. A lack of a formal Network Strategy increases the risk that network management will be ineffective and not support business objectives over time.
Management Response: Disagreed. However, we shall include a network plan as part of the ICT strategy instead of generating a separate document. This is to minimise the number of strategies.
Responsibility: Networks Manager. Deadline: 31st August 2011.

Statement of Responsibility

We take responsibility for this report which is prepared on the basis of the limitations set out below. The matters raised in this report are only those which came to our attention during the course of our internal audit work and are not necessarily a comprehensive statement of all the weaknesses that exist or all improvements that might be made. Recommendations for improvements should be assessed by you for their full impact before they are implemented.
The performance of internal audit work is not and should not be taken as a substitute for management's responsibilities for the application of sound management practices. We emphasise that the responsibility for a sound system of internal controls and the prevention and detection of fraud and other irregularities rests with management, and work performed by internal audit should not be relied upon to identify all strengths and weaknesses in internal controls, nor relied upon to identify all circumstances of fraud or irregularity. Auditors, in conducting their work, are required to have regard to the possibility of fraud or irregularities. Even sound systems of internal control can only provide reasonable and not absolute assurance and may not be proof against collusive fraud. Internal audit procedures are designed to focus on areas identified by management as being of greatest risk and significance, and as such we rely on management to provide us full access to their accounting records and transactions for the purposes of our audit work and to ensure the authenticity of these documents. Effective and timely implementation of our recommendations by management is important for the maintenance of a reliable internal control system. The assurance level awarded in our internal audit report is not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board.
Deloitte & Touche Public Sector Internal Audit Limited, St. Albans, February 2011
In this document references to Deloitte are references to Deloitte & Touche Public Sector Internal Audit Limited. Registered office: Hill House, 1 Little New Street, London EC4A 3TR, United Kingdom. Registered in England and Wales No 4585162.
Deloitte & Touche Public Sector Internal Audit Limited is a subsidiary of Deloitte LLP, the United Kingdom member firm of Deloitte Touche Tohmatsu Limited ("DTTL"), a UK private company limited by guarantee, whose member firms are legally separate and independent entities. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms. Member of Deloitte Touche Tohmatsu Limited.

Appendix A – Definition of Audit Opinions, Direction of Travel, Adequacy and Effectiveness Assessments, and Recommendation Priorities

Audit Opinions

We have four categories by which we classify internal audit assurance over the processes we examine. Each is defined below, first in terms of the system of control in place and then in terms of the level of compliance with it:

Good Assurance
• There is a sound system of internal control designed to achieve the client's objectives.
• The control processes tested are being consistently applied.

Adequate Assurance
• While there is a basically sound system of internal control, there are weaknesses, which put some of the client's objectives at risk.
• There is evidence that the level of non-compliance with some of the control processes may put some of the client's objectives at risk.

Limited Assurance
• Weaknesses in the system of internal controls are such as to put the client's objectives at risk.
• The level of non-compliance puts the client's objectives at risk.

Unsatisfactory Assurance
• Control processes are generally weak, leaving the processes/systems open to significant error or abuse.
• Significant non-compliance with basic control processes leaves the processes/systems open to error or abuse.
The assurance gradings provided above are not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board and as such the grading of 'Good Assurance' does not imply that there are no risks to the stated objectives.

Direction of Travel
• Improved since the last audit visit. Position of the arrow indicates previous status.
• Deteriorated since the last audit visit. Position of the arrow indicates previous status.
• Unchanged since the last audit report.
• No arrow: not previously visited by Internal Audit.

Adequacy and Effectiveness Assessments

Please note that adequacy and effectiveness are not connected. The adequacy assessment is made prior to the control effectiveness being tested. The controls may be adequate but not operating effectively, or they may be partly adequate / inadequate and yet those that are in place may be operating effectively. In general, partly adequate / inadequate controls can be considered to be of greater significance than when adequate controls are in place but not operating fully effectively, i.e. control gaps are a bigger issue than controls not being fully complied with.

Adequacy / Effectiveness
• Existing controls are adequate to manage the risks in this area / Operation of existing controls is effective.
• Existing controls are partly adequate to manage the risks in this area / Operation of existing controls is partly effective.
• Existing controls are inadequate to manage the risks in this area / Operation of existing controls is ineffective.

Recommendation Priorities

High: A fundamental weakness in the system that puts the Council at risk.
To be addressed as a matter of urgency, within a 3-month time frame wherever possible, or, to put in place compensating controls to mitigate the risk identified until such time as full implementation of the recommendation can be achieved.

Medium: A weakness within the system that leaves the system open to risk. To be resolved within a 4-6 month timescale.

Low: Desirable improvement to the system. To be introduced within a 7-9 month period.

Appendix B – Audit Approach, Methodology and Scope

Audit Approach and Methodology

The audit approach was developed through an assessment of risks and management controls operating within each area of the scope. The following procedures were adopted:
• Identification of the role and objectives of each area;
• Identification of risks within each area which threaten the achievement of objectives;
• Identification of controls in existence within each area to manage the risks identified;
• Assessment of the adequacy of controls in existence to manage the risks and identification of additional proposed controls where appropriate; and
• Testing of the effectiveness of key controls in existence within each area.
Scope

Our work focussed on the internal controls in the following areas as agreed with management prior to the start of our work:
• Domain account policies
• Audit policy
• Event logs
• Security options
• User accounts
• Rights and privileges
• Trusted and trusting domains
• Remote Access Service (RAS)
• Services and drivers
• Updates and patches
• Logical drives and network shares
• Backup
• Physical and environmental security
• Disaster Recovery plan (DR)
• Network topology and resilience
• Network support
• Network device security
• Remote Virtual Private Network (VPN) access
• Network management and administration
• Firewall; and
• Telecommunications administration.

Appendix C – Audit Team & Staff Consulted

AUDIT TEAM

Deloitte
• Mike Clarkson – General Manager
• Daniel Hellary – Sector Manager
• Cliff Breadnam – CAS Engagement Manager, cbreadnam@deloitte.co.uk, 07795 952194
• Paul Kamminga – IT Auditor, pkamminga@deloitte.co.uk, 07500 882247

South Norfolk Council
• Sandra King – Head of Internal Audit, scking@s-norfolk.gov.uk, 01508 533863
• Leah Mickleborough – Deputy Audit Manager, lmickleborough@s-norfolk.gov.uk, 01508 533954

STAFF CONSULTED

North Norfolk District Council
• Kate Wilson – Networks Manager
• Chris Hele – Senior Technical Support Officer
• Paul Neale – Senior Technical Support Officer
• Terry Raynor – Technical Support Officer
• Eunice Lord – Technical Support Officer

Appendix D – Audit Timetable

• Planning Meeting: September 2010
• Fieldwork Start: 05 October 2010
• Exit Meeting: 13 October 2010
• Fieldwork completion: 26 October 2010
• Draft report issued to client: 18 January 2011
• Final report issued to client: 15 February 2011