Internal Audit Report 2010/11 North Norfolk District Council February 2011

Internal Audit Report 2010/11
North Norfolk District Council
NN/11/17 Network Infrastructure, Security
and Telecommunications
February 2011
This report has been prepared on the basis of the limitations set out on page 26.
Contents
Executive Summary, page 1
Recommendations, page 8
Statement of Responsibility, page 26
Appendix A – Definition of Audit Opinions, Direction of Travel, Adequacy and Effectiveness, page 27
Appendix B – Audit Objectives & Scope, page 30
Appendix C – Audit Team & Staff Consulted, page 32
Appendix D – Audit Timetable, page 33
This report and the work connected therewith are subject to the Terms and Conditions of the Contract dated 1 October 2007 between South Norfolk District Council and
Deloitte & Touche Public Sector Internal Audit Limited. The report is confidential and produced solely for the use of the above named Participating Council. Therefore you
should not, without our prior written consent, refer to or use our name or this document for any other purpose, disclose them or refer to them in any prospectus or other
document, or make them available or communicate them to any other party. No other party is entitled to rely on our document for any purpose whatsoever and thus we
accept no liability to any other party who is shown or gains access to this document.
Executive Summary
Introduction
As part of the 2010/11 Internal Audit Plan, agreed by the Audit Committee, we have undertaken an audit of Network Infrastructure, Security and Telecommunications. All the issues identified in the Audit Brief approved in September 2010 have been addressed.
This report sets out our findings from the audit and raises recommendations to address areas of control weakness and / or potential areas of improvement.
Audit Opinion: Limited Assurance
(The possible opinions are Unsatisfactory Assurance, Limited Assurance, Adequate Assurance and Good Assurance.) We categorise our opinions according to the assessment of the controls in place and the level of compliance with those controls. Audit opinions are defined in Appendix A.
Rationale Supporting Award of Opinion and Direction of Travel
The audit work carried out by Internal Audit (the scope of which is detailed in Appendix A) indicated that
there are weaknesses in the system of internal controls such as to put the client’s objectives at risk.
Although overall the Council’s Domain Controller Configuration standards were on par with other local
authority organisations, there are still a number of weaknesses which need to be addressed to meet good
security practice and the Government Code of Connection (CoCo) requirements. A total of 15 medium
priority and three low priority recommendations have been raised to lift controls to a good/leading practice
standard; hence we have been able to provide a limited level of assurance.
This system has not previously been audited, so there is no comparison possible with previous findings. Hence no direction of travel indicator can be given.
Summary of Findings
In this section we set out a summary of our findings under each area of scope. This is a balanced
summary where possible. Where weaknesses are identified, full details of these are included in the
recommendations raised.
Domain Account Policies – this refers to the general practices that operate such as password policies,
account lock-out policy etc. Password controls in this area are good, for example, complexity has been
enabled and other available supporting controls are in place. There are a number of other controls that
require review and recommendations on these have been raised.
Audit Policy – The majority of the available audit functionality has been utilised, although the logs
created by the audit functionality are not reviewed. Recommendations around log review and bringing
the audit functionality not currently being used to a good practice standard have been raised.
Event Logs – Event logs are equivalent to audit trails in the network domain. There are good controls in
the configuration of event log settings.
Security Options – The majority of available controls in this area are in line with good practice, although
it was also noted that some still require review. For example, it is not good practice to allow the
username of the previous user of a PC or laptop to be displayed to the next user upon system start.
User Accounts – Good controls have been implemented, although the audit found that there appears to
be a large number of user accounts with passwords set to never expire and/or that do not require a password.
The latter does not necessarily mean that no password is present, just that the accounts are allowed to
have no password set. A recent Code of Connection onsite security IT Healthcheck found no accounts
without passwords. Sample testing of the leavers’ process noted a minor weakness in that two accounts
out of a sample of 22 over the period from July to September 2010 were still open. As the process
clearly exists, the weakness was discussed with management and no formal recommendation has been
raised here. However, recommendations on the accounts with no password expiry, and those which do
not require a password, have been raised.
Rights and Privileges – It was found that “rights to be granted to administrators only” were configured in
line with current good practice, although there are a number of “rights to be granted to no one” that have
been granted to users. There are also a number of Discretionary Access Control Lists (“DACL”) that
have been created for individual users, that allow the users certain functionality within the system.
Recommendations on this and the “rights to be granted to no one” have been raised.
Trusted and Trusting Domains – Trust relationships allow one Domain to “trust” the access rights given
within another Domain (e.g. the network password would allow access to another domain). There are no
such relationships in place on the network domain.
Remote Access Service (RAS) – The RAS service has been disabled and no RAS servers were defined
within the domain. However, six supporting RAS services were still running on the Domain Controller
and one administrator account has permission to dial in using RAS. Recommendations on stopping the
services and reviewing the need to have an administrator account with this privilege have been raised.
Services and Drivers – The domain controller had 276 services available, of which 148 were running at
the time of the audit. There is no regular review of the services to ensure that only required services are
running. A recommendation on this has been raised.
Updates and Patches – It was found that the last time any patches or updates were installed was in
January 2010 when Server 2003 Service Pack 2 was installed. There is no patch or update review
process in place that ensures that the hardware is hardened to current patches and/or hotfixes. A
recommendation on this has been raised.
Logical Drives and Network Shares – Logical drives are sections of physical drives that have been
partitioned, whilst network shares are pieces of information that can be shared between users (e.g.
shared files, shared printers). Good controls were noted here.
Backup – Good controls were noted here.
Physical and Environmental Security – Good controls were noted here.
Disaster Recovery Plan (DR) – Management have been working on drafting a Disaster Recovery Plan
although it requires further review to lift it to current good practice. A recommendation containing
suggestions for improvement has been raised.
Network Topology (layout) and Resilience – Single points of failure (which, if it failed, would mean that
a significant part of the network would also fail) were noted at the Firewall and router switch. Spare
devices are available to replace the active devices and management are confident in their ability to do so
with little delay. The Council’s infrastructure is small and these controls have been considered to be
adequate for their needs.
Network Support – The support team is small, although there is good cross training in place to help
ensure adequate network management resourcing. However, there are weaknesses in terms of security
alert management and the lack of regular review of service desk activities to identify any support trends
that may require off line resolution. Recommendations on these have been raised.
Network Device Security – The CISCO switches allow connections between and within the network.
The CISCO switch configuration is such that one of the passwords has been encrypted using a CISCO
“Type 7” algorithm, which is known to be weak. A recommendation to harden this encryption to the
stronger Type 5 encryption has been raised. The Council currently has no Intrusion Detection System in
place. A recommendation to consider implementation of such a system has also been raised.
Remote Virtual Private Network (VPN) Access – These allow users to access the network from other
locations, e.g. through the internet. Good controls were noted. A VASCO (a data security company)
token 2-factor authentication mechanism is in place.
Network Management and Administration – Good controls have been noted in that there appears to
be adequate budget and resource in place to manage the network infrastructure, although no Service
Level Agreement between IT and the Business Areas is in place. In addition, there is no separate
Network Strategy. Recommendations on these weaknesses have been raised.
Firewall – Good controls were noted in that there is evidence of regular (annual) penetration testing in
place. Management use a range of different external vendors to implement these tests in order to get a
cross section of opinion.
Telecommunications Administration – The Council uses older technology with a small amount of
Voice-over IP (VOIP) technology, which is used internally only. There is a range of Disaster Recovery
options available to management should such an event be invoked. Billing is handled by apportioning
total amounts equally across the total number of Council employees.
Adequacy and Effectiveness Assessments (definitions are found in Appendix A)
Area of Scope | Adequacy of Controls | Effectiveness of Controls | Recommendations Raised* High | Medium | Low
Domain Accounts Policy | Amber | Amber | 0 | 1 | 0
Audit Policy | Amber | Amber | 0 | 2 | 0
Event Logs | Green | Green | 0 | 0 | 0
Security Options | Amber | Amber | 0 | 1 | 0
User Accounts | Amber | Amber | 0 | 1 | 1
Rights and Privileges | Amber | Amber | 0 | 2 | 0
Trusted and Trusting Domains | Green | Green | 0 | 0 | 0
Remote Access Service (RAS) | Amber | Amber | 0 | 1 | 0
Services and Drivers | Amber | Amber | 0 | 0 | 1
Updates and Patches | Amber | Amber | 0 | 1 | 0
Logical Drives and Network Shares | Green | Green | 0 | 0 | 0
Backup | Green | Green | 0 | 0 | 0
Physical and Environmental Security | Green | Green | 0 | 0 | 0
Disaster Recovery Plan | Amber | Amber | 0 | 1 | 0
Network Topology and Resilience | Green | Green | 0 | 0 | 0
Network Support | Amber | Amber | 0 | 2 | 0
Network Device Security | Amber | Amber | 0 | 1 | 1
Remote Virtual Private Network (VPN) Access | Green | Green | 0 | 0 | 0
Network Management and Administration | Amber | Amber | 0 | 2 | 0
Firewall | Green | Green | 0 | 0 | 0
Telecommunications Administration | Green | Green | 0 | 0 | 0
Total | | | 0 | 15 | 3
* Recommendation priorities are defined in Appendix A
High Priority Recommendations
We have raised no high priority recommendations as a result of this audit.
Background
The network infrastructure enables users to connect to servers and equipment which is not directly
connected to their own physical PC or workstation. This could be on the next desk (as in printers), other
rooms, other buildings or even other countries depending on the type of network. The Audit of the
network infrastructure has looked at how the Council’s network is accessed, how it is supported and
monitored and how the network is secured against unauthorised access. As part of the audit a Computer
Audit Tool called SekChek was used to look at the Network Server Operating System (O/S) configuration
and logical access controls. The administration procedure in place for the maintenance and security for
the Council’s Voice network which runs alongside the Data network was also reviewed.
Audit Objective
The objective of the audit was to determine whether management has implemented adequate and effective
controls over the Networks Infrastructure, Security and Telecommunications. The details of the areas
covered are listed in Appendix B.
Acknowledgement
We would like to thank the management and staff of North Norfolk District Council for their time and cooperation during the course of the audit.
All staff consulted are included at Appendix C.
Recommendations
Domain Accounts Policy
1. Domain Accounts Policy (Medium priority)
Recommendation
Management should give consideration to amending the Domain Accounts Policy in the following ways to comply with current good practice:
• "Prevent transfer of password in clear text" should be set to Enabled;
• "Reset Lockout Counter in minutes" should be raised to 1440; and
• "Allow lockout of local administrator account" should be Enabled.
The built-in administrator account should also be renamed.
Rationale
The suggested enhancements will help to ensure that user accounts are managed as securely as possible.
The audit noted that the following settings do not comply with current good practice:
• "Prevent transfer of password in clear text" is Disabled;
• "Reset lockout counter in minutes" is currently set to 30 minutes; and
• "Allow lockout of local administrator account" is disabled.
The built-in Administrator account also still carries its default (as-delivered) name.
A lack of adequate logical controls increases the risk of unauthorised access.
Management Response
Agreed.
Responsibility
Networks Manager
Deadline
30th April 2011
Audit Policy
2. Audit Policy (Medium priority)
Recommendation
In order to match good practice, management should look to change the current Audit Policy settings for "Policy change events" and "Privilege use events" to Success/Failure.
Rationale
Making the changes will help to ensure that changes requiring enhanced privileges can be tracked adequately.
Currently "Policy change events" is set to Success only, which means that any failed attempts to make such changes are not recorded, and there is currently no auditing enabled for "Privilege use events".
These settings do not comply with current good practice and increase the risk that unauthorised actions are not identified or cannot be investigated.
Management Response
Agreed.
Responsibility
Networks Manager
Deadline
30th June 2011
3. Review of Audit Logs (Medium priority)
Recommendation
Management should implement a process whereby audit logs undergo regular and documented review.
Rationale
Regular documented reviews of audit logs will help to ensure that anomalies flagged in the logs can be investigated and unauthorised activity identified as a result.
There is currently no regular process to review the audit logs, although management do conduct ad hoc reviews on management request. There is also work currently underway to bring a new log collation and reporting system (RSA enVision) online, which should assist the review process greatly.
A lack of regular review increases the risk of unauthorised activity not being identified and dealt with in a timely manner.
Management Response
Agreed.
Responsibility
Networks Manager
Deadline
30th June 2011
Security Options
4. Security Options (Medium priority)
Recommendation
Management should give consideration to changing the following settings:
• "Unsigned non driver installation" should be set to "Warn but allow"; and
• "Do not display last user name in logon screen" should be set to Enabled.
Rationale
Enhancing these security options will help protect the network from unauthorised access.
The audit found that the following settings require review:
• "Unsigned non driver installation" is set to "Silently succeed"; and
• The user name of the last user that accessed a device is displayed to the next user on logon, so that gaining access only requires the entry of a correct password.
There is an increased risk of unauthorised access and changes being made within the network.
Management Response
Agreed.
We will need to look into this and implement if appropriate.
Responsibility
Networks Manager
Deadline
30th June 2011
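The settings in recommendations 1, 2 and 4 can be verified from a policy file produced with "secedit /export" rather than by reading the management console. The script below is an added example, not code from the audit report or from the SekChek tool it mentions: it parses a constructed export that mirrors the findings and reports which recommended values are not met. It assumes the INF key names secedit writes (ResetLockoutCount under [System Access], AuditPolicyChange and AuditPrivilegeUse under [Event Audit], and the DontDisplayLastUserName DWORD under [Registry Values]). The "Prevent transfer of password in clear text" and unsigned non-driver installation items are SekChek labels that do not map with certainty to a single secedit key, so they are deliberately not checked here.

```python
"""Check a 'secedit /export'-style policy file against the settings the
audit recommends. Added example, not part of the audit report or SekChek.
Assumes the INF key names secedit writes on Windows Server 2003 and later."""
import configparser
from typing import List, NamedTuple

# Audit category values as written by secedit:
# 0 none, 1 success, 2 failure, 3 success and failure.
AUDIT_NAMES = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success/Failure"}
DONT_DISPLAY = (r"MACHINE\Software\Microsoft\Windows\CurrentVersion"
                r"\Policies\System\DontDisplayLastUserName")

# Constructed sample export mirroring the findings: lockout counter resets
# after 30 minutes, policy-change auditing is success-only, privilege use is
# not audited, and the last user name is shown at logon.
CURRENT_EXPORT = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 1
AuditPrivilegeUse = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# The same export with the recommended values applied. Windows requires the
# lockout duration to be at least the reset window, so both are raised.
HARDENED_EXPORT = (CURRENT_EXPORT
    .replace("ResetLockoutCount = 30", "ResetLockoutCount = 1440")
    .replace("LockoutDuration = 30", "LockoutDuration = 1440")
    .replace("AuditPolicyChange = 1", "AuditPolicyChange = 3")
    .replace("AuditPrivilegeUse = 0", "AuditPrivilegeUse = 3")
    .replace("DontDisplayLastUserName=4,0", "DontDisplayLastUserName=4,1"))


class Check(NamedTuple):
    setting: str
    current: str
    expected: str
    compliant: bool


def parse_export(inf_text: str) -> configparser.ConfigParser:
    # secedit writes "key = value" lines; keep key case so registry paths match.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(inf_text)
    return cp


def _reg_dword(cp: configparser.ConfigParser, path: str):
    # [Registry Values] entries are "<type>,<data>"; type 4 is REG_DWORD.
    raw = cp.get("Registry Values", path, fallback=None)
    if raw is None:
        return None
    kind, _, data = raw.partition(",")
    return int(data) if kind.strip() == "4" else None


def evaluate(inf_text: str) -> List[Check]:
    cp = parse_export(inf_text)
    checks = []
    reset = cp.getint("System Access", "ResetLockoutCount", fallback=0)
    checks.append(Check("Reset lockout counter (minutes)", str(reset), "1440 or more", reset >= 1440))
    for key, label in (("AuditPolicyChange", "Policy change events"),
                       ("AuditPrivilegeUse", "Privilege use events")):
        value = cp.getint("Event Audit", key, fallback=0)
        checks.append(Check(label, AUDIT_NAMES.get(value, str(value)), "Success/Failure", value == 3))
    dword = _reg_dword(cp, DONT_DISPLAY)
    checks.append(Check("Do not display last user name",
                        "Enabled" if dword == 1 else "Disabled", "Enabled", dword == 1))
    return checks


def non_compliant(inf_text: str) -> List[str]:
    """Names of the recommended settings the export does not satisfy."""
    return [c.setting for c in evaluate(inf_text) if not c.compliant]


if __name__ == "__main__":
    for label, export in (("current", CURRENT_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(f"--- {label} ---")
        for c in evaluate(export):
            print(f"{'OK ' if c.compliant else 'FIX'} {c.setting}: {c.current} (expected {c.expected})")
```

On a real domain controller the input would be the file written by "secedit /export /cfg <path>" (note that secedit writes it UTF-16, so open it with that encoding before passing the text in); the check logic is unchanged.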
User Accounts
5. Null Passwords and Passwords that Never Expire (Low priority)
Recommendation
Management should conduct a review of accounts where passwords are set to never expire and where null passwords are permitted, as the numbers of these accounts appear to be high.
Rationale
Keeping the numbers of such accounts to a minimum helps to protect against unauthorised access.
There are 42 accounts which belong to members and 33 which belong to "Outside agencies" with passwords set to never expire. There are also 256 user accounts where passwords are not required, although this does not mean that there are actual accounts with no passwords, just that these accounts allow null passwords. A recent CoCo security assessment did not find any accounts without passwords.
Weak user account controls increase the risk of unauthorised access into the network.
Management Response
Agreed.
We review our accounts regularly and we are happy that there are legitimate business reasons for the accounts where
passwords have been set to never expire. This part of the recommendation has therefore been implemented.
We will review the accounts where null passwords are possible and revoke this setting where appropriate.
Responsibility
Networks Manager
Deadline
31 March 2011
6. Expired and Disabled User Accounts (Medium priority)
Recommendation
Management should conduct regular reviews of expired and disabled accounts to remove any that are no longer deemed required.
Rationale
Performing a regular review of user accounts will help identify inactive accounts and, by removing them, prevent unauthorised access being gained through these accounts.
The audit found that there were 46 expired and 332 disabled user accounts.
There is a risk of unauthorised access through unused accounts and reduced management effectiveness.
Management Response
Agreed.
Implemented.
Responsibility
Networks Manager
Deadline
31 January 2011
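Recommendations 5 and 6 both come down to reading each account's userAccountControl flags and its accountExpires attribute. The following is an added example, not code from the audit or from SekChek, that classifies a constructed set of account records the way such a review would. It relies on the documented flag values (ACCOUNTDISABLE 0x2, PASSWD_NOTREQD 0x20, DONT_EXPIRE_PASSWORD 0x10000) and on accountExpires being a Windows FILETIME (100-nanosecond ticks since 1601-01-01) where 0 or 0x7FFFFFFFFFFFFFFF means the account never expires. The account names are placeholders, and, as the report itself notes, the "password not required" flag only permits an empty password; it does not show that one is set.

```python
"""Classify directory user records for an expired/disabled/never-expires/
null-password review. Added example, not code from the audit or SekChek.
Uses the documented userAccountControl bit values and the accountExpires
FILETIME convention; the records below are constructed."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# userAccountControl bits (documented values).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# accountExpires: 100-ns ticks since 1601-01-01; 0 or INT64 max means never.
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def from_filetime(ft: int):
    if ft in NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(seconds=ft // 10_000_000)


# Constructed sample, shaped like a minimal LDAP export; names are placeholders.
NOW = datetime(2011, 2, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "jsmith", "userAccountControl": NORMAL_ACCOUNT, "accountExpires": 0},
    {"sAMAccountName": "svc_backup", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "accountExpires": 0},
    {"sAMAccountName": "kiosk01", "userAccountControl": NORMAL_ACCOUNT | PASSWD_NOTREQD,
     "accountExpires": 0},
    {"sAMAccountName": "leaver_a", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "accountExpires": 0},
    {"sAMAccountName": "contractor_b", "userAccountControl": NORMAL_ACCOUNT,
     "accountExpires": to_filetime(datetime(2010, 12, 31, tzinfo=timezone.utc))},
    {"sAMAccountName": "agency_c",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | PASSWD_NOTREQD,
     "accountExpires": 0x7FFFFFFFFFFFFFFF},
]

CATEGORIES = ("expired", "disabled", "password-never-expires", "password-not-required")


def classify(account: dict, now: datetime = NOW) -> List[str]:
    """Return the review categories an account falls into (possibly several)."""
    uac = account["userAccountControl"]
    tags = []
    expires = from_filetime(account.get("accountExpires", 0))
    if expires is not None and expires <= now:
        tags.append("expired")
    if uac & ACCOUNTDISABLE:
        tags.append("disabled")
    if uac & DONT_EXPIRE_PASSWORD:
        tags.append("password-never-expires")
    if uac & PASSWD_NOTREQD:
        # Permits a blank password; a separate check is needed to know if one is set.
        tags.append("password-not-required")
    return tags


def review(accounts, now: datetime = NOW) -> Dict[str, List[str]]:
    """Group account names by category, in the order the records were supplied."""
    report: Dict[str, List[str]] = {c: [] for c in CATEGORIES}
    for account in accounts:
        for tag in classify(account, now):
            report[tag].append(account["sAMAccountName"])
    return report


if __name__ == "__main__":
    for category, names in review(SAMPLE_ACCOUNTS).items():
        print(f"{category}: {len(names)} account(s) {names}")
```

The review output gives the counts the report quotes (expired, disabled, never-expires, null-password-permitted) as lists that can be taken back to the business owner for each account, which is what makes the periodic review in recommendation 6 auditable.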
Rights and Privileges
7. Rights to be granted to no one (Medium priority)
Recommendation
We recommend that the powerful system rights which should be granted to no one should be reviewed and removed. These include:
• Adjust memory quotas for a process;
• Log on as a batch job;
• Log on as a service; and
• Replace a process level token.
Rationale
Removing the powerful system rights that should be granted to no one will help minimise security exposure and increase the stability of the system.
There are a number of system rights that should not be granted to any user. The audit found that some of these rights have been assigned to user accounts. These are as follows:
• Adjust memory quotas for a process - 20 accounts have this right;
• Log on as a batch job - 9 accounts have this right;
• Log on as a service - 3 accounts have this right; and
• Replace a process level token - 2 accounts have this right.
Restricting the use of powerful system rights reduces the risk of either accidental or deliberate misuse.
Management Response
Agreed.
We will need to look into this and implement where appropriate.
Responsibility
Networks Manager
Deadline
30th June 2011
8. Review of DACLs (Medium priority)
Recommendation
The Discretionary Access Control Lists (DACLs) should be reviewed to ensure that the list is valid and current, and that the permissions granted through this route are appropriate.
Rationale
Reviewing the DACLs and the permissions granted will help ensure that the DACLs and the user permissions are current, valid and in line with users' responsibilities.
The audit noted that there are 14,119 DACLs defined within the domain, of which 880 were granted to an individual user and 160 to the group ‘Helpdesk’.
Weak controls in this area increase the risk that users may obtain powerful permissions that are not in line with their responsibilities.
Management Response
Agreed.
We will need to look into this and implement any controls deemed appropriate at a later date.
Responsibility
Networks Manager
Deadline
31 June 2011
Remote Access Service (RAS)
9. Remote Access Service (Medium priority)
Recommendation
It is recommended that arrangements are made to stop the redundant Remote Access Service (RAS) services on the network and to remove the permission from the identified user to dial in to RAS if it is no longer applicable.
Rationale
Removal of the redundant services and related permissions will help to ensure that no unauthorised, deliberate or accidental connection is made through this service and will also help in the maintenance of the domain network.
The audit found that there are no RAS servers defined within the domain, although six RAS services (Rasacd, Rasauto, Rasl2tp, RasMan, Raspppoe, Raspti) were still found to be running. There is also one administrator account with permission to dial in using RAS.
There is a risk of unauthorised access being obtained through the RAS service as a result of unauthorised, deliberate or accidental connection.
Management Response
Agreed.
We will stop this service but Remote Access is not configured and no modems exist. It is therefore a very very remote threat.
Responsibility
Networks Manager
Deadline
31 December 2011
Services and Drivers
10. Periodic Review of Services (Low priority)
Recommendation
Management should conduct periodic reviews of the services on the Domain Controller to ensure that only required services are available. Where services are not required, they should as a minimum be disabled, and preferably removed.
Rationale
Keeping the services available to the minimum required for the server will help protect the security of the network and help maximise performance.
The audit found that there are 276 services available on the Domain Controller, of which 148 were running.
A lack of review increases the risk that network security will be compromised.
Management Response
Agreed.
Responsibility
Networks Manager
Deadline
30th September 2011
Updates and Patches
11. Patches and Hotfixes (Medium priority)
Recommendation
It is recommended that a process should be put in place for regular review of patches released by Microsoft, to ensure that the necessary (Security and Vulnerability) patches have been applied as early as practicable. Where a patch or fix has not been applied, the reason or reasons should be documented. The Microsoft Baseline Security Analyser (MBSA) tool could be used to conduct the reviews.
Rationale
Reviewing and applying the relevant patches will help minimise any vulnerability that may exist on the Domain Controllers and servers. Formalising the process will help ensure that in future all patches and fixes have been reviewed and a record maintained of those that have been applied as well as those that have not. Additionally, it will help ensure that a patch or fix that may be important for the security of the network environment has not been overlooked.
The audit noted that the last time any patches or hotfixes were applied was in January 2010, when Server 2003 Service Pack 2 was installed. The Council does not make use of available tools such as MBSA to ensure that the network has been hardened appropriately.
A lack of appropriate review increases the risk that the Council's network may be exposed to security vulnerabilities and/or inefficiencies.
Management Response
Agreed.
We will look into this and implement appropriate processes.
Responsibility
Networks Manager
Deadline
30th June 2011
Disaster Recovery Plan
12. Disaster Recovery Planning (Medium priority)
Recommendation
Management should review the Disaster Recovery plan as follows:
• Use a recognised DR standard (for example BS25777) to guide the DR planning process;
• Be clearer about how the list of priorities in section 4 was developed;
• Include a procedure for invoking and escalating the DR plan from an IT management perspective; and
• Have the plan formally signed off by the business and IT management.
Rationale
A robust and appropriately updated, documented and tested Disaster Recovery Plan will help to ensure that the plan is effective and meets business requirements in all respects.
The audit noted that there is a disaster recovery plan, although it is not complete. For example, it is not clear that it is aligned to business requirements, although a list of priority systems is present. There is no indication of the invocation and escalation procedures, and no management sign-off.
A lack of a relevant Disaster Recovery plan increases the risk that the Council cannot recover its systems as required by the business, which could result in a lack of priority service provision.
Management Response
We consider our current processes to be suitable for our needs, although we will review the plans based upon the
recommendation.
Responsibility
Networks Manager
Deadline
30th June 2011
Network Support
13. Security Alerts Email Contacts (Medium priority)
Recommendation
Management should ensure that all email alerts that the various monitoring systems send are configured so that they are sent to multiple users in the IT team.
Rationale
Sending relevant alerts to multiple users will help to ensure that alerts are acted upon even when the primary responsible user is not present.
The audit noted that there are a number of security alert emails relating to Anti-Virus and client machine management, but that they were not all configured to be sent to multiple users.
Sending relevant alerts to single users only increases the risk that certain alerts that require immediate attention are not acted upon in a timely manner.
Management Response
Agreed.
Implemented. Critical anti-virus alerts and backup messages are now configured to go to multiple staff.
Responsibility
Networks Manager
Deadline
31 January 2011
14. Service Desk Reporting (Medium priority)
Recommendation
Management should restart the helpdesk reporting process and consider inviting users to suggest improvements that could be made to the reports to make them more relevant to their needs.
Rationale
Adequate reporting will help to ensure that the Service Desk activity is transparent to users and management, and helps to ensure that trends and root causes can be easily identified and resolved.
It was noted that IT Management used to produce activity reporting but no longer does, due to a perception that the reports were not considered useful. Management have also indicated that users have not commented on the lack of reporting to date.
A lack of reporting increases the risk that Council management are not able to accurately track the effectiveness of the service desk.
Management Response
Agreed in part.
The reports will be used within ICT for monitoring calls as it is felt Users do not have time to read reports of this nature on a
regular basis. This is a good sign that the quality of the ICT service is not an issue.
Responsibility
Networks Manager
Deadline
30th June 2011
Network Device Security
15. CISCO Switch Encryption Strength (Low priority)
Recommendation
Management should review the CISCO switch configuration and ensure that all type 7 encrypted passwords are enhanced to type 5.
Rationale
Strong encryption helps to ensure the security of the relevant devices.
It was noted that one of the passwords within the CISCO configuration was encrypted to type 7 standard, which is a CISCO proprietary standard and weaker than type 5.
Weak password encryption increases the risk of unauthorised access to the device.
Management Response
Agreed.
Implemented.
Responsibility
Networks Manager
Deadline
31 December 2010
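Recommendation 15 can be checked mechanically from a saved copy of the switch configuration rather than by reading it line by line. The following is an added example, not code from the audit report or a Cisco tool: it scans an IOS-style configuration for "password" and "secret" lines and flags clear-text and type 7 storage, treating type 5 hashes (and the type 8 and 9 hashes that newer IOS releases support) as compliant. It assumes the usual "password <type> <value>" / "secret <type> <value>" line syntax; the configuration and every credential string in it are constructed placeholders.

```python
"""Lint an IOS-style switch configuration for password storage strength.
Added example, not part of the audit report or any Cisco tool. Assumes the
'password <type> <value>' / 'secret <type> <value>' line syntax; the sample
configuration and its credential strings are constructed placeholders."""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    text: str
    storage: str
    severity: str
    advice: str


# Matches "password 7 <obfuscated>", "secret 5 <hash>" and untyped
# "password <clear>" lines wherever they occur (enable, username, line).
# "service password-encryption" does not match: no whitespace follows the word.
CRED_RE = re.compile(
    r"^\s*(?P<prefix>.*?)\b(?P<keyword>password|secret)\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$",
    re.IGNORECASE,
)

# Constructed sample; hashes and type 7 strings are placeholders, not real values.
SAMPLE_CONFIG = """\
!
version 12.2
service password-encryption
hostname CORE-SW1
!
enable secret 5 $1$PLCH$placeholderhashvalue0000000
enable password 7 0D0C0B0A0908070605
!
username admin privilege 15 password 7 1F1E1D1C1B1A191817
username ops privilege 15 secret 5 $1$PLCH$placeholderhashvalue1111111
username legacy password 0 PlaceholderClearText
!
line con 0
 password 7 2F2E2D2C2B2A292827
line vty 0 4
 password 7 3F3E3D3C3B3A393837
 login
!
"""


def classify(type_code):
    """Map an IOS storage type code to (description, severity, advice)."""
    if type_code in (None, "0"):
        return ("clear text", "high", "store as a 'secret' (type 5 hash) rather than a 'password'")
    if type_code == "7":
        return ("type 7 (reversible obfuscation)", "medium",
                "re-enter as a 'secret' so the device stores a type 5 hash")
    if type_code in ("5", "8", "9"):
        return (f"type {type_code} hash", "ok", "")
    return (f"type {type_code}", "review", "unrecognised storage type; check the platform documentation")


def lint(config_text: str) -> List[Finding]:
    """Return one finding per credential line that is not stored as a hash."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = CRED_RE.match(line)
        if not m:
            continue
        storage, severity, advice = classify(m.group("type"))
        if severity != "ok":
            findings.append(Finding(n, line.strip(), storage, severity, advice))
    return findings


def summarise(config_text: str) -> Dict[str, int]:
    """Count findings by severity."""
    counts: Dict[str, int] = {}
    for f in lint(config_text):
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print(f"line {f.line_no} [{f.severity}] {f.storage}: {f.text}  -> {f.advice}")
    print(summarise(SAMPLE_CONFIG))
```

Note that "service password-encryption" only converts clear-text entries to type 7, so its presence in the configuration is not evidence of compliance; the linter therefore ignores that line and judges each credential on its own storage type.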
16. Intrusion Detection System (Medium priority)
Recommendation
Management should give consideration to the implementation of a suitable Intrusion Detection System.
Rationale
Adequate Intrusion Detection will help to ensure the security of the network.
The Council does not currently have Intrusion Detection installed on its network.
A lack of adequate Intrusion Detection increases the risk of unauthorised access into the network.
Management Response
Agreed.
We will look into this and implement where appropriate though budget could be a barrier here.
The deadline is for consideration, not implementation.
Responsibility
Networks Manager
Deadline
30th June 2011
Network Management and Administration
17. Service Level Agreement (Medium priority)
Recommendation
Management should give consideration to drafting and agreeing a Service Level Agreement with the Business Areas.
Rationale
A Service Level Agreement will help to ensure transparency in, and accountability for, the performance of the IT department.
There is currently no formal Service Level Agreement in place between IT and the Business Areas. However, it is acknowledged that there are bi-annual customer satisfaction surveys, which are a Performance Management requirement.
A lack of a formal Service Level Agreement increases the risk of a degradation of the IT service and reputational damage to IT management.
Management Response
Agreed.
We will consider whether this is appropriate.
Responsibility
ICT Manager
Deadline
31st August 2011
18
Network Strategy
Medium Priority
Recommendation
Management should draft and agree a Network Strategy to complement the existing ICT Strategy. The document should
include reference to the timescales that the strategy covers, the level of current planned investment in the infrastructure
and the aims of the strategy in terms of how it is aligned to identified business needs over the lifetime of the strategy.
Rationale
A formal Network Strategy will help to ensure transparency and accountability for the network and help to demonstrate how the
IT area is supporting identified business objectives over time.
There is currently no formal network strategy, although there are
brief references to network plans within the main ICT strategy.
A lack of formal Network Strategy increases the risk that the
networks management will be ineffective and not support
business objectives over time.
Management Response
Disagreed.
However, we shall include a network plan as part of the ICT strategy instead of generating a separate document. This is to
minimise the number of strategies.
Responsibility
Networks Manager
Deadline
31st August 2011
Statement of Responsibility
We take responsibility for this report which is prepared on the basis of the limitations set out below.
The matters raised in this report are only those which came to our attention during the course of our internal audit work and are not necessarily a comprehensive
statement of all the weaknesses that exist or all improvements that might be made. Recommendations for improvements should be assessed by you for their full impact
before they are implemented. The performance of internal audit work is not and should not be taken as a substitute for management’s responsibilities for the application
of sound management practices. We emphasise that the responsibility for a sound system of internal controls and the prevention and detection of fraud and other
irregularities rests with management and work performed by internal audit should not be relied upon to identify all strengths and weaknesses in internal controls, nor
relied upon to identify all circumstances of fraud or irregularity. Auditors, in conducting their work, are required to have regards to the possibility of fraud or irregularities.
Even sound systems of internal control can only provide reasonable and not absolute assurance and may not be proof against collusive fraud. Internal audit procedures
are designed to focus on areas as identified by management as being of greatest risk and significance and as such we rely on management to provide us full access to
their accounting records and transactions for the purposes of our audit work and to ensure the authenticity of these documents. Effective and timely implementation of
our recommendations by management is important for the maintenance of a reliable internal control system. The assurance level awarded in our internal audit report is
not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board.
Deloitte & Touche Public Sector Internal Audit Limited
St. Albans
February 2011
In this document references to Deloitte are references to Deloitte & Touche Public Sector Internal Audit Limited.
Registered office: Hill House, 1 Little New Street, London EC4A 3TR, United Kingdom. Registered in England and Wales No 4585162.
Deloitte & Touche Public Sector Internal Audit Limited is a subsidiary of Deloitte LLP, the United Kingdom member firm of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK
private company limited by guarantee, whose member firms are legally separate and independent entities. Please see www.deloitte.co.uk/about for a detailed description
of the legal structure of DTTL and its member firms.
Member of Deloitte Touche Tohmatsu Limited
Appendix A – Definition of Audit Opinions, Direction of Travel, Adequacy and Effectiveness
Assessments, and Recommendation Priorities
Audit Opinions
We have four categories by which we classify internal audit assurance over the processes we examine, and these are defined as
follows:
Good Assurance
There is a sound system of internal control designed to achieve the client’s objectives.
The control processes tested are being consistently applied.
Adequate Assurance
While there is a basically sound system of internal control, there are weaknesses, which put some of the client’s objectives at risk.
There is evidence that the level of non-compliance with some of the control processes may put some of the client’s objectives at risk.
Limited Assurance
Weaknesses in the system of internal controls are such as to put the client’s objectives at risk.
The level of non-compliance puts the client’s objectives at risk.
Unsatisfactory Assurance
Control processes are generally weak leaving the processes/systems open to significant error or abuse.
Significant non-compliance with basic control processes leaves the processes/systems open to error or abuse.
The assurance gradings provided above are not comparable with the International Standard on Assurance Engagements (ISAE
3000) issued by the International Audit and Assurance Standards Board and as such the grading of ‘Good Assurance’ does not
imply that there are no risks to the stated objectives.
Direction of Travel
Improved since the last audit visit. Position of the arrow indicates previous status.
Deteriorated since the last audit visit. Position of the arrow indicates previous status.
Unchanged since the last audit report.
No arrow
Not previously visited by Internal Audit.
Adequacy and Effectiveness Assessments
Please note that adequacy and effectiveness are not connected. The adequacy assessment is made prior to the control
effectiveness being tested.
The controls may be adequate but not operating effectively, or they may be partly adequate / inadequate and yet those that are in
place may be operating effectively.
In general, partly adequate / inadequate controls can be considered to be of greater significance than when adequate controls are
in place but not operating fully effectively, i.e. control gaps are a bigger issue than controls not being fully complied with.
Adequacy: Existing controls are adequate to manage the risks in this area
Effectiveness: Operation of existing controls is effective
Adequacy: Existing controls are partly adequate to manage the risks in this area
Effectiveness: Operation of existing controls is partly effective
Adequacy: Existing controls are inadequate to manage the risks in this area
Effectiveness: Operation of existing controls is ineffective
Recommendation Priorities
High
A fundamental weakness in the system that puts the Council at risk. To be addressed as a matter of urgency,
within a 3-month time frame wherever possible, or, to put in place compensating controls to mitigate the risk
identified until such time as full implementation of the recommendation can be achieved.
Medium
A weakness within the system that leaves the system open to risk. To be resolved within a 4-6 month timescale.
Low
Desirable improvement to the system. To be introduced within a 7-9 month period.
Appendix B – Audit Approach, Methodology and Scope
Audit Approach and Methodology
The audit approach was developed through an assessment of risks and management controls operating within each area of the scope.
The following procedures were adopted:
• Identification of the role and objectives of each area;
• Identification of risks within each area which threaten the achievement of objectives;
• Identification of controls in existence within each area to manage the risks identified;
• Assessment of the adequacy of controls in existence to manage the risks and identification of additional proposed controls where appropriate; and
• Testing of the effectiveness of key controls in existence within each area.
Scope
Our work focused on the internal controls in the following areas as agreed with management prior to the start of our work:
• Domain account policies
• Audit policy
• Event logs
• Security options
• User accounts
• Rights and privileges
• Trusted and trusting domains
• Remote Access Service (RAS)
• Services and drivers
• Updates and patches
• Logical drives and network shares
• Backup
• Physical and environmental security
• Disaster Recovery plan (DR)
• Network topology and resilience
• Network support
• Network device security
• Remote Virtual Private Network (VPN) access
• Network management and administration
• Firewall; and
• Telecommunications administration.
Appendix C – Audit Team & Staff Consulted
AUDIT TEAM
Deloitte
Mike Clarkson – General Manager
Daniel Hellary – Sector Manager
Cliff Breadnam – CAS Engagement Manager, cbreadnam@deloitte.co.uk, 07795 952194
Paul Kamminga – IT Auditor, pkamminga@deloitte.co.uk, 07500 882247
South Norfolk Council
Sandra King – Head of Internal Audit, scking@s-norfolk.gov.uk, 01508 533863
Leah Mickleborough – Deputy Audit Manager, lmickleborough@s-norfolk.gov.uk, 01508 533954
STAFF CONSULTED
North Norfolk District Council
Kate Wilson - Networks Manager
Chris Hele - Senior Technical Support Officer
Paul Neale - Senior Technical Support Officer
Terry Raynor - Technical Support Officer
Eunice Lord - Technical Support Officer
Appendix D – Audit Timetable
DATES
Planning Meeting: September 2010
Fieldwork Start: 05 October 2010
Fieldwork completion: 26 October 2010
Draft report issued to client: 18 January 2011
Exit Meeting: 13 October 2010
Final report issued to client: 15 February 2011