Summary assessment of ICT audit NN/11/17 Network Infrastructure, Security and Telecommunications (22 days allocated, October 2010)
| Scope area | Summary & Recommendations | Level (No High) | ICT assessment including risk and ease of implementation | Status |
|---|---|---|---|---|
| Domain Account Policies | Password controls good. 1. Some controls require amending to comply with current good practice. | Medium | Agreed, by 30th April 2011 | Complete |
| Audit Policy | Majority of available functionality utilised. 2. Change Audit policy settings to match a good practice standard. | Medium | Agreed, by 30th June 2011 | Complete |
| Event logs | 3. Audit logs not reviewed. | Medium | Agreed, by 30th June 2011 | Achievable |
| Event logs | Good Controls | None | | |
| Security option | Majority of available controls in line with good practice. 4. Consider not displaying previous user of PC or laptop. | Medium | Originally it was agreed that ICT will look into and implement if appropriate, by 30th June 2011. Having looked at it, taking into account that the previous user is not displayed externally and that internally it would be easy to work out the user name, due to the inconvenience it would cause to users the decision is not to implement. | Considered but decision is not to implement. |
| User Accounts | Good controls implemented. 5. Review accounts with no password expiry. | Low | Agreed, the accounts set never to expire are reviewed regularly. Accounts with null passwords to be reviewed & revoked if appropriate. By 31st March 2011 | Complete |
| User Accounts | 6. Regularly review expired and disabled accounts. | Medium | Agreed and implemented | Complete |
| Rights and Privileges | Configured in line with current good practice. 7. Review rights granted to users that are 'rights to be granted to no one'. | Medium | Agreed, will look into and implement where appropriate, by 30th June 2011 | Achievable |
| Rights and Privileges | 8. Review discretionary access controls created for individual users. | Medium | Agreed, will look into this and implement any appropriate controls. Audit identified this as a key item, by 30th June 2011 | Achievable |
| Trusted and Trusting Domains | No trust relationships exist to allow one domain to trust another domain. | None | | |
| Remote Access Service (RAS) | RAS service disabled, no RAS servers within the Domain. 9. Some supporting RAS services still running and one account has permission to dial in using RAS. | Medium | Agreed, we will stop service but Remote Access is not configured and no modems exist, therefore it is a very very remote threat, by 31st December 2011 | Complete |
| Services and Drivers | 276 services available, 148 running at time of audit. 10. Review regularly services running. | Low | Agreed, Audit identified this as a key item, by 30th September 2011 | Achievable |
| Updates and Patches | Last installed January 2010. 11. Implement a patch and update process. | Medium | Agreed, we will look into this and implement appropriate processes. Audit identified as a key item. By 30th June 2011 | Good progress has been made. |
| Logical Drives and Network Shares | Good Controls | None | | |
| Backup | Good Controls | None | | |
| Physical and Environmental Security | Good Controls | None | | |
| Disaster Recovery Plan (DR) | The plan is being worked on and requires further review to lift to current good practice. 12. Include suggestions for improvement in plan. | Medium | We consider our current processes to be suitable for our needs, although we will review the plans based on the recommendation. By 30th June 2011 | The plan is being updated and will be agreed by the ICT strategy group and Business Continuity group June / July. |
| Network Topology (layout) and Resilience | Controls adequate for council's infrastructure as spare devices are available for single points of failure. | None | | |
| Network Support | Network team is small with good cross training in place to help ensure adequate network management resources. 13. Security alert management needs improving. | Medium | Agreed. Implemented, critical anti-virus alerts and backup messages are now configured to go to multiple staff. | Complete |
| Network Support | 14. Review service desk activities to identify support trends. | Low | Agreed in part. The reports will be used within ICT for monitoring calls, but not appropriate for users, by 30th June 2011 | On target |
| Network Device Security | CISCO switches which allow network connections use a weak password algorithm. 15. Change encryption to a stronger algorithm. | Medium | Agreed & Implemented | Complete |
| Network Device Security | 16. Implement intrusion detection. | Medium | Agreed. Will look into and implement if appropriate though budget could be a barrier. Deadline is for consideration & will schedule later if appropriate. By 30th June 2011 | Not realistic, new date 31st October 2011 |
| Remote Virtual Private Network (VPN) access | Good controls, a token 2-factor authentication mechanism is in place. | None | | |
| Network Management and Administration | Good controls with adequate budget and resource in place. 17. Implement a service level agreement between IT and Business areas. | Medium | Agreed. The previous service descriptions had not been updated for some time. They have been reviewed and updated to reflect the current situation. | Circulated to ICT strategy group for comment and agreement May 2011. |
| Network Management and Administration | 18. Agree a separate Network strategy. | Medium | A network plan will be included in the ICT strategy instead of generating a separate document to minimise the number of strategies. By 31st August 2011. The ICT strategy will be updated in the autumn when the new Corporate plan is agreed. | To be completed by 31st October 2011 (change from 31st August 2011 in plan, as dependent on corporate strategy). |
| Firewall | Good controls noted, annual penetration tests in place. | None | | |
| Telecommunications Administration | Older technology used with a small amount of internal Voice-over IP. A range of Disaster Recovery options are available. | None | | |

Ref: HMM|Summary assessment of ICT audit NN1117
16 May 2011
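Recommendation 15 concerns the weak password algorithm on the CISCO switches. The script below is an added example, not part of the audit or the council's ICT work; it assumes the finding refers to IOS's clear-text and reversible type 7 `password` storage (and MD5 `secret 5`), and shows how to flag those lines in a running-config (the sample config is constructed) so they can be migrated to `secret` with type 8 or 9 hashes.

```python
"""Flag weak password storage in a Cisco IOS running-config (added example:
'password' lines are clear text or reversible type 7, 'secret 5' is MD5; the
fix is 'secret' with a type 8 or 9 hash)."""
import re
from typing import List, Optional, Tuple

# Constructed sample running-config; hash values are placeholders.
SAMPLE_CONFIG = """\
hostname SW-CORE-01
no service password-encryption
enable password 7 0822455D0A16
enable secret 5 $1$constructed$placeholder
username netops password 0 ClearTextPwd
username auditor secret 9 $9$constructedplaceholder
line vty 0 4
 password 7 121A0C041104
 login
"""

# Credential line shape: [enable | username NAME] (password|secret) [TYPE] VALUE
CRED_RE = re.compile(
    r"^\s*(?:(enable)|username\s+(\S+))?\s*(password|secret)(?:\s+(\d))?\s+\S+\s*$"
)

def classify(keyword: str, ptype: Optional[str]) -> str:
    """Return why a credential is weak, or '' if its storage is acceptable."""
    if keyword == "password":
        return "clear text" if ptype in (None, "0") else f"reversible type {ptype}"
    if ptype == "5":
        return "MD5 (type 5), migrate to type 8/9"
    return ""  # secret with type 8 (PBKDF2-SHA256) or 9 (scrypt) is acceptable

def find_weak_credentials(config: str) -> List[Tuple[int, str, str]]:
    """Return (line number, credential location, reason) for each weak entry."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        if line.strip() == "no service password-encryption":
            findings.append((lineno, "global", "password-encryption disabled"))
            continue
        m = CRED_RE.match(line)
        if not m:
            continue
        enable, user, keyword, ptype = m.groups()
        reason = classify(keyword, ptype)
        if reason:
            where = "enable" if enable else (f"username {user}" if user else "line")
            findings.append((lineno, where, reason))
    return findings
```

Run `find_weak_credentials` over a saved `show running-config` to get a list of lines to fix; lines that already use `secret` with type 8 or 9 are not reported.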