Audit Planning Memorandum

Performance Audit - Audit Planning Memorandum
Security of ICT Infrastructure
Background
The Tasmanian public sector relies on many computer-based systems and
services. Important Information and Communications Technology (ICT)
infrastructure such as patient management systems, police databases and motor
registry systems is pivotal to successful service provision. Larger systems use
data centres that provide storage, availability and security. Hobart’s Bathurst
Street data centre had an outage early in January 2012, shutting down
Tasmanian Government server and communications hardware and consequently
disrupting the systems reliant on this hardware and the government services they
supported [1].
Government ICT assets and information must be secure, with adequate
protection against equipment failure, data loss or cyber-attack. The core
principle of information security is to protect the confidentiality, integrity, and
availability of information.
Traditionally, government’s approach to ICT security has been agency-based
with some whole-of-government support for management and planning [2]. While
this model has suited government well in the past, a more coordinated and
strategic focus has become necessary due to emerging factors such as:

more Government services are delivered online

increased need for coordinated service delivery across government
entities

increasing sophistication of attacks on ICT infrastructure

budget pressures that demand greater efficiency of ICT services.
Two units within the Department of Premier and Cabinet — the Office of eGovernment and TMD — are involved in a change process to modernise ICT
practices. This has led to the creation of the Tasmanian Government ICT Strategy,
which includes measures such as:

the eventual closure of the Bathurst St and Salamanca data centres and
the switch to a private sector provider for storage and security

agencies sharing resources and combining purchasing power to improve
cost-efficiency and reduce duplication

the development of the Tasmanian Government Information Security
Policy.
[1] TMD Data Centre outage 1 January 2012
[2] Tasmanian Government ICT Strategy, December 2011, Page 3
The subsequent Information Security Policy Manual contains mandatory and
recommended procedures to improve ICT security within and across agencies.
Audit objective
The objective of the audit is to assess the effectiveness of security measures for
ICT infrastructure.
Audit scope
The audit will include ICT physical infrastructure, applications and information.
The audit will consider measures to ensure appropriate availability of data and
systems as well as strategies to protect systems from intrusion.
The following departments and systems will be subject to audit:

Premier and Cabinet

Health and Human Services

Police and Emergency Management

Treasury and Finance

Primary Industry, Parks, Water and Environment
Audit criteria
Criteria 1. Is there physical security over facilities, network infrastructure and
servers, within gov’t buildings?
Sub-criteria:
1.1 Is there effective identity and access management over the server room and
servers?
1.2 Have control measures been taken to protect network infrastructure?
1.3 Are physical facilities certified and accredited?
Audit approach:
Visit data storage centres.
Visit and inspect IT equipment rooms in various locations.
Check compliance with the Tasmanian Government Identity and Access Management
Toolkit.
Check compliance with the Australian Government Physical Security Management
Protocol.
Criteria 2. Is the information safe and secure?
Sub-criteria:
2.1 Is the data backed up effectively?
  o Are backups tested and stored off-site?
  o Is the frequency cycle effective?
2.2 Is the data safe from cyber-attack? Is the entity using controls for:
  o Application whitelisting
  o Patching applications
  o Patching operating system
  o Minimising users with administrative privileges
  o Disable local administrator accounts
  o Application based workstation firewall
  o Multi-factor authentication
  o Network segmentation and segregation
  o Host based intrusion detection/prevention system
  o Centralised and time-synchronised logging
2.3 Is confidential data only available to appropriate people?
  o Are access controls kept up to date?
2.4 Are access controls tested and monitored?
Audit approach:
Examine backup procedures.
Interview staff about procedures and measures used to classify and protect data.
Test steps taken to protect data and systems against a sample from the Top 35
Strategies to Mitigate Targeted Cyber Intrusions from the Australian Government
Information Security Manual.
Criteria 3. Are ICT resources managed effectively?
Sub-criteria:
3.1 Does the entity have an effective Information Security Plan and risk
management process?
3.2 Does the entity have an Information Security Governance and Management
Committee?
3.3 Are the requirements of the Plan inbuilt?
3.4 Is there an incident recording and management system?
3.5 Do business and disaster continuity plans enable maintenance of business
functions and security?
Audit approach:
Examine information security and risk management documentation.
Examine minutes of the Information Security Governance and Management
Committee.
Look at records of information security inspections and reviews.
Examine incident records and registers.
Review business continuity plans.
Examine complaint records.
Look at compliance with the Information Security Policy.
Conduct of audit
Agency(ies) involved
A judgement sample of entities would allow assessment of the effectiveness of
ICT security at the agency level. Agencies audited would be:

Department of Health and Human Services

Department of Police and Emergency Management

Department of Treasury and Finance

Department of Primary Industries, Water and Environment - Service
Tasmania

Department of Premier and Cabinet
Audit approach, resource requirements and audit timing:
The audit would involve gathering evidence from entities, examining strategy
and risk management documentation and procedures in place to protect ICT
infrastructure, availability of systems and confidentiality of data. The audit will
examine disaster recovery and business continuity plans and the budget spend
on ICT security. The audit will also consider any relevant work resulting from the
entities’ own internal audit work program.
The audit would then assess the suitability of the ICT strategy in providing for
ongoing ICT infrastructure security by applying benchmarks from the Australian
Information Commission and the Australian Government Information Security
Manual.
Consideration was given to whether an expert was required to assist with the
audit. The decision was made not to use an expert as the onus is on the auditees
to demonstrate and provide evidence that they have security measures in place.
Proposed Audit Advisory Committee Members
The Audit Advisory Committee would consist of representatives of each of the
agencies selected in the judgement sample above.

Department of Health and Human Services

Department of Police and Emergency Management

Department of Treasury and Finance

Department of Primary Industries, Parks, Water and Environment Service Tasmania

Department of Premier and Cabinet