
TxDOT Internal Audit Report
Incident Response - IT
Objective
To assess the design, operating effectiveness, and internal/external coordination of
TxDOT's response to identified network security penetration vulnerabilities.
Opinion
Based on the audit scope areas reviewed, control mechanisms require improvement
and only partially address risk factors and exposures considered significant relative to
operational execution and regulatory compliance. The organization's system of internal
controls requires improvement in order to provide reasonable assurance that key goals
and objectives will be achieved. Improvements are required to minimize existing
process variation and control gap corrections that may result in potentially significant
negative impacts to the organization including the achievement of the organization's
business/control objectives. Management has agreed to corrective action that
addresses the relevant risks within 6 months.
Overall Engagement Assessment
Needs Improvement
Findings
Finding 1
Title: Incident Response Plan Development and Implementation
Control Design: X
Operating Effectiveness: X
Rating: Needs Improvement
Management concurs with the above findings and has prepared management action
plans to address the opportunities for improvement.
Internal Environment
TxDOT’s Information Technology (IT) staff recognizes the risks inherent in the
vulnerability management process and has drafted a proposed ‘TxDOT Cyber Security
Incident Response Plan’, which includes guidance for:
• Incidents and Response States
• Responding to an Incident
• Incident Response Team Roles
• Annual Testing
• Contact Lists and so forth
The draft plan is being circulated for comments.
TxDOT Internal Audit – Full Scope
Incident Response - IT Audit
Summary Results
Finding 1
Scope Areas:
- Identification and Validation
- Risk Assessment and Prioritization
- Remediation
- Maintenance and Improvement
Evidence
Evidence listed in order of priority based on
criticality and industry benchmark
observations:
Critical:
• 25 of 45 (56%) incidents reviewed did not
include sensitivity information helpful in
prioritizing work activities
Industry Benchmark:
• 7 of 45 (16%) incidents reviewed did not
include contact information for the
individual who reported or who mitigated
the issue
• 10 of 45 (22%) incidents reviewed did not
include a reference to the root cause
Recommended:
• 32 of 45 (71%) incidents reviewed did not
include security administrator notification
information
• 15 of 45 (33%) incidents did not
reference information about anti-virus
software detection
• 27 of 45 (60%) incidents reviewed did not
include a response by the anti-virus
software administrator which indicates
that information about the incident was
limited
Audit Scope
The scope of the audit work focused on agency-wide incident response activities by the
Information Technology Operations Division (IOD) and the Information Technology
Customer Relations (ICR) groups in TxDOT’s Information Technology (IT) organization,
formerly known as the Technology Services Division (TSD). Audit activities included
tests to determine whether incident response controls were designed to achieve the
organization’s objectives and whether the incident response controls consistently
operated effectively.
The audit was performed by Patti Drummer, Justan Lopez, Todd Pauley and Sonya
Ayers (Engagement Lead). The audit was conducted during the period from January 16,
2013 to July 12, 2013.
2 of 9
August 20, 2013
Methodology
The work performed consisted of:
• review of TxDOT’s Information Security Manual, Information Security Procedures
and the IT Security Incident Reporting Form 2394
• research, analysis, and review of laws and regulations, including Texas
Administrative Code (TAC) Section 202.26 as it pertains to incident response
• review of National Institute of Standards and Technology (NIST) standards for
incident handling and the Institute of Internal Auditors’ Global Technology Audit
Guide (GTAG6), Managing and Auditing IT Vulnerabilities
• inquiry and interview of key personnel
• review of internal documents including organization charts and internal memos
• review of prior audit findings including any reference to TxDOT’s IT in reports
from the State Auditor’s Office (SAO)
• evaluation of control design and operating effectiveness of the vulnerability
management process for incident response
Tests were performed to assess the effectiveness of preventive, detective, and
mitigating measures against past attacks, as well as efforts to prevent future attempts
or incidents deemed likely to occur.
Background
This report was prepared for the Transportation Commission, TxDOT Administration
and Management. The report presents the results of the Incident Response IT Audit
which was conducted as part of the Fiscal Year 2013 Audit Plan.
The TxDOT IT organization (formerly the Technology Services Division) has undergone
considerable internal reorganization over the years and continuing in FY2013.
Reorganization included the hiring of a Chief Information Officer (CIO) and other key
personnel. In June 2013, TxDOT announced it was moving forward with privatization of
specific areas within the IT function. After an evaluation process that began in January
2013, NTT DATA, Inc. was selected as TxDOT’s new IT partner moving
forward. Specifically NTT DATA will be responsible for Application Management,
Customer Relations, Communication Services, IT Security Services, and Professional
Support Services (currently Engineering Support Services) except for Photogrammetry.
The IT organization has also implemented numerous initiatives over the past months.
Notable is the migration of all e-mail services to Microsoft Outlook, the implementation
of an activity tracking system known as TxDOTNow, and other initiatives identified as
“Quick-Win” and self-help. These initiatives are designed to create a more efficient and
effective IT organization.
TxDOT utilizes services provided by the Department of Information Resources (DIR) as
well as anti-virus detection software to assist in managing its statewide technology
infrastructure. The IT infrastructure includes network servers, desktop equipment, and
peripherals like laptops and personal devices that are routinely used to facilitate travel in
the field. TxDOT’s IT personnel are routinely called upon to respond to the threat of a
network intrusion by first identifying the virus or malware, then developing remediation
measures to contain any potential damage, and finally repairing any damage that was not
contained. Layers of coordination and communication between locations are required.
We conducted this performance audit in accordance with Generally Accepted
Government Auditing Standards and in conformance with the International Standards
for the Professional Practice of Internal Auditing. Those standards require that we plan
and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives.
A defined set of control objectives was utilized to focus on operational and regulatory
goals for the identified scope areas. Our audit opinion is an assessment of the health of
the overall control environment based on (1) the effectiveness of enterprise risk
management activities throughout the audit period and (2) the degree to which the
defined control objectives were being met. Our audit opinion is not a guarantee against
operational sub-optimization or regulatory non-compliance, particularly in areas not
included in the scope of this audit.
Detailed Findings and Management Action Plans (MAP)
Finding No. 1: Incident Response Plan Development and Implementation
Condition
TxDOT does not maintain or perform key activities in accordance with a documented
Incident Response Plan that outlines agency resources dedicated to incident response,
roles, responsibilities, reporting, communication, and other important elements of its IT
vulnerability management process.
Effect/Potential Impact
Without a documented incident response plan, response activities may be impaired by a
misunderstood or incomplete incident response (i.e., critical information not
documented to support the incident reports, or inconsistencies in statewide response
reporting). As a result, there may be an increased potential that agency computer
systems and networks are exposed to additional threats such as computer
viruses/intrusions, including denial of service attacks. Other risks resulting from this
increased exposure include:
• a computer virus can be copied to a LAN server, impacting many employees
and their computers; recovery may take several people and several days to
complete
• backups can be infected with viruses and result in re-infected systems,
requiring more time and expense to remediate
• vulnerabilities in software can be discovered that permit unauthorized entry
and access to information technology assets and private employee
information
• system intruders can exploit known and unknown network vulnerabilities
• outbreaks of viruses or system penetrations can appear in the press, causing
negative reputational impact
Criteria & Cause
TxDOT’s Information Security Manual (2012), Information Security Procedures (2010)
and the IT Security Incident Reporting Form 2394 serve to document TxDOT’s policies
and procedures for incident reporting. The documents outline the requirements of the
Texas Administrative Code (TAC) Section 202.26 which requires each state agency to
provide timely reporting of security incidents. The combined documents serve to meet
the requirements to comply with the TAC; however, the documents do not include many
of the elements of an ‘industry benchmark’ vulnerability management plan, such as an
Incident Response Plan.
After the reorganization and restructuring process of the IT department, no formal
Incident Response Plan has been established and implemented for IT personnel. In
addition, competing demands and new self-help initiatives (i.e., “Quick Win”) have taken
priority over a statewide focus on incident response reporting and training resulting in
overall inconsistent handling of incident results and reporting.
Evidence
For the audit period from February 1, 2012 through January 31, 2013, twenty-seven
Security Incident Reports (Form 2394) and various “trouble tickets” were selected to
compile a sample of 45 incidents to review 1) identification/validation procedures, 2) risk
assessment and prioritization, and 3) remediation activities. TxDOT IT confirmed with
IOD that all Security Incident Reports (Form 2394) for the audit cycle were provided.
In the review of identification and validation procedures, it was determined that:
• 25 of 45 (56%) incidents reviewed did not include sensitivity information, which is
used for documenting the severity of the issue and prioritization amongst multiple
issues.
• 7 of 45 (16%) incident reports reviewed did not include contact information for
the individual(s) who reported or who mitigated the issue. Contact information is
critical for accountability and as a resource for incident follow-up tasks.
• 4 of 45 (9%) incident reports reviewed did not include information documenting
the timeline of the incident and the duration of the incident.
In the review of incident response for risk assessment and prioritization methodology, it
was determined that:
• 44 of 45 (98%) incidents reviewed did not include historical cost data related to
repair, recovery, and system function loss.
• 32 of 45 (71%) incidents reviewed did not include security administrator
notification information, which validates that the appropriate personnel were notified
and provides consistency between incidents.
In the review of incident response for remediation activities and for continued
maintenance opportunities, it was determined that:
• 10 of 45 (22%) incidents reviewed did not include a reference to the root cause of
the incident.
• 15 of 45 (33%) incidents did not reference information about the anti-virus
software detection.
• 27 of 45 (60%) incidents reviewed did not include a response by the anti-virus
software administrator, which indicates that information about the incident was
limited.
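The review above is, in effect, a completeness check of each incident record against a list of required fields, grouped by scope area, with the gap counted as a share of the sample. The following added example (not TxDOT's own tooling, data, or form) shows how such a check can be automated so that incomplete reports are caught when they are filed rather than at the next audit. The field names, the scope-area grouping, and the sample records are assumptions constructed for the illustration.

```python
"""Incident-report completeness check (added example; not TxDOT's tooling or data)."""
from typing import Any, Dict, List


# The fields the audit looked for, grouped by the scope area in which they were
# reviewed. The field names are assumptions made for this illustration.
REQUIRED_FIELDS: Dict[str, List[str]] = {
    "identification_validation": ["sensitivity", "reporter_contact", "timeline"],
    "risk_assessment_prioritization": ["cost_data", "security_admin_notified"],
    "remediation_maintenance": ["root_cause", "av_detection", "av_admin_response"],
}


def is_missing(value: Any) -> bool:
    """A field counts as undocumented when absent, None, or blank text."""
    return value is None or (isinstance(value, str) and not value.strip())


def audit_incidents(incidents: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Count missing fields across a sample of incident records.

    Returns the sample size, the number of records missing each field, that
    number as a percentage of the sample, and, per scope area, the ids of the
    records that would need to go back to the reporter for completion.
    """
    total = len(incidents)
    gaps = {field: 0 for fields in REQUIRED_FIELDS.values() for field in fields}
    incomplete: Dict[str, List[str]] = {area: [] for area in REQUIRED_FIELDS}
    for record in incidents:
        for area, fields in REQUIRED_FIELDS.items():
            missing = [f for f in fields if is_missing(record.get(f))]
            for field in missing:
                gaps[field] += 1
            if missing:
                incomplete[area].append(record["id"])
    rates = {f: (round(100 * n / total) if total else 0) for f, n in gaps.items()}
    return {"total": total, "gaps": gaps, "gap_rate_pct": rates,
            "incomplete_by_area": incomplete}


# Constructed sample records; they do not describe any real TxDOT incident.
SAMPLE_INCIDENTS: List[Dict[str, Any]] = [
    {"id": "INC-001", "sensitivity": "high", "reporter_contact": "jdoe@example.invalid",
     "timeline": "2013-03-04T09:10 detected; 2013-03-04T11:30 contained",
     "cost_data": None, "security_admin_notified": "yes, 2013-03-04T09:20",
     "root_cause": "phishing attachment", "av_detection": "Trojan.Generic",
     "av_admin_response": "signature confirmed, host reimaged"},
    {"id": "INC-002", "sensitivity": "", "reporter_contact": "field office 12",
     "timeline": None, "cost_data": None, "security_admin_notified": None,
     "root_cause": None, "av_detection": "Worm.AutoRun", "av_admin_response": None},
    {"id": "INC-003", "sensitivity": None, "reporter_contact": None,
     "timeline": "2013-05-02 detected", "cost_data": None,
     "security_admin_notified": None, "root_cause": "unpatched web server",
     "av_detection": None, "av_admin_response": None},
    {"id": "INC-004", "sensitivity": "medium", "reporter_contact": "helpdesk",
     "timeline": "2013-06-11 detected; 2013-06-12 closed", "cost_data": "4 staff-hours",
     "security_admin_notified": "yes", "root_cause": None,
     "av_detection": "PUA.Toolbar", "av_admin_response": "quarantined"},
]


if __name__ == "__main__":
    result = audit_incidents(SAMPLE_INCIDENTS)
    for field, n in result["gaps"].items():
        print(f"{n} of {result['total']} ({result['gap_rate_pct'][field]}%) "
              f"incidents did not include {field}")
    for area, ids in result["incomplete_by_area"].items():
        print(f"{area}: {', '.join(ids) or 'none'} need follow-up")
```

Run against an export of the incident tracking system, the per-field percentages reproduce the style of statistic reported in this section, and the per-area id lists give the Security Administrator a concrete follow-up queue rather than a summary figure.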
Management Action Plan (MAP):
MAP Owner: Seithur Srinivasan, Service Delivery Manager
MAP 1.1 - IT Division (ITD) reviewed the findings and will develop an incident response
plan to mitigate the risks and impacts identified in the findings. ITD is currently working with
the IT service providers to develop a comprehensive Incident Response Plan.
The TxDOT IT Incident Response Plan will:
• Identify teams, both internal and external to TxDOT, involved with identifying and
remediating a security incident (including specific contact information for persons
performing remediation and any administrators, such as the anti-virus detection
software administrator)
• Define the roles and responsibilities of the teams in each phase of an incident
response (including the roles of the Security Administrator, Information Security
Manager, Information Security Officer and other key persons involved in incident
handling)
• Develop a repeatable incident engagement, management, and preventative
response process (including reference to completion of the Security Incident
Report in a complete and consistent fashion across the agency and reference to
software detection of intrusion with tools such as the anti-virus detection
software)
• Determine applicable service level agreements (“SLAs”) for each team and
activity (including timing of notification and communication with the Security
Administrator and other pertinent notification/communication)
• Document the previously referenced activities so that ITD is not relying on a
specific individual to handle an incident (including timeline information to
determine duration of incident and detection of intrusion)
• Develop and implement a test plan to validate and identify gaps in the incident
response process (including analysis for sensitivity, prioritization, risk
assessment and/or root cause analysis, and detection of intrusion by software such
as the anti-virus detection software utilized at TxDOT)
Upon completion of the IT Incident Response Plan, IT should be able to quickly identify,
engage, and resolve security incidents as they occur to limit impact and proactively
prevent the same or similar incidents from occurring in the future. The plan will also
address the completion and retention guidelines for the Security Incident Report Form
2394 or comparable tool.
Completion Date: August 15, 2013
MAP Owner: Seithur Srinivasan, Service Delivery Manager
MAP 1.2 - The plan will be adopted by IT and the IT service providers. The
implementation of the plan will include:
• Incident Response Plan Communication
• Incident Response test exercises to train and validate the plan
• establishment of a feedback loop for continuous improvement
The Service Delivery Manager responsible for IT Security will provide the oversight for
the implementation of the plan. The Service Delivery Manager responsible for IT
Security will serve as the MAP Coordinator.
Completion Date: September 15, 2013
Summary Results Based on Enterprise Risk Management Framework
Rating Assessment Grid: Exemplary | Satisfactory | Needs Improvement | Unsatisfactory
Closing Comments
The results of this audit were reviewed and discussed with TxDOT’s CIO, Director IOD,
Interim Director – ICR, and other key personnel in IT in an exit conference on April 1, 2013.
We appreciate the assistance and cooperation received from IT Operations, IT
Customer Relations, and employees contacted during this audit.