TxDOT Internal Audit Report
Incident Response - IT

Objective
To assess the design, operating effectiveness, and internal/external coordination of TxDOT’s response to the network security penetration vulnerabilities that have been identified.

Opinion
Based on the audit scope areas reviewed, control mechanisms require improvement and only partially address risk factors and exposures considered significant relative to operational execution and regulatory compliance. The organization’s system of internal controls requires improvement in order to provide reasonable assurance that key goals and objectives will be achieved. Improvements are required to minimize existing process variation and to correct control gaps that may otherwise result in potentially significant negative impacts to the organization, including on the achievement of the organization’s business/control objectives. Management has agreed to corrective action that addresses the relevant risks within 6 months.

Overall Engagement Assessment: Needs Improvement

Findings
Finding   Title                                                   Control Design   Operating Effectiveness   Rating
1         Incident Response Plan Development and Implementation   X                X                         Needs Improvement

Management concurs with the above findings and has prepared management action plans to address the opportunities for improvement.

Internal Environment
TxDOT’s Information Technology (IT) staff recognizes the risks inherent in the vulnerability management process and has drafted a proposed ‘TxDOT Cyber Security Incident Response Plan’, which includes guidance for:
- Incidents and Response States
- Responding to an Incident
- Incident Response Team Roles
- Annual Testing
- Contact Lists, and so forth
The draft plan is being circulated for comments.
TxDOT Internal Audit – Full Scope
Incident Response - IT Audit

Audit Summary Results

Finding 1 – Scope Areas:
- Identification and Validation
- Risk Assessment and Prioritization
- Remediation
- Maintenance and Improvement

Evidence
Evidence listed in order of priority based on criticality and industry benchmark observations:

Critical:
• 25 of 45 (56%) incidents reviewed did not include sensitivity information helpful in prioritizing work activities

Industry Benchmark:
• 7 of 45 (16%) incidents reviewed did not include contact information for the individual who reported or who mitigated the issue
• 10 of 45 (22%) incidents reviewed did not include a reference to the root cause

Recommended:
• 32 of 45 (71%) incidents reviewed did not include security administrator notification information
• 15 of 45 (33%) incidents did not reference information about anti-virus software detection
• 27 of 45 (60%) incidents reviewed did not include a response by the anti-virus software administrator, which indicates that information about the incident was limited

Audit Scope
The scope of the audit work focused on agency-wide incident response activities by the Information Technology Operations Division (IOD) and the Information Technology Customer Relations (ICR) groups in TxDOT’s Information Technology (IT) organization, formerly known as the Technology Services Division (TSD). Audit activities included tests to determine whether incident response controls were designed to achieve the organization’s objectives and whether the incident response controls consistently operated effectively.

The audit was performed by Patti Drummer, Justan Lopez, Todd Pauley and Sonya Ayers (Engagement Lead). The audit was conducted during the period from January 16, 2013 to July 12, 2013.
August 20, 2013

Audit Methodology
The work performed consisted of:
- review of TxDOT’s Information Security Manual, Information Security Procedures and the IT Security Incident Reporting Form 2394
- research, analysis, and review of laws and regulations, including Texas Administrative Code (TAC) Section 202.26 as it pertains to incident response
- review of National Institute of Standards and Technology (NIST) standards for incident handling and the Institute of Internal Auditors’ Global Technology Audit Guide (GTAG6) for Managing and Auditing IT Vulnerabilities
- inquiry and interview of key personnel
- review of internal documents including organization charts and internal memos
- review of prior audit findings including any reference to TxDOT’s IT in reports from the State Auditor’s Office (SAO)
- evaluation of control design and operating effectiveness of the vulnerability management process for incident response

Tests were performed to assess the effectiveness of preventive, detective, and mitigating measures against past attacks, as well as efforts to prevent future attempts or incidents deemed likely to occur.

Background
This report was prepared for the Transportation Commission, TxDOT Administration and Management. The report presents the results of the Incident Response IT Audit, which was conducted as part of the Fiscal Year 2013 Audit Plan.

The TxDOT IT organization (formerly the Technology Services Division) has undergone considerable internal reorganization over the years, continuing in FY2013. Reorganization included the hiring of a Chief Information Officer (CIO) and other key personnel. In June 2013, TxDOT announced it was moving forward with privatization of specific areas within the IT function. After an evaluation process that began in January 2013, NTT DATA, Inc. was selected as TxDOT’s new IT partner moving forward.
Specifically, NTT DATA will be responsible for Application Management, Customer Relations, Communication Services, IT Security Services, and Professional Support Services (currently Engineering Support Services), except for Photogrammetry.

The IT organization has also implemented numerous initiatives over the past months. Notable are the migration of all e-mail services to Microsoft Outlook, the implementation of an activity tracking system known as TxDOTNow, and other initiatives identified as “Quick-Win” and self-help. These initiatives are designed to create a more efficient and effective IT organization.

TxDOT utilizes services provided by the Department of Information Resources (DIR) as well as anti-virus detection software to assist in managing its statewide technology infrastructure. The IT infrastructure includes network servers, desktop equipment, and peripherals like laptops and personal devices that are routinely used to facilitate travel in the field. TxDOT’s IT personnel are routinely called upon to respond to a threat of a network intrusion by first identifying the virus or malware, then developing remediation measures to contain any potential damage, and finally repairing any damage that could not be contained. Layers of coordination and communication between locations are required.

We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards and in conformance with the International Standards for the Professional Practice of Internal Auditing. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
A defined set of control objectives was utilized to focus on operational and regulatory goals for the identified scope areas. Our audit opinion is an assessment of the health of the overall control environment based on (1) the effectiveness of enterprise risk management activities throughout the audit period and (2) the degree to which the defined control objectives were being met. Our audit opinion is not a guarantee against operational sub-optimization or regulatory non-compliance, particularly in areas not included in the scope of this audit.

Detailed Findings and Management Action Plans (MAP)

Finding No. 1: Incident Response Plan Development and Implementation

Condition
TxDOT does not maintain or perform key activities in accordance with a documented Incident Response Plan that outlines agency resources dedicated to incident response, roles, responsibilities, reporting, communication, and other important elements of its IT vulnerability management process.

Effect/Potential Impact
Without a documented incident response plan, response activities may be impaired by a misunderstood or incomplete incident response (i.e., critical information not documented to support the incident reports, or inconsistencies in statewide response reporting). As a result, there may be an increased potential that agency computer systems and networks are exposed to additional risk of threats such as computer viruses, intrusions, and denial of service attacks.
Other risks resulting from this increased exposure include:
- a computer virus can be copied to a LAN server, impacting many employees and their computers; recovery may take several people and several days to complete
- backups can be infected with viruses and result in re-infected systems, requiring more time and expense to remediate
- vulnerabilities in software can be discovered that permit unauthorized entry and access to information technology assets and private employee information
- system intruders can exploit known and unknown network vulnerabilities
- outbreaks of viruses or system penetrations can appear in the press, causing negative reputational impact

Criteria & Cause
TxDOT’s Information Security Manual (2012), Information Security Procedures (2010) and the IT Security Incident Reporting Form 2394 serve to document TxDOT’s policies and procedures for incident reporting. The documents outline the requirements of the Texas Administrative Code (TAC) Section 202.26, which requires each state agency to provide timely reporting of security incidents. The combined documents serve to meet the requirements to comply with the TAC; however, the documents do not include many of the elements of an ‘industry benchmark’ vulnerability management plan, such as an Incident Response Plan.

After the reorganization and restructuring process of the IT department, no formal Incident Response Plan has been established and implemented for IT personnel. In addition, competing demands and new self-help initiatives (i.e., “Quick Win”) have taken priority over a statewide focus on incident response reporting and training, resulting in overall inconsistent handling of incident results and reporting.
Evidence
For the audit period from February 1, 2012 through January 31, 2013, twenty-seven Security Incident Reports (Form 2394) and various “trouble tickets” were selected to compile a sample of 45 incidents to review 1) identification/validation procedures, 2) risk assessment and prioritization, and 3) remediation activities. TxDOT IT confirmed with IOD that all Security Incident Reports (Form 2394) for the audit cycle were provided.

In the review of identification and validation procedures, it was determined that:
- 25 of 45 (56%) incidents reviewed did not include sensitivity information, which is used for documenting the severity of the issue and for prioritization amongst multiple issues.
- 7 of 45 (16%) incident reports reviewed did not include contact information for the individual(s) who reported or who mitigated the issue. Contact information is critical for accountability reference and as a resource for incident follow-up tasks.
- 4 of 45 (9%) incident reports reviewed did not include information to document the timeline of the incident and the duration of the incident.

In the review of incident response for risk assessment and prioritization methodology, it was determined that:
- 44 of 45 (98%) incidents reviewed did not include historical cost data related to repair, recovery, and system function loss.
- 32 of 45 (71%) incidents reviewed did not include security administrator notification information, which validates that the appropriate personnel were notified and provides consistency between incidents.

In the review of incident response for remediation activities and for continued maintenance opportunities, it was determined that:
- 10 of 45 (22%) incidents reviewed did not include a reference to the root cause of the incident.
- 15 of 45 (33%) incidents did not reference information about the anti-virus software detection.
- 27 of 45 (60%) incidents reviewed did not include a response by the anti-virus software administrator, which indicates that information about the incident was limited.

Management Action Plan (MAP):

MAP Owner: Seithur Srinivasan, Service Delivery Manager

MAP 1.1 - IT Division (ITD) reviewed the findings and will develop an incident response plan to mitigate risks and impacts identified in the findings. ITD is currently working with the IT service providers to develop a comprehensive Incident Response Plan. The TxDOT IT Incident Response Plan will:
- Identify teams, both internal and external to TxDOT, involved with identifying and remediating a security incident (including specific contact information for persons performing remediation and any administrators, such as the anti-virus detection software administrator)
- Define the roles and responsibilities of the teams in each phase of an incident response (including the role of the Security Administrator, Information Security Manager, Information Security Officer and other key persons involved in incident handling)
- Develop a repeatable incident engagement, management, and preventative response process (including reference to completion of the Security Incident Report in a complete and consistent fashion across the agency and reference to software detection of intrusion with tools such as the anti-virus detection software)
- Determine applicable service level agreements (“SLAs”) for each team and activity (including timing of notification and communication with the Security Administrator and other pertinent notification/communication)
- Document the previously referenced activities so that ITD is not relying on a specific individual to handle an incident (including timeline information to determine duration of incident and detection of intrusion)
- Develop and implement a test plan to validate and identify gaps in the incident response process (including analysis for sensitivity, prioritization, risk assessment and/or root cause analysis, and detection of intrusion by software such as the anti-virus detection software utilized at TxDOT)

Upon completion of the IT Incident Response Plan, IT should be able to quickly identify, engage, and resolve security incidents as they occur to limit impact and proactively prevent the same or similar incidents from occurring in the future. The plan will also address the completion and retention guidelines for the Security Incident Report Form 2394 or a comparable tool.

Completion Date: August 15, 2013

MAP Owner: Seithur Srinivasan, Service Delivery Manager

MAP 1.2 - The plan will be adopted by IT and the IT service providers. The implementation of the plan will include:
- Incident Response Plan communication
- Incident Response test exercises to train and validate the plan
- establishment of a feedback loop for continuous improvement

The Service Delivery Manager responsible for IT Security will provide the oversight for the implementation of the plan. The Service Delivery Manager responsible for IT Security will serve as the MAP Coordinator.

Completion Date: September 15, 2013

Summary Results Based on Enterprise Risk Management Framework
Rating Assessment Grid (Exemplary / Satisfactory / Needs Improvement / Unsatisfactory): Needs Improvement

Closing Comments
The results of this audit were reviewed and discussed with TxDOT’s CIO, Director IOD, Interim Director – ICR, and other key personnel in IT in an exit conference on April 1, 2013. We appreciate the assistance and cooperation received from IT Operations, IT Customer Relations, and employees contacted during this audit.
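The Evidence section of Finding No. 1 scores each sampled incident record against a fixed set of required fields and reports the share of records lacking each one. The Python script below is an added example, not part of the TxDOT report or its tooling: it applies the same completeness check to a constructed sample of Form 2394-style records and labels each gap with the tier the Audit Summary assigns it (field names, tier names for the two ungrouped fields, and all sample values are assumptions).

```python
"""Completeness check for incident records, modelled on the audit's evidence
criteria. Added example, not part of the TxDOT report; records are constructed."""
from collections import Counter

# Fields the audit checked, keyed by the tier the Audit Summary assigns to each
# gap; timeline and cost data are not tiered in the report, so they are "Other".
FIELD_TIERS = {
    "sensitivity": "Critical",
    "contact": "Industry Benchmark",
    "root_cause": "Industry Benchmark",
    "security_admin_notified": "Recommended",
    "av_detection": "Recommended",
    "av_admin_response": "Recommended",
    "timeline": "Other",
    "cost_data": "Other",
}
TIER_RANK = {"Critical": 0, "Industry Benchmark": 1, "Recommended": 2, "Other": 3}

def missing_fields(record):
    """Required fields that are absent, empty or False in one record."""
    return [f for f in FIELD_TIERS if not record.get(f)]

def worst_tier(record):
    """Most severe tier among the record's gaps, or None if it is complete."""
    gaps = missing_fields(record)
    return min((FIELD_TIERS[f] for f in gaps), key=TIER_RANK.get) if gaps else None

def completeness_report(records):
    """Per field: (number of records lacking it, percentage of the sample)."""
    total = len(records)
    counts = Counter(f for r in records for f in missing_fields(r))
    return {f: (counts[f], round(100 * counts[f] / total)) for f in FIELD_TIERS}

# Constructed sample of four Form 2394-style records with typical gaps.
SAMPLE_INCIDENTS = [
    {"id": "INC-001", "sensitivity": "high", "contact": "reporter A",
     "timeline": "2012-05-01 09:00-11:30", "security_admin_notified": True,
     "root_cause": "phishing attachment", "av_detection": "quarantined"},
    {"id": "INC-002", "contact": "reporter B", "timeline": "2012-06-03 14:00-16:00"},
    {"id": "INC-003", "sensitivity": "medium", "root_cause": "unpatched plugin",
     "av_detection": "not detected", "av_admin_response": "signatures updated"},
    {"id": "INC-004", "sensitivity": "low", "contact": "reporter D",
     "timeline": "2012-09-10 08:00-08:45", "cost_data": "4 staff-hours",
     "security_admin_notified": True, "root_cause": "USB autorun malware",
     "av_detection": "detected on insert", "av_admin_response": "host reimaged"},
]

if __name__ == "__main__":
    for field, (n, pct) in completeness_report(SAMPLE_INCIDENTS).items():
        print(f"{n} of {len(SAMPLE_INCIDENTS)} ({pct}%) lack {field} [{FIELD_TIERS[field]}]")
    for r in SAMPLE_INCIDENTS:
        print(r["id"], "worst gap tier:", worst_tier(r))
```

Running it over the real Form 2394 set instead of the constructed sample would reproduce the "N of 45 (x%)" figures in the Evidence section, and the per-record tier shows which reports need follow-up first.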