Western Australian Auditor General’s Report Information Systems Audit Report Report 2: March 2010 The President Legislative Council The Speaker Legislative Assembly INFORMATION SYSTEMS AUDIT Report I submit to Parliament my Information Systems Audit Report under the provisions of sections 24 and 25 of the Auditor General Act 2006 GLEN CLARKE ACTING AUDITOR GENERAL 24 March 2010 Information Systems Audit Report l Western Australian Auditor General Contents Auditor General’s Overview IS Compliance Audit: Security of Laptop and Portable Storage Devices Application and General Computer Controls Audits 17 Application Controls 20 General Computer Controls and Capability Assessments for Agenices 24 Western Australian Auditor General l Information Systems Audit Report Auditor General’s Overview This is the second annual Information Systems Audit Report tabled by this Office Following the inaugural 2009 report, I have been encouraged by feedback that the reported results provide an important performance benchmark for agencies This report has two sections covering three items: • Information systems compliance audit m • Application and general computer controls audits m Application controls m General computer controls and capability assessments of agencies Security of laptop and portable storage devices The first item of the report, ‘Security of laptop and portable storage devices’, rounds out a four year focus on various aspects of Information Systems security This year’s audit looked at how agencies manage the physical security of laptops, mobile phones, media players and flash drives and at the security of information stored on those devices Laptops and other portable storage devices offer benefits through allowing flexible work arrangements and easy access, storage and transfer of large amounts of data However their portability also places them at greater risk of being lost or stolen Information stored on portable devices also needs to be adequately protected None of the seven agencies we reviewed had adequately considered or addressed these risks Our audit of four key business applications at four agencies, found weaknesses in security and data processing controls that could potentially impact delivery of key services to the public Our general computer control audits involved assessing 52 agencies and benchmarking 42 against good practice for IS management Forty-five per cent of agencies failed to meet the benchmark While we have seen some good practice and some signs of improvement, too many agencies continue to ignore the risks from not effectively managing their information systems The standards and frameworks we audit against not place unrealistic expectations on agencies and are generally accepted across all industries I strongly urge senior management of agencies to act on the recommendations of this report Information Systems Audit Report l Western Australian Auditor General IS Compliance Audit: Security of Laptop and Portable Storage Devices Overview Western Australian Government agencies own and use large numbers of laptop computers and other portable storage devices (PSDs) – including flash drives, portable hard drives and mobile phones These devices can hold large volumes of information The portability of laptops and PSDs allow flexible work arrangements and easy transfer of information However, their portability also increases the risk that they will be lost or stolen On average about 250 laptops are reported stolen by agencies each year Without adequate safeguards in place these losses can easily result in unauthorised access to sensitive information Agencies therefore have a responsibility to manage these items effectively This includes protecting the physical assets and ensuring appropriate security for the information stored on them The challenge facing agencies is to meet security needs without restricting the benefits that portable devices offer This is the fourth and last in a series of information systems compliance audits we have carried out since 2007 that has focused on information security The previous examinations were: Protection of personal and sensitive information held in databases (Report 2, 2009); Information security: disposal of government hard drives (Report 1, 2008); and Security of wireless local area networks in government (Report 3, 2007) This examination assessed whether seven government agencies were effectively managing their laptops and PSDs to reduce the risk of loss or theft and subsequent access to sensitive information The agencies were: • Curriculum Council • Department of Commerce • Department of Education (Central Office) • Department of Water • Royal Perth Hospital • Western Australia Police • WorkCover WA Conclusion All seven agencies lacked comprehensive management, technical and physical controls over their laptops and PSDs to minimise the risk of them being lost or stolen and of sensitive information being accessed More serious weaknesses included: • not knowing the number of laptops or PSDs owned, who had them, or where they were located • ineffective controls to prevent information being accessed if a laptop was lost or stolen • basic security weaknesses including inadequate access controls and failure to implement vendor security patches to fix known security flaws • gaps in relevant policies and procedures including action to be taken in the event of a laptop or PSD being lost or stolen Western Australian Auditor General l Information Systems Audit Report IS Compliance Audit: Security of Laptop and Portable Storage Devices Key Findings • • None of the agencies had complete knowledge of the number of PSDs they owned or the potential security risks of their PSDs Only two agencies – Western Australia Police (WAP) and WorkCover WA – had registers to track portable hard drives • WAP was the only agency that had addressed the risks associated with flash drives Staff are only allowed to use the encrypted devices they are issued • All agencies used systems logons on their laptops However, all agencies had weaknesses in other fundamental access controls: m m • Six agencies had not used basic security controls on laptops to protect them from dangers associated with connecting to external networks This increased the risk of unauthorised access to sensitive data on the laptops and/or on networks systems m m • The Department of Commerce and Royal Perth Hospital did not have up-to-date registers to track laptops and so did not know how many laptops they owned The lack of this information increases the risk that laptops and information stored on them will be lost without agencies knowing It also limits effective asset planning and replacement Only WAP had comprehensive polices and procedures, including those dealing with the use and security of PSDs The Curriculum Council had weaknesses in all policy and procedure areas Five agencies had not ensured that boot passwords were systematically used on laptops Department of Commerce and Royal Perth Hospital had activated ‘boot’ passwords on some individual and unit/branch computers When activated, boot passwords protect information on computer hard drives from being accessed by unauthorised users, even if the hard drive is removed from the computer All laptops have this capability Four agencies – the Curriculum Council, the Department of Water, Royal Perth Hospital and the Department of Education (Central Office) – did not use screen lock-outs These require a password to unlock a computer if it is not used for a set period of time Only WorkCover had enabled local firewalls on its laptops Local firewalls are necessary to protect laptops from external threats from the internet when they are connected outside their home networks Only WorkCover and WAP had controls in place to prohibit users from connecting their laptops to external networks Four agencies – the Curriculum Council, the Department of Water, the Department of Commerce and WAP had not updated software patches on their laptops While the Department of Commerce did have an automated patch update program, it was not working Product vendors release software patches regularly to fix critical security flaws Information Systems Audit Report l Western Australian Auditor General IS Compliance Audit: Security of Laptop and Portable Storage Devices What Should Be Done • All agencies should ensure that they have adequate information about their portable IT assets In particular: m they should maintain comprehensive registers for their laptops m they should consider the best way to record information about PSDs • All agencies should ensure that basic access controls - ‘boot’ passwords and screen lock-outs – are activated as standard • Agencies should ensure that their external security controls and practices – including updating patches, and firewall strategies – meet their security needs • All agencies should assess the threats and vulnerabilities to their laptops and PSDs and implement policies, procedures and practices to mitigate those risks This will likely include deciding about: m accessing external networks m different rules for different types of information and devices m the need for laptops and PSDs Western Australian Auditor General l Information Systems Audit Report IS Compliance Audit: Security of Laptop and Portable Storage Devices Agency Responses Curriculum Council – An Information and Communications Technologies security policy and procedures plan is being developed covering laptops, portable storage devices, security of data and physical security of equipment Progress is being made for all laptops on: • boot passwords and BIOS passwords • removal of local administrator rights Department of Commerce – The Department agrees with the findings and has: • implemented an IT Asset Management module to provide a single register for laptop information and to emulate the physical stocktake process • updated software patches on all laptops which connect to the Department’s network Other actions in progress are: • development of policy and procedures dealing with PSDs, external network connections and missing assets • risk assessment to determine information classification levels and the appropriateness of local firewalls and boot passwords Department of Education – The Department of Education will consider the findings of the audit and the recommendations of the Auditor General to determine the appropriate action to be taken Improvements in our security procedures for all portable storage devices are continually sought to ensure the security of the stored information Department of Water – The Department of Water has taken steps to address the issues and will continue to implement changes to improve security for laptops Department of Health – The Department of Health, on behalf of Royal Perth Hospital (RPH), accepts the findings and implications set out in the OAG’s report of its examination Steps to address the most important of the examination’s recommendations have already been taken Action in relation to the other recommendations is being assessed by RPH management and other areas of WA Health, particularly the Health Information Network, and will form part of WA Health’s ongoing endeavours to improve its information and communication technology governance framework WorkCover WA – WorkCover WA is actively working towards addressing the areas of concern identified in the audit A comprehensive Portable Storage Device Policy that covers all aspects of use of PSDs is in the final stages of management approval WorkCover WA will also be implementing the use of encrypted flash drives throughout the agency Information Systems Audit Report l Western Australian Auditor General IS Compliance Audit: Security of Laptop and Portable Storage Devices Background Most agencies have an increasing number of laptops and use a variety of PSDs PSDs include mobile phones with storage, USB memory sticks (flash drives), media players, CDs, DVDs and portable hard drives Their portability assists with information access and sharing and can make working life easier and more effective However, their size and portability increases the risk of them being lost or stolen In the last two years there have been a number of high profile incidents in the United Kingdom where the loss or theft of laptops and PSDs has led to serious data breaches There have also been cases reported in Australia where laptops containing personal and sensitive information have been lost or stolen Fifty-six State Government agencies reported 750 laptops stolen or lost with a total value of $828 030 in the three years to 2009 In addition to the loss of the asset, many of these devices are likely to have contained sensitive data This creates a significant risk of data breaches through unauthorised access to the information stored on the devices To mitigate these risks, agencies should have two basic types of controls in place The first are physical tracking and security controls to minimise the risk that laptops or PSDs will be lost or stolen The second are information security controls to prevent access to information stored on these devices if they are lost or stolen Physical tracking and security controls include keeping good records of assets These should include listing where the assets are, who has them and if the assets have up-to-date patches and software licences Information security controls include good lock-out measures – including differing levels of passwords and encryption These help limit opportunities for unauthorised people to access information on devices Figure illustrates the types of devices and the controls that can be used Information Security Controls: • Appropriate data policies • System and logon passwords • Keypad locks • Encryption • External device controls Physical tracking and security controls: • Asset registers • Safe storage and handling to minimise risk of loss or theft Figure 1: Types of portable storage devices Western Australian Auditor General l Information Systems Audit Report IS Compliance Audit: Security of Laptop and Portable Storage Devices What Did We Do? We examined seven agencies that have reported theft and loss of laptops These agencies maintain various types of sensitive information including financial, medical, legal and educational records Having suffered these losses, we expected that these agencies would have acted to put good controls in place The agencies were: • Curriculum Council • Department of Commerce • Department of Education (Central Office) • Department of Water • Royal Perth Hospital • Western Australia Police • WorkCover The Department of Education reported 561 laptops lost or stolen from its total of more than 26 000 This is 75 per cent of all those reported lost or stolen in this period The Curriculum Council lost the next largest number – 24 – but 22 of those were lost in one break-in to their offices Only two other agencies reported double figures – 10 and 11 lost in the period The agencies in our examination represent 81 per cent of losses in this period Table shows the agencies we examined and the numbers and value of laptops they have reported lost Agency Total number of laptops in 2009 Number laptops reported lost/ stolen 2006-09 Insured value of lost/stolen laptops 100 24** $31 036 Department of Commerce * $7 166 Department of Education 26 278 561 $580 434 Department of Water 289 $7 464 Royal Perth Hospital * $4 200 1 443 $9 509 40 $1 325 28 150 608 $641 134 Curriculum Council Western Australia Police WorkCover Total Table 1: Laptops reported lost All agencies had reported some lost laptops in the past three years * Figures not available for these agencies (see below for detail) ** 22 laptops were lost in a single break-in to one Curriculum Council building Source: Insurance Commission of WA and OAG 10 Information Systems Audit Report l Western Australian Auditor General Application and General Computer Controls Audits Weak access controls make it easy for unauthorised users to access sensitive information Attempting to login to a system by guessing simple passwords is a commonly used strategy for gaining unauthorised system access The combination of weaknesses we found create serious exposures and could lead to the information stored and handled by these agencies being comprised All four agencies had weaknesses in the IT applications we audited These included: • At two agencies we guessed passwords for highly privileged database accounts and obtained full access to sensitive information We also found that any changes made using these accounts would not be detected A third agency’s application did not enforce basic password controls This allowed users to create single character passwords that not expire • In two agencies we found numerous network and application user accounts with the highest privileges had been created without approval A number of these accounts belonged to former staff • One agency had not defined what access privileges should be required by different staff As a result, inappropriate levels of access had been assigned to numerous users One agency was unable to produce a list of user accounts and respective access privileges for its application • At three of the four agencies we found active user accounts belonging to former staff that allowed access to key applications, the network, and databases At two of these agencies there was no monitoring or logging of user access This makes it impossible to know whether unauthorised access or changes to information had occurred • Critical security updates were missing from key servers hosting business applications in two agencies This leaves the applications inadequately protected against potential threats and may result in unauthorised access and/or loss of system operation and information The firewall for one application was ineffective against these threats • In one agency we found multiple physical and environmental control weaknesses such as no air conditioning in server rooms and no physical protection of equipment This significantly increases the risk of applications and networks being compromised • Two of the applications did not log failed access attempts and only held information relating to successful logons for the previous three days Confidential information was not adequately protected • • 22 At one agency we found that confidential information such as client names and address details was unnecessarily attached to other data sent to external contractors This increases the risk of information being leaked and/or misused In another agency security controls were not in place to protect sensitive information from access by unauthorised staff At two agencies support staff used generic administrator accounts to access computer systems with sensitive information Staff that use these accounts cannot be identified on the network and made accountable One of these agencies was unable to provide the required police clearances for staff accessing such information These practices are contradictory to each agency’s own policies Information Systems Audit Report l Western Australian Auditor General Application and General Computer Controls Audits Data controls – poor data controls are resulting in unreliable information Agency management rely on accurate information from their business applications to make informed decisions This requires controls that ensure the complete and accurate processing of data from input to output Typical data controls include: • standard input formats, rules and data verification prior to input • data change controls and authorisations to ensure any changes or anomalies are identified and addressed during processing • output checking through validation of reports or reconciliation and tracing of transaction processing Prior to examining data controls for an application we obtain an understanding of the business processes involved and the underlying IT systems We identify all relevant business and control activities and map the flow of information from input to output This includes reviewing any policies and procedures as well as interfaces between applications Data control weaknesses we identified included: • Input control weaknesses in one application – deficient rules in the system allowed incorrect information to be entered or updated As well, processes to verify information contained in the system were not documented and were unreliable due to their ad-hoc nature • One agency had not formalised the types of controls that should be established over data processing at its sub-agencies Such controls should be documented in approved policies and procedures • Three of the four agencies were not conducting routine verification of data accuracy and validity for key business processes Other control categories Operational controls ensure that applications are used consistently and correctly across an agency to meet business requirements These controls include staff training, application specific manuals as well as monitoring and reporting of data input, processing and output Change control is required to ensure that any modifications to existing computer systems are appropriately implemented and changes are authorised, approved and tested where appropriate Business continuity planning is vital for all agencies as it provides for the rapid recovery of computer services in the event of an unplanned disruption Western Australian Auditor General l Information Systems Audit Report 23 Application and General Computer Controls Audits The management over change control and business continuity planning were adequate for the four applications However, we did identify a number of operational control weaknesses Specifically: • One application did not notify users when they accessed restricted information This increases the risk that staff may unwittingly disclose confidential information • Managers at two agencies did not fully understand the level of access they authorised for staff and consequently had allocated inappropriate access to sensitive information Segregation of duties was not in place to mitigate the risk of unauthorised or inappropriate transactions being made • Contractor service level agreements in one agency were not monitored so the agency does not know if contractors were meeting their contractual obligations • Management for one of the applications did not monitor or review the security logs and audit trails of the application Any unauthorised access or inappropriate modifications to system data will not be identified by the agency • We reviewed a sample of sub-agencies accessing the parent agency application These subagencies were managing their own data on site using inadequate backup regimes This increases the risk of losing information permanently We recommended that the backup and recovery plans of the agencies and sub-agencies be consolidated for efficiency and effectiveness General computer controls and capability assessments for agencies The objective of our general computer controls (GCC) audits is to determine whether the computer controls effectively support the confidentiality, integrity, and availability of information systems General computer controls include controls over the information technology (IT) environment, computer operations, access to programs and data, program development and program changes In 2009 we focused specifically on the following types of GCC categories: • management of IT risks • information security • business continuity • change control • physical security Capability maturity models are a way of assessing how well developed and capable the established IT controls are and how well developed or capable they should be We use the results of our GCC work to inform our capability assessments of agencies This is the second year we have used capability maturity models 24 Information Systems Audit Report l Western Australian Auditor General Application and General Computer Controls Audits The models we developed use accepted industry good practice as the basis for assessment Our assessment of the appropriate maturity level for an agency’s general computer controls is influenced by various factors These include: the business objectives of the agency; the level of dependence on IT; the technological sophistication of their computer systems; and the value of information managed by the agency What Did We Do? We conducted GCC work at 52 agencies and did capability assessments at 42 of these agencies of which 35 were also assessed last year We provided the 42 selected agencies with capability assessment forms and asked them to complete and return the forms at the end of the audit We then met with each of the agencies to compare their assessment and that of ours which was based on the results of our GCC audits The agreed results are reported below We use a five scale rating1 listed below to evaluate each agency’s capability and maturity levels in each of the GCC audit focus areas The models provide a baseline for comparing results for these agencies from year to year Our intention is to increase the number of agencies assessed each year (non-existent) Management processes are not applied at all Complete lack of any recognisable processes (initial/ad hoc) Processes are ad hoc and overall approach to management is disorganised (repeatable but intuitive) Processes follow a regular pattern where similar procedures are followed by different people with no formal training or standard procedures Responsibility is left to the individual and errors are highly likely (defined) Processes are documented and communicated Procedures are standardised, documented and communicated through training Processes are mandated however, it is unlikely that deviations will be detected The procedures themselves are not sophisticated but are the formalisation of existing practices (managed and measurable) Management monitors and measures compliance with procedures and takes action where appropriate Processes are under constant improvement and provide good practice Automation and tools are used in a limited or fragmented way (optimised) Good practices are followed and automated Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modeling with other enterprises IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the agency quick to adapt Table 4: Rating criteria The information within this maturity model assessment is based on the criteria defined within the Control Objectives for Information and related Technology (COBIT) manual Western Australian Auditor General l Information Systems Audit Report 25 Application and General Computer Controls Audits What Did We Find? Fifty-two per cent of the agencies we assessed using capability models had not established effective controls to manage IT risks, information security and business continuity Thirty-one per cent of agencies had not established effective change controls and 33 per cent had not established effective controls for management of physical security Figure illustrates the results of the capability assessments of the 42 agencies We expect all agencies should be at least within the level three band across all the categories Figure 3: Capability Maturity Model Assessment Results Most agencies achieved a rating of two or less out of five when assessed against each of the five GCC categories The categories with the lowest results were management of IT risks, information security and business continuity We were encouraged to see improvements in some of the agencies we reviewed last year Specifically, 26 per cent of agencies we reviewed last year using the capability assessments made improvements in at least one of the categories without regressing in any area Forty-one per cent of agencies showed no change The remainder may have made improvements in one area but regressed in another Six of the seven of agencies that we assessed for the first time this year were not managing risks effectively Four fell below our expectations for managing Information security, business continuity and physical security and two for change control Specific results for the GCC categories examined are presented below 26 Information Systems Audit Report l Western Australian Auditor General Application and General Computer Controls Audits Management of IT risks 64% 49% 15% 36% 51% Risk 2008 Risk 2009 All agencies are required to have risk management policies and practices that identify, assess and treat risks that affect key business objectives IT is one of the key risk areas that should be addressed We therefore expect agencies to have IT specific risk management policies and practices such as risk assessments, registers and treatment plans Although there was a 15 per cent improvement from last year, 49 per cent of agencies still did not meet our expectations for managing IT risks Six of the seven agencies assessed for the first time this year also failed to meet our expectations Without appropriate IT risk policies and practices, threats may not be identified and treated within reasonable timeframes, thereby increasing the likelihood that agency objectives will not be met Examples of findings from the GCC audits that informed our assessments include: • Several agencies either had no established risk management policies and practices or their policies and practices were inadequate • Many agencies did not maintain risk registers and lacked clear processes for identifying and communicating risks even when agency policy required it Agencies also lacked treatment plans and were not monitoring identified risks • Several agencies had not assigned responsibility to key staff for risk management We found a lack of active participation by key staff across most agencies in the identification, assessment and treatment of IT risks • Many agencies had not carried out any risk assessments of their Information Systems and supported business functions including the likelihood and impacts of risk events • Risk management within several agencies was not driven by an enterprise wide risk management program that identifies core business processes and the people, process and technologies that affect them • IT project associated risks were not being recorded in risk registers and tracked on an ongoing basis Information security 61% 51% 10% 39% 49% Security 2008 Security 2009 Information security is critical to maintaining data integrity and reliability of key financial and operational systems from accidental or deliberate threats and vulnerabilities We examined what controls were established and whether they were administered and configured to appropriately restrict access to programs, data, and other information resources We found an overall improvement of 10 per cent from last year though half of the agencies still fell below our benchmark for managing information security This result was similar amongst those agencies we assessed for the first time It is clear from the basic security weaknesses we identified that many agencies have not implemented fundamental security controls to secure their systems and information Western Australian Auditor General l Information Systems Audit Report 27 Application and General Computer Controls Audits The information security controls we reviewed for our GCC audits are divided into five main areas The breakdown of findings across the five areas is shown in Figure for all 52 agencies audited The figure shows that weaknesses in access controls made up 41 per cent of security findings Access controls are the most basic and inexpensive control to implement Weaknesses with network security controls made up a further 23 per cent of our findings Such weaknesses can leave information and systems on an agency’s network vulnerable Figure 4: Security Control Findings Access controls and network security were the two most common types of security weakness among the 52 agencies Agencies not understand the implications of having weak access controls Typical information security control weaknesses we identified were: • • Two agencies stored unsecured credit card details One of these agencies was storing the information on a network accessible by any user and the other through an application Neither of the two agencies were compliant with Payment Card Industry (PCI) standards as required by credit card providers • 28 At one agency we were able to view and access bank account details of other organisations via an Internet payment system used by many agencies Critical files for payments to staff and external suppliers were stored on unsecured network folders allowing the files to be read and manipulated prior to processing In several agencies we easily guessed or obtained passwords to view thousand’s of sensitive records and confidential information Information Systems Audit Report l Western Australian Auditor General Application and General Computer Controls Audits • Thousands of active accounts across agencies belonging to former staff with high privileges providing access to computer resources and information Many of these agencies would not know if unauthorised access had occurred In two agencies we found a number of these accounts had been used to log onto the network and access key applications The agencies were unable to tell what information was accessed • Instances of no segregation of duties amongst staff involved in financial processing and payments resulting in a high risk of fraudulent activity Three of these staff had unlimited purchase limits and could raise purchase orders, approve the purchase and receipt the goods in the system • New user accounts created and given access to agency networks without appropriate authorisation and without the user acknowledging their responsibilities • Hundreds of active default database accounts across the agencies with default passwords Attempting to log into computer systems and databases using default passwords is a common strategy to gain unauthorised access to systems and information Network security plays an important part in protecting applications and information resources The vulnerability assessments we perform consistently reveal that most agencies are not protecting their key applications and databases adequately We identified a number of weaknesses across most agencies which could affect the confidentiality, integrity and availability of computer systems Specifically: • No logging of user activity to identify exceptions affecting agency networks, computer applications and database information As a result, security breaches can go undetected Two agencies that were logging user activity only kept the logs for several hours before overwriting them • Methods of managing devices on networks were insecure, allowing log-on credentials to be easily intercepted These credentials could then be used to access agency networks and information • At two agencies we found excessive numbers of firewall administrators who could make changes to firewall settings These agencies had no records of changes made to their firewalls In addition, the firewalls did not log exceptions, such as attempted unauthorised access, so that staff could assess potential threats and problems to agency computer systems • Agencies allowing uncontrolled installation of software on computers risking noncompliance with software licensing agreements and introducing a wide variety of threats Threats include the introduction of viruses and spyware to the agency computer environment • Numerous servers and workstations across agencies that did not have updated anti-virus software Some agencies were unaware that their virus updates were failing and that their systems had no protection Western Australian Auditor General l Information Systems Audit Report 29 Application and General Computer Controls Audits • A number of agencies lacked any controls to prevent or detect unauthorised devices connecting to their networks We were able to connect to network devices and gain access to a variety of information with the agency’s IT staff unable to detect the intrusion Policies and procedures help agency staff understand requirements and responsibilities Typical types of policy and procedural weaknesses we identified were: • Agencies either having no established security policies and practices or their policies and practices were inadequate Many agencies have not enforced policies or procedures even when they had been documented • Agency staff not having certified that they understand and accept agency policies relating to acceptable use of information systems and the confidentiality of information Several agencies requiring staff to have background checks and police clearances had not enforced this requirement prior to allowing access to systems and information • Agencies lacking incident response procedures We examined a number of ‘phishing’ security incidents at one agency where staff disclosed their system credentials to external perpetrators Although the incidents were reported to management, the absence of agreed incident response procedures meant that they were inconsistently classified and handled • No ongoing IT Security awareness program to inform users of their role and responsibilities regarding IT Security and the services IT Security can provide Business continuity 64% 49% 15% 36% 51% Continuity 2008 Continuity 2009 To ensure business continuity, agencies should have in place a business continuity plan (BCP), a disaster recovery plan (DRP) and an incident response plan (IRP) The BCP defines and prioritises business critical operations and therefore determines the resourcing and focus areas of the DRP The IRP needs to consider potential incidents and detail the immediate steps to ensure timely, appropriate and effective response These plans should be tested on a periodic basis Such planning and testing is vital for all agencies as it provides for the rapid recovery of computer systems in the event of an unplanned disruption affecting business operations and services We examined whether plans have been developed and tested Although we found an improvement of 15 per cent from last year, nearly half of the agencies did not have adequate business continuity arrangements We identified the following types of business continuity issues: • 30 Agencies had not conducted risk assessments or business impact analysis to inform and assist development of appropriate BCPs A small number of agencies did not have any disaster recovery, business continuity or incident response plans for any of their computer systems Information Systems Audit Report l Western Australian Auditor General Application and General Computer Controls Audits • Some DRPs may not support business requirements or needs as they were developed without any business unit input • Agencies lack documented incident response procedures increasing the risk that incidents may not be managed in a timely or effective manner particularly in the absence of key staff Additionally, required approval processes, escalations and critical systems can be overlooked in an emergency leading to further disruption • Many agencies have not adequately tested and maintained BCPs and DRPs for the recovery of systems that support critical business functions and services The lack of testing means the length of time required to recover key systems back to an operational state is unknown Infrastructure and systems will fail in the event of a power disruption and information may be permanently lost We found several agencies had not tested their ‘uninterrupted power supplies’ (UPS) Without regular testing and maintenance of the UPS, agencies cannot be confident that it will work in the event of a power disruption We have found several instances where the UPS devices will fail if disruption to power occurs We also found many instances of backup media stored in areas that not provide sufficient protection against accidental or deliberate damage This included backup media stored onsite and/or in unsecured areas Some agencies are only storing their backups for short periods of time (less than six hours) before over writing them Change control 45% 32% 13% 55% 68% Change 2008 Change 2009 An overarching change control framework is essential to ensure a uniform standard change control process is followed, to achieve better performance, to reduce time and staff impacts and to increase the reliability of changes When examining change control, we expect defined procedures are used consistently for changes to IT systems The objective of change control is to facilitate appropriate handling of all changes We examined whether changes are appropriately authorised, implemented, recorded and tested We reviewed any new applications acquired or developed and evaluated the consistency with management’s intentions We also tested whether existing data converted to new systems was complete and accurate We found an improvement from last year of 13 per cent in change control practices by agencies Nearly 70 per cent of agencies were meeting our benchmark for change controls Despite the improvements we still found issues at over 30 per cent of agencies we reviewed In some cases this has adversely affected agency systems and functions Western Australian Auditor General l Information Systems Audit Report 31 Application and General Computer Controls Audits Uncontrolled changes have left agencies not knowing the status of their computer systems and suffering unplanned outages There is a risk that without adequate change control procedures, systems will not process information as intended and agency’s operations and services will be disrupted There is also a greater chance that information will be lost and access given to unauthorised persons We found a range of change control weaknesses including: • Five agencies were unaware of their network configurations and architecture as a result of unapproved or undocumented changes This meant that there was no up-to-date record of the current configurations needed to restore or fix critical systems if required • Four agencies had made significant changes to critical systems with no assessment of potential impacts In one agency we tested and found unauthorised program changes had been made to financial applications without the agency knowing • A lack of change management processes for three applications leading to failure of business functions at one agency This agency incurred significant downtime and had to enter information manually in several applications to recover • There was an overall lack of documented policies or procedures for how changes are to be made to key applications, databases and the IT infrastructure In several cases, even where policies and procedures did exist, they were not followed Physical security 27% 33% 6% 67% 73% Physical 2008 Physical 2009 We examined whether computer systems were protected against environmental hazards and related damage We also determined whether physical access restrictions are implemented and administered to ensure that only authorised individuals have the ability to access or use computer systems We found a six per cent improvement from last year in agency management of physical security, with over 70 per cent of agencies meeting our benchmark However in the new agencies we assessed, four of the seven had poor physical security controls Inadequate protection of IT systems against various physical and environmental threats increases the potential risk of unauthorised access to systems and information and system failure Some common areas we identified for improvement included: • • Agencies not complying with their own policies for security over server rooms containing critical equipment • 32 Multiple instances of staff, contractors and maintenance people with unauthorised access to server rooms In some agencies IT management not control the access to the server room and users are provided access unnecessarily Agencies not recording or maintaining records of who has keys to server rooms containing critical infrastructure In one agency the computer room and agency ‘tea room’ can be accessed using the same key A number of master keys were also distributed among non IT staff with no registers Information Systems Audit Report l Western Australian Auditor General Application and General Computer Controls Audits • Agencies locating vital network operating infrastructure such as routers and wireless access points in freely accessible areas • Server rooms lacking environmental controls such as temperature, humidity and smoke alarms, air conditioning and fire extinguishers We found several server rooms operating at high temperatures • Server room doors left open or unlocked and unsecured server racks leaving network devices exposed to deliberate or accidental disruptions by individuals that enter the server room Western Australian Auditor General l Information Systems Audit Report 33 Auditor General’s Report Report Number 2010 Reports Date Tabled The Planning and Management of Perth Arena 10 March 2010 13 Audit Results Report: 2008-09 Assurance Audits 11 November 2009 12 Fourth Public Sector Performance Report 2009 – Preliminary Examination of the Royalties for Regions Program – Accountability for Government Grants – Management of Government Purchasing Cards 11 November 2009 11 Third Public Sector Performance Report 2009 – Regulation of Firearms – Follow-up – Managing Staff Attendance in the Public Sector – Evaluation in Government 21 October 2009 10 Adult Community Mental Health Teams: Availability, Accessibility and Effectiveness of Services 14 October 2009 Every Day Counts: Managing Student Attendance in Western Australian Public Schools 19 August 2009 Opinion on Ministerial Notification: Ministerial Decision to not Provide Information to Parliament – Country Age Pension Fuel Card 19 August 2009 Second Public Sector Performance Report – Dangerous Goods Safety – Compliance in Western Australia’s Commercial and Recreational Fisheries 25 June 2009 Maintaining the State Road Network 17 June 2009 Rich and Rare: Conservation of Threatened Species 10 June 2009 Coming, Ready or Not: Preparing for Large-scale Emergencies 20 May 2009 Audit Results Report – 31 December 2008 Assurance Audits and other audits completed since November 2008 May 2009 Information Systems Audit Report April 2009 Public Sector Performance Report 2009 – Management of Water Resources in Western Australia – Follow-up – Administration of the Metropolitan Region Scheme by the Department for Planning and Infrastructure – Management of Fringe Benefits Tax April 2009 2009 Reports The above reports can be accessed on the Office of the Auditor General’s website at www.audit.wa.gov.au On request these reports may be made available in an alternative format for those with visual impairment 34 Information Systems Audit Report l Western Australian Auditor General ... individuals that enter the server room Western Australian Auditor General l Information Systems Audit Report 33 Auditor General’s Report Report Number 2010 Reports Date Tabled The Planning and... ACTING AUDITOR GENERAL 24 March 2010 Information Systems Audit Report l Western Australian Auditor General Contents Auditor General’s Overview IS Compliance Audit: Security of Laptop and Portable... Controls Audits 17 Application Controls 20 General Computer Controls and Capability Assessments for Agenices 24 Western Australian Auditor General l Information Systems Audit Report Auditor General’s