PROGRESS ON THE IMPLEMENTATION OF AUDIT RECOMMENDATIONS FOR - PowerPoint Presentation

Uploaded by yoshiko-marsland on 2017-10-02

Presentation Transcript

Slide1

PROGRESS ON THE IMPLEMENTATION OF AUDIT RECOMMENDATIONS FOR 2014/15: INFORMATION AND COMMUNICATION TECHNOLOGY (ICT)

Briefing presentation to the Portfolio Committee on Environmental Affairs (PCEA)

16 February 2016

Slide2

PRESENTATION OUTLINE

- Summary for the implementation of audit recommendations
- Information Technology (IT) security management
- IT service continuity
- Corporate Governance of IT / Governance of IT

Slide3

SUMMARY FOR THE IMPLEMENTATION OF AUDIT RECOMMENDATIONS

% Resolved: 71.4% (5/7)
- IT Security Plan approved,
- Server baseline procedure/security settings updated,
- Disaster Recovery Plan approved,
- Patch Management practices adequately implemented, and
- Corporate Governance of ICT customised/approved/implemented.

% Partially resolved: 28.6% (2/7)
- User Access management practices adequately implemented (policy developed; approval process outstanding, to be finalised by 31 March 2016), and
- The Demilitarised Zone configurations have been optimised, ensuring segregation (migration of internet facing systems commenced as per the approved plan).

% Not resolved: 0% (0/0)
- None

Slide4

INFORMATION TECHNOLOGY (IT) SECURITY MANAGEMENT

Key audit finding: There is no formally approved IT Security Plan in place at the Department.
Recommendations: Management is encouraged to develop an IT security plan.
Progress: IT Security Plan developed and approved by the Accounting Officer in July 2015; implementation underway.
Status: Resolved

Key audit finding: Outdated server baseline security policies and procedures: Disaster Recovery Plan (DRP) approved 2012; multiple control failures relating to general system security settings; inadequate access to privileged IT functions; inadequate access to system resources and utilities; and inadequate patch management.
Recommendations: Management is encouraged to develop, approve, implement and communicate formal security baseline standards and procedures. Procedures should ensure that risks relating to the configuration of servers are addressed. User Account Management, Access Control Management, Configuration and Supporting Processes should be well defined and adequately enforced.
Progress: The approved IT Security Plan makes provision for formal baseline standards and procedures; an approved server configuration guide is in place; and the DRP was reviewed and approved in July 2015 with baseline configuration to recover systems. Server standard configuration procedures are in place. The approved user account management policy outlines the required configurations for access control systems, and the supporting process for access management is implemented or enforced.
Status: Resolved

Slide5

IT SECURITY MANAGEMENT

Key audit finding: Inadequate implementation of the patch management practices: multiple vulnerabilities relating to missing patches were noted during the assessment; the monthly patch cycle was not complied with, as patches released 35 days back, and some older, were found to be outstanding.
Recommendations: Management is encouraged to expedite addressing the resource capacity constraints. Monthly reports should be provided to the GITO regarding the status of updates on both Microsoft and non-Microsoft applications.
Progress: IT Security Manager appointed in March 2015. Monthly patch deployment/compliance reports are provided to IT Management/GITO (both Microsoft and non-Microsoft applications are addressed). Patch deployments follow the relevant cycle as per the approved patch management policy. Regular compliance monitoring and scanning is also done to identify and fix any non-compliant systems.
Status: Resolved

Slide6

IT SECURITY MANAGEMENT

Key audit finding: Firewall management inadequately designed and implemented: access between the Demilitarized Zone (DMZ) and the Department's internal network is not effectively restricted by the firewall for internet facing systems.
Recommendations: Management should ensure that the DMZ is segregated from the internal network, and the internal environment should be well designed and adequately secured.
Progress: The firewall rules have been revised/optimised, implementing the recommended restrictions/security measures to ensure the DMZ is effectively segregated from the internal network (optimisation report signed off by the GITO). A plan has been developed and approved to migrate internet facing systems to the DMZ.
Status: Partially Resolved. To be fully resolved by 31 March 2016. New due date: March 2017.

Slide7

INFORMATION TECHNOLOGY SECURITY MANAGEMENT

Key audit finding: Inadequate implementation of user account management on the local area network: the requirements to review access and logon violations have not been included in the user account management policy; access and logon violations, as well as the activities of users with administrator privileges, were not being monitored on a regular basis; and there were no regular reviews of access.
Recommendations: Management is encouraged to review the User Account Management policy and ensure that it makes provision for the review of access and logon violations; enable the required audit trails and regularly monitor the access and logon violations and activities of the administrative users. User privileges should also be reviewed on a regular basis to ensure that users only have appropriate access in accordance with the User access management policy.
Progress: The policy has been reviewed and makes provision for access and logon violations; approval is underway, to be concluded before 31 March 2016. Audit trails have been enabled on critical systems, and monitoring of access/logon violations and activities of privileged users is done on a regular basis. The review of user privileges has commenced; reports will be submitted on a quarterly basis to IT management.
Status: Partially Resolved. To be fully resolved by 31 March 2016.

Slide8

INFORMATION TECHNOLOGY SERVICES CONTINUITY

Key audit finding: Outdated Business Continuity Plan (BCP) and Information Technology Disaster Recovery Plan: plans have not yet been updated to reflect the changes in the environment since the relocation to the new office building, which also includes the migration to Microsoft Active Directory.
Recommendations: Management is encouraged to update the current BCP and DRP with the changes in the environment due to the relocation to the new office building and migration projects from IT. The updated BCP, including the DRP, should periodically be tested to ensure that the plan is practical with regard to its execution/activation.
Progress: The BCP has been updated by the respective Directorate, with inputs from relevant Management structures, to reflect the changes of the new environment and to outline all the continuity requirements. The IT Disaster Recovery Plan has been reviewed and updated to cater for the new environment and platforms in place, and was approved by the Accounting Officer in July 2015. The DRP is tested twice annually; the first test has been concluded successfully. The second recovery test is scheduled before the financial year end (disaster recovery site commissioned at SITA Centurion).
Status: Resolved

Slide9

IT GOVERNANCE

Key audit finding: Inadequate Corporate Governance of ICT (CGICT) framework, charter and practices: the framework was not customised for the Department's unique environment; the charter does not show all the structures and RACI, and there is no evidence for the establishment of those; delegation of relevant structures, roles or capacity; GITO not part of the executive committee. Findings continue on the next slide.
Recommendations: The Accounting Officer, in consultation with the Chief Director: GITO, should review the current CGICT framework and customise it to the environment within which the Department operates, to ensure that it is implementable. Following the revision and customisation of the framework, a CGICT charter and policy should be revised and implemented. Included in this should be the establishment of the different structures and positions, together with the assignment of the roles and responsibilities and reporting lines.
Progress: The CGICT policy and charter were reviewed/updated to cater for all the requirements and customised to the Department's context, and approved by the Accounting Officer in October 2015. The CGICT Policy and Charter are currently being implemented, noting that most of the structures/principles are implemented already. Relevant structures and capacity/roles have been revived/established/delegated/implemented (GITO, Governance Champion, ICT Strategic (Governance & Administration)/Steering/Operational Committee, ICT managers).
Status: Resolved

Slide10

INFORMATION TECHNOLOGY GOVERNANCE

Key audit finding: GITO not reporting to the Accounting Officer. Risk Management policy not informed by COBIT. Information plan and security policy not addressing information classification requirements.
Recommendations: GITO should report to the Accounting Officer. Risk management policy should be informed by COBIT. Information plan and security policy should address information security requirements.
Progress: GITO reporting to the COO, due to the current reporting scope for the Accounting Officer. GITO is a permanent member of the Executive Strategic Committee (Governance and Administration cluster: sub-committee of EXCO), and ICT is a standing agenda item on that forum. The Enterprise Risk Management policy is informed by the COSO Framework, as COBIT complements COSO. The reviewed IT security policy (approved December 2015) caters for information classification and security requirements in line with the Minimum Information Security Standard. The Information Plan that is part of the Master Systems Plan does not address information classification/security requirements for information, but those are addressed in other IT documents such as the IT Security Plan, IT Security Policy and EDMS policy, and measures are in place to ensure that classified information is effectively protected on ICT systems.
Status: Resolved

Note: The updates provided for resolving the Information plan and the Risk Management practices have been forwarded to the Auditors for consideration (as the Framework calls for a flexible implementation, since Departments are unique).

Slide11

Thank you.