Subject IT SECURITY
Author Deidre Butler
Typed by Harma Freese
Submitted to Council/Community Board/Council Subcommittee/Board Committee
Name of Board/Committee/Subcommittee Audit & Risk Subcommittee
Date of Meeting 5 December 2005
Date Required by Secretariat 30 November 2005
Community Board Consultation Not Required
Matter Previously Considered by Council No If Yes, date
Public Excluded Yes If Yes, Section of Act
Significance Medium
CONFIRMATION OF COMPLIANCE
The attached reports:
1. Contain sufficient information about the options and their benefits and costs, bearing in mind the significance of the decision; and
2. Are based on adequate knowledge about, and consideration of, the views and preferences of affected and interested parties bearing in mind the significance of the decision.
3. Are accompanied by completed checklists that have been sighted and are on file.
NAME POSITION SIGNATURE
Prepared by Deidre Butler Chief Information Officer
Approved by Chris Kerr Corporate Support Unit Manager
Approved by Roy Baker General Manager of Corporate
IT SECURITY
General Manager responsible: General Manager Corporate Services
Officer responsible: Chief Information Officer (Deidre Butler)
Author: Deidre Butler, DDI 941-8787
PURPOSE OF REPORT
1. The purpose of this report is to update the Audit Subcommittee on the progress made in upgrading IT security, specifically against a comprehensive IT security audit carried out by Ernst and Young three years ago.
STAFF RECOMMENDATION
BACKGROUND
2. The comprehensive IT Security Audit undertaken by Ernst and Young identified 21 primary security vulnerabilities in Christchurch City Council systems. To date, of these identified concerns:
• some have been attended to
• some are no longer applicable
• some require policy decisions from the business
• some still require attention and
• some were considered to be overstated for the Council context
3. The predominant risk to the security of our IT systems is from virus attacks, primarily from our connection to the global network - the internet. On a daily basis CCC are subject to over 200 attacks; this can climb to thousands of attacks daily when there is heightened virus activity.
4. Regardless, over the past five years CCC has had only 3 significant breaches. These have all been contained quickly and effectively (albeit by significant input from IT staff). Over the past year there have been no infiltrations.
5. CCC have in place multiple levels of protection for virus activity. The anti-virus filter at the internet gateway is automatically updated with new anti-virus definitions every hour. These are then pushed out to all PCs to prevent infection via other sources (e.g. from floppy disks or from connections made when laptops are at home).
6. In general the CCC systems are well managed and therefore relatively ‘secure’. However, this needs to be continually maintained as new technologies evolve and new ‘threats’ emerge on a daily basis.
Future
7. The ITS Group has been realigned in context with the changing CCC organisation. It is now called Information Management & Communications Technology and has a broader mandate and an across-Council role and responsibilities; additional resources and skill sets have been brought on board in support. This includes the new role of a Security Co-ordinator who is dedicated to, and responsible for, security processes and procedures across the IM&CT systems. With this new resource, a number of items identified in the Ernst & Young report can now be picked up with focus by the Security Co-ordinator. The incumbent will work closely with the Audit / Risk function of the Council across the area of Security alongside Disaster Recovery, Access Control and Authorisation. This will bring a significant focus on ensuring good practice and processes are in place across the breadth of Council IM&CT systems.
Detail
8. Below is an overview of the 21 primary security vulnerabilities identified by Ernst and Young and an update on their status.
WINDOWS SERVERS ISSUES
Deletion of Old Accounts
Ernst & Young Recommendation:
9. Regular review and removal of old accounts
CCC IM&CT Comments:
10. Many old accounts remain because correct HR processes were not followed, and therefore the business made no request to remove them.
Status:
11. Processes now being followed for SAP and GEMS accounts. Security Co-ordinator to review processes for others.
LACK OF ‘STRONG’ PASSWORDS
Ernst & Young Recommendation:
12. Use ‘strong’ passwords
CCC IM&CT Comments:
13. Strong passwords are random strings of numbers and letters. In the past, customers have complained about the difficulty of remembering these.
Status:
14. CCC management need to determine whether the policy for passwords needs changing to reflect a need for ‘strong’ passwords. The Security Co-ordinator has now picked this up.
VIRUS PROTECTION (WINDOWS 2000)
Ernst & Young Recommendation:
15. Further levels of virus protection
CCC IM&CT Comments:
16. Two levels of virus protection now in place. The anti-virus filter at the internet gateway is automatically updated with new anti-virus definitions hourly. These are then pushed out to all PCs to prevent infection from other sources, such as diskettes or from connections made when laptops have been at home.
Status:
17. The high availability of CCC systems and lack of virus infection despite large numbers circulating in the ‘marketplace’, suggest CCC has an appropriate level of virus protection currently.
VIRUS PROTECTION (WINDOWS NT)
Ernst & Young Recommendation:
18. Further levels of virus protection
Status:
ATTACK MANAGEMENT
Ernst & Young Recommendation:
20. Invest in systems to analyze and report on external attacks and possible intrusion.
CCC IM&CT Comments:
21. CCC maintain logs of the huge numbers of attempts to break into CCC systems, but currently do not analyse these. This is because no software is in place to do so, nor are the resources available to undertake this activity.
Status:
22. The Security Co-ordinator will consider this requirement when they are on board.
ANONYMOUS ACCESS
Ernst & Young Recommendation:
23. Anonymous access be disabled.
CCC IM&CT Comments:
24. Anonymous access is required for the GEMS product.
Status:
25. This will be further investigated by the Security Co-ordinator.
INSUFFICIENT SECURITY PATCHING (WINDOWS 2000)
Ernst & Young Recommendation:
26. Maintain systems with latest service and security patches.
CCC IM&CT Comments:
27. This activity has been tightened up with fortnightly Microsoft security patches being applied.
Status:
28. Significant resource commitment and good systems have been put in place by CCC ensuring patches are up to date on servers and PCs.
INSUFFICIENT SECURITY PATCHING (WINDOWS NT)
Ernst & Young Recommendation:
29. Maintain systems with latest service and security patches.
Status:
30. We no longer use Windows NT.
TELNET
Ernst & Young Recommendation:
CCC IM&CT Comments:
32. This access has been disabled, with users being moved onto connection via the internet.
Status:
33. Access has been disabled.
NETWORK EQUIPMENT ISSUES - DOCUMENTATION
Ernst & Young Recommendation:
34. Document network equipment admin procedures
CCC IM&CT Comments:
35. To be actioned by the Security Co-ordinator
Status:
36. To be undertaken
CORE SWITCH PASSWORD
Ernst & Young Recommendation:
37. Use stronger level encryption on the Core Switch password
CCC IM&CT Comments:
38. This wasn’t possible with the Operating System version we had previously. Since upgraded and actioned.
Status:
39. Actioned
SNMP ACCESS
Ernst & Young Recommendation:
40. Create access controls for SNMP admin access to network equipment
CCC IM&CT Comments:
41. To be actioned by the Security Co-ordinator
Status:
42. To be undertaken
FIREWALL INCIDENT PLAN
Ernst & Young Recommendation:
43. Formal plans for handling firewall incidents (such as finding attackers, containing and deleting an intruder).
CCC IM&CT Comments:
Status:
45. To be undertaken
FIREWALL SNMP ACCESS
Ernst & Young Recommendation:
47. Needs to be secured by a unique community string
Status:
48. Actioned.
MAIL - OUTLOOK WEB ACCESS
Ernst & Young Recommendation:
49. The server should be in the DMZ zone without a LAN connection
CCC IM&CT Comments:
50. Currently connected to both the DMZ and LAN
Status:
51. To be actioned as part of a planned upgrade to be undertaken in the next few months.
INTERNET SECURITY SERVICE (ISA) SERVICE PACKS
Ernst & Young Recommendation:
52. Be updated with latest service packs
CCC IM&CT Comments:
53. Done
Status:
54. Actioned
TUNNELS THROUGH FIREWALL
Ernst & Young Recommendation:
55. Locate in DMZ
CCC IM&CT Comments:
56. This has been addressed through upgrades.
Status:
57. Higher security than EY’s recommendation will be provided by the ISA2004 upgrade currently being planned to progress in the next few months.
PUBLIC TERMINALS - PHYSICAL SECURITY
Ernst & Young Recommendation:
58. Padlocked, possibly hidden from view, possibly diskette & CD drives removed
CCC IM&CT Comments:
59. These terminals are the responsibility of the Libraries, who, at the time of the report, managed their own equipment.
Status:
60. Issue has been raised with Libraries and PC cases have been locked and the cables have been secured.
CD AUTORUN
Ernst & Young Recommendation:
61. Should be disabled
CCC IM&CT Comments:
63. These terminals are the responsibility of the Libraries, who, at the time of the report, managed their own equipment.
Status:
64. Done
CITRIX - SERVICE PACKS
Ernst & Young Recommendation:
65. Should be up to date
CCC IM&CT Comments:
66. Citrix capability is used for working from home and some GEMS terminals. Validating with GEMS created complications.
Status:
67. Working through the issues – staff shortage has delayed this being completed.
REMOTE ACCESS - RAS LOGIN ATTEMPTS
Ernst & Young Recommendation:
68. An unlimited number of login attempts permitted. This should be restricted.
Status: