Report 12: 2017

Information Systems Audit Report

General computer controls and capability assessments

Introduction

The objective of our general computer controls (GCC) audits is to determine whether computer controls effectively support the confidentiality, integrity, and availability of information systems. General computer controls include controls over the information technology (IT) environment, computer operations, access to programs and data, program development and program changes. In 2016 we focused on the following control categories:

  • management of IT risks
  • information security
  • business continuity
  • change control
  • physical security
  • IT operations.

Conclusion

We reported 441 general computer controls (GCC) issues to the 46 agencies audited in 2016 compared with 454 issues at 45 agencies in 2015.

There was also a decrease in the number of agencies assessed as having mature general computer control environments across all 6 categories of our assessment. Only 7 agencies met our expectations for managing their computer environments effectively, compared with 10 in 2015.

While system change controls and physical security are managed effectively by most agencies, 2 of the categories, information security and business continuity, have shown no improvement in the last 9 years. The majority of issues we have identified can be easily addressed with better password management and ensuring processes to recover data and operations in the event of an incident are kept updated.

By not prioritising the security and continuity of their information systems, agencies risk disrupting the delivery of vital services to the community and compromising the confidentiality and integrity of the information they hold.

Background

We use the results of our GCC work to inform our capability assessments of agencies. Capability maturity models are a way of assessing how well developed and capable the established IT controls are and how well developed or capable they should be. The models provide a benchmark for agency performance and a means for comparing results from year to year.

The models we developed use accepted industry good practice as the basis for assessment. Our assessment of the appropriate maturity level for an agency’s general computer controls is influenced by various factors. These include: the business objectives of the agency; the level of dependence on IT; the technological sophistication of their computer systems; and the value of information managed by the agency.

Audit focus and scope

We conducted GCC audits at 46 agencies. This is the ninth year we have assessed agencies against globally recognised good practice.

We provided 41 of the 46 agencies with capability assessment documentation and asked them to complete and return the forms at the end of the audit. We then met with each of the agencies to compare their assessment and ours, which was based on the results of our GCC audits.

We use a 0-5 scale rating[1] to evaluate each agency’s capability and maturity levels in each of the GCC audit focus areas. The models provide a baseline for comparing results for agencies from year to year. This year we have included specific case studies where information security weaknesses potentially compromise agencies’ systems.

[1] The information within this maturity model assessment is based on the criteria defined within the Control Objectives for Information and related Technology (COBIT) manual.

Table 1 - Rating criteria

Audit findings

Our capability maturity model assessments show that agencies need to establish better controls to manage IT operations, IT risks, information security and business continuity. Figure 1 summarises the results of the capability assessments across all categories for the 41 agencies assessed. We expect agencies to rate a level 3 or better across all the categories.

Figure 1 - Capability maturity model assessment results

The model shows that the categories with the greatest weakness were management of IT risks, information security and business continuity.

The percentage of agencies reaching level 3 or above for individual categories was as follows:

Table 2 - Percentage of agencies at level 3 or above

The results for information security and business continuity were disappointing. They show that 61% of agencies failed to achieve a level 3 or higher in information security and 73% failed to meet level 3 or higher in business continuity.

However, the following agencies have consistently demonstrated good management practices across all areas assessed.

  • Lotterywest (5 years at level 3 or higher)
  • Department of the Premier and Cabinet (4 years at level 3 or higher)
  • Racing and Wagering Western Australia (3 years at level 3 or higher)

Information security

Only 39% of agencies met our benchmark for effectively managing information security, down 1% from the previous year. It is clear from the basic security weaknesses we identified that many agencies are lacking some important and fundamental security controls needed to protect systems and information. The trend across the last 9 years shows no change to information security controls.

We assessed whether agency controls were administered and configured to appropriately restrict access to programs, data, and other information resources.

Figure 2 - Information security

Weaknesses we found included:

  • information security policies did not exist, were out of date or not approved
  • hundreds of sensitive documents shared publicly on the internet due to vulnerabilities
  • easy-to-guess passwords for networks, applications and databases, e.g. Password, Password1, guest or no password at all
  • applications and operating systems without critical updates applied (more than 11,000 critical and high severity)
  • highly privileged generic accounts shared with many staff and contractors, some accounts exist without agency knowledge
  • lack of processes and skill to identify security vulnerabilities within IT infrastructure
  • no review of highly privileged application, database and network user accounts
  • excessive domain administrator accounts – 1 agency had 60 assigned to a contractor
  • unauthorised access to systems from the internet by former staff
  • anti-virus software not installed or out of date
  • default database accounts remain unchanged with credentials widely known and published on the internet.
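
The following is an added example, not code from the report or from any agency. It audits a constructed account inventory for the credential and privileged-account weaknesses listed above: blank, guessable and vendor-default passwords, privileged accounts shared between people, privileged accounts with no recent review, and domain administrator accounts concentrated in one organisation or contractor. The account records, the weak-password list, the default-credential list and the thresholds (policy minimum length, 90-day review interval, 5 domain administrators per organisation) are all assumptions. Cleartext passwords appear in the inventory only to keep the example self-contained; a real audit tests vendor defaults by attempting to authenticate and tests guessability against the hash store offline.

```python
"""Credential and privileged-account audit over a constructed inventory.

Added example, not from the audit report. The account records, the weak-
password list, the default-credential list and the thresholds are all
assumptions. Cleartext passwords appear here only to keep the example
self-contained; a real audit tests vendor defaults by attempting to
authenticate and tests guessability against the hash store offline.
"""
from datetime import date

# Passwords the report lists as found in use, plus common variants (assumed list).
WEAK_PASSWORDS = {"", "password", "password1", "guest", "admin", "welcome", "123456"}

# Vendor default (account, password) pairs; illustrative subset.
DEFAULT_CREDENTIALS = {("scott", "tiger"), ("sa", ""), ("root", "")}

MIN_LENGTH = 10                # assumed policy minimum length
REVIEW_INTERVAL_DAYS = 90      # assumed: privileged accounts reviewed quarterly
MAX_DOMAIN_ADMINS_PER_ORG = 5  # assumed ceiling per organisation or contractor


def is_weak_password(username, password):
    """True if the password is blank, on the weak list, below the policy
    length, or the username with digits/punctuation appended (jsmith2017)."""
    pw = password.lower()
    if pw in WEAK_PASSWORDS or len(pw) < MIN_LENGTH:
        return True
    stem = pw.rstrip("0123456789!@#$")  # 'password1!' -> 'password'
    return stem in WEAK_PASSWORDS or stem == username.lower()


def audit_accounts(accounts, today):
    """Return (subject, finding) pairs for one inventory snapshot."""
    findings = []
    domain_admins = {}  # organisation -> [account names]
    for acct in accounts:
        name = acct["name"]
        if (name, acct["password"]) in DEFAULT_CREDENTIALS:
            findings.append((name, "default vendor credential unchanged"))
        elif is_weak_password(name, acct["password"]):
            findings.append((name, "easy-to-guess password"))
        if acct["privileged"]:
            users = acct["used_by"]
            if len(users) > 1:
                findings.append((name, f"privileged account shared by {len(users)} people"))
            last = acct.get("last_reviewed")
            if last is None or (today - last).days > REVIEW_INTERVAL_DAYS:
                findings.append((name, "privileged account not reviewed"))
        if acct.get("domain_admin"):
            domain_admins.setdefault(acct["org"], []).append(name)
    for org, names in domain_admins.items():
        if len(names) > MAX_DOMAIN_ADMINS_PER_ORG:
            findings.append((org, f"{len(names)} domain administrator accounts"))
    return findings


# Constructed inventory snapshot (not real agency data).
SAMPLE_ACCOUNTS = [
    {"name": "jsmith", "password": "Correct-Horse-Battery-9", "privileged": False,
     "used_by": ["jsmith"], "org": "agency"},
    {"name": "guest", "password": "", "privileged": False,
     "used_by": ["guest"], "org": "agency"},
    {"name": "svc_backup", "password": "Password1", "privileged": True,
     "used_by": ["ops1", "ops2", "contractor7"], "org": "agency", "last_reviewed": None},
    {"name": "scott", "password": "tiger", "privileged": True,
     "used_by": ["dba"], "org": "agency", "last_reviewed": date(2016, 12, 1)},
] + [
    {"name": f"da{i}", "password": "Xy7!long-random-passphrase", "privileged": True,
     "used_by": [f"da{i}"], "org": "contractor-x", "domain_admin": True,
     "last_reviewed": date(2016, 12, 1)}
    for i in range(6)
]


def audit_sample():
    """Run the audit over the constructed snapshot as at 1 January 2017."""
    return audit_accounts(SAMPLE_ACCOUNTS, date(2017, 1, 1))


if __name__ == "__main__":
    for subject, finding in audit_sample():
        print(f"{subject:14} {finding}")
```

The default-credential test runs before the weak-password test so that an unchanged vendor account is reported as such rather than merely as a short password; the two findings call for different fixes (disable or rename the account versus rotate the password).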

Information security is critical to protecting the integrity and reliability of key financial and operational systems against accidental or deliberate threats and vulnerabilities.

Specific examples where security weaknesses compromised agency information

Many agencies remain vulnerable to attacks from the internet and are at risk of being compromised. We performed vulnerability assessments and reported over 1,800 critical and 9,200 high severity vulnerabilities on a small sample of key systems to 29 agencies. Security issues ranged from software updates not being applied to weak passwords, malware infections, unauthorised access and disclosure of sensitive and confidential information.

We also performed tests demonstrating that agencies failed to detect information leaving their networks over the internet and were unaware of the risks. The following case studies demonstrate the risks to agency information when it is not securely managed.

Case studies

Business continuity

To ensure business continuity, agencies should have in place a business continuity plan (BCP), a disaster recovery plan (DRP) and an incident response plan (IRP). The BCP defines and prioritises business critical operations and therefore determines the resourcing and focus areas of the DRP. The IRP needs to consider potential incidents and detail the immediate steps to ensure timely, appropriate and effective response.

These plans should be tested on a periodic basis. Such planning and testing is vital for all agencies as it provides for the rapid recovery of computer systems in the event of an unplanned disruption affecting business operations and services.

We examined whether plans have been developed and tested. The result was 9% lower than last year: 73% of agencies still do not have adequate business continuity and disaster recovery arrangements in place. The trend over the last 9 years shows that agencies are not giving sufficient priority to disaster recovery and continuity.

Figure 9 - Business continuity

Weaknesses we found included:

  • no BCPs
  • BCPs in draft or not reviewed for many years
  • tolerable outages for critical systems not defined
  • no DRPs
  • old and redundant DRPs with some not reflecting current ICT infrastructure
  • DRPs never tested
  • backups never tested and not stored securely
  • uninterruptible power supplies not tested or not functional.
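
The following is an added example, not code from the report or from any agency, showing the kind of restore test that addresses the "backups never tested" finding. It builds a small constructed data set, backs it up with a SHA-256 manifest kept apart from the archive, restores the archive into a scratch directory and compares every file with the manifest, then repeats the test against a truncated copy of the archive to show that a damaged backup is reported as a failed test rather than a successful one. The directory layout, file contents and the one-day recovery point objective are assumptions.

```python
"""Restore-and-verify test for a file backup.

Added example, not from the audit report. Builds a constructed data set,
backs it up with a separately stored SHA-256 manifest, restores the archive
into a scratch directory and checks every file against the manifest, then
repeats the test against a truncated copy of the archive. The paths and the
recovery point objective are assumptions.
"""
import hashlib
import os
import tarfile
import tempfile
import zlib
from datetime import date

RPO_DAYS = 1  # assumed recovery point objective: a backup older than this is stale


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, backup_path):
    """Archive source_dir; return {relative path: sha256}. The manifest is kept
    apart from the archive so that damage to the archive remains detectable."""
    manifest = {}
    with tarfile.open(backup_path, "w:gz") as tar:
        for root, _, files in os.walk(source_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return manifest


def restore_and_verify(backup_path, manifest, restore_dir):
    """Restore into restore_dir and compare each file with the manifest.
    Returns (ok, list of problems); an unreadable archive is a failed test."""
    # The 'data' filter (Python 3.12+, backported to older patch releases)
    # rejects absolute paths and path traversal inside the archive.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    try:
        with tarfile.open(backup_path, "r:gz") as tar:
            tar.extractall(restore_dir, **extract_opts)
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        return False, [f"archive unreadable: {exc}"]
    problems = []
    for rel, digest in manifest.items():
        path = os.path.join(restore_dir, rel)
        if not os.path.isfile(path):
            problems.append(f"missing after restore: {rel}")
        elif sha256_file(path) != digest:
            problems.append(f"checksum mismatch: {rel}")
    return not problems, problems


def backup_is_stale(backup_date, today, rpo_days=RPO_DAYS):
    """True if the most recent backup is older than the recovery point objective."""
    return (today - backup_date).days > rpo_days


def run_restore_test():
    """Intact archive passes; a truncated archive fails. Returns both results."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "db"))
        with open(os.path.join(src, "db", "ledger.bin"), "wb") as f:
            f.write(os.urandom(64 * 1024))  # incompressible, so truncation loses data
        with open(os.path.join(src, "config.txt"), "w") as f:
            f.write("retention=7d\n")
        archive = os.path.join(work, "backup.tar.gz")
        manifest = create_backup(src, archive)

        results["intact"] = restore_and_verify(archive, manifest, os.path.join(work, "r1"))

        damaged = os.path.join(work, "damaged.tar.gz")
        with open(archive, "rb") as f:
            blob = f.read()
        with open(damaged, "wb") as f:
            f.write(blob[: len(blob) // 2])  # simulate a corrupted or incomplete backup
        results["truncated"] = restore_and_verify(damaged, manifest, os.path.join(work, "r2"))
    return results


if __name__ == "__main__":
    for label, (ok, problems) in run_restore_test().items():
        print(label, "PASS" if ok else "FAIL", problems)
```

The point of the manifest is that a backup job which completes without error says nothing about whether the data can be recovered; only a restore into a clean location, checked file by file against hashes recorded at backup time, does. The same pattern applies to database dumps, where the restore target is a scratch instance and the check is a row count or checksum query.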

Without appropriate continuity planning there is an increased risk that key business functions and processes will fail and not be restored in a timely manner after a disruption. Disaster recovery planning will help enable the effective and timely restoration of systems supporting agency operations and business functions.

Management of IT risks

Sixty-three percent of agencies met our expectations for managing IT risks, a 27% improvement since the first assessment in 2008, with agencies showing improved management controls over risks.

Figure 10 - Management of IT risks

Weaknesses we found included:

  • risk management policies in draft or not developed
  • inadequate processes for identifying, assessing and treating IT and related risks
  • no risk registers
  • risk registers not maintained, for ongoing monitoring and mitigation of identified risks.

All agencies are required to have risk management policies and practices that identify, assess and treat risks that affect key business objectives. IT is one of the key risk areas that should be addressed. We therefore expect agencies to have IT specific risk management policies and practices such as risk assessments, registers and treatment plans.

Without appropriate IT risk policies and practices, threats may not be identified and treated within reasonable timeframes, thereby increasing the likelihood that agency objectives will not be met.

IT operations

The rating for ‘performance in IT practices and the service level performance provided to meet their agency’s business’ increased 5% in 2016 compared to the previous year, and has improved 28% overall since 2011.

Effective management of IT operations is a key element for maintaining data integrity and ensuring that IT infrastructure can resist and recover from errors and failures.

We assessed whether agencies have adequately defined their requirements for IT service levels and allocated resources according to these requirements. We also tested whether service and support levels within agencies are adequate and meet good practice. Other tests included whether:

  • policies and plans are implemented and effectively working
  • repeatable functions are formally defined, standardised, documented and communicated
  • effective preventative and monitoring controls and processes have been implemented to ensure data integrity and segregation of duties.

Figure 11 - IT operations

Weaknesses we found included:

  • information and communication technology strategies not in place
  • no logging of user access and activity on critical systems or sensitive data
  • network logs only kept for short periods, e.g. 1 hour to 4 days
  • former staff with access to agency networks and applications years after termination
  • unauthorised devices, such as USB storage devices and portable hard drives, able to connect to networks
  • no reviews of security logs for critical systems including remote access and changes to databases with confidential information
  • lack of policies and procedures
  • cloud solutions adopted by staff without approval
  • several agencies are running unsupported operating systems
  • no user education of security policy and security related responsibilities and induction processes not implemented or followed
  • no incident management procedure
  • asset registers not maintained and ICT equipment unable to be located.
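
The following is an added example, not code from the report or from any agency. It shows two checks a practitioner would run against the findings above: reconciling an HR leaver list against an account export to find former staff whose accounts are still enabled, or who have logged on after their termination date, and checking a logging inventory for systems that keep logs for less than the policy minimum or never review them. The leaver list, the account export, the logging inventory and the thresholds (one-day deprovisioning grace period, 365-day log retention) are all assumptions; in practice the account data would come from an Active Directory or application user export and the retention figures from the SIEM or each system's logging configuration.

```python
"""Leaver reconciliation and log-retention checks over constructed data.

Added example, not from the audit report. The HR leaver list, the account
export, the logging inventory and the policy thresholds are all assumptions.
"""
from datetime import date, timedelta

DEPROVISION_GRACE_DAYS = 1    # assumed: access removed within one working day
MIN_LOG_RETENTION_DAYS = 365  # assumed policy minimum for security logs

# Constructed HR record: username -> last working day
LEAVERS = {
    "jdoe": date(2014, 3, 31),
    "asmith": date(2016, 12, 20),
    "bkhan": date(2016, 6, 30),
}

# Constructed account export: enabled flag and last logon per account
ACCOUNTS = [
    {"name": "jdoe",   "enabled": True,  "last_logon": date(2016, 11, 2)},
    {"name": "asmith", "enabled": False, "last_logon": date(2016, 12, 19)},
    {"name": "bkhan",  "enabled": True,  "last_logon": date(2016, 6, 29)},
    {"name": "mlee",   "enabled": True,  "last_logon": date(2017, 1, 3)},  # current staff
]

# Constructed logging inventory: system -> (retention in hours, logs reviewed)
LOG_INVENTORY = {
    "core-firewall": (1, False),
    "finance-db":    (96, False),
    "hr-app":        (24 * 400, True),
}


def reconcile_leavers(accounts, leavers, today):
    """Flag former staff whose accounts are still enabled past the grace
    period, and any logon recorded after the termination date."""
    findings = []
    for acct in accounts:
        term = leavers.get(acct["name"])
        if term is None:
            continue  # not a leaver
        if acct["enabled"] and today > term + timedelta(days=DEPROVISION_GRACE_DAYS):
            findings.append((acct["name"],
                             f"still enabled {(today - term).days} days after termination"))
        if acct["last_logon"] and acct["last_logon"] > term:
            findings.append((acct["name"],
                             f"logged on after termination on {acct['last_logon']}"))
    return findings


def check_logging(inventory, min_days=MIN_LOG_RETENTION_DAYS):
    """Flag systems keeping logs for less than the policy minimum and systems
    whose logs are never reviewed."""
    findings = []
    for system, (hours, reviewed) in inventory.items():
        if hours < min_days * 24:
            findings.append((system, f"logs kept {hours}h; policy requires {min_days} days"))
        if not reviewed:
            findings.append((system, "security logs not reviewed"))
    return findings


def run_checks(today=date(2017, 1, 10)):
    """Run both checks over the constructed data as at the given date."""
    return reconcile_leavers(ACCOUNTS, LEAVERS, today) + check_logging(LOG_INVENTORY)


if __name__ == "__main__":
    for subject, finding in run_checks():
        print(f"{subject:14} {finding}")
```

The logon-after-termination check is the one that turns a housekeeping finding into a security incident: an enabled account is a latent exposure, but a logon after the termination date is evidence that a former staff member, or someone holding their credentials, actually used it.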

The above types of findings can mean that service levels from computer environments may not meet business requirements or expectations. Without appropriate ICT strategies and supporting procedures, ICT operations may not be able to respond to business needs and recover from errors or failures.

Change control

We examined whether system changes are appropriately authorised, implemented, recorded and tested. We reviewed any new applications acquired or developed to evaluate consistency with management’s intentions. We also tested whether existing data converted to new systems was complete and accurate.

Change control practices have slowly been improving since 2008, with 32 out of the 41 agencies achieving a level 3 or higher rating.

Figure 12 - Change control

Weaknesses we observed included:

  • no formal system change management policies in place
  • changes to critical systems not logged or approved
  • no documentation regarding changes made to systems and critical devices
  • risk assessments for major changes to infrastructure not performed
  • individuals are able to request and approve their own changes
  • change control groups exist but have never met to manage or consider changes
  • changes affecting staff are not communicated.
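
The following is an added example, not code from the report or from any agency. It applies the segregation-of-duties and approval rules behind the findings above to a constructed change register, and then reconciles configuration-change events from system audit logs against the register to find changes to systems that were made with no validly approved change record. The register, the observed events and the rules are assumptions: the register stands in for the ticketing system and the events for audit-log entries on the systems concerned.

```python
"""Change-control checks over a constructed change register and audit log.

Added example, not from the audit report. The change register, the observed
changes and the rules are assumptions: the register stands in for the
ticketing system, and the observed changes for configuration-change events
from system audit logs.
"""
from datetime import datetime

# Constructed change register (what the ticketing system says was approved)
CHANGE_REGISTER = [
    {"id": "CHG-101", "system": "finance-db", "major": True,
     "requester": "alice", "approver": "bob", "risk_assessed": True,
     "window": (datetime(2017, 1, 5, 22, 0), datetime(2017, 1, 6, 2, 0))},
    {"id": "CHG-102", "system": "core-firewall", "major": True,
     "requester": "carol", "approver": "carol", "risk_assessed": False,
     "window": (datetime(2017, 1, 8, 13, 0), datetime(2017, 1, 8, 15, 0))},
    {"id": "CHG-103", "system": "intranet", "major": False,
     "requester": "dave", "approver": None, "risk_assessed": False,
     "window": (datetime(2017, 1, 9, 9, 0), datetime(2017, 1, 9, 10, 0))},
]

# Constructed configuration-change events from system audit logs
OBSERVED_CHANGES = [
    {"system": "finance-db",    "at": datetime(2017, 1, 5, 23, 10), "by": "alice"},
    {"system": "core-firewall", "at": datetime(2017, 1, 8, 14, 0),  "by": "carol"},
    {"system": "finance-db",    "at": datetime(2017, 1, 9, 11, 30), "by": "dave"},
]


def review_register(register):
    """Apply approval, segregation-of-duties and risk-assessment rules."""
    findings = []
    for chg in register:
        if chg["approver"] is None:
            findings.append((chg["id"], "no recorded approval"))
        elif chg["approver"] == chg["requester"]:
            findings.append((chg["id"], "requester approved their own change"))
        if chg["major"] and not chg["risk_assessed"]:
            findings.append((chg["id"], "major change without risk assessment"))
    return findings


def validly_approved(chg):
    """A change counts as approved only when someone other than the requester approved it."""
    return chg["approver"] is not None and chg["approver"] != chg["requester"]


def find_unlogged_changes(observed, register):
    """Return observed changes that fall outside every validly approved change
    window for the same system: work done without an approved change record."""
    approved = [c for c in register if validly_approved(c)]
    unlogged = []
    for ev in observed:
        covered = any(c["system"] == ev["system"]
                      and c["window"][0] <= ev["at"] <= c["window"][1]
                      for c in approved)
        if not covered:
            unlogged.append((ev["system"],
                             f"change at {ev['at']:%Y-%m-%d %H:%M} by {ev['by']} "
                             "not covered by an approved change"))
    return unlogged


def run_review():
    """Register rules plus log reconciliation over the constructed data."""
    return review_register(CHANGE_REGISTER) + find_unlogged_changes(OBSERVED_CHANGES, CHANGE_REGISTER)


if __name__ == "__main__":
    for subject, finding in run_review():
        print(f"{subject:14} {finding}")
```

Reconciling audit-log events against the register is what detects "changes to critical systems not logged or approved"; reviewing the register alone only finds changes someone chose to record. A self-approved change is deliberately treated as unapproved in the reconciliation, so the work done under it is reported as well.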

An overarching change control framework is essential to maintaining a uniform standard change control process and to achieving better performance, reduced time and staff impact and increased reliability of changes. When examining change control, we expect defined procedures are used consistently for changes to IT systems. The objective of change control is to facilitate appropriate handling of all changes.

There is a risk that without adequate change control procedures, systems will not process information as intended and agencies’ operations and services will be disrupted. There is also a greater chance that information will be lost and access given to unauthorised persons.

Physical security

We examined whether computer systems were protected against environmental hazards and related damage. We also determined whether physical access restrictions are implemented and administered to ensure that only authorised individuals have the ability to access or use computer systems.

Six of the 41 agencies fell below our expectations for the management of physical security.

Figure 13 - Physical security

Weaknesses we observed included:

  • power generators in the event of power failure not tested
  • no fire suppression system installed in the server room
  • no temperature or humidity monitoring for server rooms
  • no restricted access to computer rooms for staff, contractors and maintenance.

Inadequate protection of IT systems against various physical and environmental threats increases the potential risk of unauthorised access to systems and information and system failure.

The majority of our findings require prompt action

Figure 14 provides a summary of the distribution of significance of our findings. It shows that the majority of our findings at agencies are rated as moderate. This means that the finding is of sufficient concern to warrant action being taken by the entity as soon as possible. However, it should be noted that combinations of issues can leave agencies with more serious exposure to risk.

Figure 14 - Distribution of ratings for the findings in each area we reviewed

Recommendations

Information security

Executive managers should consider the ease with which systems could be compromised by referring to the case studies and should ensure good security practices are implemented, up-to-date and regularly tested and enforced for key computer systems. Agencies must conduct ongoing reviews of user access to systems to ensure they are appropriate at all times.

Business continuity

Agencies should have a business continuity plan, a disaster recovery plan and an incident response plan. These plans should be tested on a periodic basis.

Management of IT risks

Agencies need to ensure that IT risks are identified, assessed and treated within appropriate timeframes and that these practices become a core part of business activities.

Management of IT operations

Agencies should ensure that they have appropriate policies and procedures in place for key areas such as IT risk management, information security, business continuity and change control. IT strategic plans and objectives should support the business strategies and objectives. We recommend the use of standards and frameworks as references to assist agencies with implementing good practices.

Change control

Change control processes should be well developed and consistently followed for changes to computer systems. All changes should be subject to thorough planning and impact assessment to minimise the likelihood of problems. Change control documentation should be current, and approved changes formally tracked.

Physical security

Agencies should develop and implement physical and environmental control mechanisms to prevent unauthorised access or accidental damage to computing infrastructure and systems.

Page last updated: June 29, 2017
