PROGRESS ON THE IMPLEMENTATION OF AUDIT RECOMMENDATIONS FOR 2014/15: INFORMATION AND COMMUNICATION TECHNOLOGY (ICT)
Briefing presentation to the Portfolio Committee on Environmental Affairs (PCEA), 16 February 2016

PRESENTATION OUTLINE
– Summary for the implementation of audit recommendations
– Information Technology (IT) security management
– IT service continuity
– Corporate Governance of IT / Governance of IT

SUMMARY FOR THE IMPLEMENTATION OF AUDIT RECOMMENDATIONS

Resolved: 71.4% (5/7)
– IT Security Plan approved
– Server baseline procedure/security settings updated
– Disaster Recovery Plan approved
– Patch management practices adequately implemented
– Corporate Governance of ICT customised/approved/implemented

Partially resolved: 28.6% (2/7)
– User access management practices adequately implemented (policy developed; approval process outstanding, to be finalised by 31 March 2016)
– Demilitarised Zone configurations optimised to ensure segregation (migration of internet-facing systems commenced as per the approved plan)

Not resolved: 0% (0/0)
– None

INFORMATION TECHNOLOGY (IT) SECURITY MANAGEMENT

Key audit finding: There is no formally approved IT Security Plan in place at the Department.
Recommendation: Management is encouraged to develop an IT security plan.
Progress: IT Security Plan developed and approved by the Accounting Officer in July 2015; implementation underway.
Status: Resolved

Key audit finding: Outdated server baseline security policies and procedures: Disaster Recovery Plan (DRP) approved in 2012; multiple control failures relating to general system security settings; inadequate control of access to privileged IT functions; inadequate control of access to system resources and utilities; and inadequate patch management.
Recommendation: Management is encouraged to develop, approve, implement and communicate formal security baseline standards and procedures. Procedures should ensure that risks relating to the configuration of servers are addressed. User account management, access control management, configuration and supporting processes should be well defined and adequately enforced.
Progress: The approved IT Security Plan makes provision for formal baseline standards and procedures; an approved server configuration guide is in place; and the DRP was reviewed and approved in July 2015 with a baseline configuration to recover systems. Server standard configuration procedures are in place. The approved user account management policy outlines the required configurations for access control systems, and the supporting process for access management is implemented and enforced.
Status: Resolved

IT SECURITY MANAGEMENT

Key audit finding: Inadequate implementation of patch management practices: multiple vulnerabilities relating to missing patches were noted during the assessment; the monthly patch cycle was not complied with, as patches released 35 days earlier and some older ones were found to be outstanding.
Recommendation: Management is encouraged to expedite addressing the resource capacity constraints. Monthly reports should be provided to the GITO regarding the status of updates on both Microsoft and non-Microsoft applications.
Progress: IT Security Manager appointed in March. Monthly patch deployment/compliance reports are provided to IT Management/GITO (both Microsoft and non-Microsoft applications are addressed). Patch deployments follow the relevant cycle as per the approved patch management policy. Regular compliance monitoring and scanning is also done to identify and fix any non-compliant systems.
Status: Resolved

IT SECURITY MANAGEMENT

Key audit finding: Firewall management inadequately designed and implemented: for internet-facing systems, access between the Demilitarised Zone (DMZ) and the Department's internal network is not effectively restricted by the firewall.
Recommendation: Management should ensure that the DMZ is segregated from the internal network, and the internal environment should be well designed and adequately secured.
Progress: The firewall rules have been revised/optimised, implementing the recommended restrictions/security measures to ensure the DMZ is effectively segregated from the internal network (optimisation report signed off by the GITO). A plan has been developed and approved to migrate internet-facing systems to the DMZ.
Status: Partially resolved; to be fully resolved by 31 March 2016 (new due date: March).

INFORMATION TECHNOLOGY SECURITY MANAGEMENT

Key audit finding: Inadequate implementation of user account management on the local area network: the requirement to review access and logon violations has not been included in the user account management policy; access and logon violations, as well as the activities of users with administrator privileges, were not being monitored on a regular basis; and there were no regular reviews of access.
Recommendation: Management is encouraged to review the User Account Management policy and ensure that it makes provision for the review of access and logon violations. Enable the required audit trails and regularly monitor the access and logon violations and the activities of administrative users. User privileges should also be reviewed on a regular basis to ensure that users only have appropriate access in accordance with the user access management policy.
Progress: The policy has been reviewed and makes provision for access and logon violations; approval is underway, to be concluded before 31 March. Audit trails have been enabled on critical systems, and monitoring of access/logon violations and of the activities of privileged users is done on a regular basis. The review of user privileges has commenced. Reports will be submitted on a quarterly basis to IT management.
Status: Partially resolved; to be fully resolved by 31 March.
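The three review items the recommendation asks for (logon violations, privileged-user activity, and privileges not approved by the access policy) can be produced mechanically from the enabled audit trails. The script below is an added example, not the Department's or the auditors' tooling; the event records, group memberships and the failed-logon threshold are constructed stand-ins for what a directory security log and the access policy would supply.

```python
from collections import Counter

# Constructed audit-trail records (simplified stand-ins for directory security-log events).
EVENTS = [
    {"user": "jdoe", "event": "logon_failed"},
    {"user": "jdoe", "event": "logon_failed"},
    {"user": "jdoe", "event": "logon_failed"},
    {"user": "jdoe", "event": "logon_failed"},
    {"user": "jdoe", "event": "logon_failed"},
    {"user": "asmith", "event": "logon_failed"},
    {"user": "asmith", "event": "logon_ok"},
    {"user": "admin.m", "event": "group_change", "target": "bkoe", "group": "Domain Admins"},
    {"user": "asmith", "event": "group_change", "target": "asmith", "group": "Backup Operators"},
]
# Constructed current membership of privileged groups, and what the access policy approves.
CURRENT_GROUPS = {"admin.m": {"Domain Admins"}, "bkoe": {"Domain Admins"}, "asmith": {"Backup Operators"}}
APPROVED_GROUPS = {"admin.m": {"Domain Admins"}}
PRIVILEGED_ACCOUNTS = {"admin.m"}   # accounts designated as administrators
FAILED_LOGON_THRESHOLD = 5          # assumed policy value for a logon violation

def logon_violations(events, threshold=FAILED_LOGON_THRESHOLD):
    """Accounts whose failed logons in the review period reach the policy threshold."""
    failed = Counter(e["user"] for e in events if e["event"] == "logon_failed")
    return {user: n for user, n in failed.items() if n >= threshold}

def privileged_activity(events, privileged=PRIVILEGED_ACCOUNTS):
    """All administrative actions, and the subset made by accounts not designated as administrators."""
    actions = [e for e in events if e["event"] == "group_change"]
    unauthorised = [e for e in actions if e["user"] not in privileged]
    return actions, unauthorised

def privilege_review(current, approved):
    """Privileged group memberships held today that the access policy has not approved."""
    excess = {user: groups - approved.get(user, set()) for user, groups in current.items()}
    return {user: groups for user, groups in excess.items() if groups}

def quarterly_report(events=EVENTS, current=CURRENT_GROUPS, approved=APPROVED_GROUPS):
    """The figures a quarterly submission to IT management would carry."""
    actions, unauthorised = privileged_activity(events)
    return {
        "logon_violations": logon_violations(events),
        "privileged_actions": len(actions),
        "unauthorised_admin_actions": [(e["user"], e["target"], e["group"]) for e in unauthorised],
        "excess_privileges": privilege_review(current, approved),
    }

if __name__ == "__main__":
    for item, value in quarterly_report().items():
        print(f"{item}: {value}")
```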

INFORMATION TECHNOLOGY SERVICES CONTINUITY

Key audit finding: Outdated Business Continuity Plan (BCP) and Information Technology Disaster Recovery Plan (DRP): the plans have not yet been updated to reflect the changes in the environment since the relocation to the new office building, which also includes the migration to Microsoft Active Directory.
Recommendation: Management is encouraged to update the current BCP and DRP with the changes in the environment due to the relocation to the new office building and the IT migration projects. The updated BCP, including the DRP, should be tested periodically to ensure that the plan is practical with regard to its execution/activation.
Progress: The BCP has been updated by the responsible Directorate with inputs from the relevant management structures, reflecting the changes of the new environment and outlining all the continuity requirements. The IT Disaster Recovery Plan has been reviewed and updated to cater for the new environment and platforms in place, and it was approved by the Accounting Officer in July. The DRP is tested twice annually; the first test has been concluded successfully, and the second recovery test is scheduled before the financial year end (disaster recovery site commissioned at SITA Centurion).
Status: Resolved

IT GOVERNANCE

Key audit finding: Inadequate Corporate Governance of ICT (CGICT) framework, charter and practices: the framework was not customised for the Department's unique environment; the charter did not show all the structures and the RACI, and there was no evidence of their establishment or of the delegation of the relevant structures, roles or capacity; the GITO was not part of the executive committee. (Findings continue on the next slide.)
Recommendation: The Accounting Officer, in consultation with the Chief Director: GITO, should review the current CGICT framework and customise it to the environment within which the Department operates, to ensure that it is implementable. Following the revision and customisation of the framework, a CGICT charter and policy should be revised and implemented. This should include the establishment of the different structures and positions, together with the assignment of roles, responsibilities and reporting lines.
Progress: The CGICT policy and charter were reviewed/updated to cater for all the requirements, customised to the Department's context, and approved by the Accounting Officer in October. The CGICT Policy and Charter are currently being implemented, noting that most of the structures/principles are already implemented. The relevant structures and capacity/roles have been revived/established/delegated/implemented (GITO, Governance Champion, ICT Strategic (Governance & Administration)/Steering/Operational Committee, ICT managers).
Status: Resolved

INFORMATION TECHNOLOGY GOVERNANCE

Key audit finding: GITO not reporting to the Accounting Officer. Risk management policy not informed by COBIT. Information plan and security policy not addressing information classification requirements.
Recommendation: The GITO should report to the Accounting Officer. The risk management policy should be informed by COBIT. The information plan and security policy should address information security requirements.
Progress: The GITO reports to the COO, due to the current reporting scope of the Accounting Officer. The GITO is a permanent member of the Executive Strategic Committee (Governance and Administration cluster, a sub-committee of EXCO), and ICT is a standing agenda item in that forum. The Enterprise Risk Management policy is informed by the COSO Framework, as COBIT complements COSO. The reviewed IT security policy (approved December 2015) caters for information classification and security requirements in line with the Minimum Information Security Standard. The Information Plan that forms part of the Master Systems Plan does not address information classification/security requirements, but those are addressed in other IT documents such as the IT Security Plan, the IT Security Policy and the EDMS policy, and measures are in place to ensure that classified information is effectively protected on ICT systems.
Status: Resolved

Note: The updates provided for the resolution of the Information Plan and the risk management practices have been forwarded to the auditors for consideration (as the Framework calls for a flexible implementation, since Departments are unique).

Thank you.