Subject:Report on the Review of the Information Technology Department Operations for six (6) months ended March 31, 2015.
Date: June 25, 2015
In line with the approved Audit Plan for the year, the Information Technology (IT) Department operations for the six (6) months ended March 31st, 2015 were reviewed from June 2nd to 13th, 2015, and the report is hereby presented for your consideration.
The audit team comprised:
Samuel Obianke (MIA)-Team Lead
Yahaya Gobir (SOIA)-Member
Yusuf Kabir (SOIA)-Member
The audit objective was to review the management of the Commission's ICT assets as well as the incident handling and log management procedures in place.
The effectiveness of vulnerability and patch management practices was also ascertained. Our goal is to establish whether controls to ensure adequate protection of the Commission's ICT assets, data integrity and availability are in place and operating effectively.
The audit areas included: status of the Commission's ICT (hardware and software) inventory; onsite, off-site and online backup procedures; incident handling; patch management; access control; and log management.
Also covered in the review was the effectiveness of internal controls and compliance with existing ICT policy documents.
Observations / Findings
During the operations review of the IT Department, the following were noted:
A. Offsite and Online Backup Management
The Commission maintains onsite, off-site and online data backups. A disk-to-disk-to-tape backup strategy is adopted: to ensure data availability, data from disk are copied to tape for off-site storage on a regular basis in line with the approved backup policy. In addition, the Commission maintains an online backup (real-time remote backup) of some of the data, because of their criticality, to provide data redundancy.
The software (HP StorageWorks Backup Solution) used for backing up data from disk to tape was recently upgraded from version 6.1 to version 8.1 in a bid to better meet the data backup needs of the Commission.
In the course of the review, it was noted as follows:
No backup tape was checked out for the month of May 2015; the reason given was the challenges resulting from the upgrade of the backup software. The most recent backup tape at the off-site location during the review period was that for the month of April 2015, which was taken to the off-site location on May 5, 2015. Also of concern is the continued time lapse between backup tape checkout and safe storage at the off-site location. This practice may not guarantee full data recovery in the event of an unforeseen incident affecting the Commission's Data Centre (Server Room). Below is a summary of tape movement as contained in the off-site tape movement register. See Appendix I.
Tape (monthly backup)   Checkout Date to Offsite Location   Approximate Interval Between Tape Backup and Safe Storage Offsite (days)
Oct-14                  3 November 2014                     3
Nov-14                  1 December 2014                     1
Dec-14                  13 February 2015                    44
Jan-15                  13 February 2015                    13
Feb-15                  18 March 2015                       18
Mar-15                  7 April 2015                        7
Table 1: Offsite Tape Checkout Summary
Also of concern is the practice, noted in previous reviews, of recycling the weekly backup tapes in the Server Room: the weekly tapes are held on site until the monthly full backup is completed, and only then is a tape relocated to the off-site storage. Since not all of the Commission's data is backed up online, tapes need to reach the off-site location regularly and on time.
It is worthy of note that the backup schedule currently being implemented does not appear to agree with the minimum data recovery timeframe set out in the Business Impact Analysis (Disaster Recovery / Business Continuity Plan, 2010). The backup and tape checkout schedule in use does not appear to take into consideration the RPO (Recovery Point Objective) of some of the data generated by the Commission; on the figures in Table 1, a Server Room incident at any point in the 44 days before the Dec-14 tape reached the off-site location would have left the Nov-14 tape as the most recent off-site copy;
Note: RPO is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption. – ISACA
While the disk-to-disk backup was noted to be effectively done, it may not on its own provide adequate protection from disaster; hence daily and weekly backups on disk should ideally be replicated to a second site;
The IT Department did not maintain any documentation that would enable the audit team to verify the results of restore tests on off-site tapes carried out during the review period. Hence, the review team cannot provide assurance of full data recovery. Moreover, a copy of the backup policy is still not maintained off-site;
A review of the backup log generated by the current HP StorageWorks Backup Solution, version 8.1, revealed some backup failures from disk to tape. In our opinion, inadequate change management control in the upgrade process may to a reasonable extent have contributed to some of the challenges observed in the backup process to tape, though efforts are ongoing by the IT Department and the vendor, Messrs. Interglobal Limited, to fix the issues observed;
Also noted was a knowledge gap in the usage of the HP StorageWorks Backup Solution. Adequate knowledge of the software by the schedule officers is necessary if the Commission is to derive the expected benefit from the investment and, above all, guarantee successful backup to tape.
In summary, not storing backup tapes at the off-site location on a regular basis poses a risk to successful recovery in the event that data recovery is required. Also, failure to test backup tapes provides no assurance that the data on them can be restored.
The Internal Audit department recommends that:
The IT Department should ensure timely and regular checkout of backup tapes to the off-site storage in line with the approved policy. Also, regular restore testing of off-site tapes should be carried out and the results adequately documented for record purposes;
The IT Department should execute an SLA with the vendor. Training for the schedule officers is equally recommended so that the Commission derives optimum benefit from the solution;
The IT Department should maintain a copy of the approved and updated ICT policies at the off-site location for safe keeping.
B. ICT Hardware and Software Inventory Management
The IT Department maintains an ICT inventory of both hardware equipment and software applications for the HQ and the Zones. The current effort by the IT Department to maintain an up-to-date inventory is commendable; other minor issues noted that need to be addressed include:
The review of the software inventory revealed some delay in updating the inventory, as noted in the previous review. A case in point is the upgrade of the existing HP StorageWorks Backup Solution from 6.1 to 8.1, which is yet to be reflected in the software inventory. Also, the LIRIS (Legal Information Registry Internet System), which attracts an annual fee payable to the vendor on a quarterly basis, was not properly documented. See Appendix II;
The ICT hardware assigned to staff and the network infrastructure were not centrally maintained. While the ICT hardware inventory appears more detailed, the same cannot be said of the network infrastructure inventory, which is missing vital information such as year deployed and, in some cases, the serial number, especially for assets at the zonal offices. The team noted that adequate documentation was not carried out at the time of purchase/deployment;
Based on the assigned devices inventory summary made available, a total of 564 desktops (inclusive of those assigned to staff and non-staff), 159 laptops, 280 printers and 473 UPS units were deployed. See Appendix III. This is summarised in the graph below:
Figure 1: Assigned Devices Inventory Summary
The record of obsolete systems provided was not detailed enough, which made it difficult to reconcile the data provided with the previous inventory record available;
It is worthy of note that, due to time constraints, the review team could not carry out physical verification of the ICT assets and hence cannot ascertain the veracity of the figures provided by the IT Department.
The Internal Audit Department recommends that the IT Department centralise the management of all ICT assets in the Commission, while also ensuring timely and regular updating of the ICT asset inventory so that an up-to-date inventory is available at all times.
C. TC (Telecom) Rooms
The TC rooms accommodate network and communication equipment spread across Floors 1 to 9 of the Commission building. The IT Department has custody of the keys to the TC rooms, which are accessed by third parties from time to time; hence the need to ensure adequate security for the network equipment housed in them.
In the course of the review, it was noted that access to the TC rooms is not adequately controlled or monitored. Reviewing physical access to the TC rooms was not possible, as no register is maintained for key sign-in and sign-out, which in our opinion is a minimum control that ought to be in place considering the sensitive nature of the equipment stored in the TC rooms, coupled with the unrestricted third-party access to them.
Also, other issues noted that need to be urgently addressed are as follows (See Appendix .):
Temperature/air-conditioning: The air-conditioning system on virtually all nine (9) floors (in both Wing A and Wing B) was either not available or non-functional. On Floor 9, Wing A, for example, the A/C unit was working but the temperature indicator read 32 degrees Celsius (°C), which is too high for optimum functioning of the equipment installed;
Lightings: The lights in some of the TC rooms are not working;
Cables: The cables were not properly installed, in either length or routing. Some cables were seen hanging from the ceilings and some were draped over server racks. This is an indication of poor cable management, which makes maintenance and fault tracing needlessly difficult;
Tidiness: Some of the TC rooms appear untidy, with some equipment covered in dust, which in our opinion may hinder the effective performance of the equipment;
Access control management: There is an internal control deficiency in the management of the TC rooms. Floor 1, Wing A (near the clinic) is the only room with an access control system; it is imperative that the department maintains a record of who has access to the rooms, including time and date.
The Internal Audit department recommends that:
A functional and sustained air-conditioning system should be installed URGENTLY, to ensure that the recommended operating temperature is maintained in the TC rooms for optimum performance of the equipment;
The IT Department should carry out immediate cable maintenance and labelling for ease of maintenance and troubleshooting. Also, the non-functioning lighting in all the TC rooms should be restored;
A record of key movement should be introduced, and other mechanisms to control and monitor access to the TC rooms adopted, to ensure adequate protection of the TC room equipment;
Cleaning of the TC rooms, under close supervision by the IT Department, should be carried out as and when required.
D. ICT Accessories Store Management
In the course of the review of the management of the ICT accessories store, it was noted as follows:
Toner cartridges and other consumables were properly maintained in a secure environment; the temperature of the store was, however, observed to be high and inappropriate. Print cartridges should not be left in such conditions for a long period, even in their packaging, as the heat can damage them;
The inventory of ICT accessories in the store is currently managed manually, making the whole process cumbersome;
Also, the stock balances show that supplies to the store do not reflect the true rate of consumption of each consumable. Products constantly in higher demand (such as the HP CE410A black toner) ought to be procured in larger quantities than those in lesser demand.
The Internal Audit Department recommends that:
An air conditioner be installed in the store to maintain the temperature needed to prevent toner from degrading and, by extension, ensure value for money on the products;
An automated inventory control/barcode system be installed to enable efficient counting of products, minimise the risk of error and alert the desk officer in good time when a product reaches its re-order level (quantity). Such a system will ensure effective management of these ICT accessories;
Staff with the authority to initiate purchases liaise with the Procurement Department to ensure that purchases are restricted to necessary products.
F. Access Control System
The Access Control System in the Commission is presently being integrated with a biometric system to double as both staff attendance register and access control system. It was noted that the deployment of the biometric system, as well as its integration with the existing Access Control System, is being finalised; the system is currently being tested. The full benefit of the Access Control System remains largely unrealised due to the poor state of the access control doors, as reported in previous reviews.
No specific timeframe was set for the ongoing testing, which is capable of prolonging the project implementation longer than necessary. Also noted was the lack of a documented test plan.
Also, it was noted that the Security Unit in charge of monitoring the CCTV was moved to the office of the EVC, while the installation of additional CCTV cameras in the Commission has commenced with the delivery of some of the equipment by the vendor.
The Internal Audit department recommends that:
The IT Department should ensure adequate documentation of the ongoing testing of the biometric system and provide prompt resolution of the issues noted;
As stated in previous reviews, Management may consider the outright replacement of all the access doors in the Commission, as it may not be cost effective to effect further repairs on the existing doors.
G. Incident Handling and Change Management
In line with best practice, the ability to manage and resolve incidents depends greatly on the incident handling and change management procedures in place in an organisation.
In the course of the review exercise, it was observed as follows:
The IT Department maintains a knowledge base to track and resolve computer-related incidents. While this effort is commendable, there is a need to put in place more detailed incident handling policies and procedures in advance, so that the response to a compromise is adequate;
Logs are maintained but not reviewed. Also, logs are not centrally maintained, and retention periods are based on the available space, so older logs are constantly deleted even when they have not been reviewed.
The Internal Audit Department recommends that:
The IT Department should put in place a step-by-step incident handling procedure and improve on its current incident escalation procedure;
The IT Department should put in place a centralised log management solution for proper log management.
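As an added illustration, and not part of the original report or of the IT Department's tooling, the PowerShell below shows the kind of review that retained, centrally collected logs make possible: it pulls failed-logon events (Event ID 4625) from the Windows Security log and flags any account that accumulates repeated failures within a short window. With the lockout parameter set to NEVER (section I), the Security log is the only place a password-guessing attempt shows up, so a review of this sort is the compensating control until the lockout policy is corrected. The sample events, the threshold of three (the same figure as the recommended lockout threshold) and the ten-minute window are assumptions for the example.

```powershell
# Added example: review of Windows Security log failed logons (Event ID 4625).
# Requires PowerShell 3 or later. The sample events below are constructed for
# the example; they are not Commission data.
$SampleEvents = @(
    [pscustomobject]@{ Time = [datetime]'2015-06-02 08:00:05'; Account = 'ajohnson'; Source = '10.10.4.17' },
    [pscustomobject]@{ Time = [datetime]'2015-06-02 08:00:09'; Account = 'ajohnson'; Source = '10.10.4.17' },
    [pscustomobject]@{ Time = [datetime]'2015-06-02 08:00:12'; Account = 'ajohnson'; Source = '10.10.4.17' },
    [pscustomobject]@{ Time = [datetime]'2015-06-02 08:00:15'; Account = 'ajohnson'; Source = '10.10.4.17' },
    [pscustomobject]@{ Time = [datetime]'2015-06-02 08:45:00'; Account = 'bokafor';  Source = '10.10.7.3'  },  # a mistyped password
    [pscustomobject]@{ Time = [datetime]'2015-06-02 14:10:00'; Account = 'bokafor';  Source = '10.10.7.3'  }   # hours apart: not an attack
)

# Pull real 4625 events from a host and map them to the same shape as the sample above.
# TargetUserName and IpAddress are the standard EventData fields of event 4625.
function Get-FailedLogon {
    param(
        [datetime] $Since = (Get-Date).AddHours(-24),
        [string]   $ComputerName = $env:COMPUTERNAME
    )
    Get-WinEvent -ComputerName $ComputerName `
                 -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; Account = $data['TargetUserName']; Source = $data['IpAddress'] }
        }
}

# Flag any account with $Threshold or more failures inside a sliding $WindowMinutes window.
function Find-PasswordGuessing {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold     = 3,    # same figure as the recommended lockout threshold
        [int] $WindowMinutes = 10
    )
    foreach ($group in ($Events | Group-Object Account)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i + $Threshold - 1 -lt $sorted.Count; $i++) {
            $first = $sorted[$i].Time
            $last  = $sorted[$i + $Threshold - 1].Time
            if (($last - $first).TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    Account  = $group.Name
                    Failures = $sorted.Count
                    First    = $first
                    Last     = $last
                    Sources  = (($sorted.Source | Sort-Object -Unique) -join ', ')
                }
                break   # one alert per account is enough for a review
            }
        }
    }
}

# Review run over the constructed sample: reports ajohnson (4 failures in 10 seconds), not bokafor.
Find-PasswordGuessing -Events $SampleEvents | Format-Table -AutoSize

# Against a live host, once the events are being collected:
#   Find-PasswordGuessing -Events (Get-FailedLogon -Since (Get-Date).AddDays(-1))
```

The point of the sliding window is that a single mistyped password (bokafor) is not reported, while a burst of failures against one account is, regardless of how many source addresses it comes from. Once logs are centralised, the same function can be run over events gathered from every domain controller rather than one host at a time, which is what makes a review feasible before the logs are overwritten.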
H. Web Application Security
A review of the web hosting service revealed as follows:
The web hosting SLA between NCC and Liquid Web is yet to be finalised, as noted in the previous review of the department's operations;
No comprehensive tooling exists to monitor, detect and prevent attacks on the Commission's web applications, which is of concern given the increasing number of website attacks and defacements targeting large organisations.
The Internal Audit Department recommends that:
The IT Department should expedite action to finalise the SLA between the company (Liquid Web) and NCC;
The IT Department should put in place mechanisms to ensure regular monitoring of the Commission's web applications, ensure that the platform in use is regularly patched, and ensure secure coding of all its applications;
Vulnerability assessment and monitoring of the Commission's web applications should be carried out from time to time.
I. User Access Administration
The Internal Audit Department noted that some of the procedures in place to manage access to the system do not appear to promote accountability. For example:
The IT Department maintained a shared account for all SIWES (Students Industrial Work Experience Scheme) students attached to the Department. In line with best practice, this is a concern, as it is difficult to track an individual SIWES student's activity on the system, considering that their privileges allow them to modify system settings on users' computers in the course of issue resolution;
The shared SIWES account outlives the attachment of the individual students who use it, which exposes the Commission to the risk of a former student gaining unauthorised access to the system. This is possible because the shared account (and its password) is not changed each time a member of the group leaves the Commission;
User profiles that are not deleted or modified in good time increase the risk of unauthorised access to the system;
The account LOCKOUT parameter for user accounts, including system accounts, is set to NEVER; the implication is that a brute-force attack, in which an attacker repeatedly guesses passwords until one succeeds, is possible without the account ever being locked;
We noted a delay in moving, within Active Directory (AD), the accounts of staff who have since been moved to another department. A case in point is a staff member who was moved from Legal and Regulatory Services to the Commission Secretary's office.
Recommendations:
The Internal Audit Department recommends that the IT Department maintain a separate user profile for each SIWES student attached to the department, and that such an account be removed on the student's exit from the Commission;
A review of the logs of each SIWES student's access activity on the system should be carried out from time to time by assigned staff of the department;
The IT Department should configure the following password parameters on the accounts of users and administrators:
Account lockout threshold is to be set to three (3) attempts;
Minimum password age for administrators is to be set to thirty (30) days.
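The following PowerShell is an added example of how the two recommended parameters would be inspected and applied in Active Directory; it is not part of the original report and not a script the IT Department provided. It records the current policy as audit evidence (a lockout threshold of 0 is what the management console displays as the account never locking out), sets the domain-wide lockout threshold to three, and applies the 30-day minimum password age to administrators through a fine-grained password policy, since a minimum age that applies only to administrators cannot be expressed in the domain default. The lockout duration and observation window, the PSO name and precedence, and the other PSO values are assumptions for the example, not figures from the report.

```powershell
# Added example: inspect and correct domain lockout / password-age settings.
# Requires the RSAT ActiveDirectory module and Domain Admin rights, run from a domain-joined host.
Import-Module ActiveDirectory

# 1. Record the current state as audit evidence. LockoutThreshold 0 is the
#    "never locks out" setting noted in the review.
$before = Get-ADDefaultDomainPasswordPolicy
$before | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow,
                        MinPasswordAge, MaxPasswordAge, PasswordHistoryCount, MinPasswordLength

# 2. Domain-wide correction: lock the account after three failed attempts (the recommended
#    figure). The 30-minute duration and observation window are assumed values.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
    -LockoutThreshold 3 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# 3. Administrators only: 30-day minimum password age via a fine-grained password policy (PSO),
#    which applies to a group rather than to every user. Name, precedence and the remaining
#    values are assumptions for the example.
$psoName = 'PSO-Administrators'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordAge (New-TimeSpan -Days 30) `
        -MaxPasswordAge (New-TimeSpan -Days 60) `
        -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -LockoutThreshold 3 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# 4. Verify: the effective policy for an administrator should now show the PSO values,
#    and the domain default should show LockoutThreshold 3.
Get-ADUserResultantPasswordPolicy -Identity 'administrator' |
    Select-Object Name, LockoutThreshold, MinPasswordAge
Get-ADDefaultDomainPasswordPolicy | Select-Object LockoutThreshold, LockoutDuration
```

Two caveats a practitioner should note. First, the domain password and lockout settings are normally written from the Default Domain Policy Group Policy Object: if that GPO still defines the lockout threshold as 0, the next policy refresh on the PDC emulator overwrites the value set here, so the same change must also be made in the GPO (Computer Configuration, Policies, Windows Settings, Security Settings, Account Policies, Account Lockout Policy). Second, a threshold as low as three lets anyone who knows account names lock users out deliberately, which is a denial-of-service of its own; the log review in section G is what makes such activity visible, and the two controls belong together.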
J. Management of Obsolete ICT Tools
The Internal Audit Department noted poor handling of the obsolete ICT inventory:
The obsolete inventory records provided appear deficient. The records made available do not capture vital information such as purchase date/deployment date, type, description of item, date retrieved and reason for obsolescence. This made it difficult to ascertain whether the procedures outlined in the approved Policy on the Disposal of Obsolete ICT Tools were properly followed;
The team was informed that the data on the removable drives was destroyed prior to relocation of the obsolete ICT tools to a container at DBI, Mbora.
The Internal Audit Department recommends that:
The IT Department should update the obsolete inventory to include the missing information highlighted above, for ease of reference;
The IT Department should develop a proper procedure, based on the approved policy, for the retrieval and secure erasure of data on all storage media prior to disposal;
The Internal Audit Department should be duly informed prior to the destruction of hard drives and the relocation of obsolete items, for assurance purposes.
This is submitted for your kind consideration and further directive, sir.