
Western Australian Auditor General’s Report: Information Systems Audit Report


Document information

Title: Western Australian Auditor General’s Report: Information Systems Audit Report
Author: Glen Clarke, Acting Auditor General
Institution: Western Australian Government
Field: Information Systems Security and Audit
Type: audit report
Year of publication: 2010
City: Perth
Pages: 36
Size: 0.99 MB



Report 2: March 2010


Information Systems Audit Report

I submit to Parliament my Information Systems Audit Report under the provisions of sections 24 and 25 of the Auditor General Act 2006.

GLEN CLARKE

ACTING AUDITOR GENERAL

24 March 2010


Contents

Auditor General’s Overview 4

IS Compliance Audit: Security of Laptop and Portable Storage Devices 5

Application and General Computer Controls Audits 17

General Computer Controls and Capability Assessments for Agencies 24


Auditor General’s Overview

performance benchmark for agencies

This report has two sections covering three items:

• Information systems compliance audit

  – Security of laptop and portable storage devices

• Application and general computer controls audits

  – Application controls

  – General computer controls and capability assessments of agencies

The first item of the report, ‘Security of laptop and portable storage devices’, rounds out a four year focus on various aspects of Information Systems security. This year’s audit looked at how agencies manage the physical security of laptops, mobile phones, media players and flash drives and at the security of information stored on those devices.

Laptops and other portable storage devices offer benefits through allowing flexible work arrangements and easy access, storage and transfer of large amounts of data. However, their portability also places them at greater risk of being lost or stolen. Information stored on portable devices also needs to be adequately protected. None of the seven agencies we reviewed had adequately considered or addressed these risks.

Our audit of four key business applications at four agencies found weaknesses in security and data processing controls that could potentially impact delivery of key services to the public. Our general computer control audits involved assessing 52 agencies and benchmarking 42 against good practice for IS management. Forty-five per cent of agencies failed to meet the benchmark.

While we have seen some good practice and some signs of improvement, too many agencies continue to ignore the risks from not effectively managing their information systems. The standards and frameworks we audit against do not place unrealistic expectations on agencies and are generally accepted across all industries. I strongly urge senior management of agencies to act on the recommendations of this report.


IS Compliance Audit: Security of Laptop and Portable Storage Devices

Western Australian Government agencies own and use large numbers of laptop computers and other portable storage devices (PSDs) – including flash drives, portable hard drives and mobile phones. These devices can hold large volumes of information. The portability of laptops and PSDs allows flexible work arrangements and easy transfer of information. However, their portability also increases the risk that they will be lost or stolen. On average about 250 laptops are reported stolen by agencies each year. Without adequate safeguards in place these losses can easily result in unauthorised access to sensitive information.

Agencies therefore have a responsibility to manage these items effectively. This includes protecting the physical assets and ensuring appropriate security for the information stored on them. The challenge facing agencies is to meet security needs without restricting the benefits that portable devices offer.

This is the fourth and last in a series of information systems compliance audits we have carried out since 2007 that has focused on information security. The previous examinations were: Protection of personal and sensitive information held in databases (Report 2, 2009); Information security: disposal of government hard drives (Report 1, 2008); and Security of wireless local area networks in government (Report 3, 2007).

This examination assessed whether seven government agencies were effectively managing their laptops and PSDs to reduce the risk of loss or theft and subsequent access to sensitive information. The agencies were:

• Curriculum Council

• Department of Commerce

• Department of Education (Central Office)

• Department of Water

• Royal Perth Hospital

• Western Australia Police

• WorkCover WA

Conclusion

All seven agencies lacked comprehensive management, technical and physical controls over their laptops and PSDs to minimise the risk of them being lost or stolen and of sensitive information being accessed. More serious weaknesses included:

• not knowing the number of laptops or PSDs owned, who had them, or where they were located

• ineffective controls to prevent information being accessed if a laptop was lost or stolen

• basic security weaknesses including inadequate access controls and failure to implement vendor security patches to fix known security flaws

• gaps in relevant policies and procedures including action to be taken in the event of a laptop or PSD being lost or stolen


Key Findings

• The Department of Commerce and Royal Perth Hospital did not have up-to-date registers to track laptops and so did not know how many laptops they owned. The lack of this information increases the risk that laptops and information stored on them will be lost without agencies knowing. It also limits effective asset planning and replacement.

• None of the agencies had complete knowledge of the number of PSDs they owned or the potential security risks of their PSDs. Only two agencies – Western Australia Police (WAP) and WorkCover WA – had registers to track portable hard drives.

• WAP was the only agency that had addressed the risks associated with flash drives. Staff are only allowed to use the encrypted devices they are issued.

• All agencies used system logons on their laptops. However, all agencies had weaknesses in other fundamental access controls:

  – Five agencies had not ensured that boot passwords were systematically used on laptops. The Department of Commerce and Royal Perth Hospital had activated ‘boot’ passwords on some individual and unit/branch computers. When activated, boot passwords protect information on computer hard drives from being accessed by unauthorised users, even if the hard drive is removed from the computer. All laptops have this capability.

  – Four agencies – the Curriculum Council, the Department of Water, Royal Perth Hospital and the Department of Education (Central Office) – did not use screen lock-outs. These require a password to unlock a computer if it is not used for a set period of time.

• Six agencies had not used basic security controls on laptops to protect them from dangers associated with connecting to external networks. This increased the risk of unauthorised access to sensitive data on the laptops and/or on network systems.

  – Only WorkCover had enabled local firewalls on its laptops. Local firewalls are necessary to protect laptops from external threats from the internet when they are connected outside their home networks. Only WorkCover and WAP had controls in place to prohibit users from connecting their laptops to external networks.

  – Four agencies – the Curriculum Council, the Department of Water, the Department of Commerce and WAP – had not updated software patches on their laptops. While the Department of Commerce did have an automated patch update program, it was not working. Product vendors release software patches regularly to fix critical security flaws.

• Only WAP had comprehensive policies and procedures, including those dealing with the use and security of PSDs. The Curriculum Council had weaknesses in all policy and procedure areas.


What Should Be Done

• All agencies should ensure that they have adequate information about their portable IT assets. In particular:

  – they should maintain comprehensive registers for their laptops

  – they should consider the best way to record information about PSDs

• All agencies should ensure that basic access controls – ‘boot’ passwords and screen lock-outs – are activated as standard.

• Agencies should ensure that their external security controls and practices – including updating patches, and firewall strategies – meet their security needs.

• All agencies should assess the threats and vulnerabilities to their laptops and PSDs and implement policies, procedures and practices to mitigate those risks. This will likely include deciding about:

  – accessing external networks

  – different rules for different types of information and devices

  – the need for laptops and PSDs


Agency Responses

Curriculum Council – An Information and Communications Technologies security policy and procedures plan is being developed covering laptops, portable storage devices, security of data and physical security of equipment.

Progress is being made for all laptops on:

• boot passwords and BIOS passwords

• removal of local administrator rights

Department of Commerce – The Department agrees with the findings and has:

• implemented an IT Asset Management module to provide a single register for laptop information and to emulate the physical stocktake process

• updated software patches on all laptops which connect to the Department’s network

Other actions in progress are:

• development of policy and procedures dealing with PSDs, external network connections and missing assets

• risk assessment to determine information classification levels and the appropriateness of local firewalls and boot passwords

Department of Education – The Department of Education will consider the findings of the audit and the recommendations of the Auditor General to determine the appropriate action to be taken. Improvements in our security procedures for all portable storage devices are continually sought to ensure the security of the stored information.

Department of Water – The Department of Water has taken steps to address the issues and will continue to implement changes to improve security for laptops.

Department of Health – The Department of Health, on behalf of Royal Perth Hospital (RPH), accepts the findings and implications set out in the OAG’s report of its examination. Steps to address the most important of the examination’s recommendations have already been taken. Action in relation to the other recommendations is being assessed by RPH management and other areas of WA Health, particularly the Health Information Network, and will form part of WA Health’s ongoing endeavours to improve its information and communication technology governance framework.

WorkCover WA – WorkCover WA is actively working towards addressing the areas of concern identified in the audit. A comprehensive Portable Storage Device Policy that covers all aspects of use of PSDs is in the final stages of management approval. WorkCover WA will also be implementing the use of encrypted flash drives throughout the agency.


Most agencies have an increasing number of laptops and use a variety of PSDs. PSDs include mobile phones with storage, USB memory sticks (flash drives), media players, CDs, DVDs and portable hard drives. Their portability assists with information access and sharing and can make working life easier and more effective. However, their size and portability increases the risk of them being lost or stolen.

In the last two years there have been a number of high profile incidents in the United Kingdom where the loss or theft of laptops and PSDs has led to serious data breaches. There have also been cases reported in Australia where laptops containing personal and sensitive information have been lost or stolen. Fifty-six State Government agencies reported 750 laptops stolen or lost with a total value of $828 030 in the three years to 2009. In addition to the loss of the asset, many of these devices are likely to have contained sensitive data. This creates a significant risk of data breaches through unauthorised access to the information stored on the devices.

To mitigate these risks, agencies should have two basic types of controls in place. The first are physical tracking and security controls to minimise the risk that laptops or PSDs will be lost or stolen. The second are information security controls to prevent access to information stored on these devices if they are lost or stolen.

Physical tracking and security controls include keeping good records of assets. These should include listing where the assets are, who has them and if the assets have up-to-date patches and software licences.

Information security controls include good lock-out measures – including differing levels of passwords and encryption. These help limit opportunities for unauthorised people to access information on devices. Figure 1 illustrates the types of devices and the controls that can be used.

Figure 1: Types of portable storage devices (figure not reproduced in this copy; the controls it lists are given below)

Information security controls:

• Appropriate data policies

• System and logon passwords

• Keypad locks

• Encryption

• External device controls

Physical tracking and security controls to minimise risk of loss or theft:

• Asset registers

• Safe storage and handling


What Did We Do?

We examined seven agencies that have reported theft and loss of laptops. These agencies maintain various types of sensitive information including financial, medical, legal and educational records. Having suffered these losses, we expected that these agencies would have acted to put good controls in place. The agencies were:

• Curriculum Council

• Department of Commerce

• Department of Education (Central Office)

• Department of Water

• Royal Perth Hospital

• Western Australia Police

• WorkCover

The Department of Education reported 561 laptops lost or stolen from its total of more than 26 000. This is 75 per cent of all those reported lost or stolen in this period. The Curriculum Council lost the next largest number – 24 – but 22 of those were lost in one break-in to their offices. Only two other agencies reported double figures – 10 and 11 lost in the period. The agencies in our examination represent 81 per cent of losses in this period. Table 1 shows the agencies we examined and the numbers and value of laptops they have reported lost.

Table 1: Laptops reported lost (columns: laptops in 2009; number of laptops reported lost/stolen 2006-09; insured value of lost/stolen laptops; the table body is not present in this copy)

All agencies had reported some lost laptops in the past three years.

* Figures not available for these agencies (see below for detail).

** 22 laptops were lost in a single break-in to one Curriculum Council building.

Source: Insurance Commission of WA and OAG


Our objective was to determine whether agencies have implemented appropriate management, technical and physical controls over laptops and portable storage devices to reduce the risk of them being lost or stolen and of sensitive information being accessed.

Specifically we examined whether agencies had:

• appropriate policies and procedures

  – defining the use and security of laptops and PSDs

  – in the event of laptops and PSDs being lost or stolen

  – covering sensitive or personal information stored on laptops and PSDs

• accurate registers detailing agency laptops and PSDs – information about how many assets they had, and who had them

• appropriate guidelines and controls to physically secure equipment inside and outside of the agency

• adequate controls in place to prevent unauthorised access to and removal of any sensitive or personal information stored on the equipment

We tested a sample of laptops and PSDs in each agency. This involved testing whether they were subject to logical and physical controls to restrict access to authorised users and to maintain the confidentiality of the data stored on them. We also examined the accuracy of asset records for these devices.

At the Department of Education and WAP we tested policies generally, but only tested laptops and PSDs at head office. We tested Royal Perth Hospital devices and policies, but included general Department of Health policies, procedures and guidance where relevant.

We conducted the audit in accordance with Australian Auditing Standards.

What Did We Find?

Physical controls

We expected the agencies to have clear knowledge of their portable IT assets, particularly laptops. We found that five of the agencies had reasonable registers of laptops, but only one had such knowledge across PSDs.

Two agencies did not have accurate records of laptops

A basic requirement of good asset management is to have a clear understanding of the numbers and age of assets. Without this, agencies are limited in their ability to protect the assets, and to plan for their replacement and maintenance. Computer assets also need to be tracked for other reasons:

• to ensure software updates and patches are in place, and software licences are current

• to recognise and take appropriate action in the event of them being lost or stolen

• to comply with the intent of Treasurer’s Instruction 410. This requires that all portable or attractive assets should be appropriately managed, and suggests that such assets should be on a register.


We found appropriate registers of laptops at five agencies, although three of the registers had some inaccuracies. Each of these agencies had conducted stocktakes to test the registers.

Neither Royal Perth Hospital (RPH) nor the Department of Commerce (DoC) had accurate records of their laptops. RPH had two lists recording the numbers of laptops. One listed 601 laptops while the other listed 324. Further, RPH had not conducted stocktakes and did not have an ongoing process to update laptop information. As a result, RPH could not provide any assurance on the number of its laptops, where they were, or who had them.

DoC also had an inadequate recordkeeping system for its IT equipment including laptops. DoC ceased to maintain a register of IT equipment in September 2008 when it changed its threshold for capitalising assets from $1 000 to $5 000.

Without proper registers, RPH and DoC could not conduct stocktakes or be confident of knowing whether any of these assets have been lost or stolen. They also could not ensure that they had the correct numbers of software licences or that the software patches were up-to-date.
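The register and stocktake controls the report expects (a register that records where each laptop is and who has it, tested by periodic stocktakes, with patch and licence currency tracked alongside) can be checked mechanically once both lists exist. The Python example below is added here and is not part of the OAG report; the agency register, the stocktake records, the dates and the 30-day patch threshold are constructed sample data.

```python
"""Reconcile a laptop asset register against a physical stocktake.

Added example (not from the OAG report): the register, stocktake and
thresholds below are constructed sample data. The checks mirror what the
report expects a register to support: knowing how many laptops exist,
where they are, who has them, and whether patches and licences are current.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RegisterEntry:
    asset_tag: str
    custodian: str
    location: str
    last_patched: date
    licence_expiry: date


@dataclass(frozen=True)
class StocktakeEntry:
    asset_tag: str
    location: str  # where the device was physically sighted


def reconcile(register, stocktake, as_of, max_patch_age_days=30):
    """Return the exceptions found between the register and the stocktake.

    'missing'      registered but not sighted (possible loss or theft)
    'unregistered' sighted but not on the register (no custodian, no tracking)
    'moved'        sighted somewhere other than the registered location
    'unpatched'    last patch older than max_patch_age_days at the as_of date
    'unlicensed'   software licence expired at the as_of date
    """
    reg = {e.asset_tag: e for e in register}
    seen = {s.asset_tag: s for s in stocktake}
    if len(reg) != len(register) or len(seen) != len(stocktake):
        raise ValueError("duplicate asset tags: the records cannot be trusted")

    return {
        "missing": sorted(set(reg) - set(seen)),
        "unregistered": sorted(set(seen) - set(reg)),
        "moved": sorted(t for t in reg.keys() & seen.keys()
                        if reg[t].location != seen[t].location),
        "unpatched": sorted(t for t, e in reg.items()
                            if (as_of - e.last_patched).days > max_patch_age_days),
        "unlicensed": sorted(t for t, e in reg.items() if e.licence_expiry < as_of),
    }


def stocktake_variance(register, stocktake):
    """Percentage of registered laptops not sighted (0.0 means a clean stocktake)."""
    if not register:
        return 0.0
    missing = {e.asset_tag for e in register} - {s.asset_tag for s in stocktake}
    return round(100 * len(missing) / len(register), 1)


# Constructed sample data for one hypothetical agency.
SAMPLE_REGISTER = [
    RegisterEntry("LT-0001", "A. Smith", "Head Office 3F", date(2010, 3, 1), date(2011, 1, 1)),
    RegisterEntry("LT-0002", "B. Jones", "Head Office 3F", date(2009, 11, 15), date(2011, 1, 1)),
    RegisterEntry("LT-0003", "C. Wong", "Regional Office", date(2010, 3, 10), date(2010, 1, 1)),
    RegisterEntry("LT-0004", "D. Lee", "Head Office 2F", date(2010, 2, 20), date(2011, 1, 1)),
]
SAMPLE_STOCKTAKE = [
    StocktakeEntry("LT-0001", "Head Office 3F"),
    StocktakeEntry("LT-0003", "Head Office 2F"),  # sighted away from its registered location
    StocktakeEntry("LT-0004", "Head Office 2F"),
    StocktakeEntry("LT-0099", "Head Office 1F"),  # not on the register at all
]
AS_OF = date(2010, 3, 24)

if __name__ == "__main__":
    for kind, tags in reconcile(SAMPLE_REGISTER, SAMPLE_STOCKTAKE, AS_OF).items():
        print(f"{kind:13s} {tags}")
    print("stocktake variance:", stocktake_variance(SAMPLE_REGISTER, SAMPLE_STOCKTAKE), "%")
```

Two registers that disagree, as at RPH, can be reconciled against each other with the same function by treating one list as the register and the other as the stocktake: the 'missing' and 'unregistered' sets are exactly the laptops each list cannot account for.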

Only WAP had good controls regarding their PSDs

Our examination covered the three main types of PSD used in agencies:

• flash drives (USB memory sticks)

• mobile phones (practically all of which now have memory and email/browsing capability)

• portable hard drives

Flash drives are the most common, most mobile, and arguably most easily lost or stolen of all PSDs. Six of the seven agencies had no clear idea of how many they owned, or which staff had them. These agencies also lacked policies and procedures about PSDs in general and flash drives in particular. However, the WAP did have policies (see below) including a new policy to issue only encrypted flash drives to staff. Even if they are lost or stolen, the information on such devices cannot be accessed by unauthorised users.


Information controls

We expected that the seven agencies would have all basic security controls in place to protect information on portable IT devices from unauthorised use. These controls include limiting access to the information held on the devices, and protecting the devices and ‘home’ networks from external threats.

It is also possible to prevent data being copied from laptops to USB devices. We found that all agencies employed basic access controls but other simple and effective access controls were not utilised. We also found that only one of the seven agencies was adequately protecting laptops from the risks of connecting them to external networks such as the internet.

The other key component of protection is comprehensive policies and procedures. Only one agency had policies which explicitly dealt with PSDs. All other agencies had weaknesses in some policy/procedure areas.

All agencies had minimal access controls, but none had comprehensive controls

A range of basic controls exist to protect information within laptops or information that can be accessed through them. If in place, these controls make it difficult for individuals inside an organisation to access any unauthorised information and for outsiders to access information using a lost or stolen computer. The key initial control to secure information is a ‘boot’ password. This is employed when a laptop is first turned on. It helps prevent unauthorised people from accessing the operating system and therefore from accessing information stored on the laptop. These passwords also protect information from unauthorised access even if the computer hard drive is removed from the computer. All modern laptops can use boot passwords.

None of the seven agencies employed boot passwords as a normal precaution. Some limited use of boot passwords was found in laptops at RPH and in one division at DoC. DoC advised they had assessed the risk of information contained on their laptops and had implemented boot passwords on that basis. While no agency used boot passwords effectively, all seven agencies had various other controls in place. All agencies used network passwords. These passwords prevent unauthorised users from easily accessing the information held on the computer. However, they can be by-passed by technically adept individuals, and do not protect information if the hard drive is removed from the computer.

Another standard control is a screen-lock. This locks a computer from use if it is not used for a set period of time. It requires the user to re-enter a password to unlock the computer. Five agencies used this control, but RPH and the Department of Education (Central Office) did not.

We also found that three agencies, the Curriculum Council, RPH and Department of Education (Central Office), had given administrator rights to all their laptop users. This is contrary to basic information security practice. It allows individuals to install software and alter any computer settings without permission or agency knowledge. This increases the risks to information security for individual computers, and cumulatively poses even greater risks to agency networks and information.


We found weaknesses in how a number of agencies managed passwords. Some agencies had disabled password complexity settings (the length and number/letter mix). We also found cases where password expiry was not enforced. Both of these weaknesses make it easier to ‘crack’ passwords, and do not comply with good security practices. Table 2 shows the various access control issues at the agencies.

Table 2: Adequacy of access controls (columns: boot password; network password; screen lock-out; administrator rights; the table body is not present in this copy)

No agency had universally activated boot passwords. Two agencies did not have screen lock-outs as a policy and two gave administrator rights to all users. Each agency employed network passwords.

Only WorkCover had appropriate security controls to protect laptops when connected to external networks

Security controls are required to protect laptops and information when users connect their laptops to external networks. These controls assist in preventing attacks which may result in unauthorised access to sensitive data on the laptops and/or on agency networks. It is important that agencies have policies and education to support any technical controls.

All agencies had ‘perimeter firewalls’ on their network systems, to protect their computer systems including laptops from external threats. However, when laptops are disconnected from the home network and connected to un-trusted external ones, these firewalls are not available. A major control over this risk is to activate local firewalls on laptops. However, local firewalls are not always compatible with some business applications on laptops. Therefore, agencies need to have clear guidelines and policies for using external networks that match their own settings and needs. These will likely include banning access to external networks where necessary.


Only WorkCover had enabled local firewalls on laptops to prevent security threats from external connections such as the internet. It also had policies banning the use of external networks. No other agency had enabled local firewalls. WAP had not enabled its local firewalls, but had policies banning the use of external networks. No other agency had policies about connecting to external networks.

As noted above, laptop users at the Curriculum Council, RPH and Department of Education (Central Office) had administrator rights, which would allow them to configure and connect their laptops to any external network.

We also found that four agencies – the Curriculum Council, the Department of Water, the Department of Commerce and WAP – had not installed software patches released by product vendors to fix critical security flaws. The Department of Commerce had a Security Update Server configured to manage software patch updates across all laptops; however, we found that it had not been functioning properly. The lack of up-to-date security patches meant the agencies had security vulnerabilities on their laptops that could lead to unauthorised access to sensitive data or to damage to laptop and network systems.
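The access controls discussed in the preceding section (boot passwords, system logons, screen lock-outs, administrator rights, password complexity and expiry) and the external-connection controls just described (a local firewall or, failing that, a policy banning external networks, plus current vendor patches) can be assessed from a build inventory in the same adequate/partial/inadequate terms the report's tables use. The Python example below is added here and is not from the OAG report; the rule thresholds (a 15-minute screen lock, a 90-day maximum password age, a 30-day patch window), the sample builds and the agency names are constructed assumptions.

```python
"""Assess laptop builds against the access and external-connection controls
the audit expected, and rate each agency the way the report's tables do.

Added example, not from the OAG report. Control thresholds, sample builds
and agency names are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LaptopBuild:
    agency: str
    boot_password: bool             # BIOS/boot password set
    network_logon: bool             # system/network password required to log on
    screen_lock_minutes: int        # 0 means screen lock-out disabled
    users_are_admin: bool           # everyday users hold local administrator rights
    password_complexity: bool       # length and number/letter mix enforced
    password_max_age_days: int      # 0 means expiry not enforced
    local_firewall: bool
    days_since_patch: int
    external_networks_banned: bool  # policy prohibits connecting outside the home network


# Each rule pairs a finding with a predicate that is True when the control FAILS.
RULES = [
    ("boot password not activated", lambda b: not b.boot_password),
    ("no system logon password", lambda b: not b.network_logon),
    ("screen lock-out disabled or too long", lambda b: not 0 < b.screen_lock_minutes <= 15),
    ("users hold administrator rights", lambda b: b.users_are_admin),
    ("password complexity disabled", lambda b: not b.password_complexity),
    ("password expiry not enforced", lambda b: not 0 < b.password_max_age_days <= 90),
    # A banned-external-networks policy compensates for a missing local firewall,
    # which is how the report treated WAP.
    ("no local firewall and external networks allowed",
     lambda b: not b.local_firewall and not b.external_networks_banned),
    ("security patches out of date", lambda b: b.days_since_patch > 30),
]


def assess(build):
    """Return the list of control failures for one laptop build."""
    return [finding for finding, fails in RULES if fails(build)]


def rate_agency(builds):
    """Rate each control for an agency: 'adequate' when every sampled laptop
    passes it, 'inadequate' when none do, 'partial' otherwise."""
    ratings = {}
    for finding, fails in RULES:
        failed = sum(1 for b in builds if fails(b))
        if failed == 0:
            ratings[finding] = "adequate"
        elif failed == len(builds):
            ratings[finding] = "inadequate"
        else:
            ratings[finding] = "partial"
    return ratings


def agencies_meeting_benchmark(builds):
    """Sorted names of agencies with no control rated 'inadequate'."""
    by_agency = {}
    for b in builds:
        by_agency.setdefault(b.agency, []).append(b)
    return sorted(name for name, bs in by_agency.items()
                  if "inadequate" not in rate_agency(bs).values())


# Constructed sample builds for two hypothetical agencies.
SAMPLE_BUILDS = [
    LaptopBuild("Agency A", True, True, 10, False, True, 60, True, 12, False),
    LaptopBuild("Agency A", False, True, 10, False, True, 60, True, 5, False),
    LaptopBuild("Agency B", False, True, 0, True, False, 0, False, 120, False),
    LaptopBuild("Agency B", False, True, 0, True, False, 0, False, 95, False),
]

if __name__ == "__main__":
    for build in SAMPLE_BUILDS:
        print(build.agency, assess(build))
    print(agencies_meeting_benchmark(SAMPLE_BUILDS))
```

The rule list is the benchmark: extending it with a disk-encryption check (which the report notes only WAP had in place) is a one-line addition, and the agency rating then reflects it without further changes.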

Only WAP had comprehensive policies and procedures

We found that most agencies had some weaknesses in their policies and associated procedures. Maintaining comprehensive policies is important for controlling information. The key policy/procedures areas we examined were: PSD-specific, general acceptable use, sensitive data, disposing of storage devices, and dealing with missing assets. Table 3 shows an assessment of agency policies and procedures.

Only WAP had policies and procedures specifically dealing with PSDs. In particular, it had made clear choices about the use of flash drives. WAP assessed the risks posed by PSDs, and decided only to allow encrypted flash drives. WAP was also the only agency that had encrypted sensitive information on hard drives and emails. These activities make it practically impossible for information to be accessed even if devices are lost.

The Department of Water, Curriculum Council and Department of Education (Central Office) had weaknesses with their acceptable use policies and procedures. We found instances where ‘acceptable use’ policies only referred to internet and email activity, but ignored internal material and personal applications.

WorkCover and the Curriculum Council did not have comprehensive policies on using sensitive data. Some agencies deal with obviously sensitive information, but all agencies need to consider if the mobility provided by laptops and PSDs increases the risk of loss, and therefore if they require separate policies for these devices. We also found that training on information security was inconsistent, both in content and in personnel coverage.


Three agencies, the Curriculum Council, RPH and DoC, did not have documented procedures for dealing with lost or stolen laptops. While all three had reported lost assets, their procedures were not formalised. Without formal guidance, the risks arising from lost or stolen assets may not be properly considered and dealt with. This issue was exacerbated at RPH and DoC because they did not know how many assets they possessed. However, we were reassured to find that all sampled agencies required staff to present a Police report before a laptop could be replaced. This should be required by all agencies.

Table 3: Detailed policy and procedures (columns: agency; use of PSDs; general acceptable use; sensitive data; dealing with missing assets; the table body is not present in this copy)

Only WAP had comprehensive policies dealing with PSDs. The Curriculum Council had weaknesses in all policy and procedure areas.


Application and General Computer Controls Audits

Computer controls can be defined as specific activities performed by people (manual) or by systems (automatic) to ensure the confidentiality and integrity of data and the ongoing availability of computer systems. Computer controls are often divided into two categories: application controls that apply to specific software programs, and general computer controls (GCC) that apply to computing systems as a whole.

Application controls

Applications are the software programs that are used to facilitate key business processes of an organisation. For example finance, human resource, licensing and billing are typical processes that are dependent on software applications. Application controls are designed to ensure the complete and accurate processing of data from input to output.

Each year we review a selection of key applications relied on by agencies to deliver services to the general public. Failings or weaknesses in these applications have the potential to directly impact other organisations and members of the general public. Impacts range from delays in service to possible fraudulent activity and financial loss. This report describes the results of an audit of one key application at each of four agencies.

General computer controls and capability assessments of agencies

This year we focused on five general computer control categories: management of IT risks, information security, business continuity, change control and physical security.

We use capability maturity models in conjunction with our GCC audits to help report the results of our work. A capability maturity model is a way of assessing how well developed and capable the established controls are and how well developed or capable they should be. Capability assessments were prepared for 42 of the 52 agencies examined. The models provide a benchmark for agency performance and a means for comparing results from year to year.

Conclusion

We found multiple information system control weaknesses at the vast majority of the agencies we examined. These weaknesses have the potential to compromise the confidentiality, integrity and availability of the computer systems we examined. However, we are beginning to see signs of improvement in general computer controls at some agencies.


Key Findings

Application controls

All of the four business applications we reviewed had control weaknesses, though change management and business continuity controls were relatively strong. In total, we identified 29 control weaknesses, of which:

• security weaknesses made up 55 per cent of the control weaknesses. These included computer vulnerabilities such as easy to guess passwords, unauthorised user accounts and failure to remove accounts belonging to former staff.

• data processing controls issues made up 28 per cent of our findings. Weaknesses in these controls put the integrity of information processed at risk.

• the remaining 17 per cent of weaknesses related to operational issues such as software licensing, asset management and vendor support and contractor management.

General computer controls and capability assessments for agencies

We reported 333 general computer controls related issues to agencies in 2009. Two per cent of these issues were rated as significant, requiring immediate attention. Sixty-three per cent were rated as moderate, requiring attention as soon as possible. These results are similar to last year.

Our capability assessments show there has been some improvement in general computer controls across the agencies we have reviewed. Specifically, 26 per cent of agencies we reviewed last year using the capability assessments made improvements in at least one of the categories without regressing in any area. Forty-one per cent of agencies showed no change. The remainder may have made improvements in one area but regressed in another.

Despite some improvement, we still found many areas requiring attention. Fifty-two per cent of the agencies we assessed using capability models had not established effective controls to manage IT risks, information security and business continuity. Thirty-one per cent of agencies had not established effective change controls and 33 per cent had not established effective controls for management of physical security.
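The year-on-year comparison above sorts agencies into three classes (improved in at least one category without regressing, no change, or movement that includes a regression) and then reports, per category, the share of agencies without effective controls. Both summaries follow directly from two maturity vectors per agency. The Python example below is added here and is not from the OAG report; the five categories are the ones the report names, while the 0-5 maturity scale, the benchmark level of 3 for 'effective', and the agency scores are constructed assumptions.

```python
"""Summarise capability maturity assessments across agencies.

Added example, not from the OAG report. The five categories are those the
report names; the 0-5 maturity scale, the benchmark level for 'effective'
controls and the agency scores below are constructed assumptions.
"""

CATEGORIES = (
    "management of IT risks",
    "information security",
    "business continuity",
    "change control",
    "physical security",
)


def classify(previous, current):
    """Classify one agency's movement between two assessments.

    previous/current are maturity levels in CATEGORIES order.
    'improved'  : up in at least one category and down in none
    'no change' : identical in every category
    'other'     : down somewhere (possibly while improving elsewhere)
    """
    if len(previous) != len(CATEGORIES) or len(current) != len(CATEGORIES):
        raise ValueError("one maturity level per category expected")
    deltas = [cur - prev for prev, cur in zip(previous, current)]
    if any(d < 0 for d in deltas):
        return "other"
    return "improved" if any(d > 0 for d in deltas) else "no change"


def summarise_movement(assessments):
    """Percentage of agencies in each movement class, rounded to whole per cent."""
    counts = {"improved": 0, "no change": 0, "other": 0}
    for previous, current in assessments.values():
        counts[classify(previous, current)] += 1
    n = len(assessments)
    return {kind: round(100 * count / n) for kind, count in counts.items()}


def not_effective(assessments, benchmark=3):
    """Per category, percentage of agencies whose current level is below the benchmark."""
    n = len(assessments)
    return {
        category: round(100 * sum(1 for _, current in assessments.values()
                                  if current[i] < benchmark) / n)
        for i, category in enumerate(CATEGORIES)
    }


# Constructed sample: agency -> (last year's levels, this year's levels).
SAMPLE_ASSESSMENTS = {
    "Agency 1": ((2, 2, 1, 3, 3), (3, 2, 2, 3, 3)),  # improved, no regression
    "Agency 2": ((3, 3, 3, 3, 2), (3, 3, 3, 3, 2)),  # no change
    "Agency 3": ((2, 3, 2, 3, 3), (3, 2, 2, 3, 3)),  # up in one area, down in another
    "Agency 4": ((3, 3, 3, 3, 3), (3, 3, 3, 2, 3)),  # regressed only
}

if __name__ == "__main__":
    print(summarise_movement(SAMPLE_ASSESSMENTS))
    print(not_effective(SAMPLE_ASSESSMENTS))
```

Keeping 'other' as a single class matches the report's wording, which does not separate agencies that only regressed from those with mixed movement; splitting it is a two-line change in classify if an agency needs that distinction.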
