
English IT audit report on laptops and portable storage devices

2014-01-07  36 pages  pdf  1009KB  27 reads

Information Systems Audit Report
Report 2: March 2010
Western Australian Auditor General's Report

The President, The Speaker
Legislative Council, Legislative Assembly

Information Systems Audit Report

I submit to Parliament my Information Systems Audit Report under the provisions of sections 24 and 25 of the Auditor General Act 2006.

GLEN CLARKE
ACTING AUDITOR GENERAL
24 March 2010

Contents

Auditor General's Overview 4
IS Compliance Audit: Security of Laptop and Portable Storage Devices 5
Application and General Computer Controls Audits 17
Application Controls 20
General Computer Controls and Capability Assessments for Agencies 24

Auditor General's Overview

This is the second annual Information Systems Audit Report tabled by this Office. Following the inaugural 2009 report, I have been encouraged by feedback that the reported results provide an important performance benchmark for agencies.

This report has two sections covering three items:
• Information systems compliance audit
  – Security of laptop and portable storage devices.
• Application and general computer controls audits
  – Application controls
  – General computer controls and capability assessments of agencies.

The first item of the report, 'Security of laptop and portable storage devices', rounds out a four year focus on various aspects of Information Systems security. This year's audit looked at how agencies manage the physical security of laptops, mobile phones, media players and flash drives and at the security of information stored on those devices.

Laptops and other portable storage devices offer benefits through allowing flexible work arrangements and easy access, storage and transfer of large amounts of data. However, their portability also places them at greater risk of being lost or stolen. Information stored on portable devices also needs to be adequately protected. None of the seven agencies we reviewed had adequately considered or addressed these risks.

Our audit of four key business applications at four agencies found weaknesses in security and data processing controls that could potentially impact delivery of key services to the public.

Our general computer control audits involved assessing 52 agencies and benchmarking 42 against good practice for IS management. Forty-five per cent of agencies failed to meet the benchmark. While we have seen some good practice and some signs of improvement, too many agencies continue to ignore the risks from not effectively managing their information systems. The standards and frameworks we audit against do not place unrealistic expectations on agencies and are generally accepted across all industries. I strongly urge senior management of agencies to act on the recommendations of this report.

IS Compliance Audit: Security of Laptop and Portable Storage Devices

Overview

Western Australian Government agencies own and use large numbers of laptop computers and other portable storage devices (PSDs) – including flash drives, portable hard drives and mobile phones. These devices can hold large volumes of information. The portability of laptops and PSDs allows flexible work arrangements and easy transfer of information. However, their portability also increases the risk that they will be lost or stolen. On average about 250 laptops are reported stolen by agencies each year. Without adequate safeguards in place these losses can easily result in unauthorised access to sensitive information.

Agencies therefore have a responsibility to manage these items effectively. This includes protecting the physical assets and ensuring appropriate security for the information stored on them. The challenge facing agencies is to meet security needs without restricting the benefits that portable devices offer.

This is the fourth and last in a series of information systems compliance audits we have carried out since 2007 that has focused on information security. The previous examinations were:
• Protection of personal and sensitive information held in databases (Report 2, 2009)
• Information security: disposal of government hard drives (Report 1, 2008)
• Security of wireless local area networks in government (Report 3, 2007).

This examination assessed whether seven government agencies were effectively managing their laptops and PSDs to reduce the risk of loss or theft and subsequent access to sensitive information. The agencies were:
• Curriculum Council
• Department of Commerce
• Department of Education (Central Office)
• Department of Water
• Royal Perth Hospital
• Western Australia Police
• WorkCover WA

Conclusion

All seven agencies lacked comprehensive management, technical and physical controls over their laptops and PSDs to minimise the risk of them being lost or stolen and of sensitive information being accessed. More serious weaknesses included:
• not knowing the number of laptops or PSDs owned, who had them, or where they were located
• ineffective controls to prevent information being accessed if a laptop was lost or stolen
• basic security weaknesses including inadequate access controls and failure to implement vendor security patches to fix known security flaws
• gaps in relevant policies and procedures including action to be taken in the event of a laptop or PSD being lost or stolen.

Key Findings

• The Department of Commerce and Royal Perth Hospital did not have up-to-date registers to track laptops and so did not know how many laptops they owned. The lack of this information increases the risk that laptops and information stored on them will be lost without agencies knowing. It also limits effective asset planning and replacement.
• None of the agencies had complete knowledge of the number of PSDs they owned or the potential security risks of their PSDs. Only two agencies – Western Australia Police (WAP) and WorkCover WA – had registers to track portable hard drives.
• WAP was the only agency that had addressed the risks associated with flash drives. Staff are only allowed to use the encrypted devices they are issued.
• All agencies used system logons on their laptops. However, all agencies had weaknesses in other fundamental access controls:
  – Five agencies had not ensured that boot passwords were systematically used on laptops. Department of Commerce and Royal Perth Hospital had activated 'boot' passwords on some individual and unit/branch computers. When activated, boot passwords protect information on computer hard drives from being accessed by unauthorised users, even if the hard drive is removed from the computer. All laptops have this capability.
  – Four agencies – the Curriculum Council, the Department of Water, Royal Perth Hospital and the Department of Education (Central Office) – did not use screen lock-outs. These require a password to unlock a computer if it is not used for a set period of time.
• Six agencies had not used basic security controls on laptops to protect them from dangers associated with connecting to external networks. This increased the risk of unauthorised access to sensitive data on the laptops and/or on network systems.
  – Only WorkCover had enabled local firewalls on its laptops. Local firewalls are necessary to protect laptops from external threats from the internet when they are connected outside their home networks. Only WorkCover and WAP had controls in place to prohibit users from connecting their laptops to external networks.
  – Four agencies – the Curriculum Council, the Department of Water, the Department of Commerce and WAP – had not updated software patches on their laptops. While the Department of Commerce did have an automated patch update program, it was not working. Product vendors release software patches regularly to fix critical security flaws.
• Only WAP had comprehensive policies and procedures, including those dealing with the use and security of PSDs. The Curriculum Council had weaknesses in all policy and procedure areas.

What Should Be Done

• All agencies should ensure that they have adequate information about their portable IT assets. In particular:
  – they should maintain comprehensive registers for their laptops
  – they should consider the best way to record information about PSDs.
• All agencies should ensure that basic access controls – 'boot' passwords and screen lock-outs – are activated as standard.
• Agencies should ensure that their external security controls and practices – including updating patches, and firewall strategies – meet their security needs.
• All agencies should assess the threats and vulnerabilities to their laptops and PSDs and implement policies, procedures and practices to mitigate those risks. This will likely include deciding about:
  – accessing external networks
  – different rules for different types of information and devices
  – the need for laptops and PSDs.

Agency Responses

Curriculum Council – An Information and Communications Technologies security policy and procedures plan is being developed covering laptops, portable storage devices, security of data and physical security of equipment. Progress is being made for all laptops on:
• boot passwords and BIOS passwords
• removal of local administrator rights

Department of Commerce – The Department agrees with the findings and has:
• implemented an IT Asset Management module to provide a single register for laptop information and to emulate the physical stocktake process
• updated software patches on all laptops which connect to the Department's network
Other actions in progress are:
• development of policy and procedures dealing with PSDs, external network connections and missing assets
• risk assessment to determine information classification levels and the appropriateness of local firewalls and boot passwords.

Department of Education – The Department of Education will consider the findings of the audit and the recommendations of the Auditor General to determine the appropriate action to be taken. Improvements in our security procedures for all portable storage devices are continually sought to ensure the security of the stored information.

Department of Water – The Department of Water has taken steps to address the issues and will continue to implement changes to improve security for laptops.

Department of Health – The Department of Health, on behalf of Royal Perth Hospital (RPH), accepts the findings and implications set out in the OAG's report of its examination. Steps to address the most important of the examination's recommendations have already been taken. Action in relation to the other recommendations is being assessed by RPH management and other areas of WA Health, particularly the Health Information Network, and will form part of WA Health's ongoing endeavours to improve its information and communication technology governance framework.

WorkCover WA – WorkCover WA is actively working towards addressing the areas of concern identified in the audit. A comprehensive Portable Storage Device Policy that covers all aspects of use of PSDs is in the final stages of management approval. WorkCover WA will also be implementing the use of encrypted flash drives throughout the agency.

Background

Most agencies have an increasing number of laptops and use a variety of PSDs. PSDs include mobile phones with storage, USB memory sticks (flash drives), media players, CDs, DVDs and portable hard drives. Their portability assists with information access and sharing and can make working life easier and more effective. However, their size and portability increase the risk of them being lost or stolen.

In the last two years there have been a number of high profile incidents in the United Kingdom where the loss or theft of laptops and PSDs has led to serious data breaches. There have also been cases reported in Australia where laptops containing personal and sensitive information have been lost or stolen.

Fifty-six State Government agencies reported 750 laptops stolen or lost with a total value of $828 030 in the three years to 2009. In addition to the loss of the asset, many of these devices are likely to have contained sensitive data. This creates a significant risk of data breaches through unauthorised access to the information stored on the devices.

To mitigate these risks, agencies should have two basic types of controls in place. The first are physical tracking and security controls to minimise the risk that laptops or PSDs will be lost or stolen. The second are information security controls to prevent access to information stored on these devices if they are lost or stolen.

Physical tracking and security controls include keeping good records of assets. These should include listing where the assets are, who has them and whether the assets have up-to-date patches and software licences. Information security controls include good lock-out measures – including differing levels of passwords and encryption. These help limit opportunities for unauthorised people to access information on devices. Figure 1 illustrates the types of devices and the controls that can be used.

Figure 1: Types of portable storage devices

Information security controls:
• Appropriate data policies
• System and logon passwords
• Keypad locks
• Encryption
• External device controls

Physical tracking and security controls:
• Asset registers
• Safe storage and handling to minimise risk of loss or theft

What Did We Do?

We examined seven agencies that have reported theft and loss of laptops. These agencies maintain various types of sensitive information including financial, medical, legal and educational records. Having suffered these losses, we expected that these agencies would have acted to put good controls in place. The agencies were:
• Curriculum Council
• Department of Commerce
• Department of Education (Central Office)
• Department of Water
• Royal Perth Hospital
• Western Australia Police
• WorkCover

The Department of Education reported 561 laptops lost or stolen from its total of more than 26 000. This is 75 per cent of all those reported lost or stolen in this period. The Curriculum Council lost the next largest number – 24 – but 22 of those were lost in one break-in to their offices. Only two other agencies reported double figures – 10 and 11 lost in the period. The agencies in our examination represent 81 per cent of losses in this period. Table 1 shows the agencies we examined and the numbers and value of laptops they have reported lost.

Table 1: Laptops reported lost

Agency                   | Total number of laptops in 2009 | Number of laptops reported lost/stolen 2006-09 | Insured value of lost/stolen laptops
Curriculum Council       | 100                             | 24**                                           | $31 036
Department of Commerce   | *                               | 5                                              | $7 166
Department of Education  | 26 278                          | 561                                            | $580 434
Department of Water      | 289                             | 5                                              | $7 464
Royal Perth Hospital     | *                               | 4                                              | $4 200
Western Australia Police | 1 443                           | 4                                              | $9 509
WorkCover                | 40                              | 5                                              | $1 325
Total                    | 28 150                          | 608                                            | $641 134

All agencies had reported some lost laptops in the past three years.
* Figures not available for these agencies (see below for detail).
** 22 laptops were lost in a single break-in to one Curriculum Council building.
Source: Insurance Commission of WA and OAG

Our objective was to determine whether agencies have implemented appropriate management, technical and physical controls over laptops and portable storage devices to reduce the risk of them being lost or stolen and of sensitive information being accessed. Specifically we examined whether agencies had:
• appropriate policies and procedures
  – defining the use and security of laptops and PSDs
  – in the event of laptops and PSDs being lost or stolen
  – covering sensitive or personal information stored on laptops and PSDs.
• accurate registers detailing agency laptops and PSDs – information about how many assets they had, and who had them
• appropriate guidelines and controls to physically secure equipment inside and outside of the agency
• adequate controls in place to prevent unauthorised access to and removal of any sensitive or personal information stored on the equipment.

We tested a sample of laptops and PSDs in each agency. This involved testing whether they were subject to logical and physical controls to restrict access to authorised users and to maintain the confidentiality of the data stored on them. We also examined the accuracy of asset records for these devices. At the Department of Education and WAP we tested policies generally, but only tested laptops and PSDs at head office. We tested Royal Perth Hospital devices and policies, but included general Department of Health policies, procedures and guidance where relevant. We conducted the audit in accordance with Australian Auditing Standards.

What Did We Find?

Physical controls

We expected the agencies to have clear knowledge of their portable IT assets, particularly laptops. We found that five of the agencies had reasonable registers of laptops, but only one had such knowledge across PSDs.

Two agencies did not have accurate records of laptops

A basic requirement of good asset management is to have a clear understanding of the numbers and age of assets. Without this, agencies are limited in their ability to protect the assets, and to plan for their replacement and maintenance. Computer assets also need to be tracked for other reasons:
• to ensure software updates and patches are in place, and software licences are current
• to recognise and take appropriate action in the event of them being lost or stolen
• to comply with the intent of Treasurer's Instruction 410. This requires that all portable or attractive assets should be appropriately managed, and suggests that such assets should be on a register.

We found appropriate registers of laptops at five agencies, although three of the registers had some inaccuracies. Each of these agencies had conducted stocktakes to test the registers. Neither Royal Perth Hospital (RPH) nor the Department of Commerce (DoC) had accurate records of their laptops. RPH had two lists recording the numbers of laptops. One listed 601 laptops while the other listed 324. Further, RPH had not conducted stocktakes and did not have an ongoing process to update laptop information. As a result, RPH could not provide any assurance on the number of its laptops, where they were, or who had them. DoC also had an inadequate recordkeeping system for its IT equipment including lapto
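The register and stocktake findings above, worked as an added example (my code, not the report's or any agency's): it reconciles a laptop register against what a physical stocktake actually found, flagging devices the stocktake could not locate and devices no register knows about, and then checks each confirmed laptop for the baseline controls the report names. The asset tags, custodians, locations and the 30-day patch threshold are constructed assumptions.

```python
"""Added example (not from the report): reconcile a laptop register against a
physical stocktake and check each laptop for the baseline controls the report
expects. All device records below are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Controls the report's findings treat as fundamental for every laptop.
BASELINE = ("boot_password", "screen_lockout", "local_firewall")
MAX_PATCH_AGE_DAYS = 30  # assumed threshold for "patches up to date"


@dataclass
class Laptop:
    asset_tag: str
    custodian: str
    location: str
    controls: frozenset = frozenset()
    last_patched: Optional[date] = None


def reconcile(register: dict, stocktake: set) -> dict:
    """Compare what the register lists with what the stocktake found."""
    listed = set(register)
    return {
        "unaccounted_for": sorted(listed - stocktake),  # possibly lost/stolen
        "untracked": sorted(stocktake - listed),        # found but unregistered
        "confirmed": sorted(listed & stocktake),
    }


def control_gaps(laptop: Laptop, today: date) -> list:
    """Baseline controls this laptop is missing, including stale patching."""
    gaps = [c for c in BASELINE if c not in laptop.controls]
    if (laptop.last_patched is None
            or (today - laptop.last_patched).days > MAX_PATCH_AGE_DAYS):
        gaps.append("patches")
    return gaps


def audit(register: dict, stocktake: set, today: date) -> dict:
    """Reconciliation plus control gaps for each laptop the stocktake confirmed."""
    result = reconcile(register, stocktake)
    gaps = {tag: control_gaps(register[tag], today) for tag in result["confirmed"]}
    result["gaps"] = {tag: g for tag, g in gaps.items() if g}
    return result


# Constructed sample: three registered laptops; the stocktake cannot find
# LT-0002 and turns up a fourth device (LT-0099) that nobody registered.
TODAY = date(2010, 3, 24)  # the report's tabling date
REGISTER = {
    "LT-0001": Laptop("LT-0001", "a.smith", "Head office",
                      frozenset(BASELINE), date(2010, 3, 10)),
    "LT-0002": Laptop("LT-0002", "b.jones", "Regional office",
                      frozenset({"screen_lockout"}), date(2009, 11, 2)),
    "LT-0003": Laptop("LT-0003", "c.wu", "Head office",
                      frozenset({"boot_password", "local_firewall"}), None),
}
STOCKTAKE = {"LT-0001", "LT-0003", "LT-0099"}

if __name__ == "__main__":
    for key, value in audit(REGISTER, STOCKTAKE, TODAY).items():
        print(f"{key}: {value}")
```

Merging two disagreeing lists into one register before calling audit() is the first step in the RPH case; until a stocktake confirms a tag, it belongs in "unaccounted_for", not in the count of known assets.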