2005 Audit Recommendations - Status Tracking
Document 2
Audit: Internet Usage and Controls (EMC Lead: S. Finnamore / Staff Lead: J. Harris-Campbell)[1]

Columns: Audit Recommendation; Management Response Comments; Action Required Based on DCM Implementation Plan; Management Timelines (Q1-Q4); Comments (risks, issues regarding implementation, etc.); Budget Implications 2007 or Beyond ($$ if known); Related Council Motions; Status Update.
7b That IT Services:
b) identify log events that require "real time" detection and alerting and implement appropriate processes.

Management Response: Management does not completely agree with these recommendations.

Industry best practices do not support full logging on all devices at all times due to the high cost. IT Services implements additional logging and alerting on a selective basis, such as with certain high-risk devices or where there is a concern with a particular device.

As part of the Enterprise Security Review project initiated in Q1 2005, IT Services has contracted a third party security company to perform a detailed review of logging and monitoring processes and systems, including an assessment of the cost impact of these recommendations. The review will be completed in Q1 2006. If additional logging is required, a budget pressure will be identified in the 2007 budget. IT Services has implemented alerting for device failure on all servers and network devices.

IT Services has updated all firewalls to receive a synchronized time from NRC.

Action Required: IT Services does not support full logging on all devices at all times due to high costs. IT Services implements additional logging and alerting on a selective basis.
Timeline: Q1-06
Comments: Addressed in Allstream report.
Budget Implications: None
Related Council Motions: No
Status Update:
Jan 2008 - In-Progress: Workplan under development. Awaiting release of 2008 budget.
Sept 2007 - Network Management System purchased. Implementation planning underway to ensure sound integration with network.

7f f) consider feeding log and monitoring data into a Security Information Management (SIM) tool for automated event analysis and correlation, to better provide a near real-time City security posture.

Management Response: A review of regulatory and City policy requirements for logging data will be completed in Q2 2006, following the detailed review of logging and monitoring processes and systems in Q1 2006. Log data will be retained in accordance with the City's Records Management Policy and By-Law.

The need for additional logging and a Security Information Management (SIM) tool will be assessed in Q2 2006 and, if required, a budget pressure will be identified in the 2007 budget. Additional logging is estimated to cost between $75,000 and $150,000. Purchase and implementation of a SIM is estimated at $150,000, with ongoing operating costs in excess of $200,000 per year. Ongoing FTE (or equivalent) requirements are unknown at this time.

Action Required: The need for additional logging and a SIM tool will be assessed.
Timeline: Q4 2006
Comments: Assessed following delivery of the Allstream logging report. Where additional logging was recommended by Allstream, the planned Network Management System, plus additional network intrusion monitoring, logging and alerting and outbound firewall controls, will be implemented.
Related Council Motions: No
Status Update:
Jan 2008 - In Progress: See 7(b).
Sept 2007 - In Progress: See 7(b).
Based on discussions with the CAWG on March 6, 2007 and subsequent discussions with the Auditor General, ITS has initiated a modified workplan for 2007/08 that achieves the intent of this recommendation within existing approved budgets. The workplan involves a phased implementation that includes system logging on selected devices; investigation and deployment of intrusion detection/protection devices and services; and implementation of a network management system (see 7(b) above).
7h h) enable system logging on all devices.

Management Response: Disagree with recommendation. Industry best practices do not support full logging on all devices at all times due to the high cost.
Timeline: Q1-06
Comments: Allstream recommendations confirmed that logging of all devices would not be cost efficient or provide adequate return on investment.
Budget Implications: None
Related Council Motions: No
Status Update:
Jan 2008 - In-Progress: See 7(b).
Sept 2007 - In-Progress: See 7(b). System logging to be included in deployment of Network Monitoring System.

As a result of discussions at the March 6 meeting of CAWG and subsequent discussions with the Auditor General, the following work plan was deemed acceptable:
To be completed in 2007:
Q3-Q4: Procure a system-logging server to act as the repository for log data.
Q4: Adjust levels of logging on network devices and begin feeding log data to the system-logging server.
To be completed in 2008:
Q1-Q2: Evaluate and procure available log auditing and analysis tools. Both in-house and outsourced solutions will be evaluated.
Q2-Q3: Develop formal log analysis and auditing procedures.
Q4: Implement formal log analysis and auditing procedures.
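The following Python script is an added illustration of the two controls discussed under 7(b) and 7(f) and of what the log repository in the 7(h) work plan would feed; it is not code from the City, Allstream or the audit. It reads constructed RFC 3164-style syslog lines (hostnames, addresses and rule names are hypothetical), applies a small set of per-event rules that mark which events warrant real-time alerting while everything else is retained for scheduled review, and then applies a cross-device correlation rule of the kind a SIM tool would run: one source address failing authentication on several hosts within a short window. The correlation step only works if the devices share a synchronized clock, which is why the firewall time synchronization noted under 7(b) matters to it.

```python
"""Added example: log triage and cross-device correlation over syslog lines.

Constructed sample data and hypothetical rules, not City or vendor code.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# RFC 3164-style syslog lines from a firewall and three servers, constructed
# for this example (hostnames and addresses are hypothetical).
SAMPLE_LOGS = """\
Jan 15 08:00:01 fw-core kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22
Jan 15 08:00:02 srv-web sshd[2001]: Failed password for root from 203.0.113.9 port 51000 ssh2
Jan 15 08:00:05 srv-web sshd[2002]: Failed password for root from 203.0.113.9 port 51001 ssh2
Jan 15 08:00:09 srv-db sshd[3100]: Failed password for admin from 203.0.113.9 port 51002 ssh2
Jan 15 08:00:12 srv-mail sshd[4100]: Failed password for admin from 203.0.113.9 port 51003 ssh2
Jan 15 08:01:00 srv-web sshd[2003]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Jan 15 08:02:00 fw-core kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.11 PROTO=TCP DPT=23
Jan 15 08:05:30 srv-db cron[3200]: (root) CMD (/usr/local/bin/backup.sh)
Jan 15 08:10:00 srv-web sshd[2004]: Failed password for root from 198.51.100.55 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)")

# Hypothetical per-event rules (7b): one matching event is alerted on at once;
# an event matching no rule is retained for scheduled review instead.
REALTIME_RULES = {
    "root_login_failure": lambda ev: ev["proc"] == "sshd" and "Failed password for root" in ev["msg"],
    "fw_drop_telnet": lambda ev: ev["proc"] == "kernel" and "DPT=23" in ev["msg"],
}


def parse_line(line, year=2008):
    """Parse one syslog line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # RFC 3164 timestamps carry no year; one is assumed so events can be ordered.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]}


def parse_logs(text):
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return [e for e in events if e is not None]


def triage(events):
    """Split events into {'alert': [(rule_name, event)], 'review': [event]} (7b)."""
    out = {"alert": [], "review": []}
    for ev in events:
        hits = [name for name, pred in REALTIME_RULES.items() if pred(ev)]
        if hits:
            out["alert"].append((hits[0], ev))
        else:
            out["review"].append(ev)
    return out


def correlate_auth_failures(events, threshold=3, min_hosts=2, window=timedelta(seconds=60)):
    """Cross-device correlation of the kind a SIM performs (7f): one source IP
    failing authentication `threshold` or more times against at least `min_hosts`
    distinct hosts inside a sliding `window`. Assumes synchronized device clocks."""
    by_src = defaultdict(list)
    for ev in events:
        m = FAIL_RE.search(ev["msg"])
        if m:
            by_src[m["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            hosts = {e["host"] for e in win}
            if len(win) >= threshold and len(hosts) >= min_hosts:
                alerts.append({"src": src, "count": len(win), "hosts": sorted(hosts),
                               "first": win[0]["ts"], "last": win[-1]["ts"]})
                break  # report each source once, at the first trigger
    return alerts


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    t = triage(evs)
    print(f"{len(t['alert'])} real-time alerts, {len(t['review'])} events retained for review")
    for a in correlate_auth_failures(evs):
        print("correlated:", a)
```

The thresholds and rule set are placeholders; in the plan above they would be the output of the 2008 "develop formal log analysis and auditing procedures" step, and the per-device logging levels adjusted in Q4 2007 determine whether the raw events reach the repository at all. Note that the firewall's own DROP lines and the servers' sshd lines are only comparable because both carry a common time base.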
 
 
 
 
 
14 That IT Services develop an Encryption Policy to address key aspects of encryption related to the City's operations and requirements.

Management Response: Management agrees with this recommendation.

Encryption technologies are currently used to safeguard specific systems, but these de facto standards are not presently in one reference document. Existing encryption standards will be collected and documented by Q2 2006.

Action Required: Existing encryption standards will be collected and documented and incorporated into the IT Security procedures and standards.
Timeline: Q4 2006
Budget Implications: None currently anticipated. Will be determined after existing procedures and standards are reviewed.
Related Council Motions: No
Status Update:
Jan 2008 - In-Progress: Completion targeted for March 2008.
Sept 2007 - In-Progress: IM/IT Security Standards document in development. Completion targeted for Q1 2008.
May 31, 2007: Standards under development as part of a larger IM/IT Security Standards project. Expected completion is Q4 2007.
Encryption standards are under development and will be included in the IT security procedures and standards (revised completion date Q1 2007).
15 That IT Services identify tools for encryption of sensitive e-mail content.

Management Response: Management disagrees with this recommendation.

The revised Responsible Computing Policy, section 7.1, as approved by City management in September 2005, stipulates that sensitive information is not to be transmitted via the corporate e-mail system.

An enterprise-wide e-mail encryption solution would be for internal use only and would not necessarily be compatible with external partners, as there is no national or international standard for e-mail encryption.

Should an enterprise-wide e-mail encryption solution be required, it is estimated to cost $100,000 and require 2 FTEs (or equivalent) to administer. A budget pressure would be identified for the 2007 budget.

Action Required: Management disagrees with this recommendation. The revised Computing Policy stipulates that sensitive information should not be transmitted via e-mail. An enterprise-wide e-mail encryption solution would be for internal use only and would not be compatible with external partners.
Timeline: Q4 2007-Q1 2008
Comments: Should this be required, it is estimated that it will cost $100,000 and require 2 FTEs to administer.
Budget Implications: None
Related Council Motions: No
Status Update:
Jan 2008 - In-Progress
Sept 2007 - In-Progress: Service evaluation complete. Implementation scheduled for Q1 2008.
May 31, 2007: Service evaluation underway.
March 13, 2007 - The ITS Branch is evaluating a secure file exchange service that can be used with City business partners to exchange sensitive documents. It is anticipated that this service will be available in Q4 2007-Q1 2008.
17a That IT Services:

a) create a program with annual user IT Security policy review with mandatory quarterly/semi-annual IT Security awareness briefings.

Management Response: Management agrees with these recommendations.

A formal IT Security Awareness program already exists. Awareness articles are issued through City Briefs on a monthly basis, Management Bulletins are also issued as necessary, and IT Security awareness briefings occur to address strategic issues or groups. Awareness activities have been part of the annual planning cycle since 2003. Flash e-mail awareness campaigns will continue.

A third party review to measure and assess the current awareness targets and associated delivery strategy was scheduled to begin October 2005 as part of the Corporate IT Security Awareness Program. This review was deferred to 2006 due to a City-wide budget freeze, and will include specific recommendations and a workplan identifying the priority messaging targets.

Action Required: Will be addressed through the Corporate IT Security Awareness program. Conducting an environmental scan to evaluate awareness.
Timeline: Q4-06
Budget Implications: None
Related Council Motions: No
Status Update:
Jan 2008 - In-Progress: Revised intranet content ready to be published in March 2008. Frequency of weekly policy reminder under consideration.
Sept 2007 - In-Progress: IT Security intranet page in development (draft content complete since last update).
May 31, 2007: IT Security intranet web page and content under development.
Environmental scan completed. Implemented mandatory internet "tip of the week" on user login to the internet. Further enhancements to the IT security awareness program will be implemented as part of the revised IT security strategy in 2007.
17c c) improve the effectiveness of the IT Security awareness campaign.

Action Required: A third party will review the effectiveness of the awareness campaigns.
Timeline: Q4-06
Budget Implications: None
Related Council Motions: No
Status Update:
Jan 2008 - In-Progress: Pending go-live of new IT Security intranet content.
Sept 2007 - In-Progress: as above, 17(a).

[1] Nadine Byrne: Main Contact: Dave Johnston