Comhairle nan Eilean Siar Internal Audit Review CYBER SECURITY Audit Perspective Final Report 2017/18- 28 17 November 2017


Comhairle nan Eilean Siar

Internal Audit Review

CYBER SECURITY – Audit Perspective

Final Report – 2017/18- 28

17 November 2017


COMHAIRLE NAN EILEAN SIAR

INTERNAL AUDIT FINAL REPORT

CYBER SECURITY – Audit Perspective 2017/18

17 November 2017

CONTENTS (Page)

SECTION 1 - EXECUTIVE SUMMARY: 1 - 6
SECTION 2 - DETAILED FINDINGS AND RECOMMENDATIONS: 7 - 13
SECTION 3 - ACTION PLAN: 14
APPENDIX A - RESPECTIVE RESPONSIBILITIES OF MANAGEMENT AND INTERNAL AUDIT: 15
APPENDIX B - ISOLATED EXCEPTIONS: 16
APPENDIX C - 10 SECURITY CONTROLS FOR CYBER DEFENCE (NCSC): 17 - 18

Date of Visit: September & October 2017
Draft Report Issued: 23rd October 2017
Management Response Received: 16th November 2017
Final Report Issued: 17th November 2017

Issued to:
Chief Executive - Malcolm Burr
Director - Robert Emmott
IT Manager - Malcolm Nicol
HR Manager - Katherine Mackinnon


SECTION 1: EXECUTIVE SUMMARY

Introduction

1.1 This report has been prepared following an internal audit review of Cyber Security from an IT Audit Perspective as part of the operational annual internal audit plan for 2017/18. The purpose of this report is to provide an overview of the Comhairle's arrangements for managing cyber security in terms of the objectives noted below.

Background information

1.2 Police Scotland recently reported 47%+ of UK crimes as cyber related. These are defined as cyber-enabled crime, the use of the internet as a means to commit the crime, and cyber-dependent crime, where a digital system, infrastructure or ICT device is the target as well as the principal or sole method of attack.

The latest Internet Security Report by WatchGuard for the second quarter of 2017 reports a common theme of login access being a top priority for criminals. Credential theft can take different forms; attack techniques include pass-the-hash, key logging, passing tickets, token impersonation and man-in-the-middle attacks. Malware not detected by older legacy antivirus also increased to 47% during 2017, with malicious JavaScript being used, for example, to deliver malware and create fake phishing sites. Organisations are advised to harden exposed servers, consider multi-factor authentication, train users to identify phishing attacks and implement advanced threat prevention solutions to protect their data.

The government provides a Cyber Essentials scheme designed to help organisations protect themselves against common cyber-attacks. This scheme includes 10 steps for improving protection in cyberspace and mitigation of risk from common internet based threats [1]. These include management of the cyber risk at Board level; secure configuration of systems; network security; managing user privileges; user education and awareness; incident management; malware prevention; system monitoring to confirm acceptable use policies are applied and awareness of any unusual activity; removable media controls; and controls on home and mobile working.

A number of these cyber essential areas overlap with the scope of assurance requirements for the Comhairle's certification to use the UK-wide Government Public Services Network or PSN. For example, security requirements for connection to PSN include controls to ensure the Comhairle's technical security infrastructure meets PSN compliance, with adequate and appropriate procedures in place to protect all Comhairle data. The Comhairle's compliance certificate for PSN connection covers the period 22 December 2016 to 22 December 2017. This certification provides assurance through the PSN annual security IT health-checks and confirms compliance with Code of Connection requirements for accessing the PSN through maintenance of appropriate security policies, including acceptable use and lockdown policies, and monitoring of controls on infrastructure security. Therefore, the scope of this cyber security review will primarily focus on the human resource element, including user education and awareness.

[1] 10 Steps To Cyber Security is at https://www.ncsc.gov.uk/guidance/10-steps-executive-summary

Sources of information for best practice include guidance from Police Scotland, the National Cyber Security Centre or NCSC, the HM Government Cyber Security Essentials scheme, and CIIA and ISACA cyber security and cyber risk information. The Information Commissioner's Office also offers guidance, as the new General Data Protection Regulation (GDPR), coming into force in May 2018, specifically refers to aspects of cyber security in Article 32, Security of personal data.

Internal audit objective

1.3 In accordance with the remit outlined within the operational annual internal audit plan for 2017/18, and further documented within the agreed terms of reference, the internal audit work was designed to obtain assurance on the Comhairle's arrangements for cyber security from an auditor's perspective. The primary objectives in the review are risk awareness and assessment of emerging cyber security threats and vulnerabilities; user training, skills and awareness of cyber threats including advanced persistent threats, data breaches, hoax or phishing emails and ransomware; guidance on social media; use of security controls and encryption; and how to respond to any suspect activity. As users have a critical role to play in their organisation's security, security rules and awareness training to enable users to do their job securely are vital.

In practice, we assessed whether the overall objective was being achieved by:

- Ascertaining the management and risk assessment of cyber threats and security controls
- Identifying user training and awareness of cyber security
- Appraising front line staff processes to confirm cyber security awareness and best practice in place

Reference is made to the Comhairle's policies, including the IT Security Policy and the Code of Practice on the use of internet, email and IT resources within the staff handbook.

Excluded from the cyber review are areas already covered in other audit work, including those covered in the assurances provided by the Comhairle's certification for connection to the Public Services Network or PSN. PSN accreditation includes assessment of controls to expected PSN standards in areas including external network connections; wireless network access controls; patch management; boundary controls/gateways; personnel security and education; access controls; incident management processes; malware protection; removable media; and mobile/home working security controls. In addition, assurances from the Internal Audit Follow-Up Review - Additional Follow-Up of Disaster Recovery Final Report – FU08 – 15/16 are not repeated.


1.4 Areas of good practice

- Regular risk assessment with IT Manager advice to management;
- IT Policies in the staff handbook;
- Staff training to be rolled out;
- Alerts to staff by the IT Service; and
- Public Services Network (PSN) connection certification until 22 December 2017.

1.5 Concluding remarks

This is a high level review and findings are included in the body of this report. We would point out that the most significant issues arising from our review which require management attention are:

- A policy on social media exists; however, the speed of change in this environment means it needs regular review (Para 2.3)
- Specific training for staff on cyber security has still to be rolled out (Para 2.4)

A benefit of the security controls found in this review is that security of personal data is improved, as is recommended by the Information Commissioner's Office or ICO; some aspects of cyber security get specific mention in Article 32 of the General Data Protection Regulation (GDPR), which comes into force in May 2018, including encryption, disaster recovery, testing and on-going monitoring.


1.6 We have graded our detailed findings and recommendations, based on the likelihood of the identified weakness occurring and the impact on the Comhairle if it should occur, using the following criteria:

Grade 1 - "Critical" – High likelihood, High impact (HH)
"The weakness is almost bound to happen or is already happening (likelihood) and could have a significant impact on the Comhairle's services, reputation, control, financial position, statutory, regulatory or constitutional compliance if not contained"

Grade 2 - "Contingent/Insurable Risk" – Low likelihood, High impact (LH)
"The weakness is unlikely to happen, but would have a significant impact on the Comhairle's services, reputation, control, financial position, statutory, regulatory or constitutional compliance if it did occur"

Grade 3 - "Housekeeping" – High likelihood, Low impact (HL)
"The weakness is almost bound to happen or is already happening but is unlikely to have a material impact on the Comhairle's services, reputation, control, financial position, statutory, regulatory or constitutional compliance, and can be contained"

Grade 4 - "Value for Money" – High likelihood, Value for money impact (HV)
"The weakness is almost bound to happen or is already happening but if contained would have a positive impact on economy, efficiency and effectiveness in the use of resources"

Where we have identified isolated exceptions in our sample testing, and we consider that:

- They are unlikely to recur; and
- Would have no significant impact if they should occur,

we have classified them as low likelihood and low impact (LL), discussed them with relevant officers and detailed them in Appendix B to this report.


1.7 Our recommendations can be summarised and prioritised as follows (overall grading shown in brackets):

2.1 (Grade 3) The Director of Finance and Corporate Resources and the IT Manager should assess cyber risk and consider if specific use of the term 'cyber' within IT risk is necessary. This environment is constantly evolving.

2.2 (Grade 3) The Director of Finance and Corporate Resources and the IT Manager should assess cloud risk within IT risk assessments.

2.3 (Grade 2) The Head of HR should regularly review policy and user guidance for risks of social media. Users to be reminded of the latest policy as this is revised for social media responsibilities.

2.4 (Grade 2) The IT Manager should ensure the training is rolled out for Corporate users, with a process for monitoring that all users complete this training. There is also free introductory on-line training available through the Open University - Introduction to cyber security: stay safe online - that could be promoted if considered useful.

2.5 (Grade 3) The Director of Finance and Corporate Resources, Finance & IT Managers to continue to review processes for managing suspect emails and notifying IT Helpdesk.

2.6 (Grade 3) The IT Manager should ensure cyber incident response and communications planning is documented within IT procedures. Where this action overlaps with actions already agreed and followed up in the Internal Audit Report Follow Up Review - Additional Follow Up Disaster Recovery, this can be noted and cross referenced.


1.8 We would like to thank all staff for the co-operation and goodwill we received during the course of our internal audit fieldwork.

For Comhairle nan Eilean Siar Internal Audit
Comhairle nan Eilean Siar
Sandwick Road
Stornoway
Isle of Lewis
HS1 2BW

17th November 2017


SECTION 2 - DETAILED FINDINGS AND RECOMMENDATIONS

Each finding below is set out under the headings of the report's findings table: Findings and implications; Risk ranking (L = likelihood, I = impact); Recommendation; Grade; Management comment.

Control objective 1: Risk awareness and risk assessment of emerging cyber threats and security controls.

2.1 Risk awareness and assessment

Findings and implications: The risk of 'Operational loss of data - FRCSIT01' is reported, which covers potential cyber risk areas; 'cyber' is not specifically included as a risk. Cyber threats continue to evolve. The latest Internet Security Report of the top security threats for 2017 by WatchGuard showed credential theft increasing; attackers are stealing and replacing Windows credentials using malware. Although malware detections increased, the total malware not detected by older legacy antivirus also increased to 47%. Malicious JavaScript is increasingly being used to deliver malware and create fake phishing sites. To protect against the use of malicious JavaScript in email, the report recommends that email security controls block JavaScript attachments. Web servers and clients are also continuing to be targets; therefore security services of web traffic should be a top priority [2].

Risk ranking: Likelihood H, Impact L

Recommendation: The Director of Finance and Corporate Resources and the IT Manager should assess cyber risk and consider if specific use of the term cyber within IT risk is necessary. This environment is constantly evolving.

Grade: 3

Management comment: The Director of Finance & Corporate Resources and IT Manager will review IT risks.

[2] https://www.watchguard.com/wgrd-resource-center/security-report
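As an added illustration of the email control the WatchGuard report recommends in 2.1 (blocking JavaScript attachments at the mail gateway), the following Python check is example code written for this edit, not part of the audit report or of any Comhairle system; the extension list, MIME type list and the sample message are constructed assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed gateway policy: these attachment extensions and MIME types are treated
# as JavaScript. The audit report says only "block JavaScript attachments"; the
# exact lists are this example's assumption, not the Comhairle's configuration.
JS_EXTENSIONS = (".js", ".jse")
JS_MIME_TYPES = {"application/javascript", "application/x-javascript", "text/javascript"}
ARCHIVE_MIME_TYPES = {"application/zip", "application/x-zip-compressed"}


def is_javascript_name(filename):
    """True if the file name ends in one of the JavaScript extensions (case-insensitive)."""
    return (filename or "").lower().endswith(JS_EXTENSIONS)


def find_javascript_attachments(raw_message):
    """Scan an RFC 822 message (bytes) and return (attachment name, reason) pairs for
    every attachment a 'no JavaScript attachments' rule should block.

    Checks the declared file name, the declared MIME type, and the member names of
    zip archives (a common wrapper), without extracting archive contents to disk."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    blocked = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        ctype = part.get_content_type()
        if is_javascript_name(name):
            blocked.append((name, "JavaScript file extension"))
        elif ctype in JS_MIME_TYPES:
            blocked.append((name, "JavaScript MIME type " + ctype))
        elif ctype in ARCHIVE_MIME_TYPES:
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as archive:
                    js_members = [m for m in archive.namelist() if is_javascript_name(m)]
            except zipfile.BadZipFile:
                # An archive that cannot be parsed cannot be inspected, so block it too.
                blocked.append((name, "unreadable archive"))
                continue
            for member in js_members:
                blocked.append((name, "archive contains " + member))
    return blocked


def build_sample_message():
    """Constructed sample mail for the demonstration: a benign PDF, a bare .js file
    and a zip wrapping a .js file. Addresses use the reserved .invalid domain."""
    msg = EmailMessage()
    msg["From"] = "supplier@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # Declared as a generic binary type; only the extension reveals it is JavaScript.
    msg.add_attachment(b"// constructed placeholder", maintype="application",
                       subtype="octet-stream", filename="invoice.js")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice.js", "// constructed placeholder")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in find_javascript_attachments(build_sample_message()):
        print(f"BLOCK {name}: {reason}")
```

The declared MIME type alone is not a reliable signal, as the constructed `invoice.js` part shows: it is sent as application/octet-stream and is caught only by the extension check, which is why a gateway rule should look at name, type and archive contents together.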


2.2 IT Policy, Corporate alignment through IT Service and the cloud

Findings and implications: CNES Policy requires users to include IT Service in advance of using new software/assets on the CNES network. In practice increasing use of the cloud presents new challenges to IT. Key controls recommended by US-CERT to protect against ransomware infection include: application white-listing so only approved programs are run; maintaining up to date antivirus software and scanning downloads from the internet prior to executing; restricting users' ability to install and run unwanted software applications and applying the 'least privilege' principle; avoiding enabling macros from email attachments; patch management of software and operating systems; and employing a data backup and recovery plan for all critical information.

Risk ranking: Likelihood H, Impact L

Recommendation: The Director of Finance and Corporate Resources and the IT Manager should ensure cloud risks are within IT risk assessments.

Grade: 3

Management comment: The review of IT security risks will include cloud computing.


Control objective 2: User awareness, training and skills

2.3 Policy and Social Media

Findings and implications: The Acceptable Use for Social Media Policy in the staff handbook says staff should not include comments on work on social media personal accounts. Police Scotland [PS] guidance on cyber threats includes social media, LinkedIn and online presence of staff as vulnerabilities [3]. PS recommended for cyber-resilience that staff be vigilant about information placed on social media. Criminals can target staff in the organisation with data on social networks, for example to send a hoax email to carry out an attack or introduce malware into the system. Staff are named on the website because of their work; however, the more information posted on the internet and social media sites, the easier it is for anyone to find, including hackers and criminals.

Risk ranking: Likelihood L, Impact H

Recommendation: The Head of HR should regularly review policy and user guidance for risks of social media. Users to be updated on the latest policy version as this is revised for social media responsibilities.

Grade: 2

Management comment: The Policy relating to Social Media will be reviewed as a priority. Employees will be advised of the revised guidelines.

[3] Vulnerabilities listed - Online presence of Company/Staff; LinkedIn; Website; Social Media; Social Engineering; RDP; Weak usernames and passwords; Lack of awareness; Inside threat – Police Scotland presentation to SLACAIG CASG August 2017


2.4 Training

Findings and implications: An online training module has been created and planned for roll out in October 2017 to Corporate users including teachers and Education admin staff, but not pupils; students have their own specialist training processes. Training covers the areas: malicious software, email security, hackers, password security, social networks, physical security, wireless networks, incident management and the Comhairle's policies.

Advice on social engineering risks includes phone calls being made direct to users to 'con' them into volunteering personal information such as passwords. Other risks include divulging information on social networking sites.

The Comhairle training module is a very positive step and will be beneficial for all online users to complete. The IT Manager plans to ensure all new staff complete the training before they are allowed to start working on any council systems or work. In addition, IT Service regularly provides advice to users of risk areas including ransomware and phishing emails.

The NCSC 10 steps to cyber security include user education and awareness [5]. NCSC suggests monitoring the effectiveness and value of security training to users.

Risk ranking: Likelihood L, Impact H

Recommendation: The IT Manager should ensure the training is rolled out for Corporate users, with a process for monitoring that all users complete this training, if possible within this financial year. There is also free introductory on-line training available through the Open University - Introduction to cyber security: stay safe online [4] - that could be promoted if found to be useful.

Grade: 2

Management comment: Training will be rolled out to all system users.

[4] http://www.open.edu/openlearn/science-maths-technology/introduction-cyber-security-stay-safe-online/content-section-overview

[5] https://www.ncsc.gov.uk/guidance/10-steps-user-education-and-awareness


Control objective 3: Front line processes

2.5 Email usage policy and risks of phishing or hoax emails

Findings and implications: There is an email usage policy for staff to apply. An audit sample of users whose work can include receiving email requests to change bank accounts for payments, and who are thus potential targets of phishing and hoax emails, found that different Finance functions manage specific risks in different ways, with processes in place to manage requests. As in 2.1, the risk of malicious JavaScript in email is reported to be increasing during 2017.

Risk ranking: Likelihood H, Impact L

Recommendation: The Director of Finance and Corporate Resources, Finance & IT Managers to continue to review processes for managing suspect emails and notifying IT Helpdesk.

Grade: 3

Management comment: This is incorporated into the training module and specific issues will be addressed as they arise.


2.6 Cyber incident Response Planning

Findings and implications: IT Team have planned processes to manage IT incidents, including cyber incidents, but these are not fully documented.

Risk ranking: Likelihood H, Impact L

Recommendation: The IT Manager should ensure that cyber incident response and communications planning is documented within IT procedures. Where this action overlaps with actions already agreed and followed up in the Internal Audit Report Follow Up Review - Additional Follow Up Disaster Recovery, this can be noted and cross referenced.

Grade: 3

Management comment: The IT Manager will address this in Business Continuity Arrangements and Disaster Recovery Plans.


SECTION 3 - ACTION PLAN

Each action is listed as: Ref. Recommendation; Responsible officer; Date of implementation.

3.1 The Director of Finance and Corporate Resources and the IT Manager should assess cyber risk and consider if specific use of the term cyber within IT risk is necessary. This environment is constantly evolving.
Responsible officer: The Director of Finance and Corporate Resources and the IT Manager
Date of implementation: December 2017

3.2 The Director of Finance and Corporate Resources and the IT Manager should ensure cloud risks are within IT risk assessments.
Responsible officer: The Director of Finance and Corporate Resources and the IT Manager
Date of implementation: December 2017

3.3 The Head of HR should regularly review policy and user guidance for risks of social media. Users to be updated on the latest policy version as this is revised for social media responsibilities.
Responsible officer: The Head of Human Resources
Date of implementation: June 2018

3.4 The IT Manager should ensure the training is rolled out for Corporate users, with a process for monitoring that all users complete this training, if possible within this financial year. There is also free introductory on-line training available through the Open University - Introduction to cyber security: stay safe online - that could be promoted if found to be useful.
Responsible officer: The IT Manager
Date of implementation: December 2017

3.5 The Director of Finance and Corporate Resources and IT Manager to continue to review processes for managing suspect emails and notifying IT Helpdesk.
Responsible officer: The Director of Finance and Corporate Resources and the IT Manager
Date of implementation: December 2017

3.6 The IT Manager should ensure that cyber incident response and communications planning is documented within IT procedures. Where this action overlaps with actions already agreed and followed up in the Internal Audit Report Follow Up Review - Additional Follow Up Disaster Recovery, this can be noted and cross referenced.
Responsible officer: The IT Manager
Date of implementation: March 2018


APPENDIX A: RESPECTIVE RESPONSIBILITIES OF MANAGEMENT AND INTERNAL AUDIT

Responsibility in relation to internal controls

It is the responsibility of the Comhairle's management to maintain adequate and effective financial systems and to arrange for a system of internal controls. Our responsibility as internal auditors is to evaluate the financial systems and associated internal controls. In practice, we cannot examine every financial implication and accounting procedure within an activity, and we cannot substitute for management's responsibility to maintain adequate systems of internal controls over financial systems. We therefore may not identify all weaknesses that exist in this regard.

Responsibilities in relation to fraud and corruption

The prime responsibility for the prevention and detection of fraud and irregularities rests with management. They also have a duty to take reasonable steps to limit the opportunity for corrupt practices. It is our responsibility to review the adequacy of these arrangements, but our work does not remove the possibility that fraud, corruption or irregularity may have occurred and remained undetected.

We nevertheless endeavour to plan our internal audit work so that we have reasonable expectation of detecting material fraud, but our examination should not be relied upon to disclose all such material frauds that may exist.


APPENDIX B: ISOLATED EXCEPTIONS TO EXPECTED PROCEDURES AND CONTROLS

ITEM | ISOLATED EXCEPTION | RESPONSIBLE OFFICER | AGREED Y/N | DATE OF DISCUSSION

(no entries)


APPENDIX C: NCSC CYBER SECURITY CONTROLS

An overall 'defence in depth' approach is recommended by the National Cyber Security Centre or NCSC. The 10 steps for improved protection for organisations in cyber-space are:

1. Management of the cyber risk at Board level

Pro-active management of the cyber risk at Board level is critical for protection of key information assets. Questions to be considered include: Does the Board receive regular intelligence from the Chief Information Officer/Head of Security on who may be targeting our company, their methods and their motivations? Does the Board encourage technical staff to enter into information-sharing exchanges with other companies in our sector and/or across the economy in order to benchmark, learn from others and help identify emerging threats?

2. Secure configuration of systems

Develop a strategy to remove or disable unnecessary functionality from systems, and to quickly fix known vulnerabilities, usually via patching. Failure to do so may result in increased risk of compromise of systems and information and unauthorised changes to systems; attackers may attempt to exploit unpatched systems to gain unauthorised access to system resources and information, and an attacker could also exploit a system that has been poorly configured.

3. Network security

Defining a fixed network boundary is difficult as organisations' networks often span many sites, and the use of mobile/remote working and cloud services makes this area complex. In addition to physical connections, consider where your data is stored and processed, and where an attacker would have the opportunity to interfere with it. Manage the perimeter, with access to ports, protocols and applications, by filtering and inspecting all traffic at the network perimeter to ensure that only traffic which is required to support the business is being exchanged. Control and manage all inbound and outbound network connections and deploy technical controls to scan for malicious content. Protect the internal network by segregating networks as sets; secure wireless access; enable secure administration; configure the exception handling processes; monitor the network with network intrusion detection and prevention tools; and conduct regular penetration tests of the network architecture.

4. Managing user privileges

Users should be provided with a reasonable minimal level of system privileges and rights needed for their role. The granting of highly elevated system privileges should be carefully controlled and managed. Establish effective account management processes; establish policies and standards for user authentication and access control; limit user privileges and the use of higher privileged accounts. Monitor user activity, particularly access to sensitive information and the use of privileged account actions; limit access to the audit system and the system activity logs; all users should be aware of the policy regarding acceptable account usage.

5. User education and awareness

Users have a critical role to play in their organisation's security, so a systematic delivery of awareness programmes and training helps to establish a security-conscious culture. Develop a user security policy. New users, including contractors and third party users, should be made aware of their personal responsibility to comply with the corporate security policies. Regular refresher training on the security risks to the organisation will keep users up to date. Staff in security roles should be encouraged to develop their skills. Test the effectiveness and value of the security training provided. Promote an incident reporting culture and establish a formal disciplinary process.


6. Incident management

Establishing effective incident management policies and processes will help to improve resilience, support business continuity, improve customer and stakeholder confidence and reduce the impact of an incident. Establish an incident response capability; provide specialist training; define the required roles and responsibilities; establish a data recovery capability; test the incident management plans; decide in advance what information will be shared and with whom. Collect and analyse post-incident evidence and complete a lessons learned review.

7. Malware prevention

Malicious software, or malware, includes code or content that could have a malicious or undesirable impact on systems. Any exchange of information carries some risk that malware is exchanged with it. The risk can be managed by developing and implementing anti-malware policies; scanning all data for malicious content at the network perimeter; blacklisting malicious web sites; equipping stand-alone workstations with appropriate anti-virus products; and establishing malware defences with end user device protection. Users should understand the risks from malware and the day-to-day processes they can follow to help prevent a malware infection from occurring.

8. Monitoring to confirm acceptable use policies are applied

System monitoring provides a capability that aims to detect actual or attempted attacks on systems and business services. Good monitoring is essential in order to respond effectively to attacks. In addition, monitoring allows you to confirm that systems are being used appropriately and in accordance with organisational policies. Monitoring is often a key capability needed to comply with legal or regulatory requirements. Develop and implement a monitoring strategy based on business need and an assessment of risk. Ensure that all networks, systems and services are included in the monitoring strategy. This may include the use of network, host based and wireless Intrusion Detection Systems (IDS). Monitor inbound and outbound network traffic. Monitor user activity. Establish a centralised collection and analysis capability. Provide resilient and synchronised timing, since events from different systems can only be correlated if their clocks agree. Align the monitoring capability with the incident management policies.
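Sections 4 and 8 both call for monitoring privileged account use and for centralised collection with synchronised timing. The following is an added example for this appendix, not code from the audit report or from NCSC guidance, showing why those two requirements belong together: it normalises constructed syslog-style records from several hosts to UTC, flags privileged account activity, and correlates failed logons across hosts. Host names, the log lines, the privileged-account list and the thresholds are assumptions invented for illustration.

```python
"""Centralised analysis of constructed syslog-style records from several
hosts: normalise timestamps, flag privileged account use, and correlate
failed logons across hosts.

Added example for this appendix; it is not part of the audit report or of
NCSC guidance. Host names, log lines, the privileged-account list and the
thresholds are assumptions invented for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+): (?P<msg>.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
SUDO = re.compile(r"^(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")

PRIVILEGED_USERS = {"root", "administrator"}            # assumed
FAIL_THRESHOLD, FAIL_WINDOW = 4, timedelta(seconds=60)  # assumed

# Constructed records. fs01 and web01 stamp events in local time (+01:00);
# db01 stamps them in UTC. Each host on its own sees too few failures to
# cross the threshold (fs01 has three, db01 one).
LOG = """\
2017-10-03T08:59:10+01:00 fs01 sshd: Failed password for alice from 10.10.4.21 port 51022 ssh2
2017-10-03T08:59:12+01:00 fs01 sshd: Failed password for alice from 10.10.4.21 port 51023 ssh2
2017-10-03T07:59:14+00:00 db01 sshd: Failed password for alice from 10.10.4.21 port 51024 ssh2
2017-10-03T08:59:16+01:00 fs01 sshd: Failed password for alice from 10.10.4.21 port 51025 ssh2
2017-10-03T07:59:18+00:00 db01 sshd: Accepted password for alice from 10.10.4.21 port 51026 ssh2
2017-10-03T09:05:00+01:00 fs01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/bin/cat /etc/shadow
2017-10-03T09:30:00+01:00 web01 sshd: Accepted publickey for root from 203.0.113.9 port 40110 ssh2
"""


def parse(line):
    """Parse one record. Timestamps are normalised to UTC on collection so
    that events from different hosts can be ordered and correlated."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"]).astimezone(timezone.utc)
    return ev


def analyse(lines=None):
    """Return alerts as (rule, user, sorted_hosts) tuples in time order."""
    lines = LOG.splitlines() if lines is None else lines
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    alerts = []
    failures = defaultdict(list)  # user -> [(utc time, host)]

    def recent(user, now):
        return [(t, h) for t, h in failures[user] if now - t <= FAIL_WINDOW]

    for e in events:
        if e["prog"] == "sshd":
            m = FAILED.search(e["msg"])
            if m:
                failures[m["user"]].append((e["ts"], e["host"]))
                window = recent(m["user"], e["ts"])
                if len(window) == FAIL_THRESHOLD:  # fire once, when crossed
                    alerts.append(("auth_burst", m["user"], sorted({h for _, h in window})))
                continue
            m = ACCEPTED.search(e["msg"])
            if m:
                # A success shortly after a burst is the case that matters most.
                if len(recent(m["user"], e["ts"])) >= FAIL_THRESHOLD:
                    alerts.append(("success_after_burst", m["user"], [e["host"]]))
                if m["user"].lower() in PRIVILEGED_USERS:
                    alerts.append(("privileged_logon", m["user"], [e["host"]]))
        elif e["prog"] == "sudo":
            m = SUDO.match(e["msg"])
            if m:
                alerts.append(("privileged_command", m["user"], [e["host"]]))
    return alerts


if __name__ == "__main__":
    for rule, user, hosts in analyse():
        print(rule, user, ",".join(hosts))
```

Over the constructed records this raises four alerts: a four-failure burst against alice spanning db01 and fs01, a successful logon by alice on db01 inside the same window, a sudo command by alice on fs01, and a direct root logon on web01. Neither host would have raised the burst alone, and without converting the two hosts' differing clock offsets to a common time base the events would not even sort into the same window; that is the practical content of "centralised collection" and "resilient and synchronised timing".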

9. Removable media controls

Removable media provide a common route for the introduction of malware and the accidental or deliberate export of sensitive data, so policies should be applied to control the use of removable media. Limit the use of removable media to business need; scan all media for malware. Formally issue media to users and encrypt information held on media. Actively manage the re-use and disposal of removable media. Educate users and maintain awareness of the removable media security policy.

10. Controls on home and mobile working

Establish risk-based policies and procedures that support mobile working or remote access to systems, applicable to users as well as to service providers. Assess the risks and create a mobile working policy; educate users and maintain awareness. Apply a secure baseline build and configuration to all types of mobile device used by the organisation. Protect data at rest and encrypt it where possible. Protect data in transit. Review the corporate incident management plans and ensure they have sufficient flexibility to deal with security incidents involving mobile and remote working.