XXX Division

Information Systems Review

Cover Memo

This report presents the results of Audit Services' review of the XXX Division's information systems, which was conducted as part of the recent audit of the division.

We found a number of conditions that expose the XXX Division's information systems to events that could threaten or compromise system operations, the integrity of information resources, and computing hardware.

The report includes, for your consideration, recommendations directed toward strengthening the systems security and control environment. Your response to the recommendations is attached to the report.


Background and Audit Scope

As a part of our audit of the XXX Division (Audit Report #XXXA), we conducted a limited review of the division's information systems. The scope of the review included a walk-through of existing systems, a review of related documents and interviews with the division's computer network technologist.

The major assets of computing systems are hardware, software, and data. There are four kinds of threats to the security of a computing system:

  1. Interruption: An asset becomes lost, unavailable, or unusable (e.g., malicious destruction of hardware, erasure of a program or data files, or a malfunction of an operating system's file manager so that it cannot find a particular disk file or resource).
  2. Interception: A means used by an unauthorized party (a person or a program) to gain access to an asset (e.g., unauthorized copying of program or data files, or wiretapping to obtain data in a network).
  3. Modification: A means used by an unauthorized party to access and tamper with an asset (e.g., change the values in a database, alter a program so that it performs inappropriate activities, alter data being transmitted electronically, or alter hardware so that it behaves erratically).
  4. Fabrication: A means used by an unauthorized party to fabricate or counterfeit objects on a computing system (e.g., an intruder inserts spurious transactions into a network communication system, or improperly adds records to an existing database).

These threats exploit the vulnerabilities of the assets in computing systems. Our review indicated that the hardware, software and data resources at the XXX Division were vulnerable to such threats for reasons detailed in the following section of this report.



We found a number of conditions that expose the XXX Division's information systems to events that could threaten or compromise system operations, the integrity of information resources, and computing hardware. These conditions, and recommendations directed toward developing appropriate solutions, are detailed in the following section of this report.


Computing Hardware


Network Servers

Computers used as network servers were situated in an open, unlocked area a few feet away from an exit door. Lock-down devices were not in place to secure the servers from theft. Temperature in the area was not regulated. These conditions expose the network hardware to threats of interception, modification and fabrication.

Additionally, not all divisional computers were equipped with protection from potential damage and interruption of service due to power surges.



We recommend that physical access controls be provided over computer equipment by 1) locating network servers in an enclosed, secure room with a well-regulated temperature, 2) using lock-down devices to protect hardware from theft, and 3) using surge suppressors to protect equipment from service interruptions and damage.



Network Cables

Network cables were unorganized and not well protected from accidental or intentional interference. The cables in the network area were loose and exposed. These cables could be easily unplugged or severed, resulting in unavailable network services. The integrity of the network cabling had not been formally tested or analyzed. We could not independently determine whether the cables currently used in the office were susceptible to static interference due to the limited time spent on the premises.



We recommend that network cabling throughout the office be properly organized, labeled, and protected from accidental or intentional interference. We also recommend that the integrity of the cabling be tested and the results documented.





Network Operating System

The XXX Division has three different network operating systems: 1) Linux-UNIX (used for Intranet and e-mail activities), 2) Novell NetWare (used for various PC applications), and 3) Windows NT (housing the division's Internet web server). A lack of adequate audit and control facilities in these operating systems makes it difficult to trace the causes of system breakdowns and break-ins, which the current systems administrator stated have occurred. Thus, existing network vulnerabilities could be exploited, rendering the entire network's resources unavailable for a period of time.

Using multiple network operating systems in a division introduces chaos, complexity and operating inefficiencies in a network management environment. For instance, Linux is an operating system with many known security holes. It requires a knowledgeable UNIX system administrator to patch security holes in order to adequately protect system resources from unauthorized access or sabotage. Novell and Windows NT require different system administration expertise. Network management should be efficient, simple and appropriate in order to provide effective network controls.



We recommend that network management activities be simplified by using one network operating system, such as the Windows NT server (version 4.0) which comes with adequate audit and control features (e.g., intrusion detection and access logs analysis capabilities). We also recommend that the server memory capacity be increased to improve network performance and fault tolerance. These measures would help improve network security and save operating costs through increased efficiency.



E-mail System

The Post Office Protocol (POP) server currently residing on the Linux operating system provides e-mail services to the XXX Division. E-mail accounts were being established for employees without written requests and authorization. A current list of active e-mail accounts was not readily available. Also, effective procedures for terminating the accounts of former divisional employees were not in place. Thus, there is no assurance that e-mail resources are being used by authorized employees only.



We recommend that controls over the XXX Division e-mail system be strengthened by 1) requiring written management approval of new accounts, 2) maintaining up-to-date documentation of authorized users, and 3) implementing procedures to remove users at the time of employment separation. We also recommend that a list of all currently established e-mail accounts be prepared and provided to management for review and approval.
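One way to produce the account list and the exception report this recommendation calls for, as an added example that is not part of the audit report or the division's own procedures: it assumes the Linux POP server authenticates against ordinary system accounts, so /etc/passwd is the e-mail account inventory, and that management keeps a register of approved logins with the approving manager and any separation date (both inputs below are constructed samples).

```python
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample of /etc/passwd lines: system accounts plus a few users.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
jsmith:x:1001:1001:Jane Smith:/home/jsmith:/bin/bash
rlee:x:1002:1002:Robert Lee:/home/rlee:/bin/bash
tempuser:x:1003:1003::/home/tempuser:/bin/bash
mchen:x:1004:1004:Mei Chen:/home/mchen:/bin/bash
"""

# Constructed (hypothetical) authorization register kept by management:
# login -> (approving manager, separation date or None while still employed).
AUTHORIZED: Dict[str, Tuple[str, Optional[date]]] = {
    "jsmith": ("manager A", None),
    "rlee": ("manager A", date(1999, 3, 31)),  # left, account never removed
    "mchen": ("manager B", None),
}

UNAUTHORIZED = "no written authorization on file"
SEPARATED = "employee separated, account not removed"

def parse_passwd(text: str, min_uid: int = 1000) -> List[str]:
    """Return logins of regular (non-system) accounts, i.e. UID >= min_uid."""
    logins = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[2].isdigit() and int(f[2]) >= min_uid:
            logins.append(f[0])
    return logins

def reconcile(logins: List[str], register: Dict[str, Tuple[str, Optional[date]]],
              today: date) -> List[Tuple[str, str]]:
    """Return (login, reason) for every account that should not be active on `today`."""
    findings = []
    for login in logins:
        if login not in register:
            findings.append((login, UNAUTHORIZED))
            continue
        _approver, separated = register[login]
        if separated is not None and separated <= today:
            findings.append((login, SEPARATED))
    return findings

def account_list(logins: List[str], register) -> List[str]:
    """Inventory for management review: every account with its approval status."""
    return [f"{login}: approved by {register[login][0]}" if login in register
            else f"{login}: UNAPPROVED" for login in logins]
```

Run `reconcile` against the live password file on each review date and treat a non-empty result as an exception to be cleared before the account list is signed off.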



Software Inventory and Licensing

A current software inventory was not being maintained. Without such documentation, we were unable to determine whether the division is in compliance with licensing agreements. Violation of software copyright agreements may expose the XXXX to legal action by software licensers.



We recommend that the division maintain a current inventory of authorized software and that the operating management establish the policy that only authorized software be installed on the division's computers.



Year 2000 Compliance

The XXX Division had not reviewed its software systems to determine if they are vulnerable to Year 2000 problems. If the software is not Year 2000 compliant, the system may not function properly or at all as of January 1, 2000.



We recommend that the XXX Division give high priority to assessing the vulnerability of its mission critical software to Year 2000 problems and to developing an action plan to upgrade or replace systems as necessary to ensure continuity of operations in the Year 2000.



Application Development and Maintenance Efforts

Records of computer applications developed by divisional employees were not complete and accurate. Application development efforts were not being closely monitored. Also, appropriate controls had not been established to protect application programs from unauthorized modification.



We recommend that controls be established to ensure productive development of computer applications and to ensure that all program changes are properly authorized and documented.



Systems Administration Accountability

Control procedures had not been established to ensure proper accountability for systems administration activities. Systems administration policies and guidelines had not been developed. The informal process for granting superuser access privileges to the three operating systems was not sufficiently restrictive.

Individuals with superuser access privileges were not taking prudent steps to safeguard network resources from unauthorized access. For instance, we noted that the administrator's access to the Linux operating system was not properly closed when the system was left unattended. This would allow an intruder to locally or remotely access network resources, resulting in tampering with or damaging network resources, improper disclosure of confidential information, or interruption of network services.

System problems could be attributable to negligent activities or uncontrolled "experiments" conducted by a systems administrator.



We recommend that control procedures be established to ensure accountability for systems administration activities. This includes 1) implementing a formal and restrictive process for granting superuser access privileges, 2) developing effective systems administration policy and guidelines, and 3) maintaining an adequate audit trail of systems administration activities.


Data / Information Resources


Back-up Procedures

Back-up copies of critical files were not being stored in a secure, fire-protected area. Also, the integrity of back-up media had not been tested. These conditions could compromise recovery efforts in the event of a destructive occurrence.



We recommend that back-up copies of critical computer files be stored in a secure area remote from the production sources of computer files. To improve the reliability of back-up procedures, we also recommend that the integrity of back-up files be tested periodically.
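A periodic back-up integrity test of the kind recommended above, as an added example that is not the division's procedure: a SHA-256 manifest is taken when the back-up is made and stored with the set, and the stored copy (or a test restore) is later checked against it. The files and the damage to the copy are constructed in a temporary directory so the scenario runs offline.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def build_manifest(root: Path) -> Dict[str, str]:
    """SHA-256 of every file under `root`, keyed by path relative to `root`.
    Produced at back-up time and kept with the back-up set (and off site)."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_backup(manifest: Dict[str, str], backup_root: Path) -> List[str]:
    """Compare a back-up copy (or a test restore) against its manifest.
    Returns one line per problem; an empty list means the set verified."""
    problems = []
    for rel, digest in manifest.items():
        copy = backup_root / rel
        if not copy.is_file():
            problems.append(f"missing: {rel}")
        elif hashlib.sha256(copy.read_bytes()).hexdigest() != digest:
            problems.append(f"corrupt: {rel}")
    return problems


def demo_periodic_test() -> List[str]:
    """Constructed scenario: back up two files, then damage the copy the way
    failing media would (one file absent, one silently altered)."""
    with tempfile.TemporaryDirectory() as tmp:
        prod, backup = Path(tmp) / "prod", Path(tmp) / "backup"
        (prod / "db").mkdir(parents=True)
        (prod / "db" / "customers.dat").write_bytes(b"cust-001,Acme,1999-05-01\n")
        (prod / "ledger.dat").write_bytes(b"1999-05-01,GL-100,250.00\n")
        manifest = build_manifest(prod)                  # taken when the back-up is made
        shutil.copytree(prod, backup)                    # the back-up copy itself
        (backup / "db" / "customers.dat").unlink()       # lost on the medium
        (backup / "ledger.dat").write_bytes(b"garbage")  # bit rot or tampering
        return verify_backup(manifest, backup)
```

The test result (problem list, date, media identifier) is the record to keep for the periodic testing the recommendation asks for.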



Database Security

Access to the various database files used by the XXX Division to maintain its financial and customer records was not password protected. The main database program did not provide adequate security features to protect these files from unauthorized access, modification, and fabrication. Also, adequate database dictionary or system documentation was not being maintained to better manage the files.



We recommend that the current database files be moved to a more secure relational database management system (DBMS). We also recommend that adequate database documentation be maintained to facilitate effective file management.



Disaster Recovery Plan

A documented disaster recovery or business continuity plan had not been developed and tested. Such a plan is essential for effective and efficient recovery of computing resources in the event of a destructive occurrence.



We recommend that a detailed disaster recovery plan be developed and tested at least annually. We also recommend that periodic test results be used to update the plan and improve its overall effectiveness.


Overall Security Implications

Information systems security consists of four characteristics:

We believe that the recommendations included in this report would assist operating management in achieving these security objectives. Implementing proactive security measures is generally less expensive than the costs of implementing corrective actions (e.g., labor, recovery efforts, and system downtime).