Information And Communications Technology Controls Guide


Foreword

This guide has been developed to assist organisations with identifying areas for improvement regarding their information and communications technology (ICT) controls. It draws on the work undertaken in ICT controls-based audits across the Victorian public sector. It is designed to promote more robust practices and to enhance the ICT control environments at public sector organisations. ICT controls should form part of each organisation's broader security considerations, which should address both internal and external threats and risks. This guide does not replace the standards and guidelines which Victorian public sector organisations must comply with, but rather it complements them.

Public sector organisations are encouraged to assess their ICT control environments against this better practice guide, and use the results to improve their practices.

Dr Peter Frost
Acting Auditor-General
February 2016

The importance of ICT controls

ICT systems

Public sector organisations increasingly use complex and interconnected ICT systems to deliver services to Victorians, and therefore it is vital that they have effective and appropriate controls in place. A conceptual example is illustrated below.

An ICT system is a collection of computer hardware and programs that work together to support business and operational processes. ICT systems are primarily made up of three core components:

- Operating system—core programs that run on the ICT hardware that enable other programs to work. Examples of operating systems include Microsoft Windows, Unix and IBM OS/400.
- Databases—programs that organise and store data. Examples of database software include Oracle database and Microsoft SQL Server.
- Applications—programs that deliver business and operational requirements. Examples of applications include Oracle E-business suite, SAP and TechnologyOne.

These components are typically supported by an organisation's network infrastructure.

ICT controls

ICT controls are policies, procedures and activities put in place by an organisation to ensure the confidentiality, integrity and availability of its ICT systems and data.

ICT controls include the establishment and adherence to appropriate structures for managing:

- organisational governance
- system security
- ICT operations and architecture
- change and release
- system development and implementation
- backup and recovery.

Information and Communications Technology Controls Guide
Published by the Victorian Auditor-General's Office, Level 24, 35 Collins Street, Melbourne.
www.audit.vic.gov.au
ISBN 978 1 925226 49 2
February 2016

ICT controls checklist

Each checklist section lists the industry / recommended practice [control]. For every control the organisation records whether the practice is met (Yes / Partially / No), together with an action plan and a target date where the practice is not fully met.

Organisational governance

The organisation is aware of its current and upcoming ICT compliance obligations, where applicable (e.g. Victorian Protective Data Security Standards, Australian Government Information Security Manual (ISM), ISO/IEC 27001 Information security management, Payment Card Industry Data Security Standard (PCI-DSS) etc.).

The organisation has appropriate and detailed strategies, policies, procedures and standards in place that:
- provide guidance on the management of its ICT operations and processes
- adhere to compliance requirements and/or include robust standards.

The organisation's strategies, policies, procedures and standards include, but are not limited to, coverage over:
- ICT security management
- user access management
- patch management
- change and release management
- network operations, auditing and monitoring management
- backup and disaster recovery management.

The organisation's strategies, policies, procedures and standards are:
- approved by senior management
- reviewed periodically to ensure they remain current and applicable.

The organisation has current contracts in place with its ICT vendors and service providers.

Organisational governance – continued

All ICT risks to the organisation and/or instances of noncompliance with its policy requirements are rated and included in a risk register. Also:
- action plans and owners are assigned to each risk
- the risk register is reviewed periodically.

An ICT Steering Committee (or equivalent) convenes periodically to oversee the organisation's strategic initiatives, operations, and the ongoing management and mitigation of its risks. This group is also an escalation point as part of the organisation's incident management process.

System security

ICT systems refer to any technical utilities that host, maintain and/or transmit data. These include, but are not limited to, applications, databases, operating systems, networks and hardware.

Password and account lockout settings for access to ICT systems are implemented in accordance with the organisation's policies and compliance requirements (where applicable). These requirements are enforceable over all accounts.

Access to ICT systems and data is appropriately restricted. In particular:
- privileged access is limited to only user, system and service accounts requiring this access in line with their current roles
- system and service accounts are configured to be non-interactive (i.e. these accounts cannot be used to log in to the system).

User onboarding—access to the system is configured in line with the user's current role, and authorised by appropriate management prior to it being provided to the user.

System security – continued

User offboarding—access to the system is removed at the point at which the user no longer requires access, or terminates their employment with the organisation.

Formal user access reviews for the system are conducted periodically, and signed off by an appropriate management representative.

Active user IDs and system accounts are uniquely identifiable and can be attributed to an appropriate user, system or service.

When a shared account is used, accountability over the use of it can be effectively attributed to a specific user.

Audit logs for privileged account activities, sensitive operations and processes are maintained and appropriately restricted.

Audit logs for privileged account activities, sensitive operations and processes are periodically reviewed, particularly to detect anomalous activity.

Patches and firmware are applied to ensure that the ICT system is appropriately maintained in line with organisational requirements and the vendor's recommendations.

ICT operations and architecture

The organisation is subject to periodic internal and external facing penetration tests, compliance assessments, and ICT security audits. The results of these initiatives are included in the risk register.

The organisation's network is appropriately segmented both internally and from external traffic (e.g. through the implementation of firewall-type technologies, demilitarised zones).
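The system security controls above (non-interactive service accounts, timely offboarding, and periodic review of privileged-activity audit logs for anomalies) can be partly automated. The following is an added example, not code from the VAGO guide or from any audited organisation. It assumes a hypothetical audit-log format (timestamp, account, event, host, detail) and constructed reference data (a set of service accounts, an offboarding register and business hours); any real review would substitute the organisation's own log source and identity records.

```python
import re
from collections import Counter
from datetime import date, datetime, time
from typing import Dict, List

# Constructed sample audit log in a hypothetical format:
# <ISO timestamp> <account> <event> <host> <detail>. Not from any real system.
SAMPLE_LOG = """\
2016-02-01T09:12:03 admin.jsmith sudo_exec ws-114 cmd=/usr/bin/systemctl restart nginx
2016-02-01T02:47:55 admin.jsmith sudo_exec ws-114 cmd=/bin/tar czf /tmp/export.tgz /srv/data
2016-02-01T10:05:17 svc-backup login_interactive ws-207 tty=pts/3
2016-02-01T10:06:40 svc-backup cron_exec bk-01 cmd=/opt/backup/run.sh
2016-02-02T14:22:09 admin.tlee sudo_exec ws-118 cmd=/usr/sbin/useradd contractor9
2016-02-02T16:30:00 admin.tlee login_interactive ws-118 tty=pts/1
"""

# Constructed reference data the review needs (assumptions for this example):
# accounts that must never log in interactively, users whose access should
# have been removed from a given date, and the organisation's business hours.
SERVICE_ACCOUNTS = {"svc-backup", "svc-sql"}
OFFBOARDED = {"admin.tlee": date(2016, 2, 1)}
BUSINESS_HOURS = (time(7, 0), time(19, 0))
PRIVILEGED_EVENTS = {"sudo_exec"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_line(line: str) -> Dict[str, object]:
    """Split one audit line into its fields; reject lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    ts, account, event, host, detail = m.groups()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "event": event, "host": host, "detail": detail}


def review(log_text: str) -> List[Dict[str, str]]:
    """Apply three review rules to each line and return the findings.

    1. service_account_interactive: a service account logged in interactively.
    2. offboarded_account_active: any activity by an account after its
       offboarding date (access was not removed in time).
    3. privileged_out_of_hours: a privileged operation outside business hours.
    """
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        ts, account, event = rec["ts"], rec["account"], rec["event"]
        base = {"account": account, "ts": ts.isoformat(), "host": rec["host"]}
        if account in SERVICE_ACCOUNTS and event == "login_interactive":
            findings.append({"rule": "service_account_interactive", **base})
        if account in OFFBOARDED and ts.date() >= OFFBOARDED[account]:
            findings.append({"rule": "offboarded_account_active", **base})
        in_hours = BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]
        if event in PRIVILEGED_EVENTS and not in_hours:
            findings.append({"rule": "privileged_out_of_hours", **base})
    return findings


def summarise(findings: List[Dict[str, str]]) -> Counter:
    """Count findings per rule, which is what a periodic review would report."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    results = review(SAMPLE_LOG)
    for f in results:
        print(f)
    print(dict(summarise(results)))
```

The point of the offboarding rule is that a single stale identity record produces a finding on every later line, so reviewers see the size of the exposure, not just that it exists; the out-of-hours rule is a cheap anomaly filter that narrows the privileged activity a human actually reads.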

ICT operations and architecture – continued

Organisation-wide network monitoring, analysis, management and security solutions are in place, appropriately configured and maintained, and actively monitored. These include:
- systems operations management utilities
- intrusion detection and prevention systems (IDPS)
- anti-virus and malware solutions—installed on all systems
- mail and web threat protection solutions
- data loss prevention (DLP) solution.

Business and system data is protected in transit and at rest by robust encryption technologies (e.g. web application-based traffic, database and network repository content).

Insecure, unused, and non-required system services and ports are disabled throughout the environment (e.g. Telnet and File Transfer Protocol).

Key interfaces are monitored to ensure the completeness and integrity of data.

Access to view and modify interfaces and batch job schedules is restricted to authorised personnel. This access is periodically reviewed.

Changes to interfaces and batch job schedules are subject to the change management process.

End-user computers have 'locked-down' builds, which restrict users from performing privileged operations within the environment. Similarly, users are not assigned local administrator access to their workstations.

The data centre (server room) is appropriately equipped, managed, monitored and secured. Access to this environment is restricted only to personnel who require it, and is reviewed periodically.
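The control that insecure, unused and non-required services and ports are disabled (the guide's Telnet and FTP examples) is one an auditor can test from a host's listening sockets. The following is an added example, not code from the VAGO guide. It parses constructed output in the layout of `ss -tlnp` (the lines shown are made up for a hypothetical host), flags listeners on a deny list of clear-text protocols, and separately flags any non-loopback listener that is not on an approved list. The deny list and approved list are assumptions for the example; an organisation would take them from its own standards.

```python
import re
from typing import Dict, List

# Constructed output in the layout of `ss -tlnp` for a hypothetical host;
# not captured from any real system.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      5      0.0.0.0:23          0.0.0.0:*         users:(("inetd",pid=640,fd=5))
LISTEN 0      32     0.0.0.0:21          0.0.0.0:*         users:(("vsftpd",pid=901,fd=3))
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=1200,fd=6))
LISTEN 0      128    [::]:443            [::]:*            users:(("nginx",pid=1300,fd=6))
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*         users:(("java",pid=1450,fd=21))
"""

# Deny list (assumption): protocols that carry credentials in clear text.
INSECURE_PORTS = {21: "ftp", 23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh"}
# Allow list (assumption): services this host is approved to expose.
APPROVED_PORTS = {22: "ssh", 443: "https"}
LOOPBACK = {"127.0.0.1", "::1"}

ROW_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)


def parse_listeners(text: str) -> List[Dict[str, object]]:
    """Extract (address, port, process, pid) from each LISTEN row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:          # header line or a row we do not recognise
            continue
        local, proc, pid = m.groups()
        addr, port = local.rsplit(":", 1)   # handles "[::]:443" as well
        rows.append({"addr": addr.strip("[]"), "port": int(port),
                     "process": proc, "pid": int(pid)})
    return rows


def audit_listeners(text: str) -> List[Dict[str, object]]:
    """Return one finding per listener that breaches the deny or allow list.

    A deny-listed port is a finding wherever it is bound, because the
    service itself should be disabled. Other ports are only a finding when
    they are reachable beyond loopback and not approved.
    """
    findings = []
    for r in parse_listeners(text):
        if r["port"] in INSECURE_PORTS:
            findings.append({**r, "finding": "insecure_service",
                             "service": INSECURE_PORTS[r["port"]]})
        elif r["port"] not in APPROVED_PORTS and r["addr"] not in LOOPBACK:
            findings.append({**r, "finding": "unapproved_exposure"})
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SS_OUTPUT):
        print(f"{f['finding']:20} port={f['port']:<5} {f['process']} (pid {f['pid']})")
```

The loopback-only PostgreSQL listener produces no finding because it is not exposed to the network, whereas the Java process on 8080 is reported so that someone confirms it is required and records it in the approved list or disables it.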

Change and release

All changes to the organisation's systems (including emergency and patch-related changes) are performed in accordance with its policies and compliance requirements. These requirements are enforceable over all systems.

A centralised change management repository is in place, where all changes to the organisation's systems are logged.

Production systems are appropriately segregated from non-production systems (e.g. development and test).

Access to modify the production systems is restricted only to personnel who support it as part of their current role. In particular, personnel who develop proposed solutions do not have access to the production systems.

Changes to systems are appropriately approved prior to any development activities being initiated.

All proposed solutions are subject to formal and robust acceptance testing, prior to being implemented into production. These include unit, system, and user acceptance testing.

Only appropriately approved changes are implemented into the production environment. Formal post-implementation testing is undertaken to confirm that the changes introduced into production appropriately satisfied the business requirements, and also did not negatively impact current system functionality and performance.

A configuration management database (CMDB) has been established.

All modifications to configuration items are attributed to an appropriately authorised change request.

System development and implementation

The list below is high level only. Refer to VAGO's 'Investing Smarter in Public Sector ICT better practice guide' for further detail.

Business requirements are defined for all new system developments and implementations. Requirements are reviewed and approved by the appropriate management.

System technical requirements are defined for all new system developments and implementations. Requirements are reviewed and approved by the appropriate management.

Data conversion mapping and testing is performed for new program developments and implementations to ensure all data is converted completely and accurately.

New systems and major enhancements are approved prior to being migrated into production.

Appropriate test planning and test execution is performed for all new program developments. Implementations are completed by the appropriate personnel and occur subsequent to appropriate acceptance testing.

System issues are identified, reviewed by management and resolved in a timely manner.

Backup and recovery

The organisation's backup and recovery operations over all of its systems are performed in accordance with its policies and compliance requirements. This guidance is formally documented and details backup scope, schedules, frequency, retention and testing requirements.

The success of data backups is monitored. Appropriate personnel are alerted in all instances of incomplete or failed backups, and such events are subject to the organisation's incident and escalation management process.

The ability to effectively recover organisational data from backups is periodically tested.

An ICT disaster recovery plan is in place for all organisational systems and aligns with the organisation's business continuity planning arrangements. The prioritisation of ICT systems is based on a business impact assessment.

ICT disaster recovery plans and strategies for all systems are tested periodically. Remediation actions identified by testing initiatives are tracked and monitored.

Further references and resources

Further guidance on ICT controls and practices is available through resources such as those below:
- Victorian Protective Data Security Standards – www.cpdp.vic.gov.au
- The Australian Government Information Security Manual – www.asd.gov.au/infosec/ism
- Control Objectives for Information and Related Technology (COBIT) – cobitonline.isaca.org
- Information Technology Infrastructure Library (ITIL) – www.itsmf.org.au/?page ITIL
