Audit: General Security Controls and Support

Education ICT underwent an audit conducted by Deloittes, the scope of which was to ‘review and assess whether Education ICT service has implemented adequate and effective controls over the general IT security environment within the schools’ infrastructure’.

Outline

The audit examined the following:

  1. That effective plans are in place to meet the business objectives
  2. Adequate processes are in place to plan and manage data integrity and duties are appropriately segregated
  3. Formal policies and procedures are in place
  4. The systems and other IT equipment are adequately protected both physically and environmentally
  5. Logical controls are in place over the schools’ software systems
  6. Adequate procedures are in place to recover data and systems in the event of a disaster
  7. The organisation complies with key legislation

Audit Opinion: Substantial Assurance (AMBER)

The audit identified 18 strengths and made seven Medium Priority recommendations and two Low Priority recommendations, as outlined below. The audit was complex because part of the scope examined covered responsibilities that lie with the school and are outside the control of Education ICT. Some of the recommendations are therefore actions that we must bring to the attention of Head Teachers and schools.

Medium Priority Recommendations

1. By the end of November 2009, Education ICT management should design and implement a formal electronic procedure for:

  • Requesting and granting access.
  • Amending user roles/permissions.
  • Deleting leavers.
  • Agreeing the roles and responsibilities between Education ICT and schools in undertaking user management functions.

2. By the end of March 2010, to meet the audit recommendations, Education ICT will have amended the logical access settings for users in Windows Group Policy with regard to:

  • Enforce password history = 13 or greater.
  • Maximum password age = 30-60 days.
  • Password must meet complexity requirements = Enabled; Store passwords using reversible encryption = Disabled.

3. By the end of March 2010, Education ICT should amend user lockout settings in Windows Group Policy to ensure:

  • Account lockout duration = 30 minutes; Reset account lockout counter after = 1440 minutes.
  • Establish a procedure to log, report on and regularly review system logs to detect exceptional or unusual logon events.
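As an added example (not part of the audit report), the following PowerShell script reads the effective default domain password and lockout policy with the ActiveDirectory module's Get-ADDefaultDomainPasswordPolicy cmdlet and compares each value against the figures in recommendations 2 and 3. It assumes a domain-joined host with the RSAT ActiveDirectory module and read access to the domain; fine-grained password policies, which override the default for the groups they target, are not checked.

```powershell
# Added example: compare the default domain password/lockout policy with the
# audit figures in recommendations 2 and 3. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function New-CheckRow {
    # Builds one result row; $Pass is true when the setting meets the recommendation.
    param([string]$Setting, $Actual, [string]$Expected, [bool]$Pass)
    [pscustomobject]@{ Setting = $Setting; Actual = $Actual; Expected = $Expected; Pass = $Pass }
}

function Test-AuditPasswordPolicy {
    # $Policy is the object returned by Get-ADDefaultDomainPasswordPolicy.
    # Age and lockout values are TimeSpans, so convert them to the units Group Policy uses.
    param([Parameter(Mandatory)] $Policy)

    $maxAgeDays  = [math]::Round($Policy.MaxPasswordAge.TotalDays, 1)            # "Maximum password age" is in days
    $lockoutMins = [math]::Round($Policy.LockoutDuration.TotalMinutes, 1)        # "Account lockout duration" is in minutes
    $windowMins  = [math]::Round($Policy.LockoutObservationWindow.TotalMinutes, 1) # "Reset account lockout counter after" is in minutes

    New-CheckRow 'Enforce password history' $Policy.PasswordHistoryCount '>= 13' ($Policy.PasswordHistoryCount -ge 13)
    New-CheckRow 'Maximum password age (days)' $maxAgeDays '30-60' (($maxAgeDays -ge 30) -and ($maxAgeDays -le 60))
    New-CheckRow 'Password must meet complexity requirements' $Policy.ComplexityEnabled 'Enabled' ($Policy.ComplexityEnabled -eq $true)
    New-CheckRow 'Store passwords using reversible encryption' $Policy.ReversibleEncryptionEnabled 'Disabled' ($Policy.ReversibleEncryptionEnabled -eq $false)
    # Lockout duration and reset window only take effect when the lockout threshold is non-zero,
    # and Windows requires the reset window to be no longer than the lockout duration
    # (unless the duration is 0, i.e. locked until an administrator unlocks), so report both as found.
    New-CheckRow 'Account lockout threshold (attempts)' $Policy.LockoutThreshold '> 0 (not specified by audit)' ($Policy.LockoutThreshold -gt 0)
    New-CheckRow 'Account lockout duration (minutes)' $lockoutMins '30' ($lockoutMins -eq 30)
    New-CheckRow 'Reset account lockout counter after (minutes)' $windowMins '1440' ($windowMins -eq 1440)
}

$policy  = Get-ADDefaultDomainPasswordPolicy
$results = Test-AuditPasswordPolicy -Policy $policy
$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} setting(s) do not match the audit recommendations." -f $failed.Count)
    exit 1
}
```

Run the script on a domain controller or management host before and after the Group Policy change to record the evidence the audit follow-up will ask for.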

4. By the end of November 2009 Education ICT should advise schools on the possibility of implementing the following environmental controls for server storage:

  • To install servers in a dedicated room.
  • To ensure that the computer environment has adequate temperature and humidity controls (e.g. air conditioning).
  • To install fire detection equipment.
  • To install an automatic fire suppression system.
  • To provide manual fire extinguishers.
  • To provide an alternative power supply.
  • To store paper and other flammable material in a separate room.
  • To check the rooms for pipes to prevent water damage.

5. By the end of November 2009 Education ICT should continue to:

  • Ensure that all new server purchases include a remote backup service; details of this service have been communicated to schools.

6. By the end of November 2009 Education ICT will:

  • Implement CentraStage on all supported servers to monitor and report on server disk space, hardware specifications and performance, software installations and the rollout of Windows Updates, using this feedback to provide proactive support and to inform schools of the status of their equipment.

7. By the end of November 2009 Education ICT should provide guidance and reminders to Head Teachers that regular test restores must be carried out to ensure that backups are valid.

Low Priority Recommendations

8. By the end of December 2009, Education ICT will have offered advice to Head Teacher Representatives:

  • Recommending the implementation of a logon banner on user systems warning that only authorised employees may proceed and gain access to the systems.
  • Making staff aware that, under the Computer Misuse Act and related legislation, a defendant could claim in their defence that security barriers against unauthorised use or access were not evident.

9. By the end of December 2009 Education ICT will advise Head Teachers of their responsibility with regard to software licensing and recommend that the school either:

  • Undertakes software audits itself; or
  • Engages Education ICT to perform audits periodically.