Audit of Security for Enterprise Data and Programs July 19, 2004 Report 2004-09

MISSION STATEMENT

The School Board of Palm Beach County is committed to excellence in education and preparation of all our students with the knowledge, skills, and ethics required for responsible citizenship and productive employment.

Arthur C. Johnson, Ph.D. * Superintendent of Schools

School Board Members

Tom Lynch, Chair
William C. Graham, Vice Chair*
Paulette Burdick*
Monroe Benaim, M.D.
Mark Hansen
Sandra Richmond
Debra Robinson, M.D.

*Ex-Officio Audit Committee Members

Audit Committee Members

Cindy Adair, Chair
Richard Roberts, Vice Chair
Georgette B. Carroll
Max Davis
Kevin James
Noah Silver
Arthur Sinai
JulieAnn Rico Allison*
Pam Popaca*


Table of Contents

EXECUTIVE SUMMARY

PURPOSE AND AUTHORITY

SCOPE AND METHODOLOGY

BACKGROUND

CONCLUSIONS

1. Obsolete User IDs Not Removed
2. Controls for Remote Access
3. Access to Computer Room
4. Disaster Recovery Documentation
5. Concerns Also Raised in Other Audits

APPENDIX

Management's Response


Executive Summary

The audit examined the District's procedures in protecting the security of transmittal, processing, and storage of information for an enterprise-wide system.

The District had not established and communicated a formal policy related to remote access. Documentation for users requesting remote access was not available for 196 of 330 users.

Obsolete User IDs for the MAXIMO system were found for two temporary employees and a discontinued project. Also, the Maintenance and Plant Operations department was not following accepted security procedures of periodically requiring users to change their passwords.

Documents regarding the District's Disaster Recovery needed to be updated to include non-mainframe applications such as MAXIMO and Fleet Anywhere. Also, a comprehensive Risk Assessment was needed.

Inconsistent practices were used between mainframe and network platforms to request, establish, and terminate user names and access. Management did not periodically evaluate computer access rights for network users, as they did for mainframe users.

Several comments from a 2002 audit performed by outside auditors were still relevant during this audit:

• The lack of a District-wide security policy.
• Security awareness program needed improvement.
• No comprehensive incident response program to address breaches in system security.
• A separate intrusion detection system (IDS) had not been deployed to assist management in discovering violations of the network perimeter.

Management concurred with all of the audit findings.


THE SCHOOL DISTRICT OF PALM BEACH COUNTY, FLORIDA

LUNG CHIU, CPA DISTRICT AUDITOR

ARTHUR C. JOHNSON, Ph.D. SUPERINTENDENT

OFFICE OF DISTRICT AUDITOR
3346 FOREST HILL BOULEVARD, SUITE 8-302
WEST PALM BEACH, FL 33406

(561) 434-7335 FAX: (561) 434-8652

MEMORANDUM

TO: Honorable Chair and Members of the School Board
Arthur C. Johnson, Ph.D., Superintendent of Schools
Chair and Members of Audit Committee

FROM: Lung Chiu, CPA, District Auditor

DATE: July 19, 2004

SUBJECT: Audit of Security for Enterprise Data and Programs

PURPOSE AND AUTHORITY

Pursuant to the District's Audit Plan of 2003-2004, we have audited the District's Security for Enterprise Data and Programs. The primary objective of the audit was to assess the adequacy of the District's security controls for operations and development of its automated information systems.

SCOPE AND METHODOLOGY

The audit was performed by Ellen Steinhoff, CISA, during April through May 2004, in accordance with Government Auditing Standards.

The audit examined the District's procedures in protecting the security of transmittal, processing, and storage of information for an enterprise-wide system. The audit focused on: (1) the assessment of risk; (2) physical security; (3) intrusion control and information access management; (4) system access methodology; and (5) disaster recovery. For security control, the audit specifically examined:

• Two selected mainframe applications, i.e. Student and Budget
• Four Network applications, i.e. EXCHANGE, MAXIMO, FleetAnywhere, and IDW
• Security process for users' remote access to the District's computer system, i.e. Remote Access

AN EQUAL OPPORTUNITY EMPLOYER

The audit also reviewed:

• Procedures to grant and remove access to new hires, department transfers, and vendors.
• Access to several computer applications and the monitoring of this access.
• Physical access to computer rooms.
• Logging controls, disaster recovery, laptops, general firewalls and LAN, e-mail, remote access, and passwords.
• Interviewing staff of Information Technology, School Police, and Maintenance.
• Information security organizational charts, job descriptions, internal policies and procedures manuals.
• Long and short term IT plans relating to information systems security.

The conclusions were brought to the attention of staff during the audit so that necessary corrective actions could be implemented immediately. The draft report was sent to Information Technology for review and comments, and the response is included in the Appendix. We would like to thank staff for their cooperation and courtesy extended to us during the audit. The final draft report was presented to the Audit Committee at its July 19, 2004 meeting.

BACKGROUND

The District maintains seven mainframe applications, five web/intranet applications, six web-based instructional applications and at least ten network applications. The security control for the District's information technology processing systems involved the mainframe and the network systems. See the following schedule for details for both systems.

| Systems | Approximate Number of User IDs | Approximate Number of Applications | Sample Applications | Staff Assigned to Administer Access and percentage of their job duties |
|---|---|---|---|---|
| Mainframe | 4,000 | 7 | TERMS Student, TERMS Finance, CHIPS Payroll | 3 full time staff |
| Network Client/Server and Web/Intranet | 19,000 | 25 | EXCHANGE, MAXIMO, FleetAnywhere, IDW/EDW | 3 Network staff (part time) and staff at each school and department. |

Most of the District's hardware servers are located in the Fulton Holland Educational Center's computer room. Access to this room is controlled by the electronic cards assigned to employees. The special room is equipped with an intrusion alarm, a Halon fire system, and an uninterrupted power supply system.


CONCLUSIONS

1. Obsolete User IDs. The District's maintenance work order processing system, MAXIMO, had 247 registered user IDs. Our review of these IDs revealed that three obsolete IDs were still maintained as active. Two of these obsolete IDs were established for temporary employees, and the remaining one was created for a discontinued project. In addition, the MAXIMO system does not require users to periodically change their passwords. To ensure all access is limited to authorized individuals, obsolete user IDs should be removed promptly from the system. Access passwords should be changed periodically.

Management's Response: Concur. The IDs have been removed. MAXIMO Patch 06 was recently installed which allows for periodic password changes. The preliminary steps to activate this functionality have been taken and all that remains is to determine an appropriate password change time period. This subject is an item on the agenda of a M&PO meeting scheduled for June 23, 2004. (Please see page 8.)

2. Controls For Remote Access. 330 users are granted remote dial-in access to the District's mainframe computer system, which maintains crucial information for the District's students, FTE reporting, finance, personnel, and payroll systems. The remote dial-in access allows users to access certain systems from other locations through telephone lines. Our review of these 330 users' records revealed that:

• Access for four former employees and two former School Board members had not been removed from the system.

• 196 users did not have documentation for their requests and authorization for remote access.

• Five expired remote access user IDs were not removed.

• Five users had duplicate user IDs (three of them were for charter schools).

Additionally, no formal procedures have been established for administering remote access for employees. Information Technology should:

• Develop procedures for managing remote access for employees.

• Remove the access rights of former employees and persons who no longer need to access the system.

• Determine the needs of remote access for the remaining 196 users, whose access approval was not documented. All access should only be granted to those who have legitimate need.

• Implement a time-out feature to automatically remove a user's access after a specified period of inactivity.

• Implement a time-delay mechanism for remote logon so that user has to wait an extended period of time prior to retry after a certain number of unsuccessful login attempts.

Management's Response: Concur. The IT/Security Dept will be reorganized by July 2004. At that time a Security Administrator position will be established, who will address these issues.

A draft remote access procedure has been prepared and will be given to the new Security Administrator for evaluation, revision, and implementation. Access has been removed for the inactive users. A new Total Control system is being implemented. At that time, all remote users will be reviewed and required to submit an access form. Management approved the 196 users in question; however, in some cases, the formal documentation was inconsistent.

Staff will investigate the feasibility of implementing a time-out feature to automatically remove a user's access after a specified period of inactivity and will recommend a solution to the new Security Administrator. Staff has implemented a time-delay mechanism for remote login that inactivates the user for 1 hour after 5 unsuccessful login attempts. (Please see page 8.)

3. Access to Computer Rooms. The Computer Operations Center houses the hardware equipment for the District's mainframe computer and servers. Access to the Operations Center is monitored by the electronic card access system administered by the School Police Department. Our review of the authorized card users revealed that:

• Three former employees' access to the Operations Center had not been removed.
• One employee had two cards with access to the Operations Center.
• Seven employees who did not need access to the Operations Center were provided with access.

We informed staff of the above weaknesses and all the unneeded access was removed accordingly. Also, the computer operations manager had changed the access hours for certain employees.

Management's Response: Concur. Access has been removed. (Please see page 8.)

4. Disaster Recovery Documentation. According to Information Technology's disaster recovery documentation, the backup and restore procedures had been successfully tested for systems that resided on the District's mainframe computer. However, our review of the Information Technology Disaster Recovery Plan revealed the following:

• Certain non-mainframe systems were not included in the Disaster Recovery Plan, such as the maintenance work order processing system (MAXIMO) and the transportation management system (FleetAnywhere).

• A comprehensive information system risk assessment had not been performed.

Information Technology should conduct a comprehensive risk assessment to identify all mission critical computer systems, with details in software, hardware, location, and prioritization in case of a disaster. The disaster recovery plan should also be updated accordingly to include all mission critical computer systems. Additionally, the disaster recovery plan should be periodically updated and tested to ensure all the District's needs are met.

Management's Response: Concur. A risk assessment will be performed by March 2005 to identify all mission critical non-mainframe computer systems. The disaster recovery plan will be revised to include mission critical computer systems by July 2005. The disaster recovery plan is fully tested locally at least once a year and periodically at a hot site in Philadelphia. (Please see page 8.)

5. Concerns Also Raised In Other Audits. The District has not developed a comprehensive technology security policy. The lack of a District-wide security policy allows inconsistent procedures to be implemented by different sections within Information Technology. See the following exhibit for examples of inconsistencies.

| Activities | Procedures Needed (Centralized Information Processing Department) | Procedures Needed (Network Services Department) |
|---|---|---|
| Request for access to systems | Based on Mainframe Access Request (Form #PBSD 1362) submitted by department/school. | Based on E-Mail from department/school. |
| Specific authority for access | At school, based on employee position. For administrator, based on department's request. | Based on requests submitted by department/school. |
| Update of users' records due to transfer/termination | Based on personnel changes indicated on CHIPS reports, or Form #PBSD1362 submitted by department/school. | Based on E-Mail from department/school. |
| Periodic Review of Users' Access | Review annually. | No review. |
| User ID | Comprised of employee's Last name + First Initial (maximum 7 characters), and User ID is tied to employee's SSN. | Comprised of employee's Last name + First Initial (maximum 32 characters), and User ID is tied to Employee's department number. |

The District's outside auditor, KPMG, also presented similar findings in its Management Letters since 2001. These exceptions were still valid during our audit:

• The lack of a District-wide security policy allows for inconsistent procedures to be developed and results in potential conflicts
• Security awareness program needs improvement
• Lack of comprehensive incident response procedures
• A separate intrusion detection system (IDS) has not been deployed to assist management in discovering violations of the network perimeter.

Information Technology should address the above concerns, prioritize and develop an implementation plan for these items.

Management's Response: Concur. The IT/Security Dept will be reorganized by July 2004. At that time a Security Administrator position will be established, who will address these issues. Staff is in the process of evaluating IDS and IPS systems. An intrusion detection system (IDS) has been incorporated into the projected FY05 budget and will be implemented if funded. (Please see page 8.)

- End of Report -

Appendix

Management's Response

THE SCHOOL DISTRICT OF PALM BEACH COUNTY, FLORIDA

ARTHUR C. JOHNSON, SUPERINTENDENT

INFORMATION TECHNOLOGY
DEPARTMENT OF NETWORK SERVICES
3300 FOREST HILL BOULEVARD, 8-332
WEST PALM BEACH, FL 33406-5869

(561) 434-8773

MEMORANDUM

TO: Lung Chiu, District Auditor

FROM: [name illegible], Chief Technology Officer

DATE: June 28, 2004

SUBJECT: Draft Report - Audit of Security for Enterprise Data and Programs

In response to your Memorandum of June 1, 2004 entitled "Draft Report - Audit of Security for Enterprise Data and Programs" please find the attached management reply.

Cc: Joseph Moore, Chief Operating Officer
Larry Padgett, Director, Network Services


Management Response to Lung Chiu Memorandum of June 1, 2004 (Audit of Security for Enterprise Data and Programs)

| FINDING | AUDIT RECOMMENDATION | CORRECTIVE ACTIONS TO BE TAKEN (Management's Response) | COMPLETION DATE |
|---|---|---|---|
| 1. Obsolete User Ids Not Removed. | Obsolete IDs should be removed promptly from the system. | Concur. The Ids have been removed. | Completed |
| | Access passwords should be changed periodically. | Concur. MAXIMO Patch 06 was recently installed which allows for periodic password changes. The preliminary steps to activate this functionality have been taken and all that remains is to determine an appropriate password change time period. This subject is an item on the agenda of a M&PO meeting scheduled for June 23, 2004. | TBD |
| 2. Controls For Remote Access Needs Improvement. | Develop procedures for managing remote access for employees. | Concur. The IT/Security Dept will be reorganized by July 2004. At that time a Security Administrator position will be established, who will address these issues. A draft remote access procedure has been prepared and will be given to the new Security Administrator for evaluation, revision, and implementation. | TBD |
| | Remove the access rights of former employees and persons who no longer need to access the system. | Concur. Access has been removed for the inactive users. | Completed |
| | Determine the needs of remote access for the remaining 196 users, whose access approval was not documented. All access should only be granted to those who have legitimate need. | Concur. The IT/Security Dept will be reorganized by July 2004. At that time a Security Administrator position will be established, who will address these issues. A new Total Control system is being implemented. At that time, all remote users will be reviewed and required to submit an access form. Management approved the 196 users in question however, in some cases, the formal documentation was inconsistent. | TBD |
| | Implement a time-out feature to automatically remove a user's access after a specified period of inactivity. | Concur. Staff will investigate the feasibility of implementing a time-out feature to automatically remove a user's access after a specified period of inactivity and will recommend a solution to the new Security Administrator. | TBD |
| | Implement a time-delay mechanism for remote logon so that user has to wait an extended period of time prior to retry after an unsuccessful login attempt. | Concur. Staff has implemented a time-delay mechanism for remote login that inactivates the user for 1 hour after 5 unsuccessful login attempts. | Completed |
| 3. Access to Computer Rooms | Three former employees' access to the Operations Center had not been removed. | Concur. Access has been removed. | [illegible] |
| | One employee had two cards with access to the Operations Center. | Concur. Access has been removed. | |
| | Seven employees who did not need to access to the Operations Center were provided with the access. | Concur. Access has been removed. | [illegible] |
| 4. Disaster Recovery Documentation Need Improvement. | Information Technology should conduct a comprehensive risk assessment to identify all mission critical computer systems, with details in software, hardware, location, and prioritization in case of a disaster. | Concur. A risk assessment will be performed by March 2005 to identify all mission critical non-mainframe computer systems. | March, 2005 |
| | The disaster recovery plan should also be updated accordingly to include all mission critical computer systems. | Concur. The disaster recovery plan will be revised to include mission critical computer systems by July 2005. | July, 2005 |
| | Additionally, the disaster recovery plan should be periodically updated and tested to ensure all the District's needs are met. | Concur. The disaster recovery plan is fully tested locally at least once a year and periodically at a hot site in Philadelphia. | Completed |
| 5. Concerns Also Raised In Other Audits. | The lack of District-wide security policy allows for inconsistent procedures to be developed and results in potential conflicts. | Concur. The IT/Security Dept will be reorganized by July 2004. At that time a Security Administrator position will be established, who will address these issues. | |
| | Security awareness program needs improvement | Concur. The IT/Security Dept will be reorganized by July 2004. At that time a Security Administrator position will be established, who will address these issues. | |
| | Lack of comprehensive incident response procedures | Concur. The IT/Security Dept will be reorganized by July 2004. At that time a Security Administrator position will be established, who will address these issues. | TBD |
| | A separate intrusion detection system (IDS) has not been deployed to assist management in discovering violations of the network perimeter | Concur. Staff is in the process of evaluating IDS and IPS systems. An intrusion detection system (IDS) has been incorporated into the projected FY05 budget and will be implemented if funded. | TBD |
