VIEWS: 5 PAGES: 5 POSTED ON: 3/21/2010
SUMMARY OF PROGRESS MADE IN IMPLEMENTING AUDIT RECOMMENDATIONS

The status column is categorised on the following basis:
1 = Implemented/resolved
2 = Being Implemented / deadline not exceeded
3 = Not Implemented
4 = Superseded

Columns for each recommendation: Rec No; Recommendation; Risk Categorisation; Original Management Response; Responsible Officer / Impl'n Date; Status and Management Comments / Implications as at 31/8/09 (August 09); Status and Management Comments / Implications as at 23/10/09 (October 09); Status and Management Comments / Implications as at XX/11/09 (November 09), giving the current position of these issues and agreed actions and why they have not been resolved as yet / why timescales have slipped; Details of what remains to be done (and who by) to resolve the issues and when this will be achieved.

Back up & Disaster Recovery

Rec No: 3.1.1 / 3.1.4
Recommendation: In order to provide adequate guidance and operational support, consideration should be given to formally documenting the local processes for managing, backing up and recovering the various Oracle systems.
Original Management Response: Action Agreed
Responsible Officer / Impl'n Date: M. Allen, 31st July 08
Status as at 31/8/09: 2
Comments August 09: Per M Allen 14/9/09 - The decision to hold documentation has been reviewed. It has now been decided to hold this outside of Assyst so it is available should Assyst be unavailable. The documentation is being reviewed as a result of recent upgrades to the backup software infrastructure.
Status as at 23/10/09: 2
Comments October 09: As per August 09
Status as at XX/11/09: 2
Comments November 09: These are now ready to be finalised now that the final upgrade to the backup software has taken place. Parts of the documentation have been ready for some months now; the delays encountered in upgrading the backup software (which was in fact 2 upgrades) have held up finalising this recommendation.
What remains to be done: Update the documentation now the last backup upgrade has been completed. This will be complete for the 31st December 2009 by the DBA Team.

Rec No: 3.1.5
Recommendation: The documentation suggested in recommendation 3.1.4 above should form part of a wider library of operational documentation, which is subject to periodic review and maintenance.
Risk Categorisation: Moderate

Rec No: 3.4.1 / 3.4.3
Recommendation: Using the testing environment, the processes involved in the recovery of all databases from backed-up data should be fully tested and documented as a means of proving the ability to recover from an incident. 3.4.4 In addition, a full fail over test should be conducted of the duplexed systems as a means of providing greater assurance in the event of an incident.
Risk Categorisation: Moderate
Original Management Response: Action Agreed
Responsible Officer / Impl'n Date: I. Cooper / M. Allen. Subject to suitable DR/BC premises being obtained. 31st October 08 (Provisional)
Status as at 31/8/09: 2
Comments August 09: Contracts have been provided by the Company and are with Legal in readiness for signing. When the kit has been relocated a full test will be undertaken and documented and regular tests scheduled.
Status as at 23/10/09: 2
Comments October 09: As per August 09.
Status as at XX/11/09: 2
Comments November 09: Now that the site and distance are known for the DR equipment location it has allowed us to move on to some of the technical issues. Meetings have been held with external suppliers to determine the maximum amount of replication that can be achieved over the known distance. This information, which should be complete w/c 7th December 2009, will allow us to order the necessary network links from KC. Normal lead time from KC is 30 days although we may be able to 'speed' this up. The physical move of the equipment can be carried out at short notice.
What remains to be done: KC to install appropriate Network links and Fujitsu to move the equipment. This is expected to complete during January 2010.

Rec No: 3.4.2 / 3.4.5
Recommendation: Consideration should be given to establishing formal documentation for restoring all key systems in line with the current location of the DR equipment and the optimum sequence of application recovery.
Risk Categorisation: Moderate
Original Management Response: Action Agreed
Responsible Officer / Impl'n Date: I. Cooper / M. Allen. Subject to suitable DR/BC premises being obtained. 31st October 08 (Provisional)
Status as at 31/8/09: 2
Comments August 09: As per 3.4.1
Status as at 23/10/09: 2
Comments October 09: As per August 09.
Status as at XX/11/09: 2
Comments November 09: As per 3.4.1. In addition work is starting in producing the documentation as appropriate.
What remains to be done: As per 3.4.1 above.

Rec No: 3.6.3 / 3.6.6
Recommendation: A documented DR plan should be created that defines responsibilities and actions in accordance with the priorities of restoring systems. This plan should be securely stored and subject to periodic review in order that it remains appropriate, adequate and effective. The plan should contain, inter alia, the following elements:
• A nominated officer responsible for the overall management of the plan;
• Lists of contact telephone numbers;
• Key activities in the event of a disaster;
• The location of a disaster command centre;
• Notification of insurers;
• Details of the obligations of hardware and software suppliers;
• The clear allocation of roles and responsibilities for the key areas of the recovery process;
• Specific responsibility for handling media and public relations; and
• Cross references to documentation covering the discrete system recovery and restore processes.
Risk Categorisation: Moderate
Original Management Response: Action Agreed
Responsible Officer / Impl'n Date: I. Cooper / M. Allen. Subject to suitable DR/BC premises being obtained. 31st October 08 (Provisional)
Status as at 31/8/09: 2
Comments August 09: BCP plans currently being reviewed in Service Areas. ICT is awaiting feedback once this has been finalised.
Status as at 23/10/09: 2
Comments October 09: As per August 09.
Status as at XX/11/09: 2
Comments November 09: As part of 'moving' the equipment to ARCO the procedures and responsibilities will be finalised in terms of the existing systems that have been catered for in DR, including prioritising the order systems are brought up. As part of the restructure further emphasis will be placed on Business Continuity / DR.
What remains to be done: As per 3.4.1 above.

Rec No: 3.7.1 / 3.7.6
Recommendation: It is suggested that ICT management, as part of the process of developing an appropriate overall DR solution, should actively encourage the definition and application of a method of prioritising systems within the BCP process. Also see 3.7.7 below.
Risk Categorisation: Moderate
Original Management Response: Action Agreed
Responsible Officer / Impl'n Date: Ian Cooper / Mark Allen, 31/8/08
Status as at 31/8/09: 2
Comments August 09: As per 3.6.3 above
Status as at 23/10/09: 2
Comments October 09: As per August 09
Status as at XX/11/09: 2
Comments November 09: As per 3.6.3 above.
What remains to be done: As per 3.4.1 above.

Rec No: 3.7.4 / 3.7.9
Recommendation: Once the DR plan has been documented, it should be subject to periodic testing and management review of the outcomes with any issues arising actively followed-up and resolved.
Risk Categorisation: Moderate
Original Management Response: Action Agreed
Responsible Officer / Impl'n Date: I. Cooper / M. Allen. Subject to suitable DR/BC premises being obtained. 31st October 08 (Provisional)
Status as at 31/8/09: 2
Comments August 09: As per 3.6.3 above
Status as at 23/10/09: 2
Comments October 09: As per August 09
Status as at XX/11/09: 2
Comments November 09: Once the equipment is moved and documented a process around 'testing' will be agreed with ARCO.
What remains to be done: As per 3.4.1 above.

Physical Environment Controls

Rec No: 3.7.1 / 3.7.4
Recommendation: The performance and effectiveness of the Air Conditioning plant within the computer room should be independently investigated and any shortcomings in effective cooling should be promptly rectified.
Risk Categorisation: Moderate
Original Management Response: Action Agreed. Fujitsu Siemens being commissioned to conduct review of ICT & E-Government.
Responsible Officer / Impl'n Date: I Cooper, 31/8/08
Status as at 31/8/09: 2
Comments August 09: Has been incorporated into the review of ICT premises currently being undertaken. If relocation is not feasible then a separate plan of improvements will be agreed and implemented.
Status as at 23/10/09: 2
Comments October 09: Further consideration is currently being given to a separate plan of improvements. Meetings have been held with 3rd Party vendors. Final plan detailing options is expected for December 09.
Status as at XX/11/09: 2
Comments November 09: A range of options are being considered by NPS including the building of a new Data Centre. Discussions are currently underway as to the specification.

Rec No: 3.8.1 / 3.8.4
Recommendation: As a matter of urgency, ICT management should liaise with Shared Services to promptly resolve the known issues about the adequacy of the power supply arrangements for the computer room so as to ensure the continuity and integrity of the ICT service.
Risk Categorisation: Moderate
Original Management Response: Action Agreed. Fujitsu Siemens being commissioned to conduct review.
Responsible Officer / Impl'n Date: I Cooper, 31/8/08
Status as at 31/8/09: 2
Comments August 09: Now pending the outcome of the review of premises for ICT & E-Government.
Status as at 23/10/09: 2
Comments October 09: As per 3.7.1 above.
Status as at XX/11/09: 2
Comments November 09: See 3.7.1 above in respect of the overall power capacity. However substantial work has been undertaken since the original Audit to upgrade the UPS system, which has been done.

ICT Organisational & Administrative Controls

Rec No: 3.3.1
Recommendation: In line with the ongoing establishment of service level agreements, ICT management should develop a reliable and accurate measure of system availability across the key operational systems and introduce it into use as soon as possible.
Risk Categorisation: Moderate
Original Management Response: Action Agreed
Responsible Officer / Impl'n Date: S Clarke / SLAs, 31/8/08
Status as at 31/8/09: 2
Comments August 09: Currently working with Housing as a pilot area.
Status as at 23/10/09: 2
Comments October 09: As per August 09. We have identified 2 ways of collecting this information and these are currently being evaluated.
Status as at XX/11/09: 2

ICT Network & Communications (Per M Allen 10/8/09)

Rec No: 3.1.1
Recommendation: The intended restructuring of ICT Services should address the issue of responsibility for network and ICT security. Responsibilities should be clarified, defined and included in appropriate job descriptions.
Risk Categorisation: Moderate
Original Management Response: Security roles to be clarified through job descriptions in new structure.
Responsible Officer / Impl'n Date: I. Cooper, December 2008
Status as at 31/8/09: 3
Comments August 09: Outstanding. Restructure is still under review.
Status as at 23/10/09: 3
Comments October 09: Outstanding. Restructure is still under review.
Status as at XX/11/09: 2
Comments November 09: Restructure part of the Phase II restructure and has been delayed. As a result of Government Connect all ICT Staff have undertaken a security briefing and signed declarations confirming their role in this process. It is the intention that there will be a 'security' element in all Job Descriptions when the Restructure is complete. The proposed ICT Restructure was superseded by the overall Corporate Management restructure which has led to the delays in this being completed.
What remains to be done: Phase II Management Restructure to be completed.

ICT - Change Control (Per M Allen 11/9/09)

Rec No: 3.1.2
Recommendation: The risk associated with the inability to monitor unauthorised activity is recognized. The Council identifies if there are any products available that will enable the detection of unauthorised changes.
Risk Categorisation: High
Original Management Response: Y
Responsible Officer / Impl'n Date: M. Allen, 31st Dec. 2008
Status as at 31/8/09: 2
Comments August 09: A product has been identified that would facilitate this. Currently in the process of obtaining costs so a Business Case can be put together to roll out across major systems. Business case should be completed by December 2009 and then funding will be sought to implement.
Status as at 23/10/09: 2
Comments October 09: As per August 09
Status as at XX/11/09: 2
Comments November 09: Oracle's 'Change Management Pack' has been obtained and is currently being installed in TEST E-Business and will be migrated to the LIVE system during late December 2009 / early January 2010. The difficulty has been in identifying a suitable product that works across all the Council's database platforms. This worked out not to be feasible so it was decided to look at Oracle's product which will at least cover most of the key systems in the Authority.
What remains to be done: Install the software in the LIVE system by the DBA Team and set up appropriate monthly 'check' processes.

Rec No: 3.1.3
Recommendation: All emergency changes are retrospectively documented. As per 3.1.2, the identification of software and/or the use of SQL that will enable the logging of changes to the system to be monitored.
Risk Categorisation: High
Original Management Response: Y
Responsible Officer / Impl'n Date: M. Allen, 31st Dec. 2008
Status as at 31/8/09: 2
Comments August 09: See above.
Status as at 23/10/09: 2
Comments October 09: As per August 09
Status as at XX/11/09: 2
Comments November 09: The software identified above will enable this.
What remains to be done: Installation of software as identified in 3.1.2.

Rec No: 3.1.5
Recommendation: The Council establishes a protocol that requires the 3rd party to notify ICT if they are undertaking maintenance work on their system if 24/7 access cannot be removed.
Risk Categorisation: High
Original Management Response: Y
Responsible Officer / Impl'n Date: G. Baker, 31st Dec. 2008
Status as at 31/8/09: 2
Comments August 09: All 3rd Party suppliers have signed new agreements earlier in the year and passwords were disabled until they had. As part of Government Connect 24x7 access has to cease. This will be October 2009.
Status as at 23/10/09: 2
Status as at XX/11/09: 2
Comments November 09: This has been implemented for all third party suppliers who need to access systems on the 'Secure Network'. They now need to log a call on the Service Desk before the connection is enabled for that session. This process will be rolled out across all other suppliers as part of Phase 2 of Government Connect. In addition 2 factor authentication devices are being obtained to add an additional layer of security beyond the original recommendation. The major factor in the delay of implementing this has been the added requirements of Government Connect which came about after the original Audit Report.
What remains to be done: Implement Phase II of Government Connect and roll out 2 factor authentication to all appropriate third parties. The main parts of this will be done by the Networks Team. This phase needs to be completed by the 31st March 2010.

Rec No: 3.1.7
Recommendation: The configuration set up and tailoring of assyst is documented and is shared with other appropriate ICT staff.
Risk Categorisation: Moderate
Original Management Response: Y
Responsible Officer / Impl'n Date: I. Cooper, 31st Dec. 2008
Status as at 31/8/09: 3
Comments August 09: This will be addressed as part of a major upgrade on Assyst being conducted during October and November 2009.
Status as at 23/10/09: 3
Comments October 09: As per August 09
Status as at XX/11/09: 2
Comments November 09: Progress has been made on documenting the customisations to Assyst. Knowledge has been passed on to other ICT Staff. A major upgrade to Assyst was originally scheduled mid year which would have seen this task completed. The upgrade will bring in major changes which will need to be factored into the documentation.
What remains to be done: Undertake the major Assyst upgrade and revise/update documentation. This will be undertaken by the Third Party. Completion timescales are currently being discussed with them but it is envisaged this will be done by the end of March 2010.

ICT - Reporting Tools (Per M Allen 11/9/09)

Rec No: 3.1.1
Recommendation: The application password is changed. Users are provided with individual user ids and passwords. These passwords are deactivated when an employee changes their role or leaves the Council.
Risk Categorisation: High
Original Management Response: Action(s): Change Application password and restrict access to it. This will require investigation into interfaces and reports that have already been implemented and configured so that existing Business Processes are not impacted when the password is changed. Implement process to deactivate logins/passwords when staff leave/change roles.
Responsible Officer / Impl'n Date: M. Allen, 30th June 09 (password change); 12th June 09 (deactivation process)
Status as at 31/8/09: 2 (password change); 1 (deactivation process)
Comments August 09: Investigation into changing this has found that this username and password is embedded in all interfaces and a significant number of the custom processes within E-Business. A full review has been completed of all the interfaces and we are about to go out to tender for a new interface system. When the replacement system is obtained all interfaces will be rewritten without embedded passwords. Following a full licence review with Oracle, processes are now run monthly against the E-
Status as at 23/10/09: 2
Comments October 09: Government Connect has superseded this and now ICT are in the process of changing these 'embedded' usernames and passwords. This will be completed in E-Business by December 09 and all other systems by March 2010.
Status as at XX/11/09: 2
Comments November 09: Work is nearly finalised in identifying where the main E-Business password is 'hard coded' in Hull's customisations. The password will be changed in the TEST system during December 09. Pending the outcome of this test it is expected the change will be made in the LIVE system towards the end of December 2009 / early January 2010. The delay in implementing this has in the main part been due to the complexity of the task which was not known at the time. All the feeds and customisations have had to be examined along with numerous reports.
What remains to be done: Change the password in the TEST system w/c 14th December and the LIVE system late December 2009 / early January 2010. Development Team, Oracle Functional Team and the DBA Team.

Rec No: 3.1.3
Recommendation: ICT need to identify a method of monitoring changes to the database made by Toad. The issue of management monitoring database changes has been raised in 2 previous audits (Database Management Controls and the Change Control audit) and is being progressed by ICT.
Risk Categorisation: Moderate
Original Management Response: Action(s): Investigation into products that allow monitoring of database/application changes. Report on findings/options will be produced and discussed with Internal Audit and further action/project plan to implement agreed solutions. Identification/procurement of appropriate products may require separate Business Case/Funding. Continue progress in implementing 'Change Management' in major systems. Resource(s): 1 x DBA; 1 x Third Party Application Support.
Responsible Officer / Impl'n Date: M. Allen, 30th June 09
Status as at 31/8/09: 2
Comments August 09: This is also covered by 3.1.2 on the Change Control Action Plan. Investigation complete and costs are currently being obtained around the software for preparation of a Business Case which should be completed by December 2009.
Status as at 23/10/09: 2
Comments October 09: As per August 09.
Status as at XX/11/09: 2
Comments November 09: Oracle's 'Change Management Pack' has been obtained and is currently being installed in TEST E-Business and will be migrated to the LIVE system during late December 2009 / early January 2010. This recommendation is also covered in 3.1.2 of the 'Change Control Audit'.
What remains to be done: Install the software in the LIVE system by the DBA Team.

Rec No: 3.1.4
Recommendation: A review is undertaken of all staff that have access to Toad to identify the version on the PC and the location of that PC. In accordance with best practice ICT staff should not have access to live data and systems and management should consider reviewing not only who has access to these reporting tools and utilities but the environment that user can access with the product.
Risk Categorisation: High
Original Management Response: Action(s): All installations of Toad to be identified and action taken to ensure that they are relevant and on the same version. Review to be undertaken as to the appropriateness of the environments being accessed and the correct level of monitoring required. Resource(s): 1 x DBA; 1 x Service Desk / Application Support; 1 x Developer.
Responsible Officer / Impl'n Date: M. Allen, 12th June 09
Status as at 31/8/09: 2
Comments August 09: All installations have been identified and media for the most up to date version obtained. Currently preparing a plan to remove all old versions and replace with the new version where this is properly required. This has been delayed due to resource commitments around Government Connect and the Thin Client Project. It is anticipated that resources will be freed during October and this action can then be fully resolved by November 2009.
Status as at 23/10/09: 2
Comments October 09: As per August 09. This will also be done in conjunction with 3.1.1 above.
Status as at XX/11/09: 2
Comments November 09: Access is now restricted to appropriate ICT Staff. Toad has been removed from people outside of ICT who do not need this tool. Essentially this is complete.

Rec No: 3.1.5
Recommendation: A review is undertaken of staff with access to these report writers. Staff are reminded about data protection and information security. The product if possible is configured so that users can only access the same information they can through the normal system access log on.
Risk Categorisation: Moderate
Original Management Response: Action(s): Staff identified and email sent reinforcing Data Protection and Information Security issues. Reporting tools used assessed as to whether they can be configured in this manner. Resource(s): 1 x Service Desk / Application Support.
Responsible Officer / Impl'n Date: M. Allen, 30th June 09
Status as at 31/8/09: 3
Comments August 09: For the majority of staff using these tools this will be dealt with by the mandatory training for Government Connect. Those staff not affected will be dealt with after Government Connect implementation. This should all be addressed by the end of October 2009.
Status as at 23/10/09: 2
Comments October 09: Training has been done for all staff on the 'Secure' network as part of Phase 1 of Government Connect. This will be rolled out in stages to the rest of the Authority by March 2010.
Status as at XX/11/09: 2
Comments November 09: All Staff within Revenues & Benefits and ICT & E-Government have attended briefing sessions and signed personal statements as part of Phase 1. Work is underway with Children & Young People's to bring them on to the secure network. Delays have been brought about by the extra requirements of Government Connect and this has meant the original Audit recommendation has 'grown'.
What remains to be done: All briefing sessions should be completed by 31st March 2010 for all Council Staff. These are being undertaken by the Council's Training & Development Team.

Service Level Management

Rec No: 3.2.2
Recommendation: A review is undertaken of software in use to ensure the Council has the correct number of licences. The review also considers if all software installed is required, to identify if the Council is paying for licences for products that are no longer in use.
Risk Categorisation: Moderate
Original Management Response: Action(s): Investigation into what products have been installed and where, which will then be reconciled with any renewal notices from the supplier in the past 12 months from invoices held in E-Business. The results of this investigation will then be used to formulate an action plan to ensure any unlicensed software is removed and that appropriate 'metering' arrangements are in place. Resource(s): ICT Business Support.
Responsible Officer / Impl'n Date: M. Allen, 30th June 09
Status as at 31/8/09: 2
Comments August 09: Investigation has been completed and additional modules for Certero are currently being costed for approval. This will give the ability to map software to licences and more readily identify those installs that need removing.
Status as at 23/10/09: 2
Comments October 09: The Software Asset Management Module has been purchased and is currently being installed and configured.
Status as at XX/11/09: 2
Comments November 09: This has been installed and the client installed on all Council PC's. Certero (Third Party Provider) are currently importing all licence information which has been provided by Microsoft and other organisations. The delay in implementing this has in the main part been down to finding the right tool and making sure it can integrate with Assyst and the Asset Management database (IT).
What remains to be done: Once all the information has been imported the next stage is to set up the monitoring reports to monitor usage across the install base. This should deliver the relevant information during the next 3 months to identify those installs that are rarely used and may best be used elsewhere. This will ultimately be an ongoing process managed by ICT Business Support.