0708 outstanding by tyndale


SUMMARY OF PROGRESS MADE IN IMPLEMENTING AUDIT RECOMMENDATIONS

The status column is categorised on the following basis:-
1 = Implemented/resolved
2 = Being Implemented / deadline not exceeded
3 = Not Implemented
4 = Superseded

Each recommendation below is recorded under the headings of the progress table: Rec No; Recommendation; Risk Categorisation; Original Management Response; Responsible Officer / Impl'n Date; Status and Management Comments / Implications as at 31/8/09 (August 09), as at 23/10/09 (October 09) and as at XX/11/09 (November 09: the current position of these issues and agreed actions and why they have not been resolved as yet / why timescales have slipped); and Details of what remains to be done (and who by) to resolve the issues and when this will be achieved.

Back up & Disaster Recovery
Rec No: 3.1.1
Recommendation: 3.1.4 In order to provide adequate guidance and operational support, consideration should be given to formally documenting the local processes for managing, backing up and recovering the various Oracle systems. 3.1.5 The documentation suggested in recommendation 3.1.4 above should form part of a wider library of operational documentation, which is subject to periodic review and maintenance.
Risk Categorisation: Moderate
Original Management Response: Action Agreed
Responsible Officer / Impl'n Date: M. Allen, 31st July 08
Status as at 31/8/09: 2
Management Comments / Implications August 09: Per M Allen 14/9/09 - The decision to hold documentation has been reviewed. It has now been decided to hold this outside of Assyst so it is available should Assyst be unavailable. The documentation is being reviewed as a result of recent upgrades to the backup software infrastructure.
Status as at 23/10/09: 2
Management Comments / Implications October 09: As per August 09
Status as at XX/11/09: 2
Management Comments / Implications November 09 (current position and why not yet resolved): These are now ready to be finalised now that the final upgrade to the backup software has taken place. Parts of the documentation have been ready for some months now; the delays encountered in upgrading the backup software (which was in fact 2 upgrades) have held up finalising this recommendation.
What remains to be done (and who by): Update the documentation now the last backup upgrade has been completed. This will be complete for the 31st December 2009 by the DBA Team.



Rec No: 3.4.1
Recommendation: 3.4.3 Using the testing environment, the processes involved in the recovery of databases from backed-up data should be fully tested and documented as a means of proving the ability to recover from an incident. 3.4.4 In addition, a full fail over test should be conducted of the duplexed systems as a means of providing greater assurance in the event of an incident.
Risk Categorisation: Moderate
Original Management Response: Action Agreed
Responsible Officer / Impl'n Date: I. Cooper / M. Allen. Subject to suitable DR/BC premises being obtained. 31st October 08 (Provisional)
Status as at 31/8/09: 2
Management Comments / Implications August 09: Contracts have been provided by the Company and are with Legal in readiness for signing. When the kit has been relocated a full test will be undertaken and documented and regular tests scheduled.
Status as at 23/10/09: 2
Management Comments / Implications October 09: As per August 09.
Status as at XX/11/09: 2
Management Comments / Implications November 09 (current position and why not yet resolved): Now that the site and distance are known for the DR equipment location it has allowed us to move on some of the technical issues. Meetings have been held with external suppliers to determine the maximum amount of replication that can be achieved over the known distance. This information, which should be complete w/c 7th December 2009, will allow us to order the necessary network links from KC. Normal lead time from KC is 30 days although we may be able to 'speed' this up. The physical move of the equipment can be carried out at short notice.
What remains to be done (and who by): KC to install appropriate Network links and Fujitsu to move the equipment. This is expected to all complete during January 2010.


Rec No: 3.4.2
Recommendation: 3.4.5 Consideration should be given to establishing formal documentation for restoring all key systems in line with the current location of the DR equipment and the optimum sequence of application recovery.
Risk Categorisation: Moderate
Original Management Response: Action Agreed
Responsible Officer / Impl'n Date: I. Cooper / M. Allen. Subject to suitable DR/BC premises being obtained. 31st October 08 (Provisional)
Status as at 31/8/09: 2
Management Comments / Implications August 09: As per 3.4.1
Status as at 23/10/09: 2
Management Comments / Implications October 09: As per August 09.
Status as at XX/11/09: 2
Management Comments / Implications November 09 (current position and why not yet resolved): As per 3.4.1. In addition work is starting in producing the documentation as appropriate.
What remains to be done (and who by): As per 3.4.1 above.




Rec No: 3.6.3
Recommendation: 3.6.6 A documented DR plan should be created that defines responsibilities and actions in accordance with the priorities of restoring systems. This plan should be securely stored and subject to periodic review in order that it remains appropriate, adequate and effective. The plan should contain, inter alia, the following elements:
• A nominated officer responsible for the overall management of the plan;
• Lists of contact telephone numbers;
• Key activities in the event of a disaster;
• The location of a disaster command centre;
• Notification of insurers;
• Details of the obligations of hardware and software suppliers;
• The clear allocation of roles and responsibilities for the key areas of the recovery process;
• Specific responsibility for handling media and public relations; and
• Cross references to documentation covering the discrete system recovery and restore processes.
Risk Categorisation: Moderate
Original Management Response: Action Agreed
Responsible Officer / Impl'n Date: I. Cooper / M. Allen. Subject to suitable DR/BC premises being obtained. 31st October 08 (Provisional)
Status as at 31/8/09: 2
Management Comments / Implications August 09: BCP plans currently being reviewed in Service Areas. ICT is awaiting feedback once this has been finalised.
Status as at 23/10/09: 2
Management Comments / Implications October 09: As per August 09.
Status as at XX/11/09: 2
Management Comments / Implications November 09 (current position and why not yet resolved): As part of 'moving' the equipment to ARCO the procedures and responsibilities will be finalised in terms of the existing systems that have been catered for in DR, including prioritising the order systems are brought up. As part of the restructure further emphasis will be placed on Business Continuity / DR.
What remains to be done (and who by): As per 3.4.1 above.



Rec No: 3.7.1
Recommendation: 3.7.6 It is suggested that ICT management, as part of the process of developing an appropriate overall DR solution, should actively encourage the definition and application of a method of prioritising systems within the BCP process. Also see 3.7.7 below.
Risk Categorisation: Moderate
Original Management Response: Action Agreed
Responsible Officer / Impl'n Date: Ian Cooper / Mark Allen, 31/8/08
Status as at 31/8/09: 2
Management Comments / Implications August 09: As per 3.6.3 above
Status as at 23/10/09: 2
Management Comments / Implications October 09: As per August 09
Status as at XX/11/09: 2
Management Comments / Implications November 09 (current position and why not yet resolved): As per 3.6.3 above.
What remains to be done (and who by): As per 3.4.1 above.

Rec No: 3.7.4
Recommendation: 3.7.9 Once the DR plan has been documented, it should be subject to periodic testing and management review of the outcomes with any issues arising actively followed-up and resolved.
Risk Categorisation: Moderate
Original Management Response: Action Agreed
Responsible Officer / Impl'n Date: I. Cooper / M. Allen. Subject to suitable DR/BC premises being obtained. 31st October 08 (Provisional)
Status as at 31/8/09: 2
Management Comments / Implications August 09: As per 3.6.3 above
Status as at 23/10/09: 2
Management Comments / Implications October 09: As per August 09
Status as at XX/11/09: 2
Management Comments / Implications November 09 (current position and why not yet resolved): Once the equipment is moved and documented a process around 'testing' will be agreed with ARCO.
What remains to be done (and who by): As per 3.4.1 above.




Physical Environment Controls

Rec No: 3.7.1
Recommendation: 3.7.4 The performance and effectiveness of the Air Conditioning plant within the computer room should be independently investigated and any shortcomings in effective cooling should be promptly rectified.
Risk Categorisation: Moderate
Original Management Response: Action Agreed. Fujitsu Siemens being commissioned to conduct review
Responsible Officer / Impl'n Date: I Cooper, 31/8/08
Status as at 31/8/09: 2
Management Comments / Implications August 09: Has been incorporated into the review of ICT premises currently being undertaken. If relocation of ICT & E-Government is not feasible then a separate plan of improvements will be agreed and implemented.
Status as at 23/10/09: 2
Management Comments / Implications October 09: Further consideration is currently being given to a separate plan of improvements. Meetings have been held with 3rd Party vendors. Final plan detailing options is expected for December 09.
Status as at XX/11/09: 2
Management Comments / Implications November 09 (current position and why not yet resolved): A range of options are being considered by NPS including the building of a new Data Centre. Discussions are currently underway as to the specification.


Rec No: 3.8.1
Recommendation: 3.8.4 As a matter of urgency, ICT management should liaise with Shared Services to promptly resolve the known issues about the adequacy of the power supply arrangements for the computer room so as to ensure the continuity and integrity of the ICT service.
Risk Categorisation: Moderate
Original Management Response: Action Agreed. Fujitsu Siemens being commissioned to conduct review
Responsible Officer / Impl'n Date: I Cooper, 31/8/08
Status as at 31/8/09: 2
Management Comments / Implications August 09: Now pending the outcome of the review of premises for ICT & E-Government.
Status as at 23/10/09: 2
Management Comments / Implications October 09: As per 3.7.1 above.
Status as at XX/11/09: 2
Management Comments / Implications November 09 (current position and why not yet resolved): See 3.7.1 above in respect of the overall power capacity. However substantial work has been undertaken since the original Audit to upgrade the UPS system, which has been done.




ICT Organisational & Administrative Controls

Rec No: 3.3.1
Recommendation: In line with the ongoing establishment of service level agreements, ICT management should develop a reliable and accurate measure of system availability across the key operational systems and introduce it into use as soon as possible.
Risk Categorisation: Moderate
Original Management Response: Action Agreed
Responsible Officer / Impl'n Date: S Clarke / SLAs, 31/8/08
Status as at 31/8/09: 2
Management Comments / Implications August 09: Currently working with Housing as a pilot area.
Status as at 23/10/09: 2
Management Comments / Implications October 09: As per August 09. We have identified 2 ways of collecting this information and these are currently being evaluated.
Status as at XX/11/09: 2
ICT Network & Communications (August 09 comments per M Allen 10/8/09)

Rec No: 3.1.1
Recommendation: The intended restructuring of ICT Services should address the issue of responsibility for network and ICT security. Responsibilities should be clarified, defined and included in appropriate job descriptions.
Risk Categorisation: Moderate
Original Management Response: Security roles to be clarified through job descriptions in new structure
Responsible Officer / Impl'n Date: I. Cooper, December 2008
Status as at 31/8/09: 3
Management Comments / Implications August 09: Outstanding. Restructure is still under review.
Status as at 23/10/09: 3
Management Comments / Implications October 09: Outstanding. Restructure is still under review.
Status as at XX/11/09: 2
Management Comments / Implications November 09 (current position and why not yet resolved): Restructure is part of the Phase II restructure and has been delayed. As a result of Government Connect all ICT Staff have undertaken a security briefing and signed declarations confirming their role in this process. It is the intention that there will be a 'security' element in all Job Descriptions when the Restructure is complete. The proposed ICT Restructure was superseded by the overall Corporate Management restructure, which has led to the delays in this being completed.
What remains to be done (and who by): Phase II Management Restructure to be completed.
ICT - Change Control (August 09 comments per M Allen 11/9/09)
Rec No: 3.1.2
Recommendation: The risk associated with the inability to monitor unauthorised activity is recognized. The Council identifies if there are any products available that will enable the detection of unauthorised changes.
Risk Categorisation: High
Original Management Response: Y
Responsible Officer / Impl'n Date: M. Allen, 31st Dec. 2008
Status as at 31/8/09: 2
Management Comments / Implications August 09: A product has been identified that would facilitate this. Currently in the process of obtaining costs so a Business Case can be put together to roll out across major systems. Business case should be completed by December 2009 and then funding will be sought to implement.
Status as at 23/10/09: 2
Management Comments / Implications October 09: As per August 09
Status as at XX/11/09: 2
Management Comments / Implications November 09 (current position and why not yet resolved): Oracle's 'Change Management Pack' has been obtained and is currently being installed in TEST E-Business and will be migrated to the LIVE system during late December 2009 / early January 2010. The difficulty has been in identifying a suitable product that works across all the Council's database platforms. This worked out not to be feasible so it was decided to look at Oracle's product, which will at least cover most of the key systems in the Authority.
What remains to be done (and who by): Install the software in the LIVE system by the DBA Team and set up appropriate monthly 'check' processes.

Rec No: 3.1.3
Recommendation: All emergency changes are retrospectively documented. As per 3.1.2, the identification of software and/or the use of SQL that will enable the logging of changes to the system to be monitored.
Risk Categorisation: High
Original Management Response: Y
Responsible Officer / Impl'n Date: M. Allen, 31st Dec. 2008
Status as at 31/8/09: 2
Management Comments / Implications August 09: See above.
Status as at 23/10/09: 2
Management Comments / Implications October 09: As per August 09
Status as at XX/11/09: 2
Management Comments / Implications November 09 (current position and why not yet resolved): The software identified above will enable this.
What remains to be done (and who by): Installation of software as identified in 3.1.2

Rec No: 3.1.5
Recommendation: The Council establishes a protocol that requires the 3rd party to notify ICT if they are undertaking maintenance work on their system if 24/7 access cannot be removed.
Risk Categorisation: High
Original Management Response: Y
Responsible Officer / Impl'n Date: G. Baker, 31st Dec. 2008
Status as at 31/8/09: 2
Management Comments / Implications August 09: All 3rd Party suppliers have signed new agreements earlier in the year and passwords were disabled until they had. As part of Government Connect 24x7 access has to cease. This will be October 2009.
Status as at 23/10/09: 2
Status as at XX/11/09: 2
Management Comments / Implications November 09 (current position and why not yet resolved): This has been implemented for all third party suppliers who need to access systems on the 'Secure Network'. They now need to log a call on the Service Desk before the connection is enabled for that session. This process will be rolled out across all other suppliers as part of Phase 2 of Government Connect. In addition 2 factor authentication devices are being obtained to add an additional layer of security beyond the original recommendation. The major factor in the delay of implementing this has been the added requirements of Government Connect, which came about after the original Audit Report.
What remains to be done (and who by): Implement Phase II of Government Connect and roll out 2 factor authentication to all appropriate third parties. The main parts of this will be done by the Networks Team. This phase needs to be completed by the 31st March 2010.

3.1.7  The configuration set up and tailoring of Assyst is documented and is shared with other appropriate ICT staff.
       Risk Categorisation: Moderate
       Original Management Response: Y
       Responsible Officer / Impl'n Date: I. Cooper, 31st Dec. 2008
       Status as at 31/8/09: 3 - This will be addressed as part of a major upgrade on Assyst being conducted during October and November 2009.
       Status as at 23/10/09: 3 - As per August 09.
       Status as at XX/11/09: 2 - Progress has been made on documenting the customisations to Assyst. Knowledge has been passed on to other ICT Staff. A major upgrade to Assyst was originally scheduled mid year, which would have seen this task completed. The upgrade will bring in major changes which will need to be factored into the documentation.
       What remains to be done (and who by): Undertake the major Assyst upgrade and revise/update documentation. This will be undertaken by the Third Party. Completion timescales are currently being discussed with them, but it is envisaged this will be done by the end of March 2010.
       ICT - Reporting Tools
       (August 09 status and comments per M Allen, 11/9/09)
3.1.1  The application password is changed. Users are provided with individual user ids and passwords. These passwords are deactivated when an employee changes their role or leaves the Council.
       Risk Categorisation: High
       Original Management Response:
         Action(s):
         (a) Change Application password and restrict access to it. This will require investigation into interfaces and reports that have already been implemented and configured so that existing Business Processes are not impacted when the password is changed.
         (b) Implement process to deactivate logins/passwords when staff leave/change roles.
       Responsible Officer / Impl'n Date: M. Allen; (a) 30th June 09, (b) 12th June 09
       Status as at 31/8/09:
         (a) 2 - Investigation into changing this has found that this username and password is embedded in all interfaces and a significant number of the custom processes within E-Business. A full review has been completed of all the interfaces and we are about to go out to tender for a new interface system. When the replacement system is obtained, all interfaces will be rewritten without embedded passwords.
         (b) 1 - Following a full licence review with Oracle, processes are now run monthly against the E-
       Status as at 23/10/09: 2 - Government Connect has superseded this and ICT are now in the process of changing these 'embedded' usernames and passwords. This will be completed in E-Business by December 09 and in all other systems by March 2010.
       Status as at XX/11/09: 2 - Work is nearly finalised in identifying where the main E-Business password is 'hard coded' in Hull's customisations. The password will be changed in the TEST system during December 09. Pending the outcome of this test, it is expected the change will be made in the LIVE system towards the end of December 2009 / early January 2010. The delay in implementing this has in the main part been due to the complexity of the task, which was not known at the time. All the feeds and customisations have had to be examined along with numerous reports.
       What remains to be done (and who by): Change the password in the TEST system w/c 14th December and in the LIVE system late December 2009 / early January 2010. Development Team, Oracle Functional Team and the DBA Team.
3.1.3  ICT need to identify a method of monitoring changes to the database made by Toad. The issue of management monitoring database changes has been raised in 2 previous audits (Database Management Controls and the Change Control audit) and is being progressed by ICT.
       Risk Categorisation: Moderate
       Original Management Response:
         Action(s):
         (a) Investigation into products that allow monitoring of database/application changes. Report on findings/options will be produced and discussed with Internal Audit and further action/project plan to implement agreed solutions. Identification/procurement of appropriate products may require separate Business Case/Funding.
         (b) Continue progress in implementing 'Change Management' in major systems.
         Resource(s): 1 x DBA; 1 x Third Party Application Support
       Responsible Officer / Impl'n Date: M. Allen; (a) 30th June 09, (b) 30th June 09
       Status as at 31/8/09: 2 - This is also covered by 3.1.2 on the Change Control Action Plan. Investigation complete and costs are currently being obtained around the software for preparation of a Business Case, which should be completed by December 2009.
       Status as at 23/10/09: 2 - As per August 09.
       Status as at XX/11/09: 2 - Oracle's 'Change Management Pack' has been obtained and is currently being installed in TEST E-Business and will be migrated to the LIVE system during late December 2009 / early January 2010. This recommendation is also covered in 3.1.2 of the 'Change Control Audit'.
       What remains to be done (and who by): Install the software in the LIVE system, by the DBA Team.


3.1.4  A review is undertaken of all staff that have access to Toad to identify the version on the PC and the location of that PC. In accordance with best practice, ICT staff should not have access to live data and systems, and management should consider reviewing not only who has access to these reporting tools and utilities but the environment that user can access with the product.
       Risk Categorisation: High
       Original Management Response:
         Action(s):
         (a) All installations of Toad to be identified and action taken to ensure that they are relevant and on the same version.
         (b) Review to be undertaken as to the appropriateness of the environments being accessed and the correct level of monitoring required.
         Resource(s): 1 x DBA; 1 x Service Desk / Application Support; 1 x Developer
       Responsible Officer / Impl'n Date: M. Allen; (a) 12th June 09, (b) 12th June 09
       Status as at 31/8/09: 2 - All installations have been identified and media for the most up to date version obtained. Currently preparing a plan to remove all old versions and replace with the new version where this is properly required. This has been delayed due to resource commitments around Government Connect and the Thin Client Project. It is anticipated that resources will be freed during October and this action can then be fully resolved by November 2009.
       Status as at 23/10/09: 2 - As per August 09. This will also be done in conjunction with 3.1.1 above.
       Status as at XX/11/09: 2 - Access is now restricted to appropriate ICT Staff. Toad has been removed from people outside of ICT who do not need this tool. Essentially this is complete.
       What remains to be done (and who by): (none recorded)


3.1.5  A review is undertaken of staff with access to these report writers. Staff are reminded about data protection and information security. The product, if possible, is configured so that users can only access the same information they can through the normal system access logon.
       Risk Categorisation: Moderate
       Original Management Response:
         Action(s):
         (a) Staff identified and email sent reinforcing Data Protection and Information Security issues.
         (b) Reporting tools used assessed as to whether they can be configured in this manner.
         Resource(s): 1 x Service Desk/Application Support; Service Level Management
       Responsible Officer / Impl'n Date: M. Allen; (a) 30th June 09, (b) 30th June 09
       Status as at 31/8/09: 3 - For the majority of staff using these tools this will be dealt with by the mandatory training for Government Connect. Those staff not affected will be dealt with after Government Connect implementation. This should all be addressed by the end of October 2009.
       Status as at 23/10/09: 2 - Training has been done for all staff on the 'Secure' network as part of Phase 1 of Government Connect. This will be rolled out in stages to the rest of the Authority by March 2010.
       Status as at XX/11/09: 2 - All Staff within Revenues & Benefits and ICT & E-Government have attended briefing sessions and signed personal statements as part of Phase 1. Work is underway with Children & Young People's to bring them on to the secure network. Delays have been brought about by the extra requirements of Government Connect, and this has meant the original Audit recommendations have 'grown'.
       What remains to be done (and who by): All briefing sessions should be completed by 31st March 2010 for all Council Staff. These are being undertaken by the Council's Training & Development Team.


3.2.2  A review is undertaken of software in use to ensure the Council has the correct number of licences. The review also considers if all software installed is required, to identify if the Council is paying for licences for products that are no longer in use.
       Risk Categorisation: Moderate
       Original Management Response:
         Action(s): Investigation into what products have been installed and where, which will then be reconciled with any renewal notices from the supplier in the past 12 months from invoices held in E-Business. The results of this investigation will then be used to formulate an action plan to ensure any unlicensed software is removed and that appropriate 'metering' arrangements are in place.
         Resource(s): ICT Business Support; Service Level Management.
       Responsible Officer / Impl'n Date: M. Allen; 30th June 09
       Status as at 31/8/09: 2 - Investigation has been completed and additional modules for Certero are currently being costed for approval. This will give the ability to map software to licences and more readily identify those installs that need removing.
       Status as at 23/10/09: 2 - The Software Asset Management Module has been purchased and is currently being installed and configured.
       Status as at XX/11/09: 2 - This has been installed and the client installed on all Council PCs. Certero (Third Party Provider) are currently importing all licence information which has been provided by Microsoft and other organisations. The delay in implementing this has in the main part been due to finding the right tool and making sure it can integrate with Assyst and the Asset Management database (IT).
       What remains to be done (and who by): Once all the information has been imported, the next stage is to set up the monitoring reports to monitor usage across the install base. This should deliver the relevant information during the next 3 months to identify those installs that are rarely used and may best be used elsewhere. This will ultimately be an ongoing process managed by ICT Business Support.
