Houston, Is This A Problem? March 24, 2013

Posted by Audit Monkey in The Joy & Pain of Internal Audit.
I have news; Audit Monkey has been doing some IT Audit work and has come across the following weaknesses. However, I’m unsure whether these are weaknesses, and what their implications are. So, to assist me, I’m going to let you, the reader, decide. In no particular order:

1. Third parties who can access the whole of the network when they logon. This includes network folders where the main software programs are held. Is this a problem?

2. The network is not segregated and is on one domain. Is this a problem?

3. There is no standard computer configuration for third party users who access the firm’s network. IT rely on the end-user having up to date Anti-Virus software. Is this a problem?

4. Although users do not have access to certain folders on the network, they are dumping documents in the Shared Drive (or Shared Folders) on the network. There is no rhyme or reason for the documents being placed there. Is this a problem?

5. A legacy system is being used for some routine processing. A bespoke computer program is being written in-house by an IT Specialist. To my knowledge, there are no tags in the code or system documentation. To date, no Project Specification has been produced. The IT Specialist will leave when the project is complete but the remaining staff have no expertise in programming or the code the program is written in. Is this a problem?

6. The IT Support Team have no idea whether they have breached the Microsoft Licencing Agreements. Is this a problem?

7. Some of the servers have seen better days, are poorly configured and have failed. Data has been lost. A year-end backup wasn’t taken. Is this a problem?

8. The purchasing of IT kit, software, hardware, etc, is reactive. There is no IT Asset Management policy. It is divided up between the Purchasing Department (who don’t have a background in IT) and IT. Is this a problem?

9. The software to restrict Internet usage is poorly configured and illogical. Pure numerical IP addresses are included in the exception list. The exception list also includes non-business websites which seem to cater to employees’ particular outside interests or hobbies. Is this a problem?

10. There is no proper patch management process. It’s as and when. Is this a problem?

I would welcome any comments from my regular Blog readers, all two of you. To my knowledge, everything is hunky dory and there is no need for concern. A ‘green’ Audit Report will be issued in due course.

Comments»

1. ITauditSecurity - March 26, 2013

My dear monkey,
Welcome to IT audit!

You are no doubt pulling my tail.

Let me return the favor by noting that most of these IT issues are NOT problems because business-side controls will catch and fix most of the fraud or illicit changes to financial data. That’s why they do reconciliations!

And the firewall will fix most of the other problems.

Oh, and you don’t want to patch systems because the business processing is so critical that you can’t take systems down to patch them! And even if you patch them today, you’ll just have to patch them again in the future, so why waste your time?

And vendors need access to fix everything because IT is busy creating value-adds for the business.

I sure hope this audit jumpstarts an exciting, new career for you!

Cheers.

2. Audit Monkey - March 27, 2013

No tail pulling here. This is for real.

ITauditSecurity - March 30, 2013

I don’t believe you.
But here’s a serious reply anyway (stretching my neck out….)

It depends, except for a few of them….

It depends on the risk appetite of the company. For example, if the company takes credit cards and the network is not segregated, that is a problem. But if they are not PCI-relevant, it may not matter.

Also, 3rd parties having access to everything…do 3rd parties do all the real work of the company? If so, that isn’t a problem.

Usually, all of these are problems for the average company.

#6 is always a problem regardless of any circumstances.

The real question is, why would a company with all these problems, allow an IT auditor to review the practices? Obviously, someone knew that some problems existed already (lost data), but did nothing. That’s the real question. Find that answer and the rest should fall into place quite nicely.

3. ITmonkey101 - March 31, 2013

1. Third parties who can access the whole of the network when they logon. This includes network folders where the main software programs are held. Is this a problem?
Not sure I follow. This seems to contradict item 4. However, the principle of least access should apply, I would have thought.

2. The network is not segregated and is on one domain. Is this a problem?
Domains aren’t a problem AFAIK (but it’s not my specialist area). Network folder security, documentation management and VPN firewall access should all be in place to keep sensitive data away from prying eyes.

3. There is no standard computer configuration for third party users who access the firm’s network. IT rely on the end-user having up to date Anti-Virus software. Is this a problem?
Poor. Very poor. They could be letting any old nasties onto their network.

4. Although users do not have access to certain folders on the network, they are dumping documents in the Shared Drive (or Shared Folders) on the network. There is no rhyme or reason for the documents being placed there. Is this a problem?
I guess the textbook answer is that they should be sent by encrypted mail or stored in a document management system. Both are cumbersome and annoying.
As long as there is security on the network folders then it should be OK I would have thought?

5. A legacy system is being used for some routine processing. A bespoke computer program is being written in-house by an IT Specialist. To my knowledge, there are no tags in the code or system documentation. To date, no Project Specification has been produced. The IT Specialist will leave when the project is complete but the remaining staff have no expertise in programming or the code the program is written in. Is this a problem?
Red light flashing!! Seriously? I give it a month before it falls in a heap and they’re paying this guy extortionate rates to come back and fix the problem. This is a textbook awful situation.

6. The IT Support Team have no idea whether they have breached the Microsoft Licencing Agreements. Is this a problem?
Nah – Microsoft have loads of money.

7. Some of the servers have seen better days, are poorly configured and have failed. Data has been lost. A year-end backup wasn’t taken. Is this a problem?
Maintenance, support, end of life for hardware and software. All important. What happens if one of these systems blows up, or a restore is needed and the backups are broken? Business impact?

8. The purchasing of IT kit, software, hardware, etc, is reactive. There is no IT Asset Management policy. It is divided up between the Purchasing Department (who don’t have a background in IT) and IT. Is this a problem?
Eh? Who sorts out the support contracts?

9. The software to restrict Internet usage is poorly configured and illogical. Pure numerical IP addresses are included in the exception list. The exception list also includes non-business websites which seem to cater to employees’ particular outside interests or hobbies. Is this a problem?
I don’t approve of internet usage nannying. If people break the rules then discipline them. Don’t stop them surfing web sites that might be beneficial to their job.

10. There is no proper patch management process. It’s as and when. Is this a problem?
There are 2 schools of thought. The first one says if it breaks, then patch to fix. The second one is proactive patching. If you are in a financial services environment then proactive patching should be the way to go to head off any security breaches before they occur.

This place sounds like a shambles. I bet your audit report makes for interesting reading.

Audit Monkey - March 31, 2013

Just curious, why are document management systems annoying? As I see it, it’s a free-for-all at the moment, with documents stored on the network in illogical folders, personal folders, shared folders, etc. No problem per se, but some of it is sensitive.

ITmonkey101 - April 1, 2013

Downside of document management systems – unintelligible hierarchy, annoying permissions, documents still owned by leavers, clunky to upload new versions of docs, useless search facility.

Still all better than a random heap of junk on a shared folder though. At least you can point to “official” versions of docs for change requests, etc.

Personally I prefer a wiki type format. Works better for 90% of docs as it is easy to update and involves minimal monkeying around with Microsoft products (Word, Excel, etc).

4. laveti - April 1, 2013

Reblogged this on Information Security Blog and commented:
Interesting discussion on IT Audit findings.

5. HOUSTON, IS THIS A PROBLEM? | Information Security Blog - April 1, 2013

[…]  Reblogged from Auditmonkey’s Blog: I have news; Audit Monkey has been doing some IT Audit work and has come across the following weaknesses. However, I’m unsure whether these are weaknesses and the implications. So, to assist me, I’m going to let you, the reader, decide. In no particular order: Read more… 374 more words Interesting discussion on IT Audit findings, worth reading! […]

ITauditSecurity - April 7, 2013

Hey, reblogged! I’m impressed!

6. HOUSTON, IS THIS A PROBLEM? | truetech-blog - April 18, 2013

[…] Reblogged from Auditmonkey’s Blog: […]
