AccessControlSimulation
Transcript AccessControlSimulation
ACG 6415
Access Control Simulation
AICPA 2012 Top 10 Technology Initiatives
I.R.S.
Access Control Simulations
Getting Started
Tutorial
• Enter here to:
• Watch slideshow of “what to do”
• Get key card for access
• Play around with office and other objects
Inside
• Wall has slides that automatically advance
• Receptionist can provide you with objects needed for the simulation
Touch/Click Receptionist
• To acquire key card
• Red or Blue
• Equipment Form
Get Key Card
• Click Keep
Wear Key Card Step 1
• Open Inventory
• Briefcase icon
• Open Objects folder
• Find Security_CardBlue
• Find Security_CardRed
Wear Key Card Step 2
• Click Wear button
• Note the Inventory object description changes to show it is now (worn on Chest)
• You can now access the blue or red building
• Make sure this control is working: try accessing the wrong building
Click around and play
Choose Your Starting Point
You’ve got this far; what should I do?
• Walk around building and grounds
• Enter offices, computer rooms, network rooms, etc.
• Click things (computer screens, cabinets, “people”, etc.)
• Use the camera (Option on Mac, Ctrl on PC) to zoom in on desktops and other objects
• Keep notes:
• Controls in place
• Weaknesses (how can they be fixed?)
• Usability issues (this is beta, after all)
• What’s easy / hard
• How long did it take you?
• Overall comments
AICPA 2012
Top 10 Technology Initiatives
Bonus Question
What’s #1?
1 Securing the IT environment
2 Managing and retaining data
3 Managing risk and compliance
4 Ensuring privacy
5 Leveraging emerging technologies
6 Managing system implementation
7 Enabling decision support and managing performance
8 Governing and managing IT investment/spending
9 Preventing and responding to fraud
10 Managing vendors and service providers
New This Year
• Confidence that their organization or client is taking the necessary actions related to the initiative
• What were respondents least confident in?
• Protecting all mobile devices (laptops, tablets, mobile phones, etc.) to prevent a data breach
• Ensuring that data will be safe in the event of a cyber-attack or mobile device loss
Biggest Impact
1 IT Security
2 Remote Access
3 Control and use of mobile devices
4 Business process improvement with technology
5 Data retention policies and structure
6, 7, 8 (listed together on the slide): Privacy policies and compliance; Staff and management training; Spreadsheet management
9 Overall data proliferation and control
10 Portals (vendor and client/customer)
IRS Needs to Further Enhance Internal Control over Financial Reporting and Taxpayer Data
GAO-12-393, Mar 16, 2012
What GAO Found
• Control weaknesses jeopardize the confidentiality, integrity and availability of financial and sensitive taxpayer information
Weaknesses
• Did not implement controls for identifying and authenticating users
• Did not require users to set new passwords after a prescribed period of time
• Did not appropriately restrict access to certain servers
• Did not ensure that sensitive data were encrypted when transmitted
• Did not audit and monitor systems to ensure that unauthorized activities would be detected
• Did not ensure management validation of access to restricted areas
• Left unpatched and outdated software that exposed IRS to known vulnerabilities
• Did not enforce backup procedures for a key system
Not a Good Opinion
• “Considered collectively, these deficiencies, both new and unresolved from previous GAO audits, along with a lack of fully effective compensating and mitigating controls, impair IRS’s ability to ensure that its financial and taxpayer information is secure from internal threats. This reduces IRS’s assurance that its financial statements and other financial information are fairly presented or reliable and that sensitive IRS and taxpayer information is being sufficiently safeguarded from unauthorized disclosure or modification. These deficiencies are the basis of GAO’s determination that IRS had a material weakness in internal control over financial reporting related to information security in fiscal year 2011.”
Access Controls
• User Identification
• Authorization
• Cryptography
• Audit and Monitoring
• Physical Security
Identification and Authorization
• Authentication
• IRS requires a “strong” password: 8 characters minimum
• At least one special character; at least one uppercase and one lowercase letter
• Can’t reuse a password within 10 password changes
• IRS did not set an appropriate maximum password reuse time or ensure complex password verification checking for its procurement system.
• Systems used to process tax and financial information did not fully prevent access by unauthorized users or excessive levels of access for authorized users.
• IRS has implemented an access authorization control for a system used to process electronic tax payment information; however, users had the capability to circumvent this control and gain access to this system’s server.
• During its monthly compliance check in August 2011, the agency identified 16 users who had been granted access to the procurement system without receiving approval from the agency’s authorization system.
• Data in a shared work area used to support accounting operations were fully accessible by network administration staff although they did not need such access.
• IRS has not taken actions to appropriately restrict services and user access, and to remove active application accounts in a timely manner for employees who had separated or no longer needed access.
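The password rules above (8-character minimum, a special character, upper and lower case, no reuse within 10 changes) expressed as an enforcement routine. This is an added example written for this page, not IRS code; the KDF iteration count and the demo values are constructed and labelled as such.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

MIN_LENGTH = 8          # IRS minimum length from the slide
HISTORY_DEPTH = 10      # no reuse within the last 10 password changes
KDF_ITERATIONS = 20_000 # constructed demo value; production deployments use far more

def complexity_errors(password: str) -> list[str]:
    """Return every complexity rule the candidate password violates."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        errors.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        errors.append("no lowercase letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        errors.append("no special character")
    return errors

@dataclass
class PasswordHistory:
    """Salted PBKDF2 digests of a user's last HISTORY_DEPTH passwords.
    Keeping digests instead of plaintext lets the reuse check run without
    making old passwords recoverable."""
    entries: list[tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest)

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)

    def was_used_recently(self, password: str) -> bool:
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self.entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, self._digest(password, salt)))
        del self.entries[:-HISTORY_DEPTH]  # keep only the newest HISTORY_DEPTH

def change_password(history: PasswordHistory, new_password: str) -> list[str]:
    """Enforce complexity and reuse rules; record the password and return [] on success."""
    errors = complexity_errors(new_password)
    if history.was_used_recently(new_password):
        errors.append(f"reused within the last {HISTORY_DEPTH} changes")
    if not errors:
        history.record(new_password)
    return errors
```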
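The monthly compliance check described in the last three bullets (grants without authorization-system approval, and accounts left active for separated employees) as a reconciliation script. This is an added example, not IRS tooling; the CSV extracts are constructed sample data and the column names are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample extracts (not real IRS data): access grants recorded on the
# procurement system, approvals from the authorization system, and HR separations.
GRANTS = """user,granted
asmith,2011-08-03
bjones,2011-08-10
cdoe,2011-08-12
dlee,2011-08-15
"""
APPROVALS = """user,approved
asmith,2011-08-01
bjones,2011-08-11
"""
SEPARATIONS = """user,separated
cdoe,2011-08-05
"""

def _rows(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))

def monthly_compliance_check(grants=GRANTS, approvals=APPROVALS, separations=SEPARATIONS):
    """Return {user: [reasons]} for every grant the authorization control should have stopped."""
    approved = {r["user"]: date.fromisoformat(r["approved"]) for r in _rows(approvals)}
    separated = {r["user"]: date.fromisoformat(r["separated"]) for r in _rows(separations)}
    findings: dict[str, list[str]] = {}
    for r in _rows(grants):
        user, granted = r["user"], date.fromisoformat(r["granted"])
        reasons = []
        if user not in approved:
            reasons.append("granted without approval")
        elif approved[user] > granted:
            # An approval dated after the grant means the control was bypassed, not applied.
            reasons.append("granted before approval was recorded")
        if user in separated and separated[user] <= granted:
            reasons.append("granted to a separated employee")
        if reasons:
            findings[user] = reasons
    return findings
```

Run against real extracts, the returned mapping is the list of accounts to revoke and the evidence for the audit file.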
Cryptography
• The agency configured a server that transfers tax and financial data between internal systems to use protocols that allowed unencrypted transmission of sensitive data.
• IRS also had not rectified its use of unencrypted protocols for a sensitive tax-processing application, potentially exposing user ID and password combinations.
Audit and Monitoring
• The agency had not delivered system audit reports covering a 4-month period for one financial application.
• The agency had enabled and configured audit logging for UNIX operating systems on 31 servers reviewed. However, it had not enabled and configured monitoring activity for its authorization system.
• IRS did not properly enable auditing features on its Oracle databases supporting three systems we reviewed.
• IRS’s ability to establish individual accountability, monitor compliance with security policies, and investigate security violations was limited.
Physical Security
• Physical security controls are important for protecting computer facilities and resources from espionage, sabotage, damage, and theft.
• IRS did not always consistently authorize employees’ access to restricted areas or inventory physical access cards.
• The guard forces at two of the three computing centers we visited did not always sign, thus providing accountability for, the inventory of physical access cards.
• One of three guard shifts did not detect an anomaly in the inventory for 4 of the 5 days we reviewed at one computing center.
• Physical security weaknesses identified during previous audits remain unresolved:
• Management validation of access to restricted areas
• Proximity cards allowing inappropriate access
• Unlocked cabinets containing network devices
Configuration Management
• Verify the correctness of the security settings in the operating systems, applications, or computing and network devices.
• Obtain reasonable assurance that systems are configured and operating securely and as intended.
• IRS had never installed numerous patch releases for the UNIX operating system supporting another system we reviewed, although this operating system has existed since March 2009.
• 10 uninstalled security-related patch releases were considered “critical” by the vendor.
• The agency also used outdated software on all three reviewed servers used for remote access.
• IRS was using unsupported versions of software on most network devices reviewed.