Legislative Audit Division
State of Montana

Report to the Legislature

Information System Audit
June 2006

Data Center Review
Department of Administration

This report contains five multi-part recommendations addressing:

- Implementing an overall process to ensure threats to the data center are addressed.
- Implementing safeguards over physical security to deter unauthorized access.
- Strengthening safeguards to mitigate water and earthquake-related threats.
- Coordinating disaster recovery efforts.
- Defining responsibilities for data center security and coordination.

Direct comments/inquiries to:
Legislative Audit Division
Room 160, State Capitol
PO Box 201705
Helena MT 59620-1705

06DP-05

Help eliminate fraud, waste, and abuse in state government. Call the Fraud Hotline at 1-800-222-4446 statewide or 444-4446 in Helena.

INFORMATION SYSTEM AUDITS

Information System (IS) audits conducted by the Legislative Audit Division are designed to assess controls in an IS environment. IS controls provide assurance over the accuracy, reliability, and integrity of the information processed. From the audit work, a determination is made as to whether controls exist and are operating as designed. In performing the audit work, the audit staff uses audit standards set forth by the United States Government Accountability Office.

Members of the IS audit staff hold degrees in disciplines appropriate to the audit process. Areas of expertise include business, accounting and computer science.

IS audits are performed as stand-alone audits of IS controls or in conjunction with financial-compliance and/or performance audits conducted by the office. These audits are done under the oversight of the Legislative Audit Committee, which is a bicameral and bipartisan standing committee of the Montana Legislature. The committee consists of six members of the Senate and six members of the House of Representatives.

MEMBERS OF THE LEGISLATIVE AUDIT COMMITTEE

Senator Joe Balyeat, Vice Chair
Representative Dee Brown
Senator John Brueggeman
Representative Hal Jacobson
Senator Jim Elliott
Representative Christine Kaufmann
Senator Dan Harrington
Representative Scott Mendenhall
Senator Lynda Moss
Representative John Musgrove, Chair
Senator Corey Stapleton
Representative Janna Taylor

LEGISLATIVE AUDIT DIVISION

Scott A. Seacat, Legislative Auditor
Deputy Legislative Auditors: Tori Hunthausen, James Gillett Chief Deputy Legislative Auditor Jim Pellegrini

June 2006

The Legislative Audit Committee of the Montana State Legislature:

We conducted an information systems audit of Data Center operations at the Department of Administration. Our audit focused on the management and protection of the central data center against physical, logical and environmental threats. This report contains multi-part recommendations addressing: implementing an overall process to ensure threats to the data center are addressed; implementing safeguards over physical security to deter unauthorized access; strengthening safeguards to mitigate water and earthquake-related threats; coordinating disaster recovery efforts; and defining responsibilities for data center security and coordination.

We wish to express our appreciation to the department for their cooperation and assistance.

Respectfully submitted,

/s/ Scott A. Seacat

Scott A. Seacat
Legislative Auditor

Room 160, State Capitol Building, PO Box 201705, Helena, MT 59620-1705
Phone (406) 444-3122 FAX (406) 444-9784 E-Mail [email protected]

Members of the audit staff involved in this audit were David P. Nowacki and Dale Stout.

Table of Contents

Appointed and Administrative Officials
Executive Summary
Chapter I – Introduction and Background
    Introduction
    Scope and Objectives
    Methodology
Chapter II – Findings and Recommendations
    Introduction
    Planning and Management
        Identification of Resources, Threats, Risks, Cost Effectiveness Analysis
        Lacking Overall Approach
    Physical Security
        Perimeter Security
        Background Checks
        Authorization Documentation
        Periodic Review of Access
        Key Card Logs Monitoring
        Visitor Logs
        Operator Awareness
    Environmental Security
        Earthquakes
        Water
    Recovery and Incident Response
        Disaster Recovery
    Why are Security Measures not given a Priority?
        Services vs. Security
        Security Through Obscurity
        Summary
Department Response

Appointed and Administrative Officials

Department of Administration

Janet Kelly, Director
Dick Clark, Chief Information Officer
Pat Boles, Cyber Protection Officer
Jeff Brandt, Deputy Chief Information Officer
Steve Bender, Deputy Chief Information Officer

Executive Summary

A data center is a facility used for housing and protecting computers and communications equipment that stores and processes the data necessary to support business operations. The Department of Administration (DofA) maintains a central data center as a service to state agencies. Information resources residing within the data center are critical servers, systems, and data including the Statewide Accounting, Budgeting and Human Resources System, the Department of Revenue’s IRIS system, and Department of Public Health and Human Services systems.
DofA approximates the total value of equipment in the data center at $14 million.

The audit included determining whether DofA has identified logical, physical and environmental threats to the data center, assessed the risk or impact presented by the threats, determined the feasibility of implementing controls to address the risks, implemented appropriate controls, and re-assessed risks periodically. Audit work included interviews with DofA personnel, walkthroughs and inspections of the facilities, observations, and review of documentation and equipment configurations. We reviewed safeguards used to prevent unauthorized access to server operating systems and reviewed procedures to update and patch server operating systems. We reviewed physical controls, doorways, card key locks and access systems, monitoring functions, and the physical layout of the data center. Audit work included reviewing controls over environmental threats such as moisture and flooding, fire and heat, earthquakes, power surges and outages, and man-made threats such as food, beverages, physical contact or disruption.

Overall, there is not a process in place to ensure the continuity of data center operations or for management to make an informed decision about the appropriateness, cost effectiveness, and necessity of implementing data center controls. DofA has taken a minimal approach to securing the existing data center, preferring to focus efforts and resources on obtaining a new facility that they represent will solve the major problems. DofA performs damage control and remediation as problems arise, but does not eliminate or reduce all known threats proactively.
This report contains recommendations addressing: implementing an overall process to ensure threats to the data center are addressed; implementing safeguards over physical security to deter unauthorized access; strengthening safeguards to mitigate water and earthquake-related threats; coordinating disaster recovery efforts; and defining responsibilities for data center security and coordination.

Chapter I – Introduction and Background

Introduction

A data center is a facility used for housing and protecting computers and communications equipment that stores and processes the data necessary to support business operations. The Department of Administration (DofA) maintains a central data center as a service to state agencies. Information resources residing within the data center are critical servers, systems, and data including the Statewide Accounting, Budgeting and Human Resources System, the Department of Revenue’s IRIS system, and Department of Public Health and Human Services systems. DofA approximates the total value of equipment in the data center at $14 million.

Scope and Objectives

Agencies rely on DofA to protect the equipment housing their information systems and data. DofA has the responsibility to establish appropriate controls, which protect agency information resources contained within the data center. During past audits, agencies have expressed concerns regarding the adequacy of controls over the data center.

The scope of this audit included the management and protection of the data center and information resources residing within. The scope also included access controls to operating systems under the control of DofA, patch management and server updates. The scope did not include access controls related to any particular application, database, or system, and excluded network devices such as hubs, routers, switches, and firewalls.

Objective #1: This objective is to determine whether the department has implemented controls that are commensurate with the identified threats to the information resources: Has DofA implemented controls to prevent, detect or mitigate risks from physical, environmental, and logical threats to the data center?

Conclusion: DofA has controls in place for fire and heat, power surges and outages, and operating systems access and updates. In the areas of physical security, moisture and flooding, earthquakes, and incident response, controls are fragmented or nonexistent and can be improved. DofA performs damage control and remediation as problems arise, but does not eliminate or reduce all known threats proactively. Overall, there is not a process in place to ensure the continuity of data center operations or for management to make an informed decision about the appropriateness, cost effectiveness, and necessity of implementing data center controls.

Objective #2: This objective is to evaluate the condition of the facilities housing the data center, primarily the Mitchell Building: Does the location of the data center, and the facilities that contain the data center, present significant threats that cannot be reasonably controlled or mitigated by DofA?

Conclusion: The Mitchell Building presents additional challenges to securing the data center, particularly in the security against physical and water-related threats. DofA has taken a minimal approach to securing the existing data center, preferring to focus efforts and resources on obtaining a new facility that they represent will solve the major problems. DofA can do more to mitigate these threats to the data center. For example, moving the data center from the basement level could reduce water-related threats, and making structural improvements to the data center walls and locking hallway doors could tighten physical security.

Methodology

We evaluated whether DofA has identified threats to the data center, assessed the risk or impact presented by the threats, determined the feasibility of implementing controls to address the risks, implemented appropriate controls, and re-assessed risks periodically. We interviewed DofA personnel, conducted facility walkthroughs, observed operations, and reviewed documentation and equipment configurations. We reviewed safeguards used to prevent