Information Technology Audit
Cyber Security across Government Entities
Report by the Auditor General
February 2017

Published by: National Audit Office, Notre Dame Ravelin, Floriana FRN 1600, Malta
Telephone: (+356) 2205 5555
Fax: (+356) 2205 5077
E-mail: [email protected]
Website: www.nao.gov.mt
ISBN: 978-99957-60-02-1
Printed at the Government Press, Marsa, Malta
facebook.com/NAOMalta
nao.gov.mt

Information Technology Audit - Cyber Security across Government Entities

Table of Contents

List of Figures 5
List of Tables 5
List of Abbreviations 6
Executive Summary 9

Chapter 1 - Overview 15
1.1 Background 16
1.2 Audit Coverage 17
    1.2.1 Malita Investments p.l.c. 18
    1.2.2 Malta College of Arts, Science and Technology 19
    1.2.3 Malta Competition and Consumer Affairs 20
    1.2.4 Malta Enterprise Corporation 20
    1.2.5 Malta Freeport Corporation Ltd. 21
    1.2.6 Manoel Theatre 21
    1.2.7 Commission for the Rights of Persons with Disability 21
    1.2.8 Refugee Commission 22
    1.2.9 Regulator for Energy and Water Services 22
    1.2.10 WasteServ Malta Ltd. 22
1.3 Audit Considerations 23
    1.3.1 Data Collected, Stored and Used 23
    1.3.2 Number of Employees 25
    1.3.3 Teleworking Arrangements 25
    1.3.4 In-house IT Unit or Out-Sourced IT Services 27
1.4 ICT at the Audited Entities 29
    1.4.1 Applications/Databases 29
    1.4.2 Website 30
    1.4.3 Use of Social Media 31
    1.4.4 Servers and Data Storage Hardware 33
    1.4.5 Personal Computers 34
    1.4.6 Local Area Network (LAN) 35
    1.4.7 E-mail System 36
1.5 Audit Scope and Objectives 37
1.6 Audit Methodology 38
1.7 Structure of the Report 38
1.8 Acknowledgements 38

Information Technology Audit - Cyber Security across Government Entities 3

Chapter 2 - Data Management and Data Governance 39
2.1 Audit Trails 40
2.2 Information Classification Policy 43
2.3 Data Retention and Storage Policy 44
2.4 Hardware Disposal 45

Chapter 3 - User Education and Awareness 47
3.1 Training Programme 49
3.2 User Manuals 50
3.3 Internet and E-mail Usage Policy 51
3.4 Web Filtering Policy 53
3.5 User Awareness of Cyber Risks 55

Chapter 4 - Malware Protection 57
4.1 Anti-Virus Software 58
4.2 Patch Management 59
4.3 Use of Portable Smart Media and Storage Devices 61

Chapter 5 - Disaster Recovery 65
5.1 Business Continuity and Disaster Recovery Plans 66
5.2 Backup 68
5.3 Storage of Backup Media 70
5.4 Recovery of Data 71

Chapter 6 - Asset Management 73
6.1 IT Inventories 74
6.2 Physical Security 76
6.3 Server and Network Monitoring 79
6.4 Adequacy of Server Room 81

Chapter 7 - Access Control 83
7.1 User Authentication and Password Management 84
7.2 Unauthorised Physical Access 88

Chapter 8 - Management Comments 89
8.1 Malita Investments p.l.c. 90
8.2 Malta College of Arts, Science and Technology 92
8.3 Malta Competition and Consumer Affairs Authority 96
8.4 Malta Enterprise Corporation 98
8.5 Malta Freeport Corporation Ltd. 100
8.6 Manoel Theatre 102
8.7 Commission for the Rights of Persons with Disability 104
8.8 Refugee Commission 106
8.9 Regulator for Energy and Water Services 108
8.10 WasteServ Malta Ltd. 110

4 National Audit Office Malta

Annexes
Annex A: CoBit Controls 114
Annex B: Restrictions on the Use of Electronic Mail and Internet Services 118
Annex C: Business Continuity and Disaster Recovery Plan 120

List of Figures
Figure 1: Cyber Security across Government Entities 14
Figure 2: The Four Integrated Domains of CoBit 114

List of Tables
Table 1: Data Stored, Collected and Used 24
Table 2: Number of Employees 25
Table 3: Teleworking Arrangements 26
Table 4: Implementation Schedule – Malita Investments p.l.c. 91
Table 5: Implementation Schedule – MCAST 95
Table 6: Implementation Schedule – MCCAA 97
Table 7: Implementation Schedule – Malta Enterprise Corporation 99
Table 8: Implementation Schedule – Malta Freeport Corporation Ltd. 101
Table 9: Implementation Schedule – Manoel Theatre 103
Table 10: Implementation Schedule – CRPD 105
Table 11: Implementation Schedule – Refugee Commission 107
Table 12: Implementation Schedule – REWS 109
Table 13: Implementation Schedule – WasteServ Malta Ltd. 111

LIST OF ABBREVIATIONS

The following is a list of abbreviations which are used, inter alia, throughout the document.

BCP      Business Continuity Plan
BYOD     Bring-your-own-Device
CCTV     Closed Circuit Television
CDRT     Centre for Development, Research and Training
CIMU     Central Information Management Unit
CIO      Chief Information Officer
COBIT    Control Objectives for Information and related Technology
CRPD     Commission for the Rights of Persons with Disability
DRP      Disaster Recovery Plan
e-mail   Electronic Mail
eRFS     Electronic Request for Service
EU       European Union
HR       Human Resources
ICT      Information and Communications Technology
IMU      Information Management Unit
IP       Internet Protocol
IPS      Institute for Public Services
IT       Information Technology
LAN      Local Area Network
MAGNET   Malta Government Network
MCAST    Malta College of Arts, Science and Technology
MCCAA    Malta Competition and Consumer Affairs Authority
MITA     Malta Information Technology Agency
MQF      Malta Qualifications Framework
NAO      National Audit Office
NAS      Network Attached Storage
OS       Operating System
PAHRO    Public Administration Human Resources Office
PC       Personal Computer
PRTG     Paessler Router Traffic Grapher
REWS     Regulator for Energy and Water Services
RPO      Recovery Point Objective
RTO      Recovery Time Objective
SLA      Service Level Agreement
SNMP     Simple Network Management Protocol
SSL      Secure Socket Layer
UPS      Uninterrupted Power Supply
URL      Uniform Resource Locator
VPN      Virtual Private Network
WAN      Wide Area Network

Executive Summary