POL00142944 - Management Response and Summary of E&Y Financial Audit Findings 2011/12

Evidence on official site

POL00142944
POL00142944

Management Response and summary of E&Y Financial Audit findings 2011/12

New Findings 2011/12 Comment

Strengthen user admin Recommended management response

process As part of the improvement process, and due to findings from last year’s
audit a standardised access control management process has been
implemented by Fujitsu for both HNG and POLSAP (excluding Cash
Centres).

4x HNG findings — 2x findings
- resolved through initiation of
revised process

This process requires further evaluation to assess performance, but has
4x SAP findings all in Cash already been proven to catch outstanding anomalies.
Centre — responsibility of CC
Managers Mitigating controls are in place through the use of iKeys and issuing

procedures.

Fujitsu HR are now part of the process in access revocation.

Strengthen password Recommended management response
parameters = I E&Y have acknowledged that password weaknesses in the application,

No standard security policy
exists across all accounts /
applications I POL to review multiple security policies and standardise where appropriate,
I to provide a suitable cross-reference of parameter setting across multiple

I systems, landscapes and suppliers

Ernst & Young have allocated findings against the categories utilised in last year’s audit. While these have been assessed as
closed by POL (and RMG Internal Audit) new, lesser findings are being reported against these categories.

Prior year - open I Comment

Strengthen the change Recommended management response
management process E&Y review of change management processes did reflect improvements
since the prior year audit

SAP — 14x anomalies where
name evidence required Further clarity to be provided to the auditor regarding responsibility of
authorisation of changes according to category (ie maintenance change,
HNG — 35x anomalies raised antivirus etc.) — 26x null findings.

26x discounted as null
findings (due to being
maintenance changes)

9x findings prior to
implementation of new process

Service Improvement process implemented in Nov/Dec 2011 to resolve
other findings.

E&Y to provide amended RAG status

Review of privileged access Recommended management response
E&Y review of privileged access to IT functions across the in-scope

applications and their supporting infrastructure did reflect improvements,

SAP — 2x findings

POL Information Security — to particularly around POLSAP privileged access

assess whether appropriate to

shared service environment As part of the improvement process, and due to findings from last year’s
audit a standardised access control management process has been

HNG - 2x findings implemented by Fujitsu for both HNG and POLSAP (excluding Cash

POL Information Security - to Centres).

assess whether appropriate to This process requires further assessment to ensure performance, but has

shared service environment already been proven to catch outstanding anomalies

Mitigating controls are in place through the use of iKeys and issuing
procedures.

Reporting and evidence has been standardised in BAU reports for Privileged
Access utilisation.

As part of the iSMF BAU process management reviews assess adequacy
and regularity of the controls in place.

POL Information Security to review appropriateness of access against best
practise and centre of excellence models

E&Y to provide amended RAG status

Implement periodic user Recommended management response

access review and Objection to the statement — ‘ no process in place to periodically validate
monitoring controls user access appropriateness to the HNGX estate’

A process does exist, including a quarterly review , with communication &

HNG -— 2x findings — quarterly management via Information Security Management Forum (iSMF).

POL00142944

POL00142944

review not demonstrated

SAP — 1x finding — evidence of
review not retained

Implementation of the new process took place in October 2011, regular
access management reviews have been performed, with the exception of the
data centre physical access in Ireland (which was in the midst of a Service
improvement plan) and was unable to be evidenced to the E&Y Audit team.

Processes to be reviewed and communicated and evidence to be retained.

E&Y to provide amended RAG status

Strengthen the user
administration process

SAP - 6x findings — regarding
Cash Centre manager
authorities

HNG - 4x findings

2x findings prior to (and
captured by) new process
implemented October 2011

E&Y to provide amended RAG status

Recommended management response
E&Y examination of the user administration process for the applications in
scope reflected some improvements since the previous year audit

SAP — Cash Centre Manager's authorising responsibility to be assessed and
confirmed by Information Security as appropriate, with recommendations on
segregation of duties.

The existing review process to be assessed to ensure appropriateness of
controls regarding Cash Centre authorisation

Improvements to logical
security settings

2x Linux findings

2x Oracle findings

Fujitsu / POL Information
Security to confirm whether
this is appropriate to shared
service environment

I regular Pen Test Exercise invoked by PO Ltd Security.

Recommended management response

E&Y review of the logical security settings for the infrastructure supporting
the applications in scope reflected improvements, including the remediation
of the logical security weaknesses noted for the Linux platforms in the prior
year

Process currently in place to continue.
Fujitsu will perform a periodic scan of passwords to be made as part of a

Findings and exceptions outside of best practice to be raised at the regular
embedded BAU monitoring sessions within the existing BAU governance
process within POL and to be supported by the Audit Control Governance
Board

E&Y to provide amended RAG status

Strengthen password
parameters

Conflicting security policies

_I Recommended management response:

} their recommendation. Limitations exist due to the complexity of multiple
I systems and it is inappropriate to apply a single standard as suggested.

I E&Y to provide amended RAG status

E&Y review of the password configurations for the in-scope applications and
the infrastructure supporting these applications reflected some
improvements since the prior year audit

Auditors do not appear to recognise the complexity of the estate in line with

POL to review multiple security policies and standardise where appropriate,
otherwise provide a suitable cross-reference of setting across multiple
systems, landscapes and suppliers.

Review of generic privileged
accounts

Centre of Excellence
authorities / responsibilities
Fujitsu / POL Information
Security have confirmed that
this is appropriate to shared
service environment

(agreed to by RMG Internal
Audit - review 2012)

Recommended management response

E&Y review of privileged access to the in-scope applications and their
supporting infrastructure reflected some improvements in the use of shared
privileged accounts

Process currently in place to continue
Monitoring and communication will be provided to POL through the regular
embedded BAU process to ensure access control management is robust.

POL Information Security to confirm best practise approach and
appropriateness of access rights.

E&Y to provide amended RAG status