POL00142944
POL00142944
Management Response and summary of E&Y Financial Audit findings 2011/12
New Findings 2011/12 Comment
Strengthen user admin Recommended management response
process As part of the improvement process, and due to findings from last year’s
audit a standardised access control management process has been
implemented by Fujitsu for both HNG and POLSAP (excluding Cash
Centres).
4x HNG findings — 2x findings
- resolved through initiation of
revised process
This process requires further evaluation to assess performance, but has
4x SAP findings all in Cash already been proven to catch outstanding anomalies.
Centre — responsibility of CC
Managers Mitigating controls are in place through the use of iKeys and issuing
procedures.
Fujitsu HR are now part of the process in access revocation.
Strengthen password Recommended management response
parameters = I E&Y have acknowledged that password weaknesses in the application,
No standard security policy
exists across all accounts /
applications I POL to review multiple security policies and standardise where appropriate,
I to provide a suitable cross-reference of parameter setting across multiple
I systems, landscapes and suppliers
Ernst & Young have allocated findings against the categories utilised in last year’s audit. While these have been assessed as
closed by POL (and RMG Internal Audit) new, lesser findings are being reported against these categories.
Prior year - open I Comment
Strengthen the change Recommended management response
management process E&Y review of change management processes did reflect improvements
since the prior year audit
SAP — 14x anomalies where
name evidence required Further clarity to be provided to the auditor regarding responsibility of
authorisation of changes according to category (ie maintenance change,
HNG — 35x anomalies raised antivirus etc.) — 26x null findings.
26x discounted as null
findings (due to being
maintenance changes)
9x findings prior to
implementation of new process
Service Improvement process implemented in Nov/Dec 2011 to resolve
other findings.
E&Y to provide amended RAG status
Review of privileged access Recommended management response
E&Y review of privileged access to IT functions across the in-scope
applications and their supporting infrastructure did reflect improvements,
SAP — 2x findings
POL Information Security — to particularly around POLSAP privileged access
assess whether appropriate to
shared service environment As part of the improvement process, and due to findings from last year’s
audit a standardised access control management process has been
HNG - 2x findings implemented by Fujitsu for both HNG and POLSAP (excluding Cash
POL Information Security - to Centres).
assess whether appropriate to This process requires further assessment to ensure performance, but has
shared service environment already been proven to catch outstanding anomalies
Mitigating controls are in place through the use of iKeys and issuing
procedures.
Reporting and evidence has been standardised in BAU reports for Privileged
Access utilisation.
As part of the iSMF BAU process management reviews assess adequacy
and regularity of the controls in place.
POL Information Security to review appropriateness of access against best
practise and centre of excellence models
E&Y to provide amended RAG status
Implement periodic user Recommended management response
access review and Objection to the statement — ‘ no process in place to periodically validate
monitoring controls user access appropriateness to the HNGX estate’
A process does exist, including a quarterly review , with communication &
HNG -— 2x findings — quarterly management via Information Security Management Forum (iSMF).
POL00142944
POL00142944
review not demonstrated
SAP — 1x finding — evidence of
review not retained
Implementation of the new process took place in October 2011, regular
access management reviews have been performed, with the exception of the
data centre physical access in Ireland (which was in the midst of a Service
improvement plan) and was unable to be evidenced to the E&Y Audit team.
Processes to be reviewed and communicated and evidence to be retained.
E&Y to provide amended RAG status
Strengthen the user
administration process
SAP - 6x findings — regarding
Cash Centre manager
authorities
HNG - 4x findings
2x findings prior to (and
captured by) new process
implemented October 2011
E&Y to provide amended RAG status
Recommended management response
E&Y examination of the user administration process for the applications in
scope reflected some improvements since the previous year audit
SAP — Cash Centre Manager's authorising responsibility to be assessed and
confirmed by Information Security as appropriate, with recommendations on
segregation of duties.
The existing review process to be assessed to ensure appropriateness of
controls regarding Cash Centre authorisation
Improvements to logical
security settings
2x Linux findings
2x Oracle findings
Fujitsu / POL Information
Security to confirm whether
this is appropriate to shared
service environment
I regular Pen Test Exercise invoked by PO Ltd Security.
Recommended management response
E&Y review of the logical security settings for the infrastructure supporting
the applications in scope reflected improvements, including the remediation
of the logical security weaknesses noted for the Linux platforms in the prior
year
Process currently in place to continue.
Fujitsu will perform a periodic scan of passwords to be made as part of a
Findings and exceptions outside of best practice to be raised at the regular
embedded BAU monitoring sessions within the existing BAU governance
process within POL and to be supported by the Audit Control Governance
Board
E&Y to provide amended RAG status
Strengthen password
parameters
Conflicting security policies
_I Recommended management response:
} their recommendation. Limitations exist due to the complexity of multiple
I systems and it is inappropriate to apply a single standard as suggested.
I E&Y to provide amended RAG status
E&Y review of the password configurations for the in-scope applications and
the infrastructure supporting these applications reflected some
improvements since the prior year audit
Auditors do not appear to recognise the complexity of the estate in line with
POL to review multiple security policies and standardise where appropriate,
otherwise provide a suitable cross-reference of setting across multiple
systems, landscapes and suppliers.
Review of generic privileged
accounts
Centre of Excellence
authorities / responsibilities
Fujitsu / POL Information
Security have confirmed that
this is appropriate to shared
service environment
(agreed to by RMG Internal
Audit - review 2012)
Recommended management response
E&Y review of privileged access to the in-scope applications and their
supporting infrastructure reflected some improvements in the use of shared
privileged accounts
Process currently in place to continue
Monitoring and communication will be provided to POL through the regular
embedded BAU process to ensure access control management is robust.
POL Information Security to confirm best practise approach and
appropriateness of access rights.
E&Y to provide amended RAG status