At a recent Southwark Council Audit, Governance and Standards Committee we heard what external auditors had found during various audits including one on IT Network Security.
For the first time ever in my 10 year of chairing or vice charing these committees we heard that an area of the council had “No Assurance”. This means the area is in a complete pickle and no confidence it will get sorted out any time soon.
Please see page 45 of the agenda pack:
The area is IT Network Security. The key findings stated were:
- The council has deployed and is using operating systems that are no longer supported by the developer.
- There are not adequate arrangements in place to apply operating system security and firmware patches to its IT servers.
- The council’s corporate risk register does not accurately record the risk of an information security breach or the consequences.
- A disproportionately high number of users have been granted elevated access rights, which includes domain administrator access.
- The Council does not have procedures in place to identify unusual or suspicious activity, nor are existing network perimeter security controls reviewed on a routine basis.
- Vulnerabilities, including the absence of a de-militarized zone between the Council’s IT network and the PSN, have been included within the design of the council’s IT network.
- Firewall rules, both internal and external, are not subject to a routine review in order to determine their adequacy.
- Anti-malware signatures are not updated on all Council devices.
- The design and configuration of the council’s IT network perimeter security controls are inherently insecure and do not meet the requirements of either the PSN or of the Payment Card Industry Data Security Standard (PCI-DSS). A prolonged lack of effective management has only served to undermine the existing controls, such as they are, and require that the council will need to take drastic action in order to secure its IT network.
Utter IT security chaos placing Direct debits, employee ban accounts details, etc at risk.