FOLLOW-UP REVIEW OF RISK MANAGEMENT ETC RISK MANAGEMENT FRAMEWORK

Transcription

1 2017 FOLLOW-UP REVIEW OF RISK MANAGEMENT ETC RISK MANAGEMENT FRAMEWORK MA. LUISA JASA-LOQUE IMAAN HIGHER COLLEGE OF TECHNOLOGY Educational Technology Center

2 DISTRIBUTION LIST ETC QA CORDINATOR Report Distribution List Ms. Rehana Al Ameer, ETC-HoC Ms. Zayana Al Sinawi, HoS-CSS Ms. Nawal Al Dhanki, HoS-ESS Ms. Najiya Al Omrani, HoS-LSS

3 of Contents DISTRIBUTION LIST... 1 ETC QA CORDINATOR... 1 Report Distribution List... 1 EXECUTIVE SUMMARY Background Objectives Audit Assurance... 3 RISK PRIORITIZATION... 4 Priority 1 : High Risks... 4 Priority 2 : Significant Risks... 4 Priority 3 : Moderate Risks... 4 Priority 4 : Low Risks... 4 ACTION PLAN... 0

4 EXECUTIVE SUMMARY 1. Background 1.1 This document follows up the development made towards implementing Risk Action Plan written and discussed from the ETC Risk Framework completed and submitted to HCT QAU on May This documents made some recommendations as per team s risk assessment in order to improve controls. 2. Objectives The objectives of this follow up document are: To determine if the recommendations of the Risk Coordinator have been implemented. To evaluate the effect of any changes in the organization since the ETC Risk Framework established in the department. To formulate a view on the appropriateness and usefulness of the current risk management framework. To create a guide in embedding risk management framework within the organization 3. Audit Assurance The ETC Risk Framework is adequate in following developments that have been introduced last October 2015 and will benefit from further improvements to make sure it endures to improve in a constructive way.

5 RISK PRIORITIZATION The recommendations are prioritized according to the level of priority as follows: Priority 1 : High Risks High risks requires detailed research and management planning required at senior levels Priority 2 : Significant Risks Significant risks requires senior management attention Priority 3 : Moderate Risks Moderate risks requires management responsibility Priority 4 : Low Risks Low or minor risks, not critical and requires routine procedures

6 ACTION PLAN Ref. Original Recommendation Priority Agreed Action Follow Up Finding Further Recommendations and To ensure that the HCTv is up and running, a follow up on the submitted proposal of equipment upgrade must be done to the department level down to the Finance department To avoid network failure across the college, the spare parts for network devices and peripherals must always be available Maintain contracts for network devices/equipment maintenance The network team should coordinate to data center team as to determine the availability of the Disaster Recovery. All request and/or discussion should be through to ensure an audit trail. Coordinate with the Maintenance department to maintain the air ventilation basic standard requirement in communication room Regular follow up with the ETC Coordinator and Finance Department for the approval of the equipment upgrade The ETC presented and discussed the importance and benefits of purchasing the network devices to the Deanship The network team and data center team collaboratively working to provide smooth access on HCT e-services The network team will constantly monitor the air Not The ETC and Finance Department prioritized important projects Based on the output of the presentation and discussion with the Deanship, was to revised the proposal and quotation to suit the available budget The Data Center Team provided access to the network team and provide logs in order to provide smooth access of the HCT e- Services. In 4 communication rooms, the ACs were alternately used but Further Recommendations Distribute and implement HCTv via LAN : Agreed The ETC review the revised proposal to ensure to treat the risk. : ETC management allowed overtime work to the staff in charge to provide stable access of HCT e-services :

7 Review and implement the security controls (i.e. firewall, antivirus and network monitoring tools) and upgrade in a timely manner. Ensure all policies and procedures are properly maintained and followed by HCT students and staff. Maintain all network components at appropriate levels and closely monitor the network signals. ventilation in the communication room Constant monitoring of logs Training and awareness is required annually to all network team Conduct monthly and annual reviews on the usage of wireless in 2 other communication rooms, its constantly monitored Network security administrator ensure that the switches, wireless controller and Fortinet are secured and protected from any virus attack. Network team to upgrade the policies and procedures Network technician to monitor the network components and network signals. Network team must conduct annual review of the policies and Allowing network security administrator to work during weekend to ensure the security of switches, wireless and controllers Annual review of policies and procedures Annual training to all network staff Annual review of policies and procedures

8 17 Monitor the access of the communication room in new bldg. and the server rooms in other location within HCT to secure areas of network equipment Ensure that policy and procedures related to physical access are properly implemented. Review the access granted to the staff in a timely manner to make sure that there is no unauthorized access on the communication room and server room in other location across the college procedures on the wireless usage. Network team must conduct annual review of the policies and procedures on the of communication room and server room in other location across the college. Annual review of policies and procedures related to physical security of communication room and server room in other location across the college , 48 Implement the training need analysis Coordinate the training and development required in each staff to the Staff Development Coordinator to enhance the knowledge and skills of the staff. As a server owner, you have to do the best practices in securing your server such as: o Server Hygiene o Server Patching o Access Control Have a clear policies and procedures on what are the Do s and Don ts of a server owner and it must be coordinated with the Data Center 1 Agreed There must be clear segregation of duties between the Web Administrator and System Administrator under Data Center Team must Delegation of responsibility in assigning server ownership must be clear Team Leader to coordinate the performance of the staff to the HoS. Team Leader to review the policies and procedures, job responsibilities and segregation of duties Conducted TNA the cross training program

9 20 21 Ensure that the policies and procedure on hosting a server must be clearly discussed and agreed both by the Web Administrator and the Data Center Team. Technical control of your server is your responsibility as a server owner. A self-diagnostic tool must be established to assess the capabilities your server and to identify any opportunities for improvement Perform Database Auditing and Intrusion Detection Review and implement the security controls and upgrade in a timely manner. to determine who is in charge in overseeing a specific server 1 Agreed Periodically audit your database. Protect access to database Ensure that Data Security Risk and Compliance Life Cycle is being followed and implemented. 1 Agreed Constant monitoring of logs Check regularly the server maintenance. Ensure all standard, procedures and policies are maintained and followed Application developer and E- Learning Administrator to provide auditing and monitoring report Web administrator to send notification to the data center regarding any virus threat/attack and coordinate on the treatment.

10 22, 37 Coordinate with the Maintenance department to meet the required standard of high availability power system in HCT. Determine the power outage of each servers and the duration of each outage Each member of data center team to report and coordinate with Maintenance department any power fluctuation Coordinate with the Maintenance department to meet the required standard cooling system require in a data center environment. The system admin must: o Ensure that backup is complete. Have a good copy of the environment Ensure all standard, procedures and policies are maintained and followed. Regular monitoring of the temperature of the cooling system in the data center Backups should be validated that all are working properly Check regularly the server maintenance. Ensure that the Anti- Virus/Anti Spyware software definitions are up to date Each member of data center team to report and coordinate with Maintenance department regarding the monitoring the cooling system in data center System administrator to do periodic back up to avoid any mishaps. System administrator to send notification to the technical team to run the antivirus software in each assigned IT labs NA

11 Ensure that the account management policy is properly implemented Conduct a storage capacity planning to ensure that ETC keeps up with growth of the users in the college. With the help storage capacity planning, ETC helps predict future storage growth. To ensure adequate performance and efficiency of the server, the Team Leader in coordination with the HoS and HoC must make decision to change or upgrade hardware (servers) which are 4 years older. Use Virtualization and server hardware improvements to extend server life Delete user account (student and staff) who are no longer working and connected with HCT. Conduct a storage assessment to help the data center to understand how to reduce the time and effort required in managing storage capacity Cost-Benefit Analysis must be planned in order to determine System administrator to: Regularly review the active directory user accounts Adds, moves, changes and account removals System administrator to provide storage capacity planning and storage assessment to the Team Leader and HoS. Cost-Benefit Analysis Report must be presented to HoS/HoC

12 29, 30 Operational policies, procedures and standard must be properly implemented. Coordinate with the operational policies, procedures and standard Team member under the data center to check the server connection, logs and server configuration. Incident report must be submitted to Team Leader/HoS Create operational policies and procedures and conduct an awareness on the implementation of those policies and procedures To avoid any conflict of interest ETC must establish an organizational control framework which handles the following: Organizational Structure Job Description Segregation of Duties Work Restructuring to ensure greater job satisfaction from the employee Awareness about malware threats Each member of data center must be responsible for the strict implementation of the procedures and internal controls of the data center Avoid giving critical task to the staff who are involved in different committees outside ETC Use the result of staff performance in work restructuring to determine what tasks to be assigned to a specific staff Coordinate with the Network Team to enable the firewall protection. Team member to notify the team leader if any violations are done in the internal control procedures in the data center. Team leader to review and update the job responsibilities of each team member. Team leader do the work restructuring in coordination with the HoS. The assigned system administrator to Audit trail and incident report must be submitted to HoS Annual review of job responsibilities and evaluation of staff performance Annual review of job responsibilities and evaluation of staff performance

13 Implementation of operational policies and procedures to avoid malware threats Ensure that project requirements and other details are clearly discussed with the vendor If in case there are any delays, the data center must know how to communicate, negotiate and decide in order to complete the project Ensure that TNA and Job Rotation is strictly followed and implemented Conduct Cost-Benefit Analysis on license software. Consistent follow ups with the vendor must be done Work shadowing among the Data Center Team Coordinate with the vendor if possible to provide free license for academic purposes. work closely with the technical team in running the antivirus software in IT Labs Project timetable and sign off be submitted to HoS/HoC Cross Training is being implemented Coordinate with Academic Department on the software to be used on the IT Labs. Established physical resources team Reviewed the TNA Established physical resources team Coordinate with ELC on the proposal to upgrade the computers in ELC-IT Labs Coordinate with the ESS any issues concerning lamp problems in projector 1 Agreed Coordinate with the ELC on the computer which are having incompatible issue with the OS Monitoring the projector in all IT Labs regularly Monitoring the PCs in the IT Labs in ELC Area The assigned technical staff has to provide incident report to the ERAM

14 Constant coordination with the Data Center Constant coordination with the staffin-charge in Zero-Client Free Access Lab and the assigned technical staff. Coordinate with the Network Team any intermittent connection in the labs. Coordinate with the Maintenance department. Coordinate with the Data Center on any virus alert received in the IT Labs Regular monitoring of the logs and provide incident report Monitoring the zero-client free access lab regularly Regular monitoring of all the IT Labs in the Engineering Area and provide incident report with audit trail for any intermittent connection in the labs Submit request letter for the replacement of all broken chairs in all IT Labs Regularly updates the logs and ensure that the checklist is updated Team for any lamp problems in projector Checking the IT Labs regularly Monitoring and checking the zeroclient free access lab Monitoring of the network connection regularly Reported all the broken chair and handed it over to the maintenance department Scan all the PC in all the IT Labs Assigned Ensure that the task were accomplished by reviewing the task plan of the technical staff