AUDIT REPORT

Network Assessment Audit

Audit Opinion: Needs Improvement

Date: December 15, 2014
Report Number: 2014-IT-03
Table of Contents

Executive Summary
  Background ............................ Page 1
  Audit Objectives and Scope ............ Page 1
  Audit Opinion ......................... Page 2
Appendix
  Definitions ........................... Page 3
  Issue Classifications ................. Page 4
  Distribution .......................... Page 6
  Audit Performed By .................... Page 6
Executive Summary

Background

The Office of the Internal Auditor (OIA) requested that Citizens' Legal Counsel engage a third-party firm to perform a network assessment as a proactive approach to assessing the potential cyber risks associated with Citizens' IT environment. News reports routinely portray susceptibility to cyber threats across all corporate industries and government entities. Recent Verizon study statistics show that hacking and malware are the most common attack methods, with servers and user devices as the primary targets. Companies look to technology investments, process and monitoring improvements, people assets and, more recently, cyber insurance as part of their risk mitigation efforts. However, there is a need to think beyond traditional security protection mechanisms, to remain vigilant and to constantly view system vulnerabilities through the lens of a cyber-criminal. To this end, penetration testing provides a proactive approach to understanding local threats and specific risks that are not always depicted in the result sets created by standardized vulnerability management tools.

Penetration testing is the process of evaluating computer network security by simulating malicious external and internal attacks. This process involves the active analysis of potential vulnerabilities that, if exploited, could result in business disruption. Penetration testing of Citizens' network perimeter has been conducted periodically by various third-party firms. The Information Security department, headed by the Director of IT Security and Risk, is normally responsible for performing and/or coordinating the internal and external penetration tests. The third-party network test objectives were shared with a small subset of IT management during the engagement process to ensure that a collaborative plan was developed and that certain key IT individuals were involved during the testing, so that Citizens' network and business functions were not impacted.
Internal, external and wireless penetration testing was performed to ensure that a comprehensive view of risks was obtained. The work product of the third-party firm is protected under attorney-client privilege, ensuring that vulnerabilities remain confidential within the organization.

Although the audit primarily focused on the impact of a cyber event within the organization, there was also a need to improve the data incident management process. Accordingly, the development of an organization-wide data incident response plan was included in the project. The plan provides for all stages of data incident response, for intersections with other existing enterprise processes as needed, and for on-demand reference materials such as risk assessments, external resource lists and other required documentation.

Audit Objectives and Scope

The objective of this audit was to evaluate the adequacy and effectiveness of the vulnerability management processes implemented to safeguard Citizens' computer network and to ensure that network security and availability adequately support the objectives of the business. The focus areas included the following:
Internal and External Penetration Testing
  o Attack simulation processes were employed to evaluate computer and network security and to identify vulnerabilities that may be difficult to detect with only automated network or application vulnerability scanning processes.

Web Application Security Review
  o Targeted testing of browser-based application security controls was performed, referencing discovered vulnerabilities to industry-standard web application security frameworks such as the SANS Top 25 and the Open Web Application Security Project (OWASP).

Wireless Penetration Testing
  o A wireless security assessment was completed, including a review of encryption and authentication technologies as well as detection of rogue access points and wireless network adapters. This was a targeted review of one location.

Audit Opinion

Following completion of the third-party network assessment, we are of the opinion that the overall effectiveness of the processes and controls associated with the vulnerability management program is rated as Needs Improvement.

Security enhancements have been made in the cyber security realm over the past two years. A Director of IT Security and Risk was hired to oversee all IT security risks and processes. A greater focus has been placed on privacy and security risks with the implementation of a privacy framework comprising a Privacy Policy, an Information Security Policy and an Information Classification and Handling Policy. Emphasis has also been placed on enhancements and tools associated with the vulnerability management and penetration testing processes. However, our work identified some areas of improvement required in network security risk mitigation. Management is working on a corrective action plan, which will include enhancing the organization's understanding of the impact of cyber risks, the best practices required to protect Citizens' data, and the continuous improvements essential to the maturity of the vulnerability management program.
We would like to thank management and staff for their cooperation and professional courtesy throughout the course of this audit.
Appendix 1

Definitions

Audit Ratings

Satisfactory: Critical internal control systems are functioning in an acceptable manner. There may be no or very few minor issues, but their number and severity relative to the size and scope of the operation, entity, or process audited indicate minimal concern. Corrective action to address the issues identified, although not serious, remains an area of focus.

Needs Improvement: Internal control systems are not functioning in an acceptable manner and the control environment will require some enhancement before it can be considered fully effective. The number and severity of issues relative to the size and scope of the operation, entity, or process being audited indicate some significant areas of weakness. Overall exposure (existing or potential) requires a corrective action plan with priority.

Unsatisfactory: One or more critical control deficiencies exist which would have a significant adverse effect on loss potential, customer satisfaction or management information, or the number and severity of issues relative to the size and scope of the operation, entity, or process being audited indicate pervasive, systemic, or individually serious weaknesses. As a result, the control environment is not considered to be appropriate, or the management of the risks reviewed falls outside acceptable parameters, or both. Overall exposure (existing or potential) is unacceptable and requires an immediate corrective action plan with the highest priority.
Appendix 2

Issue Classifications

Control Category: Financial Controls (Reliability of financial reporting)

  High:
    - Financial statement misstatements >USD 5 million
    - Control issue that could have a pervasive impact on control effectiveness in business or financial processes at the business unit level
    - A control issue relating to any fraud committed by any member of senior management or any manager who plays a significant role in the financial reporting process

  Medium:
    - Financial statement misstatements between USD 2.5 million and USD 5 million
    - Control issue that could have an important impact on control effectiveness in business or financial processes at the business unit level

  Low:
    - Financial statement misstatements below USD 2.5 million
    - Control issue that does not impact control effectiveness in business or financial processes at the business unit level

Control Category: Operational Controls (Effectiveness and efficiency of operations)

  High:
    - Losses >USD 2.5 million
    - Achievement of principal business objectives in jeopardy
    - Customer service failure (e.g., excessive processing backlogs, unit pricing errors, call center non-responsiveness for more than a day) impacting 10,000 policyholders or more, or negatively impacting a number of key corporate accounts
    - Prolonged IT service failure impacting one or more applications and/or one or more business units
    - Negative publicity related to an operational control issue
    - An operational control issue relating to any fraud committed by any member of senior management or any manager who plays a significant role in operations
    - Any operational issue leading to the death of an employee or customer

  Medium:
    - Losses between USD 0.5 million and USD 2.5 million
    - Achievement of principal business objectives may be affected
    - Customer service failure (e.g., processing backlogs, unit pricing errors, call center non-responsiveness) impacting 1,000 to 10,000 policyholders, or negatively impacting a key corporate account
    - IT service failure impacting more than one application for a short period of time
    - Any operational issue leading to injury of an employee or customer

  Low:
    - Losses below USD 0.5 million
    - Achievement of principal business objectives not in doubt
    - Customer service failure (e.g., processing backlogs, unit pricing errors, call center non-responsiveness) impacting fewer than 1,000 policyholders
    - IT service failure impacting one application for a short period of time

Control Category: Compliance Controls (Compliance with applicable laws and regulations)

  High:
    - Public censure, fines or enforcement action (including a requirement to take corrective actions) by any regulatory body which could have a significant financial and/or reputational impact on the Group
    - Any risk of loss of license or regulatory approval to do business
    - Areas of non-compliance identified which could ultimately lead to the above outcomes
    - A control issue relating to any fraud committed by any member of senior management which could have an important compliance or regulatory impact

  Medium:
    - Public censure, fines or enforcement action (including a requirement to take corrective action) by any regulatory body
    - Areas of non-compliance identified which could ultimately lead to the above outcomes

  Low:
    - Non-public action (including routine fines) by any regulatory body
    - Areas of non-compliance identified which could ultimately lead to the above outcome

Remediation Timeline

  High: Such an issue would be expected to receive immediate attention from senior management, but must not exceed 60 days to remedy.

  Medium: Such an issue would be expected to receive corrective action from senior management within 1 month, but must be completed within 90 days of the final Audit Report date.

  Low: Such an issue does not warrant immediate attention, but there should be an agreed program for resolution. This would be expected to complete within 4 months, but in every case must not exceed 180 days.
Appendix 3

Distribution

Addressees:
  Mitch Brockbank, Director, IT Security and Risk

Copies:
  Juan Cocuy, Citizens Audit Committee Chairman
  Bette Brown, Citizens Audit Committee Member
  Jim Henderson, Citizens Audit Committee Member
  Barry Gilway, President/CEO/Executive Director
  Kelly Booten, Chief of Systems and Operations
  Curt Overpeck, Chief Information Officer
  John Rollins, Chief Risk Officer
  Dan Sumner, General Counsel and Chief Legal Officer
  Bruce Meeks, Inspector General
  Johnson Lambert, LLP (External Auditors)

Following Audit Committee Distribution:
  The Honorable Rick Scott, Governor
  The Honorable Jeff Atwater, Chief Financial Officer
  The Honorable Pam Bondi, Attorney General
  The Honorable Adam Putnam, Commissioner of Agriculture
  The Honorable Andy Gardiner, President of the Senate
  The Honorable Steve Crisafulli, Speaker of the House of Representatives

Audit Performed By:
  Karen Wittlinger, Audit Director

Under the Direction of:
  Joe Martins, Chief of Internal Audit