City of Palo Alto
Finance Committee Staff Report
Report Type: Action Items
Meeting Date: 6/5/2012
Summary Title: SAP Security Audit Progress
Title: SAP Security Audit Progress Report
From: City Manager
Lead Department: IT Department
Recommendation
(ID # 2806)
Staff recommends that the Finance Committee review the SAP Security Audit
recommendations progress report and summary of next steps.
Executive Summary
In 2011, the City Auditor's Office conducted an audit of selected SAP security controls.
The audit report, consisting of 4 findings and 21 recommendations, was reported to the Finance
Committee on October 7, 2011. Staff acknowledged the importance of the security
vulnerabilities in SAP; since then, staff has made it a top priority to address and
rectify many of the findings in the audit. This report provides an update of the
status. As of June 2012, staff has implemented 13 recommendations (62%); one is
in progress and 7 recommendations are still open.
Status           October 2011    June 2012
OPEN                  12             7
IN PROGRESS            2             1
COMPLETED         7 (33%)      13 (62%)
TOTAL                 21            21
Discussion
June 05, 2012
(ID # 2806)
Page lof7
The following six recommendations were implemented since the first Finance
Committee review meeting of October 7, 2011.
FINDING 1: ASD did not secure powerful system-provided user accounts, resulting
in significant security vulnerabilities.
RECOMMENDATION #3 - To ensure the City can appropriately respond to SAP
security incidents, ASD should develop and implement a comprehensive incident
response plan that meets PCI DSS and NIST control standards and that also
includes provisions.
Status: The SAP Program Management Office (PMO) has implemented an incident
management procedure that includes the following elements:
• Incident reporting, including date, report by, description, evidence
collection
• Incident recovery: including actions taken and communication
• Incident analysis, including business impact, root cause analysis and
mitigation plan
• Incident review and approval: a formal review and sign off procedure is
implemented at SAP Program Office.
FINDING 2: ASD violated two critical security principles by not properly restricting
access for all user accounts
This report does not address the recommendations under Finding 2.
FINDING 3: ASD has not effectively managed all SAP user accounts to ensure
system security
RECOMMENDATION #6 - Develop and implement policies and procedures to
ensure that SAP access for separated City employees is terminated in a timely
manner and coordinated with Human Resources Department processes.
Status: The NT account and SAP user account are terminated upon receipt of a
Termination Report from HR. The security risk resides largely in the employee
termination business process, i.e. having the business department fill out a
Personnel Action Form (PAF) for each terminated employee. To mitigate the risk,
staff has automated the SAP user account termination process and implemented
controls to facilitate reconciliation between Human Resources, the Windows NT
account, and the SAP user account. These actions ensure that access to SAP by
separated City employees is monitored and terminated.
RECOMMENDATION #7 - ASD should eliminate the 52 generic CalCard user
accounts.
The 52 generic CalCard user accounts do not have any role or authorization
assigned; therefore, the corresponding security risk is relatively low. The user
accounts are used to close out fraudulent charges to the City's CalCards and
cannot be used for purchases. To mitigate the risk, staff has implemented a daily
control to monitor and review the activity of the generic user accounts. The
actual elimination of the 52 generic CalCard user accounts will take effect after
the Purchase Card replacement project is fully implemented.
Status: The new Purchase Card program has been fully implemented and staff will
eliminate the generic user accounts as part of the closing of the CalCard program.
Staff estimates that this step will be completed by August 2012.
RECOMMENDATION #11 - ASD should establish policies, procedures, and
processes to ensure that SAP user administrators are aware of the required
identification information for each type of SAP user account, and that SAP is
configured to mandate, to the extent possible, input of required information. SAP
user accounts contain all required user identification information, consistent with
Human Resources Department records and/or other applicable independent
authorized lists for City employees. The City is compliant with PCI DSS and NIST SP
800-53 standards in its management of SAP user accounts.
Status: The SAP user account information combines HR employee master
information and information from Active Directory (network and email
account). Therefore, any attempt to address the issue within SAP only is limited.
Staff has reviewed HR new employee, employee change, and termination
processes and automated the SAP account maintenance to ensure information
consistency between HR, NT account and SAP account.
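The reconciliation control described under Recommendations #6 and #11 (HR records against NT/Active Directory accounts against SAP user accounts) can be expressed as a small script. The example below is added here and is not the City's own tooling: the record layouts, the SAP "locked"/"valid_to" fields, the link attribute `employee_id`, and the three sample lists are all constructed assumptions used to show what such a reconciliation reports.

```python
"""Reconcile HR separations against Windows (NT/AD) and SAP user accounts.

Added example, not the City of Palo Alto's own tooling. Record layouts, the
SAP 'locked'/'valid_to' fields and the sample data are constructed here.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    name: str
    separation_date: Optional[date]  # None = still employed


@dataclass(frozen=True)
class AdAccount:
    sam_account: str
    employee_id: str  # attribute linking the account to HR (assumed)
    enabled: bool


@dataclass(frozen=True)
class SapUser:
    user_name: str
    employee_id: str  # HR link stored in the user master (assumed)
    locked: bool
    valid_to: date  # user master "valid through" date (assumed)


Finding = Tuple[str, str, str, str]  # employee_id, system, account, reason


def reconcile(hr: Iterable[HrRecord], ad: Iterable[AdAccount], sap: Iterable[SapUser],
              as_of: date, exempt: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Return every account that contradicts HR: still usable on or after the
    employee's separation date, or tied to no HR record at all (orphaned).
    `exempt` names approved technical/service accounts that have no HR owner."""
    hr = list(hr)
    separated = {r.employee_id for r in hr
                 if r.separation_date is not None and r.separation_date <= as_of}
    known = {r.employee_id for r in hr}
    findings: List[Finding] = []
    for acct in ad:
        if acct.employee_id in separated and acct.enabled:
            findings.append((acct.employee_id, "AD", acct.sam_account, "enabled after separation"))
        elif acct.employee_id not in known and acct.sam_account not in exempt:
            findings.append((acct.employee_id, "AD", acct.sam_account, "no matching HR record"))
    for user in sap:
        # An SAP user is usable only if it is unlocked and its validity has not expired.
        usable = not user.locked and user.valid_to > as_of
        if user.employee_id in separated and usable:
            findings.append((user.employee_id, "SAP", user.user_name, "usable after separation"))
        elif user.employee_id not in known and user.user_name not in exempt:
            findings.append((user.employee_id, "SAP", user.user_name, "no matching HR record"))
    return sorted(findings)


# Constructed sample data (not City records).
FAR_FUTURE = date(9999, 12, 31)
HR = [
    HrRecord("E100", "Alice", None),
    HrRecord("E200", "Bob", date(2012, 4, 30)),
    HrRecord("E300", "Carol", date(2012, 6, 15)),  # separates after the run date
    HrRecord("E400", "Erin", date(2012, 5, 15)),
]
AD = [
    AdAccount("alice", "E100", True),
    AdAccount("bob", "E200", True),            # should have been disabled
    AdAccount("carol", "E300", True),
    AdAccount("erin", "E400", False),
    AdAccount("svc_interface", "", True),      # approved service account
]
SAP = [
    SapUser("ALICE", "E100", False, FAR_FUTURE),
    SapUser("BOB", "E200", False, date(2012, 4, 30)),  # validity already expired
    SapUser("ERIN", "E400", False, FAR_FUTURE),        # unlocked and still valid
    SapUser("DAVE", "E999", False, FAR_FUTURE),        # nobody in HR
    SapUser("SVC_INTERFACE", "", False, FAR_FUTURE),
]


def run_sample() -> List[Finding]:
    return reconcile(HR, AD, SAP, date(2012, 6, 1),
                     exempt=frozenset({"svc_interface", "SVC_INTERFACE"}))


if __name__ == "__main__":
    for employee_id, system, account, reason in run_sample():
        print(f"{system:3} {account:15} emp={employee_id or '-'}: {reason}")
```

Run daily against the HR termination report, an AD export and the SAP user list, the script flags three things the report's controls are meant to catch: an NT account still enabled after separation, an SAP user still unlocked and valid after separation, and an SAP user with no HR record at all. The expiry check treats a user whose "valid through" date has passed as already terminated, so it is not double-reported.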
FINDING 4: The City needs to formally adopt and implement information systems
control standards to ensure SAP security
RECOMMENDATION #14 - ASD should formally assign responsibility for SAP security.
Information security is becoming increasingly important as new, potentially more
damaging threats arise each day; therefore, the information security manager
position has been created to develop and implement a City-wide information
security program, as well as ensuring that ongoing activities preserve the
availability, integrity and confidentiality of City information resources in
compliance with applicable security policies and standards.
Status: The starting date for the new Security Manager is May 15, 2012.
RECOMMENDATION #17 - ASD should develop and implement formal policies
and procedures to ensure that SAP security parameters are properly configured
and compliant with PCI DSS, NIST SP 800-53, and other applicable industry
standards.
Status: The following 10 SAP security parameters have been updated to
tighten security controls:
No.  Parameter                                               Old value   Recommended    New value
 1   Disable multiple SAPGUI logons (for the same SAP account)      0   More than 0            1
 2   Minimum number of digits in passwords                          0   More than 0            2
 3   Minimum number of letters in passwords                         0   More than 0            4
 4   Minimum password length                                            7 or more              8
 5   Minimum number of upper-case characters in passwords           0   More than 0            1
 6   Minimum number of lower-case characters in passwords           0   More than 0            1
 7   Days until password must be changed                          180   90 or less            90
 8   Maximum number of days a password (set by the ...) ...        45   14 or less            14
 9   Maximum number of days a password (set by the ...) ...         0   30 or less            45
10   Maximum idle time for a user, in seconds                   14400   900 or less         7200
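A parameter table like the one above is only useful if someone re-checks it after every system copy or profile change. The script below is an added example, not the City's own tooling: it reads instance-profile lines of the form `name = value` and tests them against the "Recommended" column. Mapping the ten rows to SAP profile parameter names (`login/disable_multi_gui_login`, `login/min_password_*`, `login/password_expiration_time`, `login/password_max_idle_initial`, `login/password_max_idle_productive`, `rdisp/gui_auto_logout`) is an assumption made here; the two profile texts are constructed to mirror the old and new values in the table, and the old minimum password length, which the table does not give, is simply left out of the "before" profile.

```python
"""Check SAP profile parameters against the thresholds in the table above.

Added example, not the City's own tooling. The row-to-parameter mapping is an
assumption; the BEFORE/AFTER profile texts are constructed from the table.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple


def _more_than_zero(v: int) -> bool:
    return v > 0


def _at_least(n: int) -> Callable[[int], bool]:
    return lambda v: v >= n


def _at_most_nonzero(n: int) -> Callable[[int], bool]:
    # SAP treats 0 as "unlimited" for the expiry, idle and auto-logout
    # parameters, so 0 must never satisfy an "N or less" requirement.
    return lambda v: 0 < v <= n


# (parameter name, requirement as worded in the table, check)
RULES: List[Tuple[str, str, Callable[[int], bool]]] = [
    ("login/disable_multi_gui_login",      "more than 0",         _more_than_zero),
    ("login/min_password_digits",          "more than 0",         _more_than_zero),
    ("login/min_password_letters",         "more than 0",         _more_than_zero),
    ("login/min_password_lng",             "7 or more",           _at_least(7)),
    ("login/min_password_uppercase",       "more than 0",         _more_than_zero),
    ("login/min_password_lowercase",       "more than 0",         _more_than_zero),
    ("login/password_expiration_time",     "90 or less (not 0)",  _at_most_nonzero(90)),
    ("login/password_max_idle_initial",    "14 or less (not 0)",  _at_most_nonzero(14)),
    ("login/password_max_idle_productive", "30 or less (not 0)",  _at_most_nonzero(30)),
    ("rdisp/gui_auto_logout",              "900 or less (not 0)", _at_most_nonzero(900)),
]

_LINE = re.compile(r"^\s*([A-Za-z0-9_/]+)\s*=\s*(-?\d+)\s*(?:#.*)?$")


def parse_profile(text: str) -> Dict[str, int]:
    """Read 'name = value' lines of an instance profile; '#' comments,
    blank lines and non-numeric values are skipped."""
    params: Dict[str, int] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            params[m.group(1)] = int(m.group(2))
    return params


def check(params: Dict[str, int]) -> List[Tuple[str, Optional[int], str, bool]]:
    """One (parameter, value or None if unset, requirement, passes) per rule.
    An unset parameter never passes: it silently falls back to the SAP default."""
    return [(name, params.get(name), req,
             params.get(name) is not None and ok(params[name]))
            for name, req, ok in RULES]


def failing(params: Dict[str, int]) -> List[str]:
    return [name for name, _, _, passes in check(params) if not passes]


# Constructed profiles mirroring the table's "Old value" and "New value" columns.
BEFORE = """
# old settings (constructed; min password length not given in the report)
login/disable_multi_gui_login = 0
login/min_password_digits = 0
login/min_password_letters = 0
login/min_password_uppercase = 0
login/min_password_lowercase = 0
login/password_expiration_time = 180
login/password_max_idle_initial = 45
login/password_max_idle_productive = 0
rdisp/gui_auto_logout = 14400
"""
AFTER = """
login/disable_multi_gui_login = 1
login/min_password_digits = 2
login/min_password_letters = 4
login/min_password_lng = 8
login/min_password_uppercase = 1
login/min_password_lowercase = 1
login/password_expiration_time = 90
login/password_max_idle_initial = 14
login/password_max_idle_productive = 45
rdisp/gui_auto_logout = 7200
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        for name, value, req, passes in check(parse_profile(text)):
            print(f"{label:6} {'PASS' if passes else 'FAIL'} {name:36} = {value!s:6} (want {req})")
```

Run on the "before" profile, all ten checks fail (the missing minimum length counts as a failure because an unset parameter takes the SAP default). Run on the "after" profile, two checks still fail: the productive-password idle limit (45 days against the recommended 30 or less) and the GUI auto-logout (7200 seconds against the recommended 900 or less), which is exactly what the table's New value column shows for rows 9 and 10.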
In December 2011 the new IT Department was transitioned to the management
of the Chief Information Officer. The IT Department is the lead on resolving the
outstanding audit recommendations and will coordinate with the Administrative
Services Department.
In progress
Recommendation 21: In order to enhance the Auditor's Office's efficiency, audit
independence, and ability to ensure compliance with generally accepted
government auditing standards, staff recommends that ASD implement the AIS
tool and provide access to the Auditor's Office.
Status: Staff is in the process of analyzing authorization role requirements and
design preparation. The target completion date is December 2012.
Next Steps
The remaining recommendations involve implementing IT department level NIST
or PCI-DSS standards and City wide Security Policies and procedures. Staff
recommends a City wide security assessment to determine risk level and
implementation strategy.
FINDING 2: ASD violated two critical security principles by not properly restricting
access for all user accounts
Recommendation 5: Ensure that SAP user account administration functions are
properly separated (SOD).
FINDING 4: The City needs to formally adopt and implement information systems
control standards to ensure SAP security
Recommendation 12: IT Department in coordination with ASD should adopt and
implement PCI DSS and NIST SP 800-53.
Recommendation 13: IT Department in coordination with ASD should develop and
implement a formal and comprehensive security policy consistent with PCI DSS,
NIST, the SAP Library, and other industry standards.
Recommendation 15: IT Department in coordination with ASD should implement a formal
security awareness and training program.
Recommendation 16: IT Department in coordination with ASD should implement a
formal risk assessment process that meets minimum standards as stated in PCI
DSS and NIST 800-53.
ASD has not properly reconfigured key SAP system security settings.
Recommendation 18: IT Department in coordination with ASD should ensure that access
to SAP system parameters is restricted to only authorized staff, and that policies
and procedures incorporate change controls as stated in NIST SP 800-53 so that
all changes are properly planned, authorized, executed, and monitored.
Recommendation 19: IT Department in coordination with ASD should develop policies
and procedures, and also implement minimum NIST SP 800-53 and PCI DSS
controls applicable to log management.
Timeline, Resource Impact, Policy Implications, Environmental Review (If Applicable)
Additional resources will be needed to conduct City Wide Information Security
Assessment.
Prepared By: Jennifer Leu, Manager, IT
Department Head: Jonathan Reichental, Chief Information Officer
City Manager Approval: