Information Technology Systems Audit Sample Report
Table of Contents

Mission Critical Machine Audit Results
Non-Mission Critical Machine Notes
Financials
Policy
Appendix A: Notes on Audit Methodology
Executive Summary

Avant Systems, Inc. (Avant) was retained by Juniper Quota Manufacturing (JQM) to conduct an audit of their IT infrastructure and IT assets/expenditures, and to make recommendations for improving the health of IT systems in general. The onsite portion of the audit was conducted over a two day period. Avant met with partners in order to determine JQM's strategic vision and objectives[1]; the results of these interviews form the basis of the defect scoring system (Appendix A). The remainder of the onsite audit was devoted to meeting with non-ownership personnel and fact-finding about technology currently deployed at JQM. During the offsite portion of the audit, Avant reviewed IT spending for fiscal year 2001 and 2002 to date, reviewed configuration information, and drafted this document.

The audit was principally concerned with four overarching performance metrics:

- Material impact, or "bang for the buck"
- Security
- Technical inadequacies
- Suggestions for future direction
Avant's overall recommendation is that all non-essential IT spending be frozen. This freeze should last until such time as a management action plan can be developed which reprioritizes IT decision-making and spending in light of the findings presented herein. This management action plan should receive the unanimous approval of all partners prior to implementation.
[1] A fundamental principle of sound auditing practice holds that an audit must include an evaluation of the business goals, strategies, and policies of the business being audited. See, e.g., IS Auditing Guideline, Document 060.020.050 [IL: Information Systems Audit and Control Association (ISACA), 2002. Available online at http://www.isaca.org]. As an aside, the author wishes to apologize for footnoting an executive summary.
It is further recommended, in order to provide the ownership of the firm with performance metrics, that a best practice model be developed and adhered to during the correction of these faults. These best practices will then be used for all future IT implementations at JQM. Of particular concern is the rise in support costs over time. This rise can be traced to poor design and configuration in some cases. If the current trend continues unchecked, each new project deployment will require an unreasonable amount of support and administration, and will create additional support and administration on the network. Thus, any deployment of significant projects such as Document Management, an extranet, or a wholesale conversion from WordPerfect to Word should be postponed until such time as all infrastructure issues have been resolved.
Network Audit Results

Overview

The scope of this portion of the audit covered the physical layer and the logical network. The physical layer includes:

- Network cabling
- Hubs, switches, and routers
- Patch panels and equipment racks

The logical network is built upon the physical network, and includes:

- Network protocols deployed
- TCP/IP design
- Security from outside risks
Overall, the state of the network at JQM is poor. This is based upon multiple noted defects in both the physical layer and the logical network.

Physical Layer Results

The physical layer of the network forms the foundation for all software applications, data transfer, and machine communication. It is of the utmost importance that the physical layer of any network be in the best possible condition; any errors at this layer can cause a variety of symptoms in operating systems and software applications. These symptoms can be extremely costly to cure, as it will be difficult to pinpoint their cause.

The overall state of the physical layer at JQM is poor. Improperly installed cabling and electronics may be seriously impacting the performance of the network. An undocumented port topology and lack of labels may result in the expenditure of more man-hours during setup and troubleshooting. Lack of managed network electronics makes it impossible to determine error conditions which might be easily correctable and lead to increased reliability and performance.
Table 1: Physical layer: Noted defects and suggested remedies

| Defect | Score | Remedy |
|---|---|---|
| Missing conductors from network runs/cable runs not properly punched down | 3 | Install new cable as needed. Purchase sufficient punchdown blocks, reterminate all cable runs as needed. Purchase and install required patch cables. |
| Network electronics haphazardly stacked | 3 | Purchase an equipment rack/shelf. |
| Poor routing and labeling of cables in the computer room | 3 | Purchase wire management products; route cables neatly and with no strain; label all cable runs clearly for quick identification. |
| Certification/adherence to standards | 2 | As part of correction of the above, the vendor should provide a certification report clearly showing that all cable runs meet the industry standard for 100 Mbps transmission. Additionally, all cabling should be installed in conformance with EIA/TIA Category 5 standards. |
| Network map | 1 | Develop a port map that indicates which office is plugged into which port. |
| [defect label missing in source] | 3 | Purchase, installation, and configuration of managed network switches. |
| [defect label missing in source] | 3 | Configuration of the Internet router to log activity, if possible. This is important, as the router serves as the first layer in the present firewall architecture. |
Logical Network Results

The logical network is the next building block in constructing a reliable, stable, and scalable network. A properly designed logical network, when built upon a properly built and maintained physical layer, insures that applications and data work seamlessly over the network.

Overall Health: the state of the logical network at JQM is poor to fair. Many configuration problems result in poor network performance. An inadequate firewall places the firm's main server at risk for many attacks, including simple e-mail based Denial of Service attacks.
Table 2: Logical Network Defects and suggested remedies.

| Defect | Score | Remedy |
|---|---|---|
| IP address assignment | 1-2 | Reconfiguration of DHCP services, including redundancy, documentation, and splitting up of scope. |
| Mission critical device connected to Internet with a very low-end firewall places firm applications and data at risk of compromise | 5 | Remove server Main from having a connection to the Internet. If continued use of Microsoft ISA Server is desired, that product should be installed on a dedicated computer [bastion host configuration] with no other application or data installed. The installation of a managed hardware firewall appliance is the most preferable solution. |
| No e-mail application filtering: any exploited vulnerabilities in Exchange Server will impact internal e-mail and other applications reliant upon server Main | 4-5 | Installation of a messaging firewall which protects the internal mail server from exploit. This messaging firewall can either be an additional SMTP server; a more robust firewall appliance; or [most secure] both. |
| Limited firewall | 2 | Installation of a firewall which permits expansion to accommodate future implementations, e.g., an extranet for clients and co-counsel to safely access firm data. |
| [defect label missing in source] | 1 | Determine protocol requirements for all devices connected to the network, and configure for TCP/IP if possible. |
| Naming services | 3 | Design and implement an effective naming services model. Currently, if server MAIN goes down, it is not clear that continued access to the JURIS server will be available. Naming services work at best intermittently, and in some cases not at all. Workarounds of creating hosts and lmhosts files on individual machines are not recommended. |
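The naming services row in Table 2 describes resolution that works intermittently and is papered over with per-machine hosts and lmhosts files. The PowerShell script below is an added example, not part of the Avant report or any JQM configuration: it resolves each critical host name against every DNS server the client is configured to use, bypassing the hosts file, and flags names on which the servers disagree. The host names ("main.jqm.example", "juris.jqm.example") are placeholders.

```powershell
# Added example (not from the Avant/JQM report): resolve each critical host name
# against every configured DNS server and flag servers that disagree, to surface
# the intermittent naming failures described in Table 2. Host names are placeholders.

function Test-CriticalNameResolution {
    param(
        [Parameter(Mandatory)] [string[]] $HostNames,
        [string[]] $DnsServers = @()
    )

    if ($DnsServers.Count -eq 0) {
        # Use the DNS servers configured on this client's IPv4 interfaces
        $DnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
            ForEach-Object { $_.ServerAddresses } |
            Where-Object { $_ } |
            Sort-Object -Unique
    }

    foreach ($server in $DnsServers) {
        foreach ($name in $HostNames) {
            try {
                # -DnsOnly skips the hosts file, LLMNR and NetBIOS so only the DNS path is exercised,
                # which is exactly what per-machine hosts/lmhosts workarounds would otherwise mask
                $answer = Resolve-DnsName -Name $name -Type A -Server $server -DnsOnly -ErrorAction Stop
                $addresses = @($answer | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ','
                [pscustomobject]@{ Server = $server; HostName = $name; Status = 'OK';   Detail = $addresses }
            } catch {
                [pscustomobject]@{ Server = $server; HostName = $name; Status = 'FAIL'; Detail = $_.Exception.Message }
            }
        }
    }
}

# Placeholder host names standing in for the two servers the report discusses
$results = Test-CriticalNameResolution -HostNames @('main.jqm.example', 'juris.jqm.example')
$results | Format-Table -AutoSize

# A name that resolves from one server but not another points to a missing zone
# or stale record on the failing server (i.e. no working redundancy), not to the client.
$results | Group-Object HostName | Where-Object { @($_.Group.Status | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        $detail = ($_.Group | ForEach-Object { "{0}={1}" -f $_.Server, $_.Status }) -join ' '
        Write-Warning "Inconsistent resolution for $($_.Name): $detail"
    }
```

Run it from a workstation that shows the symptom and again from one that does not; a name that fails on one configured server and succeeds on another is the redundancy gap the remedy column asks to close, while a name that fails everywhere is a zone or record problem rather than a client-side one.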
Mission Critical Machine Audit Results

This portion of the audit focused on physical machines connected to the LAN. Machines were divided into two classes: mission critical and non-mission critical. The firm's two servers were deemed the only mission critical machines; as such, they were subject to an extensive audit. Non-mission critical machines were inventoried only.[2]

The overall condition of the two servers is poor. There are substantial gaps (detailed below) between each of these servers and a properly specified, designed, and implemented server. Additionally, there is no attempt at integration of the two servers, which is one of the strengths of Windows 2000 Active Directory. Such integration can lower administrative overhead while increasing stability and availability. It is recommended that JQM develop a design which takes advantage of the strengths of Active Directory, and includes provisions for redundancy of key services. This design should provide a framework for developing a detailed project plan for implementing changes on both servers.
Mission Critical Resource Number: Server Main

Overall Machine State: Poor to fair. Lack of a consistently functioning tape backup and backup routine puts the firm's data at some risk. Likewise, there is no documentation on recovering this server in the event of a catastrophic failure, which could lead to unwarranted downtime while a replacement server is being built. An inadequate disk subsystem may be causing a performance bottleneck. Improperly implemented security puts the firm's data at risk.

Recommended Management Action:
(1) Develop a plan to rebuild this server. This rebuild should include an appropriate SCSI based disk subsystem.
(2) In conjunction with installation of a dedicated firewall appliance, disable ISA Server. Reinstall and reconfigure DNS and WINS.
(3) Develop an overall Active Directory design which provides redundancy of key services.

Table 3: Server MAIN Defects and suggested remedies.

| Defect | Score | Remedy |
|---|---|---|
| Inadequate disk subsystem | 3 | Installation of a SCSI based disk subsystem. |
| Lack of tape backup | 5 | Installation of a high quality tape drive. This drive should be SCSI based DAT.[3] |
| [defect label missing in source] | 4-5 | Development and implementation of a rotating backup schedule. |
| No log archiving | 1 | Development and implementation of log archiving. |
| [defect label missing in source] | 4-5 | Remove Everyone (Full Control), which permits any user to delete the contents of the entire hard drive. Conduct a periodic and thorough review of NTFS permissions on the entire HDD. |
| Failure to timely apply hotfixes[4] | 5[5] | Implement a policy and procedure for auditing the server and obtaining hotfixes on a timely basis. |
| [defect label missing in source] | 1 | Disable all unused services. |
| [defect label missing in source] | 3 | Reconfiguration of DNS structure, including redundancy. Troubleshooting of DNS lookup failures and subsequent broadcasts by client machines. Reinstallation of Small Business Server to establish a private namespace that does not overlap the existing public namespace [JQM.COM]. |
| [defect label missing in source] | 4-5 | Recommend that update frequency be changed to hourly to prevent e-mail based outbreaks. |
| [defect label missing in source] | 4 | Develop a step-by-step guide to enable quickly rebuilding the system in case of a server failure. |
| [defect label missing in source] | 1 | Install case cover to prevent accidental physical damage to server components. |
| [defect label missing in source] | 5 | Develop a strong password policy. |
| [defect label missing in source] | 1 | Disable [remedy truncated in source] |

[3] The same tapes should be usable by all servers in the organization. This helps to insure that in the case of a catastrophic failure there is a fallback plan to get up and running.

[4] This was identified by running the Microsoft Baseline Security Analyzer (BSA). Electronic copies of the results of this audit will be supplied upon request; however, the BSA is a free tool and should be run on a periodic basis. Missing hotfixes and service packs are most critical on this machine due to its connection to the Internet.

[5] This defect is difficult to score. However, since there is no established policy and no observed implicitly followed policy for the testing and application of selective hotfixes, it must be assumed that hotfixes are either just applied or not applied. If we are correct in this assumption, then all hotfixes should be applied in a timely fashion.
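The Everyone (Full Control) remedy in Table 3 asks for a periodic, thorough review of NTFS permissions rather than a one-off fix. The PowerShell script below is an added example, not part of the Avant report or any JQM system: it walks a directory tree and reports every Allow entry that grants the built-in Everyone principal FullControl, matching on the well-known SID so localized account names do not matter. The root path and report file name are placeholders.

```powershell
# Added example (not from the Avant/JQM report): report every NTFS ACE under a
# directory tree that grants the built-in Everyone principal FullControl, the
# condition Table 3 flags on server MAIN. The root path is a placeholder.

function Find-EveryoneFullControl {
    param(
        [Parameter(Mandatory)] [string] $Root
    )

    # Well-known SID for Everyone; matching on the SID avoids localized-name issues
    $everyoneSid = 'S-1-1-0'
    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

    # Include the root itself, then walk the tree (-Force picks up hidden/system items)
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName
        } catch {
            Write-Warning "Could not read ACL on $($item.FullName): $($_.Exception.Message)"
            continue
        }

        foreach ($ace in $acl.Access) {
            # Only Allow entries are the defect; a Deny for Everyone is not
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }

            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                continue   # orphaned or untranslatable identity; cannot be Everyone
            }
            if ($sid -ne $everyoneSid) { continue }

            # FullControl is a composite flag set; HasFlag checks that every bit is present.
            # Inherit-only ACEs expressed as generic rights (large numeric values) are not matched.
            if ($ace.FileSystemRights.HasFlag($fullControl)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Placeholder path; adjust for the server under review
$findings = @(Find-EveryoneFullControl -Root 'D:\Data')
$findings | Export-Csv -NoTypeInformation -Path '.\everyone-fullcontrol.csv'
Write-Host ("{0} ACE(s) granting Everyone FullControl found" -f $findings.Count)
```

Run it under an account that can read the ACLs. It only reports; the Inherited column shows whether an entry originates on that path or is inherited from a parent, which tells the administrator where the permission actually has to be changed, and a saved CSV from each run gives the periodic review the remedy calls for something to diff against.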
Mission Critical Resource Number: Server IBM220

Overall Machine State: Poor. Improperly installed operating system requires duplicate administrative effort, and presents a security risk. Uninstalled critical hard disk controller requires reinstallation of the operating system. Server being used for applications other than Juris. A complete audit was not performed, since the noted defects require a complete re-installation of the operating system, along with complete reconfiguration of security and services.

Recommended Management Action: Develop a detailed project plan for rebuilding of this server, including installation of the missing RAID controller. This project plan should include items to insure redundancy of key services.

Table 4: Server IBM220 Defects and Suggested Remedies.

| Defect | Score | Remedy |
|---|---|---|
| RAID controller still in shipping carton | 5 | Develop a comprehensive list of tasks to be completed to install the RAID controller and reinstall the operating system. This list will include such things as: backup of existing data; installation of hardware; creating partitions; installation of operating system as a member server; installation of key network services for redundancy purposes. |
| [defect label missing in source] | 5 | Configure as a member server or second domain controller.[6] |

[6] See http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q295765&LN=ENGB&SD=gn&FR=0
Non-mission critical machines

Overall results: while the machines all appear to be functioning properly, there is some outdated hardware which should be replaced. Operating systems should be standardized, and any machines running Windows 95/98 should be replaced first. Issues such as printing will become dramatically easier to manage with a common operating system in place. This will result in lowered support costs. Additionally, Windows 95/98 is not a secure operating system. By using this software, there is a greater risk of more damage from a computer virus or trojan. This risk is unnecessary given the easy methods of prevention which are possible. Windows 2000/XP can integrate extremely well with Active Directory running on the servers. This can decrease administrative overhead by permitting central management of the workstations. Currently, there are quite a few security holes at the workstation level which place the firm's data at unnecessary risk. These security considerations are easy to manage with Active Directory Group Policies.

Recommended management action: Develop a project plan and budget for migrating all machines to Windows 2000 or Windows XP. This plan should additionally take into consideration the benefits of central administration offered by Windows 2000 Active Directory.
Financials

The purpose of the financials audit was not to complete an exhaustive analysis of all transactions, but to identify large problem areas in IT spending. We focused on mission critical resources: the network itself, and the servers.

Materials charges appear to be largely in line with industry standards. However, in some cases decisions as to what material purchases are to be made are somewhat less than good [e.g., the specification of a server is incorrect, but purchases to that specification are within reason]. Labor charges from VENDOR X appear to be excessive. Despite this, Avant recommends that, if at all possible, the relationship with VENDOR X be considered an asset to the firm, and VENDOR X's strengths be leveraged in a mutually beneficial business relationship.

Table 5. Financial hotspots

| Item | Finding |
|---|---|
| Server Main hardware specification | Disk and tape subsystems inadequate for a server class machine. |
| Server Main hardware cost | In line with fair market pricing. |
| Server Main operating system cost | In line with fair market pricing. |
| Server Main configuration | 3-4x fair market pricing without considering expense of reconfiguration.[7] |
| Server IBM220 hardware specification | Good specification. |
| Server IBM220 hardware cost | In line with fair market pricing. |
| Server Main- operating system cost | In line with fair market pricing. |
| Server IBM220 configuration | Significantly over fair market pricing. Estimate that by the time all necessary configuration is complete, the configuration charge will be 2x fair market value.[8] |

[7] The recorded labor charge for this server to date is ~$7,300.00. Note that this is not an all-inclusive figure: for example, it doesn't include the time spent attempting to get backup working. Avant did intervene and provide sample backup scripts as part of the audit; it is hoped that backup is by now fully functional. This figure doesn't include necessary reconfiguration and documentation labor.

[8] No separate labor charge was specified for this server. However, the server has to be installed and reconfigured from scratch due to omission of the hard drive controller and incorrect installation of the operating system. Assuming that the first installation was within fair market pricing, and that the second installation will be within fair market pricing, this means the firm will pay a minimum of double fair market pricing.
In addition to the noted hotspots, an incomplete deployment of a poorly designed and documented network is contributing to ongoing support costs. Since there is no formal problem tracking methodology in place at JQM, it is impossible to audit all support costs. However, there were a couple of incidents that arose while Avant was onsite:
- Setup of a workstation to use a database. ODBC setup was apparently failing, and the workstation couldn't access the database. VENDOR X spent approximately 4 hours trying to diagnose this issue, then finally resorted to calling the software manufacturer's technical support. Tech support ultimately diagnosed a name resolution failure. Proper network design would have eliminated this entire incident.
- Users accessing Internet sites. Some Internet sites can't be accessed, including the company's own site. VENDOR X has spent time attempting to resolve this; however, a properly designed network would not have this problem.
Given that there is no problem tracking, and that VENDOR X provides no detailed timekeeping records, it is impossible to assess how much support overhead is generated by poor design and configuration. However, it is not unreasonable to expect that ongoing support and administration costs could be significantly lowered by proper design and implementation.
Policy

There are no formal, documented policies governing IT in place at JQM. While this is not unusual for a firm of this size, it is widely recognized that part of responsible system management includes the development of policies governing use of IT resources, as one of the most important assets to the firm is the data contained in electronic format. The formal development and statement of policy is especially important for JQM in setting a standard of technological excellence for its clients. Clients either have, or need to have, a clear understanding of policy to succeed in the management of their IT assets. By developing internal policies, JQM will be better able to assist their clients by demonstrating leadership in this area.

Note that in many cases there is already an excellent, but not formally stated, policy in effect. For example, an implicit policy of "All Microsoft, wherever possible" or "Keeping to the de facto standards of clients to insure smooth exchange of business information" are excellent policies. However, they should be formally stated and periodically reviewed.

Recommendations for policy development would include at a minimum:

- A hardware standard
- A software standard
- An operating system standard
- A project deployment policy
- A backup policy
- An incident handling policy
- A problem handling policy
- A disaster recovery policy
- A documentation policy and standard
These policies do not have to be particularly verbose. For example:

JQM Operating System Policy
- The OS for the next 2-3 years will be a mixture of 2000 and XP.
- Any workstations purchased will have XP installed.
- Any servers purchased will have Windows 2000 Server installed.

JQM Project Deployment Policy
- No project estimated at over $xxx in total cost shall be undertaken without the express sponsorship of a partner.
- Every project must have a project plan, including estimated time to completion and cost to completion.
- Every plan must be unanimously approved by all partners prior to implementation.
Appendix A: Notes on Audit Methodology

This audit is concerned with identifying defects that have material impact to JQM. We strove to create a defect scoring mechanism that accurately reflects the goals of the firm. A lower defect score implies less material impact to the firm.

Score 1: Creates additional labor for tactical management in meeting the organization's IT objectives. For example, the lack of a network map and port diagram may impede quick troubleshooting of a communications issue; but this is not a defect that impacts JQM's strategic objectives.

Score 2: Creates additional labor at a strategic level in meeting the organization's IT objectives. For example, an incorrectly configured server might function sufficiently well to meet the current workload demands; however, it may cease to function when a planned new application is deployed. Defects at this scoring level impede future deployments, and remedies may involve significantly more work than defects with a score of 1.

Score 3: Impedes proper functioning of applications. Defects at this scoring level impact productivity, either by creating performance bottlenecks or by causing unscheduled downtime. Defects at this scoring level additionally impact JQM via increased labor costs in troubleshooting symptoms rather than fixing the cause of those symptoms. For example, incorrectly designed network naming services may cause various applications to not function correctly. By not remedying the defect, a patchwork of symptomatic relief is continually amended; since this patchwork goes largely undocumented, a snowball effect is created in which the same problem is fixed many times.

Score 4: Poses a risk to the safety of some data in isolated circumstances. This risk can either be a risk from improper machine configuration, inadequate security on one machine, or a practice such as leaving network electronics in an unsafe environment.

Score 5: Poses an immediate and substantial risk to the health of the IT systems, or creates a significant additional and unplanned expense for the firm. For example, improperly configured security on a server might expose all the firm's data to a trojan horse program.

Obviously, there is considerable leeway in the process of scoring a defect. We have attempted to take a conservative approach, and indicate a range when we felt the defect wasn't clearly contained at one scoring level.