Office of the Auditor, Audit Services Division
City and County of Denver
Timothy M. O’Brien, CPA, Denver Auditor

FOLLOW-UP REPORT
DIA Business Technologies
DIA Network Device Security Management Audit
June 2017

Audit Committee

Timothy M. O’Brien, CPA, Chairman Rudolfo Payan, Vice Chairman Jack Blumenthal Leslie Mitchell Florine Nath Charles Scheibe Ed Scholz

Audit Management

Valerie Walling, CPA, CMC®, Deputy Auditor Heidi O’Neil, CPA, CGMA, Director of Financial Audits Kevin Sear, CISA, CPA, CFE, CIA, CGMA, Audit Manager

Audit Staff

Shannon Kuhn, CISA, Audit Supervisor Karin Doughty, CISA, Senior Auditor

You can obtain copies of this report by contacting us:

Office of the Auditor 201 West Colfax Avenue, #705 Denver CO, 80202 (720) 913-5000 Fax (720) 913-5247

Or download and view an electronic copy by visiting our website at: www.denvergov.org/auditor Report year: 2014

The Auditor of the City and County of Denver is independently elected by the citizens of Denver. He is responsible for examining and evaluating the operations of City agencies and contractors for the purpose of ensuring the proper and efficient use of City resources and providing other audit services and information to City Council, the Mayor, and the public to improve all aspects of Denver’s government.

The Audit Committee is chaired by the Auditor and consists of seven members. The Audit Committee assists the Auditor in his oversight responsibilities regarding the integrity of the City’s finances and operations, including the reliability of the City’s financial statements. The Audit Committee is structured in a manner that ensures the independent oversight of City operations, thereby enhancing citizen confidence and avoiding any appearance of a conflict of interest.

June 1, 2017

Ms. Kim Day, Chief Executive Officer
Department of Aviation
City and County of Denver

Re: DIA Network Device Security Follow-Up Report

Dear Ms. Day:

In keeping with generally accepted government auditing standards and the Audit Services Division’s policy, as authorized by D.R.M.C. § 20-276, our Division has a responsibility to monitor and follow-up on audit recommendations to ensure that audit findings are being addressed through appropriate corrective action and to aid us in planning future audits.

This report is to inform you that we have completed our follow-up effort for the DIA Network Device Security Management audit issued June 19, 2014. Our review determined that the DIA Business Technologies Division has adequately implemented all of the recommendations made in the audit report.

For your reference, this report includes a highlights page that provides background and summary information on the original audit and the completed follow-up effort. Following the highlights page is a detailed implementation status update for each recommendation.

This concludes audit follow-up work related to this audit. I would like to express our sincere appreciation to you and to the DIA Business Technologies personnel who assisted us throughout the audit and follow-up process. If you have any questions, please feel free to contact me at 720-913-5000 or Shannon Kuhn, Internal Audit Supervisor, at 720-913-5159.

Denver Auditor’s Office

Timothy M. O’Brien, CPA Auditor

City and County of Denver 201 West Colfax Avenue, #705 • Denver, Colorado 80202

720-913-5000 • Fax 720-913-5253 • www.denvergov.org/auditor

DIA Business Technologies
Network Device Security Management
June 2017

Status
DIA Business Technologies has implemented all five of the recommendations made in the June 2014 audit report.

Background
Airports Council International ranks DIA as the eighteenth busiest airport in the world. Managing day-to-day network operations for a busy airport such as DIA requires a stable and secure network environment. DIA Business Technologies is responsible for supporting the DIA network, including managing hundreds of network devices such as routers, switches, and firewalls. The division also provides network services to merchants and passengers within the airport.

Purpose
The purpose of the audit was to assess network device management and gain assurance that the DIA network is secure, available, and configured to industry standards. We assessed the administration of network devices and reviewed network device configurations based on DIA and manufacturer standards for network device configuration. We also reviewed the individuals who had access to configure network devices to ensure that they were current employees with access commensurate to job duties.

Highlights from Original Audit
DIA Business Technologies should continually update and adhere to its network administration standards to improve the overall security and availability of the DIA network. Our audit highlighted that:

• Firewall rule sets were not consistently backed up
• Changes to network device configurations were made that circumvented the formal change management process
• Administrative access to the management tool used to configure firewalls included individuals who no longer required access
• Passwords for network devices were not changed within the time frame required by DIA policy

DIA Business Technologies does, however, appear to have strong controls in the following areas:

• Well-documented network device daily operation procedures
• Standardized configuration and hardening rules for network devices
• Layered internal controls that strengthen network device security

REPORT HIGHLIGHTS

For a copy of this report, visit www.denvergov.org/auditor or contact the Auditor’s Office at 720-913-5000.

Findings at Follow-up
DIA Business Technologies instituted new procedures to strengthen controls over network security devices. Specific processes include expanded use of two-factor authentication, use of the ticketing system to manage and control offboarding activities so that privileged access to network devices is removed in a timely manner, and scheduled quarterly password changes for these same network security devices. Firewall configuration backups are performed on a monthly basis, and DIA Business Technologies will be implementing the ServiceNow GRC platform to provide additional assurance. Finally, DIA Business Technologies created a process using Tripwire, a file integrity and configuration management tool, to monitor changes to network devices.


Recommendations: Status of Implementation

Recommendation Auditee Action Status

FINDING: Process Improvements Are Necessary to Further Strengthen DIA Network Device Security

1.1 The Director of Operations for the DIA Business Technologies division should ensure removal of the accounts for the individuals who are no longer authorized to configure firewalls and implement a periodic review process to ensure that unauthorized accounts are removed in a timely manner on an employee’s last day or when an employee transfers to a new position.

DIA Business Technologies documented access control validation procedures for critical systems to be used when employees terminate employment or change roles within the organization. DIA Business Technologies uses a ticketing system and tasks to ensure that detailed offboarding activities, which include disabling information systems access, are completed in a timely manner.

Implemented

1.2 The Director of Operations for the DIA Business Technologies division should ensure removal of the IP address that is no longer in use from the firewall management tool and implement a periodic review process to assess the IP addresses that are allowed to configure firewalls, removing any that are no longer needed.

The IP address that resulted in the finding was removed in July 2014. Since the original audit, DIA Business Technologies has revised the authentication process for firewall configuration to include additional use of two-factor authentication and access-group membership. The revised processes enhance the security around the network devices.

Implemented

1.3 The Director of Operations for the DIA Business Technologies division should ensure that passwords are changed for network devices at least every ninety days as required by the DIA IT Acceptable Use Policy and implement a compensating control such as a recurring notification that alerts administrators that passwords need to be changed.

DIA Business Technologies implemented the use of change requests in the ticketing system to ensure that network device passwords are changed on a quarterly basis.

Implemented


1.4 The Director of Operations for the DIA Business Technologies division should ensure changes to network devices are periodically reviewed using a monitoring tool and that the changes correspond with an approved change ticket.

DIA Business Technologies is now using Tripwire, a file integrity and configuration management tool, to monitor changes to network devices. When changes are detected, they are evaluated against planned changes. Unplanned changes are routed to appropriate teams for research and resolution.

Implemented
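The control described in recommendation 1.4 is a reconciliation: every change a monitoring tool detects on a device must map to an approved change ticket whose window covers it, and anything left over is routed for research. The following is an added example of that reconciliation logic, not code from the audit report, from DIA Business Technologies, or from Tripwire. The record layouts (a change-detection feed carrying device, timestamp and description; a ticket export carrying device, approval state and change window), the device names, the ticket numbers and the grace period are all assumptions made for the example; the real Tripwire and ticketing-system exports are not described on the page.

```python
"""Reconcile detected network-device configuration changes against
approved change tickets.

Added example; not code from the audit report, DIA Business
Technologies, or Tripwire. Record layouts, names and timestamps below
are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class DetectedChange:
    device: str
    detected_at: datetime
    description: str


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    device: str
    window_start: datetime
    window_end: datetime
    status: str  # assumed values: "approved", "pending", "rejected"


def matching_ticket(change, tickets, grace=timedelta(minutes=15)):
    """Return the approved ticket that covers this change, or None.

    A ticket covers a change only if it is approved, names the same
    device, and the detection time falls inside the change window
    (plus a small grace period, because detection lags the change).
    A pending or rejected ticket never covers a change.
    """
    for t in tickets:
        if t.status != "approved" or t.device != change.device:
            continue
        if t.window_start <= change.detected_at <= t.window_end + grace:
            return t
    return None


def reconcile(changes, tickets):
    """Split detected changes into planned and unplanned.

    Returns (planned, unplanned): planned is a list of (change, ticket)
    pairs; unplanned is the list of changes with no covering approved
    ticket, which the follow-up report says are routed to the owning
    team for research and resolution.
    """
    planned, unplanned = [], []
    for c in changes:
        t = matching_ticket(c, tickets)
        if t is None:
            unplanned.append(c)
        else:
            planned.append((c, t))
    return planned, unplanned


# Constructed sample data (not from the report).
TICKETS = [
    ChangeTicket("CHG-1001", "fw-core-01",
                 datetime(2017, 3, 6, 22, 0), datetime(2017, 3, 7, 0, 0), "approved"),
    ChangeTicket("CHG-1002", "sw-conc-07",
                 datetime(2017, 3, 8, 22, 0), datetime(2017, 3, 8, 23, 0), "pending"),
]
CHANGES = [
    # Inside the approved window: planned.
    DetectedChange("fw-core-01", datetime(2017, 3, 6, 22, 41),
                   "rule 'allow-vendor-vpn' added"),
    # Same rule widened two days later with no ticket: unplanned.
    DetectedChange("fw-core-01", datetime(2017, 3, 9, 14, 5),
                   "rule 'allow-vendor-vpn' widened to any"),
    # Inside a window, but the ticket was never approved: unplanned.
    DetectedChange("sw-conc-07", datetime(2017, 3, 8, 22, 30),
                   "vlan 40 added to trunk"),
]


def unplanned_summary(changes=CHANGES, tickets=TICKETS):
    """Return (device, description) pairs that need follow-up."""
    _, unplanned = reconcile(changes, tickets)
    return [(c.device, c.description) for c in unplanned]


if __name__ == "__main__":
    planned, unplanned = reconcile(CHANGES, TICKETS)
    for c, t in planned:
        print(f"PLANNED   {c.device} {c.detected_at:%Y-%m-%d %H:%M} "
              f"{t.ticket_id}: {c.description}")
    for c in unplanned:
        print(f"UNPLANNED {c.device} {c.detected_at:%Y-%m-%d %H:%M} "
              f"(route to owning team): {c.description}")
```

The two unplanned cases in the sample are the ones this control exists to catch: a second edit to a rule after its approved window closed, and a change made under a ticket that was raised but never approved. Matching on device and time window alone is deliberately conservative; a tighter reconciliation would also compare the detected diff against the change the ticket describes.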

1.5 The Director of Operations for the DIA Business Technologies division should ensure that firewall backups are performed prior to every configuration change or, at a minimum, every 30 days, so that a previous configuration restoration point is available in the event it is needed to ensure continued operations.

DIA Business Technologies was compliant with established procedures for firewall configuration backups from May 2014 through April 2016 but fell out of compliance after employee turnover and the transition of the backup procedure to a new team. DIA recognized the process issue and re-established the backup procedure in 2017. In addition, the division is in the process of purchasing the ServiceNow GRC platform to manage and schedule the backup process.

Implemented


Conclusion
We found that the Business Technologies Division has fully implemented all recommendations and adequately mitigated the risk identified during the original audit. As a result, we conclude our follow-up effort related to the DIA Network Device Security Management audit.

On behalf of the citizens of the City and County of Denver, we thank staff and leadership from the DIA Business Technologies Division for their cooperation during our follow-up effort and their dedicated public service.