
London Borough of Newham

Audit: General Security Controls and Support

ITASS recently underwent an audit conducted by Deloittes, the scope of which was to ‘review and assess whether ITASS service has implemented adequate and effective controls over the general IT security environment within the schools’ infrastructure’.

Outline

The audit examined the following:

  1. That effective plans are in place to meet the business objectives;
  2. Adequate processes are in place to plan and manage data integrity and duties are appropriately segregated;
  3. Formal policies and procedures are in place;
  4. The systems and other IT equipment are adequately protected both physically and environmentally;
  5. Logical controls are in place over the schools’ software systems;
  6. Adequate procedures are in place to recover data and systems in the event of a disaster;
  7. The organisation complies with key legislation.

Audit Opinion 

Substantial Assurance:
AMBER



The audit identified 18 different strengths and made some Medium Priority recommendations and two Low Priority recommendations, as outlined below. The audit was complex because some of the scope examined was actually the responsibility of the schools and outside the control of ITASS. Some of the recommendations are therefore actions that we must bring to the attention of Head Teachers and schools.

Medium Priority Recommendations

  1. By the end of November 2009, ITASS management should design and implement a formal electronic procedure for:
    • Requesting and granting access;
    • Amending user roles/permissions;
    • Deleting leavers;
    • Agreeing the roles and responsibilities between ITASS and schools in undertaking user management functions.

  2. By the end of March 2010 to meet audit recommendations, ITASS will have amended logical access settings for users in the Windows Group Policy with regard to:
    • Enforce password history = 13 or greater;
    • Maximum password age = 30-60 days;
    • Password must meet complexity = Enable;
    • Store passwords using reversible encryption = Disable

  3. By the end of March 2010, ITASS should amend user lockout settings in Windows Group Policy to ensure:
    • Lockout Duration = 30;
    • Reset account lockout counter after 1440;
    • Establish a procedure to log, report and regularly review system logs to detect exceptional or unusual login events.

  4. By the end of November 2009 ITASS should advise schools on the possibility of implementing the following environmental controls for server storage:
    • To install servers in a dedicated room;
    • To ensure that the computer environment has adequate temperature and humidity controls (i.e. air conditioning);
    • To install fire detection equipment;
    • To install an automatic fire suppression system;
    • To provide manual fire extinguishers;
    • To provide an alternative power supply;
    • To store paper and other flammable material in a separate room;
    • To check the rooms for pipes to prevent water damage.

  5. By the end of November 2009 ITASS should continue to:
    • Ensure all new server purchases include the remote backup service, details of which have been made known to schools.

  6. By the end of November 2009 ITASS will:
    • Implement CentraStage on all supported servers to monitor and report server disc space, hardware specifications and performance, software installations, the rollout of Windows Updates etc., using this feedback to provide pro-active support and to inform schools of the status of equipment.

  7. By the end of November 2009 ITASS should provide guidance and reminders to HTs that regular test restores should be carried out to ensure that backups are valid.
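
The password settings in Medium Priority recommendation 2 can be checked against a server's exported security policy. The following is an added example, not part of the ITASS page or the audit: it assumes the policy was exported with `secedit /export /cfg policy.inf /areas SECURITYPOLICY`, runs on a constructed sample export, and uses hypothetical function names.

```python
# Targets from Medium Priority recommendation 2. The key names are the ones
# secedit writes in the [System Access] section of its export.
RULES = {
    "PasswordHistorySize": ("13 or greater", lambda v: v >= 13),
    "MaximumPasswordAge": ("30-60 days", lambda v: 30 <= v <= 60),
    "PasswordComplexity": ("Enable (1)", lambda v: v == 1),
    "ClearTextPassword": ("Disable (0)", lambda v: v == 0),
}

# Constructed sample export (not taken from any real server).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
PasswordComplexity = 1
PasswordHistorySize = 5
ClearTextPassword = 0
NewAdministratorName = "Administrator"
[Version]
signature="$CHICAGO$"
"""

def parse_system_access(inf_text):
    """Return the numeric [System Access] settings of a secedit export."""
    settings, section = {}, None
    for raw in inf_text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "System Access" and "=" in line:
            key, _, value = line.partition("=")
            try:
                settings[key.strip()] = int(value.strip())
            except ValueError:
                pass  # non-numeric entries such as NewAdministratorName
    return settings

def check_policy(inf_text):
    """Return {setting: (actual, target, ok)}; a missing key is a failure."""
    found = parse_system_access(inf_text)
    return {key: (found.get(key), target, key in found and ok(found[key]))
            for key, (target, ok) in RULES.items()}

if __name__ == "__main__":
    # For a real export, read the file with open(path, encoding="utf-16").
    for key, (actual, target, ok) in check_policy(SAMPLE_EXPORT).items():
        print(f"{'PASS' if ok else 'FAIL'}  {key} = {actual}  (target: {target})")
```

In the sample, MaximumPasswordAge = -1 is how the export records passwords that never expire, so it fails the 30-60 day target along with the short password history.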

Low Priority Recommendations

  1. By the end of December 2009, ITASS will have offered advice to Head Teacher Representatives:
    • Recommending the implementation of a logon banner on user systems warning users that only authorised employees should continue further and gain access to systems;
    • Making staff aware of the issues under the Computer Misuse Act etc., namely that a defendant could claim in defence that security barriers (unauthorised use or access) were not evident.

  2. By the end of December 2009 ITASS will advise Head Teachers of their responsibility with regard to software licensing and recommend that the school either:
    • Undertakes software audits; or
    • Engages ITASS to perform audits periodically.