Internal Audit delegates of Ministry of Economy and Finance (MEF) led by H.E Chea Vuthna, Director General of General Department of Internal Audit met with Director of Information Technology Department (ITD) to discuss on the auditing result abiding by the standard audit procedure on 12th February 2015 at 9:00am, ITD big meeting room of MEF. The purpose of auditing was to control and improve FMIS system implementation which is planned to go live with a sufficient internal control and good governance ensuring the effectiveness, efficiency, and compliance.
The result of Internal Audit was shown that ITD has been actively performing their tasks on infrastructure and installation of FMIS. Even though some gaps are needed to be fitted before the go live, those gaps do not affect to entire FMIS construction.
After discussion, the agreement was made on the result of auditing, activity plan revision and was also agreed to improve as below recommendations:
- ITD continues with its present recruitment plan
- During recruiting officials, ITD should pay particular attention to strengthening the network management and administration team
- Security staff should be perform only security duties
- ITD should develop an FMIS security policy containing infrastructure and application security procedures for use by data owners, custodians and users as well as incorporating the policies mentioned in recommendation 18 and 22
- The windows between the administrative area and computer rooms should be secured by permanent screws
- A smart card should be installed to control access to administrative areas at Main Data Center (MDC) and Data Recovery Center (DRC).
- If this is technically feasible, ITD should configure smart card locks to alert to security staff whenever there are three consecutive failed access attempts.
- Non-working hours, the motion activation of cameras should also alert security staff
- At the DRC, the nearest fire extinguisher to the data center should be checked for its suitability for use with electrical items
- Power cables should preferably not share a single, external shaft. If so, then doors with strong locks should be fitted to protect against unauthorized access
- ITD should monitor the time that each PT is without power as a basis for deciding which, if any, PTs should be provided with backup power generators
- Security for the water supply for the air conditioning in MDC should be recheck and strengthened, if necessary
- ITD should arrange for external area around the air conditioning fan to be tidied regularly to reduce fire risk
- All FMIS equipment should be recorded in an up to date inventory including the serial number and equipment location
- All existing user access rights and privileges should be reviewed, redesigned as necessary and properly authorized and documented
- As a priority the least lines at DRC should be separated
- All data in transit should be encrypted. This applies particularly to the set up or amendment of user access rights and privileges
- ITD should develop a policy for the logging and monitoring of network usage
- ITD should also document a policy for the provision of secure, remote access to the FMIS
- ITD should develop a policy for the retention of documents and digital media that satisfies all operation and legal requirements
- Backup and recovery policies should contain a clear allocation of responsibilities
- All staff training in the operation of backup and recovery procedure should be completed prior to FMIS “Go Live”
- All backup media should be stored remotely in a secured site and far away from main data location
- Restore procedures should be tested until working and tested regularly thereafter
- Failover to the DRC should be tested fully and the necessary procedures and responsibilities documented. All changes to software, master, standing and transaction data should be synchronized fully.
The director of ITD agreed on the points and recommendations of the audit delegates. He also mentioned that so far ITD‘s comments have not received full supports, but now after this findings together with recommendations from General Department of Internal Audit will draw much attention to have more additional support for ITD to implement the FMIS system. Finally, the director of ITD thanks for all outputs of the delegates, and will follow these recommendations to make the improvement.