Page 17: Finding 6 – The BCPS computer network was not adequately secured.
Recommendation 6: We recommend that BCPS:
a. configure its firewall rules to adequately secure connections from untrusted third parties (including the Internet and Baltimore County Government);
b. relocate all publicly accessible servers to a separate neutral network zone to limit security exposures to the internal network segment;
c. perform a documented review and assessment of its network security risks, identify how IDPS and HIPS coverage should be best applied to its network, and implement this coverage; and
d. complete the wireless network conversion project to properly segment all guest wireless users and require authentication and encryption for all wireless users accessing internal resources.
Page 19: Finding 7 – Workstations and servers were not sufficiently protected against malware.
Recommendation 7: We recommend that BCPS:
a. ensure that administrative privileges on workstations are restricted to network administrators;
b. keep its computers up to date with all critical security-related updates for potentially vulnerable installed software;
c. configure its malware protection software so that users cannot disable the settings, which would allow users to override and modify the default security controls established by management; and
d. ensure that the current versions of malware protection software and related signatures are installed and running properly on all workstations and servers.
Page 20: Finding 8 – Controls over BCPS’ network domain accounts, passwords, and administrative access were not sufficient.
Recommendation 8: We recommend that BCPS:
a. implement strong controls over domain accounts and passwords in accordance with best practices identified in the aforementioned Information Security Policy (repeat), and
b. ensure that membership in powerful domain groups only be assigned to users requiring such privileges.
Page 21: Finding 9 – Controls over the student information and financial management databases were inadequate.
Recommendation 9: We recommend that BCPS:
a. limit access to critical databases to personnel whose job duties require such access;
b. limit the assignment of access and privileges to the student information database and server to only those accounts requiring such access and privileges; and
c. log all critical audit events and direct changes to critical tables, review these logs on a regular basis with appropriate investigation of unusual activity, document these reviews, and retain the documentation for subsequent verification.
Some questions from the BCPS community:
- Have the recommendations from the audit report been followed/instituted?
- What kind of compliance personnel does BCPS employ?