
IT General Controls

3.1 Weaknesses noted in the governance of IT strategy
Response: This issue was discussed with the ACEO & Business Development; the ACEO advised considering the initiatives suggested in the QCC Strategy as the framework. IT suggested drafting a strategy and discussing it with the ACEO. So, the draft Strategy was prepared but

3.2 IT risk assessment & reviews of IT infrastructure, applications and systems are not performed
Response: This will be considered. The job descriptions of the Business Analyst and the Network Admin will be adjusted to cover these requirements (BA for all risks at the application and database level, Network Admin for the risks associated with any IT infrastructure component). The risk review is to be conducted in Q3 every year, and as required.

3.3 Breach of software licenses and inappropriate management of tools
Response: In the audit period IT was executing projects that will require different licenses. All new requirements are being discussed with the providers.

3.4 Absence of information security function
Response: These business needs will be covered as explained in 3.3, and we think that this is sufficient for now. An independent information security function will be needed later, when QCC has more systems on the web or in cloud computing. Security training will be increased.

3.5 Lack of comprehensive policies and procedures
Response: Policies and procedures are suggested by IT and reviewed & adjusted by the Policies Committee. They are to be considered the first version and will be evaluated and enhanced within 6 months from the issuing date. Increasing end-user awareness is important and will be considered.

3.6 Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) are not installed
Response: All are considered in the 2014 budget.

3.7 Inadequate management of security incidents across QCC
Response: The Security Policy & Procedure will be adjusted to cover this.

3.8 Disaster recovery drills are not being performed
Response: Noted. We think that the DRP is one component of a comprehensive BCP, and drills should be conducted against the BCP to be comprehensive and meaningful. The current DRP is sufficient for business needs, and we are doing recovery tests regularly. This is not stated in the draft Policy; the Policy will be adjusted.

3.9 Absence of change control policies, procedures & documentation
Response: The current policies address change management in application and infrastructure projects, but there is no separate change control policy.

3.10 Change management logs are not available
Response: Separate logs for changes are not implemented. However, any change request will be documented before execution, as per the policies.

3.11 Absence of backup firewall
Response: Will be considered in the 2014 budget. Such devices are of the "fix and leave" type.

3.12 Patch management process is not in place
Response: We do install patches after testing and investigating. However, in many cases conflicts occur between new patches and the running applications. A procedure is to be introduced.

3.13 Absence of controls over remote access solution
Response: Currently VPN is made available to third parties only if there is a real need, and access is limited to the areas of concern. The recommendation will be considered.

3.14 Inappropriate configuration for DameWare remote access tool
Response: As per the policy and procedure, IT staff are not allowed to access any PC without permission from the end user. This suggestion is considered.

3.15 Insufficient storage for backup
Response: Backups are taken as follows:
- Applications: full backup monthly.
- Data (JDE, VAS): daily incremental and weekly full backup.

3.16 Backup restoration and testing was not performed
Response: Media is needed; 2014 budget.

3.17 Inadequate implementation of password policy (not done)
Response: That was due to some enhancements requested by a review. The policy will be adjusted accordingly.

3.18 Sharing of administrator ID and password (2 persons are using it in JDE and SA)
Response: For the AD Admin account, the issue is fixed. For ERP, this point is fixed in the new JDE upgrade.

3.19 Ex-employee IDs are still active on domain (almost done)
Response: As per the current policy, the accounts of resigned employees are made inactive, and IT is implementing that.

3.20 Lack of physical & environmental control over primary data center
Response:
- Fire suppression system is installed and tested regularly by Safety.
- Surveillance system is new and being implemented.
- Temperature and humidity control: we are communicating with the contractor to fix it.
- Water detector is not needed.
- Visitor logs will be considered.
- Servers connected with only one network cable/card: that applies to old servers, which will be replaced.
- Wires lying around: no, all are in place.
- Combustible material (wooden table, cartons, chairs, etc.) present: the issue is fixed.

3.21 Lack of physical & environmental control over DR site
Response: This location is temporary; a new location is being prepared.

3.22 Absence of project management methodology and its relevant policies and procedures
Response: IT has drafted the policy for project management; however, the Policy & Procedures Committee decided to generalize it to control all QCC projects. It is still under modification by the Policy Committee.

3.23 Weakness noted in recovery process
Response: We think this part should be considered as part of the QCC BCP, where the mission-critical objectives are identified and the IT DRP is designed accordingly.

3.24 Review of IT balanced scorecard is not performed
Response: The review used to be quarterly.

3.25 Absence of data classification scheme with associated data protection guidelines
Response: We rely on the Authority Matrix on the application side. A data classification scheme will be discussed with management.

3.26 Generic user IDs are found on domain
Response: This issue is fixed.

3.27 IT steering committee is not in place
Response: The alignment with business is achieved via close coordination with middle management &

3.28 Absence of IT trainings and information security awareness
Response: The recommendation will be considered.

Application Controls

4.1.1 Absence of Standard Operating Procedures (SOP)
Response: It is done for some applications; the remaining will be considered.

4.1.2 Absence of authority and Segregation of Duties (SOD) matrix
Response: We will try to make it more dynamic by designing a report to define the SODs.

4.1.3 Password parameters need to be configured (not done)
Response: The issue was fixed. It was because the master password was set to 3 characters. After the JDE upgrade we changed the master password to comply with the suggested password policy.

4.1.4 Weaknesses noted in log generation and its details
Response: It is implemented wherever found applicable in JDE, and satisfies business needs with less load on performance.

4.1.5 Absence of segregation of duties in HR, Payroll and Store modules
Response: We support this recommendation. The comment was passed to the concerned departments, and IT will work closely with Proc. & HR to overcome such issues.

4.1.6 Excessive access for payroll staff on payroll sub-system
Response: We support this recommendation. The comment was passed to the concerned departments, and IT will work closely with HR to overcome such issues.

4.1.7 Excessive right of application administrator over production environment
Response: Access to Production will be minimized and restricted.

4.1.8 Inactive User IDs were found in JDE (to be checked)
Response: Noted. All these users are inactive. The list was taken during the migration from JDE 8.12 to JDE 9.1.

4.1.9 Absence of workflow in payroll system
Response: That is considered in the SharePoint projects.

4.1.10 Generic user IDs were found in JDE
Response: The recommendation is considered and the issue is fixed.

4.1.11 Allowance and deduction are calculated manually
Response: That will be considered in the SharePoint and JDE implementation projects.

4.1.12 Periodic review of access rights is not being performed
Response: In case of any change, the owner (department manager) is responsible for informing IT via email or by opening a support ticket. Purchasing a reporting tool to report the access rights from the system is planned; the report will be communicated to the department managers & IA for review and approval.

4.1.13 Naming convention for creating user IDs is not being used
Response: Fixed in VAS. JDE will be studied. SSO for the QCC portal will cover this need.

4.1.14 Lack of input validation control in HR modules
Response: This is a JDE limitation.

4.1.15 Absence of automated notification for item reorder level
Response: It is included in the SharePoint project.

4.1.16 Lack of validation control over maintenance modules
Response: It is due to a JDE limitation.

4.2.1 Absence of authority and Segregation of Duties (SOD) matrix
Response: We will try to make it more dynamic by designing a report to define the SODs.

4.2.2 Password parameters need to be configured
Response: The system does not support such a request; we have requested an offer from the supplier.

4.2.3 Excessive right of application administrator over production environment (VAS remaining)
Response: The Alzaidi user name is removed. The VAS administrator account is used to run some services, so it cannot be removed.

4.2.4 Inactive User IDs were found in VAS (with Abu Ali)
Response: The recommendation is considered, the issue is fixed, and it will be communicated with the service provider to implement.

4.2.5 Absence of dedicated testing environment
Response: Considered in the 2014 budget.

4.2.6 Generic IDs were found in VAS
Response: Considered. However, the VAS user is needed by the system. Many IDs are customer IDs used to access iDispo; those will be moved to the test environment.

4.2.7 Periodic review of access rights is not being performed
Response: In case of any change, the manager of the owner department is responsible for informing IT via email or by opening a support ticket. Review will be conducted periodically.

4.2.8 Naming convention for creating user IDs is not being used
Response: There is no formal policy; however, we are using the employee ID as the user name for all. Drafting a policy will be considered.

Information Security

5.1.1 Clear text HTTP service is enabled
Response: The issue is fixed.

5.1.2 Weak user account lockout policy setting is configured
Response: Recommendation is considered and the issue is fixed.

5.1.3 Weak password history policy setting is configured
Response: Recommendation is considered and the issue is fixed.

5.1.4 No HTTP service network access restrictions
Response: The issue is fixed.

5.1.5 Syslog logging is not enabled
Response: That was found on a few servers; the issue is fixed.

5.1.6 NTP control queries were permitted
Response: Most of the servers were in sync. The issue was found on one server, and that was fixed.

5.1.7 No time synchronization is configured
Response: Most of the servers were in sync. The issue was found on one server, and that was fixed.

5.1.8 AUX port is not disabled
Response: Recommendation is considered and the issue is fixed.

5.1.9 No network filtering rules were configured
Response: We are implementing this feature for external access. We will implement it for all.

5.1.10 No warning in pre-logon banner
Response: Noted.

5.1.11 No post-logon banner message
Response: Noted.

5.1.12 Weak password expiry warning policy setting is configured
Response: We will extend it to a 7-day notice.

Underlying Operating System of JDE

5.2.1 Password history not ava.
Response: Recommendation is considered and the issue is fixed.

5.2.2 Minimum password age is not properly configured
Response: Recommendation is considered and the issue is fixed.

5.2.3 Minimum password length is not properly configured
Response: That became applicable only after we upgraded the ERP. We have fixed the issue.

5.2.4 Account lockout threshold is not configured (will be fixed)
Response: Recommendation is considered and the issue is fixed.

5.2.5 Audit account logon events is not configured
Response: Recommendation is considered and the issue is fixed.

5.2.6 Audit logon events is not configured
Response: Recommendation is considered and the issue is fixed.

5.2.7 Audit policy change is not configured
Response: Recommendation is considered and the issue is fixed.

5.2.8 Audit policy change is not configured
Response: Recommendation is considered and the issue is fixed.

5.2.9 Audit system events is not configured
Response: Recommendation is considered and the issue is fixed.

5.2.10 Deny access to this computer from the network
Response: Recommendation is considered and the issue is fixed.

5.2.11 Rename administrator account
Response: Recommendation is considered and the issue is fixed.

5.2.12 Account lockout duration is not configured
Response: Recommendation is considered and the issue is fixed.

5.2.13 Reset account lockout counter after is not configured
Response: Recommendation is considered and the issue is fixed.

5.2.14 Do not allow anonymous enumeration of SAM accounts and shares
Response: To be fixed.

5.2.15 LAN Manager authentication level
Response: Recommendation is considered and the issue is fixed.

5.2.16 Message text for users attempting to log on
Response: Noted.

Underlying Database of JDE

5.3.1
Response: Recommendation is considered and the issue is fixed.

5.3.2 C2 audit mode is not being configured appropriately
Response: Recommendation is considered and the issue is fixed.

5.3.3 System table updates is not being configured appropriately
Response: Recommendation is considered and the issue is fixed.

5.3.4 Shared administrative IDs being used (no one knows the password of the 'SA' user)
Response: Recommendation is considered and the issue is fixed.

5.4.1 Password history is not properly configured
Response: To be fixed by the service provider.

5.4.2 Minimum password age is not properly configured
Response: To be fixed by the service provider.

5.4.3 Minimum password length is not properly configured
Response: To be fixed by the service provider.

5.4.4 Password complexity is not enabled
Response: To be fixed by the service provider.

5.4.5 Account lockout threshold is not configured
Response: To be fixed by the service provider.

5.4.6 Audit account logon events is not properly configured
Response: To be fixed by the service provider.

5.4.7 Audit account management is not configured
Response: To be fixed by the service provider.

5.4.8 Audit logon events is not properly configured
Response: To be fixed by the service provider.

5.4.9 Audit policy change is not configured
Response: To be fixed by the service provider.

5.4.10 Audit system events is not configured
Response: To be fixed by the service provider.

5.4.11 Rename administrator account
Response: To be fixed by the service provider.

5.4.12 Account lockout duration is not configured
Response: To be fixed by the service provider.

5.4.13 Reset account lockout counter after is not configured
Response: To be fixed by the service provider.

5.4.14 Deny access to this computer from the network
Response: To be fixed by the service provider.

5.4.15 Do not allow anonymous enumeration of SAM accounts and shares
Response: To be fixed by the service provider.

5.4.16 LAN Manager authentication level
Response: To be fixed by the service provider.

5.4.17 Message text for users attempting to log on
Response: To be fixed by the service provider.

5.4.18 Prompt user to change password is not configured
Response: To be fixed by the service provider.

5.5.1 Server authentication mode is not configured properly
Response: To be fixed by the service provider during his next service visit on Sunday 2nd Nov.

5.5.2 C2 audit mode is not being configured appropriately
Response: To be fixed by the service provider.

5.5.3 Shared administrative IDs being used
Response: To be fixed by the service provider.

5.6.1.1 Break into various information systems of QCC
Response: Full Windows patching should be implemented on the affected servers, and remote desktop connections encrypted. IPS/IDS will be implemented as a 2014 project.

5.6.1.2 Remote Desktop Protocol (RDP) server has man-in-the-middle weakness
Response: For servers we will renew the SSL certificate; for workstations we will enable NLA for Remote Desktop.

5.6.1.3 Apache Tomcat manager common administrative credentials
Response: Recommendation is considered and the issue is fixed.

5.6.1.4 IBM WebSphere Application Server (multiple vulnerabilities)
Response: Some patches conflict with JDE and are not recommended by Oracle.

5.6.1.5 SSL certificate cannot be trusted and it is expired
Response: Recommendation is considered and the issue is fixed.

5.6.1.6 SSL self-signed certificate
Response: Recommendation is considered and the issue is fixed.

5.6.1.7 Terminal Services doesn't use Network Level Authentication (NLA)
Response: Recommendation is considered and the issue is fixed.

5.6.1.8 Microsoft Windows SMB NULL session authentication
Response: It will be communicated with the VAS service contractor and implemented accordingly.

5.6.1.9 SSL Version 2 (v2) protocol detection
Response: Recommendation is considered and the issue is fixed.

5.6.1.10 Terminal Services encryption level is medium or low
Response: Recommendation is considered and the issue is fixed.

5.6.1.11 Apache HTTP Server httpOnly cookie information disclosure
Response: Recommendation is considered and the issue is fixed.

5.6.1.12 HTTP TRACE / TRACK methods allowed
Response: Recommendation is considered and the issue is fixed.

5.6.1.13 SMB signing is disabled
Response: Recommendation is considered and the issue is fixed.

5.6.1.14 Terminal Services encryption level is not FIPS-140 compliant
Response: Recommendation is considered and the issue is fixed.

5.6.1.15 SSL RC4 weak cipher suites supported
Response: To be fixed.

5.6.2.1 SSL certificate cannot be trusted and it is expired
Response: Recommendation is considered and the issue is to be fixed.

5.6.2.2 Web server HTTP header internal IP disclosure
Response: Recommendation is considered and the issue is fixed.

Target date / owner / status column (detached from its finding rows during extraction; values as they appear): target dates Dec. 2013, Jan. 2014, Feb. 2014, Mar. 2014, Apr. 2014, Jun. 2014 and "This week"; owners CEO, IT HR, HR, IA, VAS, SL and sa; status values "Fixed." and "OK".
