
Copy of Copy of IT Security and Application Audit _ Action


IT General Controls

Each row gives the audit finding, the target date or status and owner as they appear in the action sheet (in square brackets; "##" is a date cell that did not render in the source), and IT management's response.

3.1   Weaknesses noted in the governance of IT strategy  [Jan. 2014]
      This issue was discussed with the ACEO & Business Development. The ACEO advised considering the initiatives suggested in the QCC Strategy as the framework. IT suggested drafting a strategy and discussing it with the ACEO, so the draft strategy was prepared but

3.2   IT risk assessment and reviews of IT infrastructure, applications and systems are not performed  [Dec. 2013]
      This will be considered. The job descriptions of the Business Analyst and the Network Admin will be adjusted to cover this requirement (the BA for all risks at the application and database level, the Network Admin for the risks associated with any IT infrastructure component). The risk review is to be conducted in Q3 every year, and as required.

3.3   Breach of software licenses and inappropriate management of tools  [Dec. 2013]
      In the audit period IT was executing projects that will require different licenses. All new requirements are being discussed with the providers.

3.4   Absence of an information security function  [Mar. 2014]
      This business need will be covered as explained in 3.3, and we think that this is sufficient as of now. An independent information security function will be needed later, when QCC has more systems on the web or in cloud computing. Security training will be increased.

3.5   Lack of comprehensive policies and procedures  [Mar. 2014]
      Policies and procedures were suggested by IT and reviewed and adjusted by the Policies Committee. They are to be considered as the first version and to be evaluated and enhanced within 6 months of the issuing date. Increasing end-user awareness is important and will be considered.

3.6   Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) are not installed  [Mar. 2014]
      All are considered in the 2014 budget.

3.7   Inadequate management of security incidents across QCC  [Mar. 2014]
      The Security Policy & Procedure will be adjusted to consider that.

3.8   Disaster recovery drills are not being performed  [Mar. 2014]
      Noted. We think that the DRP is one component of a comprehensive BCP, and drills are to be conducted for the BCP to have comprehensive and meaningful drills. The current DRP is sufficient for business needs, and we are doing recovery tests regularly. This is not stated in the draft Policy; the Policy will be adjusted.

3.9   Absence of change control policies, procedures and documentation  [Jan. 2014]
      The current policies address change management in application and infrastructure projects, but there is no separate change control policy.

3.10  Change management logs are not available  [Jan. 2014]
      Separate logs for changes are not implemented. However, any change request will be documented before execution as per the policies.

3.11  Absence of a backup firewall  [Mar. 2014]
      Will be considered in the 2014 budget. Such devices are of the "fix and leave" type.

3.12  Patch management process is not in place  [Jan. 2014]
      We do install patches every time after testing and investigating. However, in many cases conflicts occur between new patches and the running applications. A procedure is to be introduced.

3.13  Absence of controls over the remote access solution  [Jan. 2014]
      Currently VPN is made available to third parties only if there is a real need, and the access is limited to the areas of concern. The recommendation will be considered.

3.14  Inappropriate configuration of the DameWare remote access tool  [Dec. 2013]
      As per the policy and procedure, IT staff are not allowed to access any PC without permission from the end user. This suggestion is considered.

3.15  Insufficient storage for backup  [Mar. 2014]
      Backup is being taken as follows. Application: full backup monthly. Data (JDE, VAS): daily incremental and full backup weekly.

3.16  Backup restoration and testing was not performed  [Apr. 2014]
      Media is needed; 2014 budget.

3.17  Inadequate implementation of password policy (not done)  [Fixed; sa]
      That was due to some enhancements requested by a review. The policy will be adjusted accordingly.

3.18  Sharing of administrator ID and password (2 persons are using it in JDE and SA)  [Fixed; sa]
      For the AD Admin, the issue is fixed. For the ERP, this point is fixed in the new JDE upgrade.

3.19  Ex-employee IDs are still active on the domain (almost done)  [Fixed; sa]
      As per the current policy, the account of a resigned employee is made inactive, and IT is implementing that.

3.20  Lack of physical and environmental controls over the primary data center  [Mar. 2014]
      Fire suppression system: installed and tested regularly by Safety.
      Surveillance system: new and being implemented.
      Temperature and humidity control: we are communicating with the contractor to fix.
      Water detector: not needed.
      Visitor logs: will be considered.
      Servers connected with only one network cable/card: that is for old servers, which will be replaced.
      Wires lying around: no, all are in place.
      Combustible material (wooden table, cartons, chairs, etc.) present: the issue is fixed.

3.21  Lack of physical and environmental controls over the DR site  [Mar. 2014]
      This location is temporary; a new location is being prepared.

3.22  Absence of a project management methodology and its relevant policies and procedures  [Jan. 2014]
      IT has drafted the policy for project management; however, the Policy & Procedures Committee decided to generalize it to control all QCC projects. It is still under modification by the Policy Committee.

3.23  Weakness noted in the recovery process  [Jun. 2014]
      We think this part is to be considered as part of the QCC BCP, where the critical mission objectives are identified and the IT DRP designed accordingly.

3.24  Review of the IT balanced scorecard is not performed  [##; CEO]
      The review used to be quarterly.

3.25  Absence of a data classification scheme with associated data protection guidelines  [##; CEO]
      We rely on the Authority Matrix on the application side. The data scheme will be discussed with management.

3.26  Generic user IDs are found on the domain  [Fixed; ok]
      This issue is fixed.

3.27  IT steering committee is not in place  [##; CEO]
      The alignment with business is achieved via close coordination with middle management &

3.28  Absence of IT training and information security awareness  [##; IT HR]
      The recommendation will be considered.

Application Controls

4.1.1   Absence of Standard Operating Procedures (SOP)  [Mar. 2014]
        It is done for some applications and the remaining will be considered.

4.1.2   Absence of an authority and Segregation of Duties (SOD) matrix  [##; Jan. 2014; IA]
        We will try to make it more dynamic by designing a report to define the SODs.

4.1.3   Password parameters need to be configured (not done)  [Fixed; this week]
        The issue was fixed. It was because the master password was set to 3 characters. After the JDE upgrade we changed the master password to comply with the suggested password policy.

4.1.4   Weaknesses noted in log generation and its details  [Mar. 2014; Review]
        It is implemented wherever found applicable in JDE, and satisfies business needs with less load on performance.

4.1.5   Absence of segregation of duties in the HR, Payroll and Store modules  [##; Dec. 2013; HR]
        We support this recommendation. The comment was passed to the concerned departments, and IT will work closely with Procurement and HR to overcome such issues.

4.1.6   Excessive access for payroll staff on the payroll sub-system  [##; Dec. 2013; HR]
        We support this recommendation. The comment was passed to the concerned departments, and IT will work closely with HR to overcome this issue.

4.1.7   Excessive rights of the application administrator over the production environment  [##; Dec. 2013; VAS]
        Access to production will be minimized and restricted.

4.1.8   Inactive user IDs were found in JDE (to be checked)  [Fixed; this week]
        Noted. All these users are inactive. The list was taken during the migration from JDE 8.12 to JDE 9.1.

4.1.9   Absence of workflow in the payroll system  [##; Jan. 2014; HR]
        That is considered in the SharePoint projects.

4.1.10  Generic user IDs were found in JDE  [Fixed; OK]
        The recommendation is considered and the issue is fixed.

4.1.11  Allowances and deductions are calculated manually  [Jun. 2014]
        That will be considered in the SharePoint and JDE implementation projects.

4.1.12  Periodic review of access rights is not being performed  [Jun. 2014]
        In case of any change, the owner (department manager) is responsible for informing IT via email or by opening a support ticket. Purchasing a reporting tool to report access rights from the system is planned; the report will be communicated to the department managers and IA for review and approval.

4.1.13  Naming convention for creating user IDs is not being used  [Jun. 2014]
        Fixed in VAS. JDE will be studied. SSO for the QCC portal will cover this need.

4.1.14  Lack of input validation control in HR modules  [Jan. 2014]
        This is a JDE limitation.

4.1.15  Absence of automated notification for item reorder level  [Jun. 2014]
        It is included in the SharePoint project.

4.1.16  Lack of validation control over maintenance modules  [Jan. 2014]
        It is due to a JDE limitation.

4.2.1   Absence of an authority and Segregation of Duties (SOD) matrix  [##; Jan. 2014; IA]
        We will try to make it more dynamic by designing a report to define the SODs.

4.2.2   Password parameters need to be configured  [##; Jan. 2014; VAS]
        The system does not support such a request; we have requested an offer from the supplier.

4.2.3   Excessive rights of the application administrator over the production environment (VAS remaining)  [Fixed; VAS]
        The Alzaidi user name is removed. The VAS administrator is used to run some services, so it cannot be removed.

4.2.4   Inactive user IDs were found in VAS (with Abu Ali)  [Fixed; VAS]
        The recommendation is considered and the issue is fixed, and it will be communicated to the service provider to implement.

4.2.5   Absence of a dedicated testing environment  [Feb. 2014]
        Considered in the 2014 budget.

4.2.6   Generic IDs were found in VAS  [Jan. 2014]
        Considered. However, the VAS user is needed by the system. Many IDs are customer IDs used to access iDispo; those will be moved to the test environment.

4.2.7   Periodic review of access rights is not being performed  [Jun. 2014]
        In case of any change, the manager of the owner department is responsible for informing IT via email or by opening a support ticket. Reviews will be conducted periodically.

4.2.8   Naming convention for creating user IDs is not being used  [Jun. 2014]
        There is no formal policy; however, we are using the employee ID as the user name for all. Drafting a policy will be considered.

Information Security

5.1.1   Clear-text HTTP service is enabled  [Fixed; ok]
        The issue is fixed.

5.1.2   Weak user account lockout policy setting is configured  [Fixed; ok]
        The recommendation is considered and the issue is fixed.

5.1.3   Weak password history policy setting is configured  [Fixed; ok]
        The recommendation is considered and the issue is fixed.

5.1.4   No HTTP service network access restrictions  [Fixed; ok]
        The issue is fixed.

5.1.5   Syslog logging is not enabled  [Fixed; ok]
        That was found on a few servers; the issue is fixed.

5.1.6   NTP control queries were permitted  [Fixed; ok]
        Most of the servers were in sync. The issue was found on one server and was fixed.

5.1.7   No time synchronization is configured  [Fixed; ok]
        Most of the servers were in sync. The issue was found on one server and was fixed.

5.1.8   AUX port is not disabled  [Fixed; ok]
        The recommendation is considered and the issue is fixed.

5.1.9   No network filtering rules were configured  [Fixed; ok]
        We are implementing this feature for external access. We will implement it for all.

5.1.10  No warning in pre-logon banner  [Fixed; ok]
        Noted.

5.1.11  No post-logon banner message  [Fixed; ok]
        Noted.

5.1.12  Weak password expiry warning policy setting is configured  [Fixed; ok]
        We will extend it to a 7-day notice.

5.2     Underlying operating system of JDE (Windows local security policy settings)

5.2.1   Password history is not available  [Fixed; ok]
        The recommendation is considered and the issue is fixed.

5.2.2   Minimum password age is not properly configured  [Fixed; ok]
        The recommendation is considered and the issue is fixed.

5.2.3   Minimum password length is not properly configured  [Fixed; ok]
        That became applicable only after we upgraded the ERP. We have fixed the issue.

5.2.4   Account lockout threshold is not configured (will be fixed)  [Fixed; ok]
        The recommendation is considered and the issue is fixed.

5.2.5   "Audit account logon events" is not configured  [Fixed; ok]
        The recommendation is considered and the issue is fixed.

5.2.6   "Audit logon events" is not configured  [Fixed; ok]
        The recommendation is considered and the issue is fixed.

5.2.7   "Audit policy change" is not configured  [Fixed; ok]
        The recommendation is considered and the issue is fixed.

5.2.8   "Audit policy change" is not configured  [Fixed; ok]
        The recommendation is considered and the issue is fixed.

5.2.9   "Audit system events" is not configured  [Fixed; ok]
        The recommendation is considered and the issue is fixed.

5.2.10  "Deny access to this computer from the network"  [Fixed; ok]
        The recommendation is considered and the issue is fixed.

5.2.11  Rename administrator account  [Fixed; ok]
        The recommendation is considered and the issue is fixed.

5.2.12  Account lockout duration is not configured  [Fixed; ok]
        The recommendation is considered and the issue is fixed.

5.2.13  "Reset account lockout counter after" is not configured  [Fixed; ok]
        The recommendation is considered and the issue is fixed.

5.2.14  "Do not allow anonymous enumeration of SAM accounts and shares"  [Fixed; ok]
        To be fixed.

5.2.15  LAN Manager authentication level  [Fixed; ok]
        The recommendation is considered and the issue is fixed.

5.2.16  Message text for users attempting to log on  [Fixed; ok]
        Noted.

5.3     Underlying database of JDE (SQL Server)

5.3.1   Underlying database of JDE  [Fixed; OK; SL]
        The recommendation is considered and the issue is fixed.

5.3.2   C2 audit mode is not configured appropriately  [Fixed; ok]
        The recommendation is considered and the issue is fixed.

5.3.3   System table updates is not configured appropriately  [Fixed; ok]
        The recommendation is considered and the issue is fixed.

5.3.4   Shared administrative IDs being used (no one knows the password of the 'SA' user)  [Fixed; Ok]
        The recommendation is considered and the issue is fixed.
5.4.1 to 5.4.18  [Fixed; VAS]
        All eighteen rows carry the same response: To be fixed by the service provider.
        5.4.1   Password history is not properly configured
        5.4.2   Minimum password age is not properly configured
        5.4.3   Minimum password length is not properly configured
        5.4.4   Password complexity is not enabled
        5.4.5   Account lockout threshold is not configured
        5.4.6   "Audit account logon events" is not properly configured
        5.4.7   "Audit account management" is not configured
        5.4.8   "Audit logon events" is not properly configured
        5.4.9   "Audit policy change" is not configured
        5.4.10  "Audit system events" is not configured
        5.4.11  Rename administrator account
        5.4.12  Account lockout duration is not configured
        5.4.13  "Reset account lockout counter after" is not configured
        5.4.14  "Deny access to this computer from the network"
        5.4.15  "Do not allow anonymous enumeration of SAM accounts and shares"
        5.4.16  LAN Manager authentication level
        5.4.17  Message text for users attempting to log on
        5.4.18  "Prompt user to change password" is not configured

5.5.1   Server authentication mode is not configured properly  [Fixed; VAS]
        To be fixed by the service provider during his next service visit on Sunday 2nd Nov.

5.5.2   C2 audit mode is not configured appropriately  [Fixed; VAS]
        To be fixed by the service provider.

5.5.3   Shared administrative IDs being used  [Fixed; VAS]
        To be fixed by the service provider.

5.6.1.1   Break into various information systems of QCC  [Fixed; Ok]
          Full Windows patching should be implemented on the affected servers, and Remote Desktop connections encrypted. IPS/IDS will be implemented as a 2014 project.

5.6.1.2   Remote Desktop Protocol (RDP) server has a man-in-the-middle weakness  [Fixed; Ok]
          For servers we will renew the SSL certificate. For workstations we will enable NLA for Remote Desktop.

5.6.1.3   Apache Tomcat Manager common administrative credentials  [Fixed; Ok]
          The recommendation is considered and the issue is fixed.

5.6.1.4   IBM WebSphere Application Server (multiple vulnerabilities)  [Fixed; Ok]
          Some patches conflict with JDE and are not recommended by Oracle.

5.6.1.5   SSL certificate cannot be trusted and is expired  [Fixed; Ok]
          The recommendation is considered and the issue is fixed.

5.6.1.6   SSL self-signed certificate  [Fixed; Ok]
          The recommendation is considered and the issue is fixed.

5.6.1.7   Terminal Services does not use Network Level Authentication (NLA)  [Fixed; Ok]
          The recommendation is considered and the issue is fixed.

5.6.1.8   Microsoft Windows SMB NULL session authentication  [Fixed; Ok]
          It will be communicated to the VAS service contractor and implemented accordingly.

5.6.1.9   SSL version 2 (v2) protocol detection  [Fixed; Ok]
          The recommendation is considered and the issue is fixed.

5.6.1.10  Terminal Services encryption level is medium or low  [Fixed; Ok]
          The recommendation is considered and the issue is fixed.

5.6.1.11  Apache HTTP Server httpOnly cookie information disclosure  [Fixed; VAS]
          The recommendation is considered and the issue is fixed.

5.6.1.12  HTTP TRACE / TRACK methods allowed  [Fixed; Ok]
          The recommendation is considered and the issue is fixed.

5.6.1.13  SMB signing is disabled  [Fixed; Ok]
          The recommendation is considered and the issue is fixed.

5.6.1.14  Terminal Services encryption level is not FIPS-140 compliant  [Fixed; Ok]
          The recommendation is considered and the issue is fixed.

5.6.1.15  SSL/TLS RC4 weak cipher suites supported  [Fixed; Ok]
          To be fixed.

5.6.2.1   SSL certificate cannot be trusted and is expired  [Fixed; Ok]
          The recommendation is considered and the issue is to be fixed.

5.6.2.2   Web server HTTP header internal IP disclosure  [Fixed; OK]
          The recommendation is considered and the issue is fixed.
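Several rows above are the same control seen from different systems: ex-employee IDs still active (3.19), generic and shared IDs (3.26, 4.1.10, 4.2.6), inactive IDs (4.1.8, 4.2.4) and the periodic access review the responses to 4.1.12 and 4.2.7 commit to. All of them reduce to reconciling an account export against the HR roster, which is what the following script does. It is an added example written for this page, not a script from QCC or its auditors: the roster and the account export are constructed, the 90-day dormancy window and the four-digit employee-ID convention are assumptions (the 4.2.8 response only says the employee ID is used as the user name), and the `vas` account is skipped because the 4.2.6 response says the system needs it.

```python
"""Periodic user-access review: reconcile an account export against the HR roster.

Added example (not from the audit workbook). Assumes the 4.2.8 convention that
the user name is the employee ID, here four digits; any other name is put on
the generic/shared-ID list for the owners to justify.
"""
import csv
import io
from datetime import date, datetime, timedelta

REVIEW_DATE = date(2014, 6, 30)       # fixed so the example is deterministic
DORMANT_AFTER = timedelta(days=90)    # assumption: no logon in 90 days = dormant
SYSTEM_ACCOUNTS = {"vas"}             # 4.2.6: needed by the system, reviewed separately

# Constructed HR roster: employee ID, name, status, leaving date (blank if active).
HR_ROSTER = """\
emp_id,name,status,leave_date
1001,A. Example,active,
1002,B. Example,left,2014-02-15
1003,C. Example,active,
1004,D. Example,left,2013-11-30
"""

# Constructed account export (domain or ERP user table). enabled is 1/0;
# last_logon is an ISO date, or blank if the account never logged on.
ACCOUNT_EXPORT = """\
username,enabled,last_logon,description
1001,1,2014-06-27,A. Example
1002,1,2014-03-02,B. Example
1003,1,2014-01-10,C. Example
1004,0,2013-12-01,D. Example
1005,1,,new hire; never used
payroll,1,2014-06-20,shared payroll login
vas,1,2014-06-29,VAS service account
temp01,1,2013-09-01,contractor
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def _is_employee_id(username):
    return username.isdigit() and len(username) == 4


def _dormant(last_logon, review_date):
    if not last_logon:                # never logged on counts as dormant
        return True
    last = datetime.strptime(last_logon, "%Y-%m-%d").date()
    return review_date - last > DORMANT_AFTER


def review_accounts(roster_csv=HR_ROSTER, export_csv=ACCOUNT_EXPORT,
                    review_date=REVIEW_DATE):
    """Return the four lists an access review puts in front of the owners."""
    roster = {r["emp_id"]: r for r in _rows(roster_csv)}
    findings = {"ex_employee_enabled": [], "dormant": [],
                "generic_id": [], "no_roster_match": []}
    for acct in _rows(export_csv):
        user = acct["username"].strip().lower()
        if user in SYSTEM_ACCOUNTS:
            continue
        enabled = acct["enabled"].strip() == "1"
        if _is_employee_id(user):
            emp = roster.get(user)
            if emp is None:                       # account with no employee behind it
                findings["no_roster_match"].append(user)
            elif emp["status"] == "left" and enabled:
                findings["ex_employee_enabled"].append(user)
        else:
            findings["generic_id"].append(user)   # does not follow the naming convention
        if enabled and _dormant(acct["last_logon"].strip(), review_date):
            findings["dormant"].append(user)
    return findings


if __name__ == "__main__":
    for kind, users in review_accounts().items():
        print(f"{kind}: {', '.join(users) or '-'}")
```

The disabled account of the employee who left in November (1004) is not reported, which is the outcome the 3.19 response describes; the enabled account of the February leaver (1002) is, and it is also dormant. Whatever tool the 4.1.12 response ends up purchasing, its output should be reconcilable to the roster in the same way, and the generic-ID list is the one to walk through with the owners before declaring 3.26 or 4.2.6 closed.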
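The Windows settings under 5.2 and 5.4 are all local security policy items, so the status "Fixed" (and, for 5.4, a fix promised by the service provider) can be verified from a policy export instead of being taken on trust; this matters for rows such as 5.2.14, whose response still reads "To be fixed". The script below is an added example, not part of the audit workbook: it parses two constructed exports in the format `secedit /export /cfg` produces, one with the weak values the findings describe and one hardened, and reports which checks fail. The thresholds are assumptions in line with common hardening baselines, except the 7-day expiry warning stated in the 5.1.12 response; the renamed administrator name is a placeholder.

```python
"""Verify the Windows local-security-policy items (5.2.x / 5.4.x) from a secedit export.

Added example, not part of the audit workbook. On the host run
    secedit /export /cfg C:\\policy.inf
and read the file with encoding="utf-16". Both INF texts below are constructed;
thresholds are assumptions except the 7-day expiry warning from 5.1.12, and
"qcc-localadm" is a placeholder administrator name.
"""
import configparser

LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"
WINLOGON = "MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\"
POLSYS = "MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\"

# Constructed export showing the settings the audit flagged.
WEAK_INF = r"""[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MinimumPasswordLength = 3
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
NewAdministratorName = "Administrator"
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditAccountLogon = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,5
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,
[Privilege Rights]
SeDenyNetworkLogonRight =
"""

# Constructed export after remediation (values are assumed baseline values).
HARDENED_INF = r"""[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 15
LockoutDuration = 15
NewAdministratorName = "qcc-localadm"
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditPolicyChange = 3
AuditAccountManage = 3
AuditAccountLogon = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,Authorized use only. Activity is monitored.
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546
"""


def parse_inf(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str              # keep registry paths case-sensitive
    cp.read_string(text)
    return cp


def _value(cp, section, key):
    raw = cp.get(section, key, fallback=None)
    if raw is None:
        return None
    raw = raw.strip().strip('"')
    if section == "Registry Values" and "," in raw:
        raw = raw.split(",", 1)[1]    # registry lines are "<type>,<data>"
    return raw


def _num(cp, section, key):
    try:
        return int(_value(cp, section, key))
    except (TypeError, ValueError):
        return None                   # missing or non-numeric never passes


def evaluate_policy(inf_text):
    """Map each audit item to True (meets the assumed baseline) or False."""
    cp = parse_inf(inf_text)
    sa = lambda k: _num(cp, "System Access", k)
    ea = lambda k: _num(cp, "Event Audit", k)     # 1 success, 2 failure, 3 both
    rv = lambda k: _num(cp, "Registry Values", k)
    ok = lambda n, lo, hi=None: n is not None and n >= lo and (hi is None or n <= hi)
    return {
        "password_history": ok(sa("PasswordHistorySize"), 24),
        "min_password_age": ok(sa("MinimumPasswordAge"), 1),
        "min_password_length": ok(sa("MinimumPasswordLength"), 8),
        "password_complexity": sa("PasswordComplexity") == 1,
        "lockout_threshold": ok(sa("LockoutBadCount"), 1, 10),
        "lockout_duration": ok(sa("LockoutDuration"), 15),
        "lockout_reset_counter": ok(sa("ResetLockoutCount"), 15),
        "audit_account_logon": ea("AuditAccountLogon") == 3,
        "audit_logon_events": ea("AuditLogonEvents") == 3,
        "audit_account_management": ea("AuditAccountManage") == 3,
        "audit_policy_change": ok(ea("AuditPolicyChange"), 1),
        "audit_system_events": ok(ea("AuditSystemEvents"), 1),
        "administrator_renamed": _value(cp, "System Access", "NewAdministratorName")
                                 not in (None, "Administrator"),
        "deny_network_logon_set": bool(_value(cp, "Privilege Rights", "SeDenyNetworkLogonRight")),
        # "SAM accounts and shares" needs RestrictAnonymous=1 as well as RestrictAnonymousSAM=1
        "no_anonymous_sam_enumeration": rv(LSA + "RestrictAnonymousSAM") == 1
                                        and rv(LSA + "RestrictAnonymous") == 1,
        "lm_auth_level_ntlmv2_only": ok(rv(LSA + "LmCompatibilityLevel"), 5),
        "password_expiry_warning": ok(rv(WINLOGON + "PasswordExpiryWarning"), 7),
        "logon_message_text": bool(_value(cp, "Registry Values", POLSYS + "LegalNoticeText")),
    }


def failed_checks(inf_text):
    return sorted(name for name, passed in evaluate_policy(inf_text).items() if not passed)


if __name__ == "__main__":
    print("weak export fails:", failed_checks(WEAK_INF))
    print("hardened export fails:", failed_checks(HARDENED_INF))
```

Because `LockoutDuration` and `ResetLockoutCount` are only written to the export once a lockout threshold is set, a missing key is treated as a failure rather than skipped; the same rule catches a `RestrictAnonymous` that was never set. The exported file reflects the policy effective on that host, so for the 5.4 rows the check is run after the service provider's visit, on the VAS host itself.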
