SFI to perform security audits on grant system


24 Aug 2004


Science Foundation Ireland (SFI), the agency responsible for delivering over €600m of science infrastructure investment over the coming years, has put out a tender for a security audit of its awards management system, which is central to the release of research grants and internships.

The contract will be for a single security audit of SFI’s systems, network and applications security, but it is envisaged that the audit will be carried out on a recurring basis.

The main aims of the audit are to ensure that external access to SFI and Forfás’s IT network and awards management systems is restricted and that access to the Exchequer’s server and service is restricted to SFI staff.

The awards management system (AMS) is a web-based application implemented on at least 10 servers at SFI’s headquarters in Dublin.

The first phase tender contract will involve a penetration test reporting on internet protocol devices that are visible within the AMS infrastructure, an analysis of the server lockdown measures in place and an analysis of the level of security offered by SFI’s virtual private network.

The first phase will also look at router integrity, firewall integrity and virus management. SFI uses PIX, Nokia and Checkpoint firewall systems.

The second phase will involve an overall review of network security in terms of network access to the Exchequer’s server and an analysis of the Windows server on which the Exchequer service runs, including user access rights.

SFI was set up in 2000 as a sub-board of Forfás to administer Ireland’s Technology Foresight Fund. In 2003 the organisation became a full state agency under the Industrial Development (Science Foundation Ireland) Act 2003. As a statutory body the agency has a requirement to perform security audits on its AMS infrastructure.

By John Kennedy