DENVER – The city’s Technology Services agency does not have clear citywide authority to establish uniform policies, which could weaken the city’s approach to cybersecurity and its management of information technology, according to an audit out this month from Denver Auditor Timothy M. O’Brien, CPA.
“We’re still using an executive order that’s 15 years old to direct our approach to managing technology,” Auditor O’Brien said. “We need an update that will allow Technology Services to more effectively take leadership in protecting our use of cloud-based applications.”
The audit examined asset management software applications in the Department of Transportation and Infrastructure, which was called the Department of Public Works at the time of the audit. We evaluated the design and the operating effectiveness of the information technology general controls, specific application controls and financial reporting for infrastructure assets tracked in two cloud-based systems.
While evaluating how Transportation uses these cloud-based systems, we found the agency had no formal policies or procedures in place to implement critical controls. There was no guidance from Technology Services. The lack of formal citywide policies for information technology processes to guide agency procedures creates both cybersecurity and operational risks.
Under Executive Order 18, Technology Services does not have the explicit authority to create and enforce citywide information technology policies. The executive order was issued in 2005, when the technology environment was radically different; the term "cloud computing" did not come into common use until 2006.
Without guidance from Technology Services, every city agency is currently responsible for creating its own policies and procedures related to information technology. Because individual agencies lack the expertise Technology Services has in designing appropriate safeguards, we found some necessary controls were missing in the Public Works systems we tested.
Missing controls create a higher cybersecurity risk, because a weakness in one system may allow an attacker to gain a foothold. Once an attacker has access to a system connected to the city's network, the intruder may be able to move further into the city's network. This places the whole city at risk of a ransomware attack or loss of city data.
The need to develop and implement information technology general controls cannot be overemphasized, according to the report. This is the foundation of an effective and efficient cybersecurity program and technology operations.
Providing the same type of direction for technology-related areas will also help create a more consistent and secure method of providing technology-related services across the city.
“We are operating in the past,” Auditor O’Brien said. “Technology Services needs to be able to take the lead to ensure a uniform approach to cybersecurity.”
Our audit team found that giving Technology Services the clear authority to establish and enforce technology-related policies could mimic the process the Controller’s Office uses to establish required financial controls for the city. The city’s Fiscal Accountability Rules apply to all city agencies and ensure they are accounting for items the same way. The audit team recommended that the city use a similar approach to information technology.
At the Audit Committee meeting, Technology Services officials agreed the 15-year-old guidance is outdated and that a uniform approach to system governance would be best. They said they plan to discuss options to change the law or the executive order.
The audit also found improving contracting processes for technology purchases and strengthening vendor oversight will create a stronger cybersecurity approach for protecting the city’s data. We made recommendations related to spreadsheet controls to protect critical financial and operational data. We also made recommendations related to oversight of vendors by the Department of Transportation and Infrastructure.