DENVER – Denver County Court supports its own technology needs, independent of the rest of the city, but managers showed limited signs of implementing needed policies and procedures for user access and change management, according to a follow-up report from Denver Auditor Timothy M. O’Brien, CPA.
“This matters because without policies and procedures in place, management may eventually find the resources they have cannot serve their needs,” Auditor O’Brien said. “This could lead to data destruction, loss, or theft.”
We conducted an audit of Denver County Court and its general controls for information technology in 2018. At the time, we found a need for better and more frequent backups of data and improved policies and procedures.
When we returned to follow up, we found the court had implemented our recommendation to start using cloud storage for more frequent backups of critical data, which was a key step toward securing information.
However, the former manager in charge of the court’s information technology had retired in 2019 without implementing the new policies and procedures we recommended. The new director initially said they were busy adjusting to technology needs caused by the COVID-19 pandemic, including remote work and virtual court. However, the policies and procedures remained unimplemented as of the first quarter of 2021.
The court originally estimated it would implement the recommended policies and procedures by June 2019.
The current information technology director told our audit team they are evaluating both federal standards and Criminal Justice Information System standards. They did provide our team with documented checklists and a policy draft relating to user access reviews and password security, which are steps in the right direction.
However, progress on updating the policies and procedures was limited and we consider this recommendation not implemented.
We also recommended the court move its computer servers to a more secure location shared with other city data centers. Court officials disagreed with this recommendation, although we did find they took some action to put more equipment in a new location with support from the city’s Technology Services agency.
Auditor O’Brien also issued a second follow-up report this month related to Denver International Airport’s cybersecurity operations. Although managers at the airport improved communication with the city’s Technology Services agency, they still need to improve communication about cybersecurity with third-party vendors.
County Court Information Technology General Controls: Read the Follow-Up Report
County Court Information Technology General Controls: Read the Audit
Denver International Airport Cybersecurity Operations Center: Read the Follow-Up Report
Denver International Airport Cybersecurity Operations Center: Read the Audit