Audit Report

Patch Management

The objective of our audit was to evaluate the patch management program for the City and County of Denver’s information technology systems. This audit found some areas of strength and some areas that need improvement. Because of the information security sensitivities involved with patch management, these issues have been communicated separately to the relevant city agencies for their remediation.

Cyber criminals constantly try to break into vulnerable information technology systems and hardware to gain unauthorized access to data. Technology vendors usually test their systems thoroughly for cybersecurity vulnerabilities; however, attackers keep finding new ways to exploit systems.

To combat vulnerabilities, vendors develop corrections or fixes for security loopholes or flaws as those become known. These corrections or fixes are applied to systems through “patches.” Patches are very common. According to the SysAdmin, Audit, Network, and Security, or SANS, Institute, a security research and education company: “In the software world, rarely, if ever, is an application developed without having the need to be corrected, upgraded, or modified.”

Cybersecurity is not the only reason to apply patches to a system. In some cases, a patch adds new features. For example, a recent software update (i.e., patch) for the iPhone added a variety of new features including dark mode, a photos tab, and enhancements to portrait lighting when taking a photo.

“Patch management” is the process of identifying, acquiring, installing, and verifying patches for information technology systems. There are many models of what an effective patch management program should look like, but all have certain common characteristics.

An effective patch management process helps reduce cybersecurity risks across information technology systems. Installing patches in a timely manner can lessen the chance of a breach and any resulting data loss. According to the Ponemon Institute, an independent research firm on data protection and emerging information technologies, “60% of cyberattack victims report that their breaches could have been prevented by installing an available patch.”

Some of the largest data breaches reported recently have been because of unpatched systems. These include data breaches at Equifax, JP Morgan Chase, Target, The Home Depot, and Marriott. Millions of customers were impacted in these cases, which resulted in lawsuits, fines, and reputational damage to the companies.

This audit is authorized pursuant to the City and County of Denver Charter, Article V, Part 2, Section 1, “General Powers and Duties of Auditor.” We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

We extend our appreciation to the personnel in the relevant city agencies who assisted and cooperated with us during the audit. For any questions, please feel free to contact me at 720-913-5000.

Follow-up report

A follow-up report is forthcoming.

Audit Team: Dawn Wiseman, Kevin Sear, Brenda Berlin, Jared Miller, Nicholas Jimroglou, Karin Doughty, Brian Cheli, Joe Ebiziem