Human Resources Bureau 2021 Audit Status Report

Information

We are tracking one report that made seven recommendations to Human Resources

On this page

Elected-in-charge: Mayor Ted Wheeler
Bureau or Office Director: Cathy Bless

We are tracking one report and seven recommendations

Our 2018 data loss prevention audit made seven recommendations to the Bureau of Human Resources. The Bureau has implemented six recommendations and is in the process of implementing the seventh recommendation.

Human Resources had six recommendations implemented, one in process, and no recommendations not implemented or pending a follow-up by Audit Services.

Highlight from Last Year

Human Resources has implemented six data loss prevention recommendations, including recommendations to require password changes, improve physical security, and train all City staff on data and information technology security.

To Do

Human Resources should finalize implementation of our seventh recommendation, which remains confidential because of the sensitivity of information about potential computer or system weaknesses.

Data Loss Prevention Human Resources

Report published October 29, 2018 | Follow-up report | Contact E lizabeth Pape

In 2018, we reported that the City's steps to prevent data loss was relatively sound but needed to be strengthened. The purpose of the audit was to assess if the Bureau of Technology Services' approach to data loss prevention was well-designed and implemented effectively. Testing centered on practices used by Human Resources and other bureaus and offices to manage and protect data it creates and uses in a variety formats, including paper, electronic, and removable media. We kept the details of the report confidential because of the sensitivity of information about potential computer or system weaknesses, which is exempt in state law from public disclosure. Recommendations we found to be "in process" remain confidential. We Data Loss Prevention Program is stronger.

On this audit there were six recommendations implemented and one in process.

A bar graph showing six recommendations have been implemented and one is in process.

In Process Recommendation Details

Icon of a hourglass on a blue background.

Confidential Recommendation. (Data Loss Prevention Human Resources)

Implemented Recommendation Details

Icon of a white check mark on a blue background.

We recommended the Bureau configure applications to comply with appropriate password change requirements. The Bureau said it reconfigured its applications to require password changes after 90 days. (Data Loss Prevention Human Resources)

We recommended monitoring of closets containing cable connections at the Bureau's temporary workspace, development of a physical access control policy, and updated policies for terminating access when employees leave the City. The Bureau moved out of its temporary workspace. Closets in the new workspace are secure. The Bureau worked with Facilities to update access controls in the new workspace. The Bureau worked with Technology Services to develop a report to immediately notify Facilities when an employee leaves the City. (Data Loss Prevention Human Resources)

We recommended that the Bureau continue the development and implementation of information security awareness training. The Bureau reported that it worked with the City Archivist to develop a training, which is currently offered to employees. (Data Loss Prevention Human Resources)

We recommended the Bureau develop formal policies and procedures to address security of laptops, Universal Serial Bus drives, and hard copy documents. The Bureau said it developed a set of written expectations for the storage of sensitive data. It also planned to conduct spot checks. (Data Loss Prevention Human Resources)

We recommended the Bureau finalize its Continuity of Operations Plan and update it annually. The Bureau said it finalized its plan and was committed to updating it every six months. (Data Loss Prevention Human Resources)

We recommended the Bureau review third-party contracts and amend them to include requirements for protection of data. The Bureau said it modified its contracts. (Data Loss Prevention Human Resources)

Data Notes

At the end of every audit report, we issue a series of recommendations intended to make programs work even better. This report includes the status of Bureau recommendations since 2018, which was the beginning of our new follow-up process. We prepared it with a few audiences in mind:

City Council can use it to identify bureaus that may need additional resources or support in order to implement recommendations.
Bureau directors can use it to assess bureau performance and to determine if any changes in policy or procedure are necessary.
Bureau management and staff can use it to track recommendation status across audits to develop work plans and priorities.
General public can use it to monitor the status of recommendations related to topics of interest and to compare performance across bureaus.

This report includes recommendation status as of December 31, 2021.

Translated reports
Reports from this year and most of 2021 are available in four languages: Spanish, Vietnamese, Chinese, and Russian. We are translating new reports as they’re released, but older reports may not be available in a language other than English. If you would like to request a translated version of a report, please contact Leslie Chaires.

Links

Data Loss Prevention Human Resources
- Report Linkhttps://www.portland.gov/audit-services/news/2018/10/29/data-loss-prevention-citys-approach-sound-its-practices-should-be
- Follow-up Link http://www.portland.gov/year3data-loss-prevention

Contact

Audit Services Division

Send us your comments or questions

auditservices@portlandoregon.gov

Follow on Social Media

CityAuditorPDX

See something we could improve on this page? Give website feedback.