Elected-in-charge: Mary Hull Caballero
Bureau or Office Director: Diana Banning
We are tracking one Archives and Records Management Audit: Data Loss Prevention
The audit focused on Bureau of Human Resources practices but made two recommendations to Archives because some Human Resources records are archived. Archives implemented our recommendation to monitor user permissions immediately after the audit. In 2021, Archives implemented our second recommendation to promptly test and apply updates.
Highlight from Last Year
There was no activity in 2022.
There are no outstanding Archives recommendations.
Data Loss Prevention Archives
In 2018, we reported that the City's steps to prevent data loss was relatively sound but needed to be strengthened. The purpose of the audit was to assess if the Bureau of Technology Services' approach to data loss prevention was well-designed and implemented effectively. Testing centered on practices used by Human Resources and other bureaus and offices to manage and protect data they create and use in a variety of formats, including paper, electronic, and removable media. We kept the details of the report confidential because of the sensitivity of information about potential computer or system weaknesses, which is exempt in state law from public disclosure. Recommendations we found to be "in process" remain confidential. We made a total of 27 recommendations. Three years later, most of them have been implemented, and the City's Data Loss Prevention Program is stronger.
On this audit there were two recommendations implemented.
Implemented Recommendation Details
We recommended Archives perform regular monitoring of system user permissions to ensure independence within security roles. Archives said it is now reviewing system permissions with each upgrade. (Data Loss Prevention Archives)
We recommended Archives test and apply software updates as they were released. Archives said that it updated its system every two years when major upgrades were deployed. Archives reported that it takes a risk-based approach for minor patches, considering factors such as compatibility requirements and new features. (Data Loss Prevention Archives)
At the end of every audit report, we issue a series of recommendations intended to make programs work even better. This report includes the status of Bureau recommendations since 2018, which was the beginning of our new follow-up process. We prepared it with a few audiences in mind:
- City Council can use it to identify bureaus that may need additional resources or support in order to implement recommendations.
- Bureau directors can use it to assess bureau performance and to determine if any changes in policy or procedure are necessary.
- Bureau management and staff can use it to track recommendation status across audits to develop work plans and priorities.
- General public can use it to monitor the status of recommendations related to topics of interest and to compare performance across bureaus.
This report includes recommendation status as of December 31, 2022.
Most reports are available in four languages: Spanish, Vietnamese, Chinese, and Russian. We are translating new reports as they’re released, but older reports may not be available in a language other than English. If you would like to request a translated version of a report, please contact KC Jones.
Data Loss Prevention Archives