Storm damage recovery

Data Loss Prevention: City's approach is sound but its practices should be strengthened

White icons on blue backgrounds illustrating data loss prevention concepts
Overall the City of Portland’s approach to data loss prevention is sound. The audit did, however, identify some vulnerabilities and recommend actions the City can take to strengthen its data security program. Continued progress will help decrease the risk of data loss.

Data loss prevention is the practice of detecting and preventing disclosure of sensitive or confidential information outside of an organization. The City Auditor hired a technical expert to assess the City’s Bureau of Technology Services’ approach to data loss prevention. Testing centered on practices used by the Bureau of Human Resources to manage and protect data it uses. The audit also reviewed the City’s electronic records management system.

The City Auditor provided detailed audit results and recommendations to the Bureaus of Technology Services and Human Resources, and Archives and Records Management in separate confidential reports. Bureau managers provided responses to the detailed reports and generally committed to implementing the recommendations. Because of the sensitive information about computer or system weaknesses in those detailed reports, the City Auditor is publishing this public report to describe the overall audit process and results.

The City Auditor will follow up in one year to confirm that the recommended improvements were made.


Fiona Howell Earle

Performance Auditor