Data Loss Prevention Program stronger after most recommendations implemented

This is a three-year follow-up to our 2018 report, "Data Loss Prevention: City's approach is sound but its practices should be strengthened."

In 2018, we reported that the City’s steps to prevent data loss were relatively sound but needed to be strengthened. The purpose of the audit was to assess if the Bureau of Technology Services’ approach to data loss prevention was well-designed and implemented effectively. Testing centered on practices used by Human Resources and other bureaus and offices to manage and protect data they create and use in a variety of formats, including paper, electronic, and removable media.

We kept the details of the report confidential because of the sensitivity of information about potential computer or system weaknesses, which is exempt in state law from public disclosure. Recommendations we found to be “in process” remain confidential. We made a total of 27 recommendations. Three years later, most of them have been implemented, and the City’s Data Loss Prevention Program is stronger.

We directed 18 recommendations to the Bureau of Technology Services.

  • Twelve were implemented.
    These included recommendations to consistently complete vulnerability scans, back up data offsite, and create plans for continuity of operations and incident response.
  • Four are in process.
  • Two will not be implemented.
    The Bureau will not implement a uniform Systems Development Life Cycle program but reported that many of the components were in place. The Bureau will also not disable Universal Serial Bus ports in computers because they are allowed for use at the City.

We directed seven recommendations to the Bureau of Human Resources.

  • Six were implemented.
    These included recommendations to configure applications to require password changes, improve physical security, and train all City staff on data and information technology security.
  • One is in process.

We directed two recommendations to Archives and Records Management.

  • Both were implemented.
    Archives reported that it is now reviewing system permissions with each upgrade. It also performs major upgrades to its system every two years and performs a risk assessment to decide when to apply patches.

View the original 2018 audit report.

Visit our online dashboard to track the status of recommendations from other reports.

Contact

Elizabeth Pape

Performance Auditor II