Elected-in-charge: Mayor Ted Wheeler
Bureau or Office Director: Cathy Bless
We are tracking two reports and nine recommendations
Our 2018 data loss prevention audit made seven recommendations to the Bureau of Human Resources. A second audit was about Human Resources' role in increasing accountability in the Fire Bureau. Human Resources has implemented six recommendations, one is in process, and two are pending.
Highlight from Last Year
There was no activity in 2022.
To Do
We recommended accurately documenting and monitoring complaints, investigations, and discipline to enable the data to be analyzed for risks, interventions, policy changes, and training needs.
Data Loss Prevention Human Resources
Report published October 29, 2018 | Follow-up report | Contact Elizabeth Pape
In 2018, we reported that the City's steps to prevent data loss was relatively sound but needed to be strengthened. The purpose of the audit was to assess if the Bureau of Technology Services' approach to data loss prevention was well-designed and implemented effectively. Testing centered on practices used by Human Resources and other bureaus and offices to manage and protect data they create and use in a variety of formats, including paper, electronic, and removable media. We kept the details of the report confidential because of the sensitivity of information about potential computer or system weaknesses, which is exempt in state law from public disclosure. Recommendations we found to be "in process" remain confidential.
On this audit there were six recommendations implemented and one in process.
Portland Fire & Rescue does not have a coherent accountability system
Report published June 29, 2022 | Contact Jenny Scott
We found that the Portland Fire Bureau has not invested the time, attention, and resources needed for a coherent employee accountability system. We make recommendations for training, complaint investigation, and discipline processes to help ensure that the Bureau achieves its diversity goals.
This is a new audit with two recommendations pending follow-up.
In Process Recommendation Details
Confidential Recommendation. (Data Loss Prevention Human Resources)
Implemented Recommendation Details
We recommended the Bureau configure applications to comply with appropriate password change requirements. The Bureau said it reconfigured its applications to require password changes after 90 days. (Data Loss Prevention Human Resources)
We recommended monitoring of closets containing cable connections at the Bureau's temporary workspace, development of a physical access control policy, and updated policies for terminating access when employees leave the City. The Bureau moved out of its temporary workspace. Closets in the new workspace are secure. The Bureau worked with Facilities to update access controls in the new workspace. The Bureau worked with Technology Services to develop a report to immediately notify Facilities when an employee leaves the City. (Data Loss Prevention Human Resources)
We recommended that the Bureau continue the development and implementation of information security awareness training. The Bureau reported that it worked with the City Archivist to develop a training, which is currently offered to employees. (Data Loss Prevention Human Resources)
We recommended the Bureau develop formal policies and procedures to address security of laptops, Universal Serial Bus drives, and hard copy documents. The Bureau said it developed a set of written expectations for the storage of sensitive data. It also planned to conduct spot checks. (Data Loss Prevention Human Resources)
We recommended the Bureau finalize its Continuity of Operations Plan and update it annually. The Bureau said it finalized its plan and was committed to updating it every six months. (Data Loss Prevention Human Resources)
We recommended the Bureau review third-party contracts and amend them to include requirements for protection of data. The Bureau said it modified its contracts. (Data Loss Prevention Human Resources)
Pending Recommendation Details
We recommended improving Human Resources’ investigation guidance to ensure that necessary investigation steps are performed and documented, and that notice is given to employees when investigations are completed. The updated guidance should include timeliness benchmarks for key investigative steps. (Portland Fire & Rescue does not have a coherent accountability system)
We recommended accurately documenting and monitoring complaints, investigations, and discipline to enable the data to be analyzed for risks, interventions, policy changes, and training needs. (Portland Fire & Rescue does not have a coherent accountability system)
Data Notes
At the end of every audit report, we issue a series of recommendations intended to make programs work even better. This report includes the status of Bureau recommendations since 2018, which was the beginning of our new follow-up process. We prepared it with a few audiences in mind:
- City Council can use it to identify bureaus that may need additional resources or support in order to implement recommendations.
- Bureau directors can use it to assess bureau performance and to determine if any changes in policy or procedure are necessary.
- Bureau management and staff can use it to track recommendation status across audits to develop work plans and priorities.
- General public can use it to monitor the status of recommendations related to topics of interest and to compare performance across bureaus.
This report includes recommendation status as of December 31, 2022.
Translated reports
Most reports are available in four languages: Spanish, Vietnamese, Chinese, and Russian. We are translating new reports as they’re released, but older reports may not be available in a language other than English. If you would like to request a translated version of a report, please contact KC Jones.
Links
- Data Loss Prevention Human Resources
- Portland Fire & Rescue does not have a coherent accountability system
- Report Link https://www.portland.gov/fire-discipline-audit