Elected-in-charge: Mayor Ted Wheeler
Bureau or Office Director: Jeff Baer
Summary: We are tracking one report and 18 recommendations.
The audit focused on practices used by Human Resources but included Technology Services because it is responsible for managing some aspects of data maintenance. We are keeping details about “in process” recommendations confidential because of the sensitivity of information about potential computer or system weaknesses. These sensitive details are exempt in state law from public disclosure. Four recommendations are “in process.”
There were 12 recommendations implemented, four in process, and two not implemented.
Highlight from Last Year
There was no activity in 2022.
To Do
"In Process" recommendations are confidential.
Data Loss Prevention Technology Services
Report published October 29, 2018 | Follow-up report | Contact Elizabeth Pape
In 2018, we reported that the City’s steps to prevent data loss were relatively sound but needed to be strengthened. The purpose of the audit was to assess if the Bureau of Technology Services’ approach to data loss prevention was well-designed and implemented effectively. Testing centered on practices used by Human Resources and other bureaus and offices to manage and protect data they create and use in a variety of formats, including paper, electronic, and removable media. We kept the details of the report confidential because of the sensitivity of information about potential computer or system weaknesses, which is exempt in state law from public disclosure. Recommendations we found to be "in process" remain confidential. We made a total of 27 recommendations across bureaus. Three years later, most of them have been implemented, and the City’s Data Loss Prevention Program is stronger.
On this audit there were 12 recommendations implemented, four in process, and two not implemented.
Not Implemented Recommendation Details
We recommended that the Bureau publish a System Development Lifecycle policy. The Bureau will not implement a uniform Systems Development Life Cycle program but reported that many of the components were in place. (Data Loss Prevention Technology Services)
We recommended the Bureau disable Universal Serial Bus (USB) ports and network jacks in public areas or only allow city devices to connect to the network. The Bureau said that it has evaluated the risks and will not disable the ports because they are allowed for use at the City. The Bureau said that port access will be a part of its Network Access Control project, which is expected to occur in Fiscal Year 2022-23. (Data Loss Prevention Technology Services)
In Process Recommendation Details
Confidential Recommendation (Data Loss Prevention Technology Services)
Confidential Recommendation (Data Loss Prevention Technology Services)
Confidential Recommendation (Data Loss Prevention Technology Services)
Confidential Recommendation (Data Loss Prevention Technology Services)
Implemented Recommendation Details
We recommended that the Bureau perform vulnerability scans consistently and completely. The Bureau provided us with a vulnerability scan schedule. (Data Loss Prevention Technology Services)
We recommended that the Bureau configure Windows servers and improve network device security. According to the Bureau, several privileged access processes, controls, procedures, and review processes have been adopted. (Data Loss Prevention Technology Services)
We recommended that the Bureau complete the back-up of the financial information system at its data center. As of July 2019, all financial data is backed up at the secondary data center. (Data Loss Prevention Technology Services)
We recommended the Bureau update its incident response administrative rule and approve and test the Business Continuity of Operations Plan. The Bureau reported it now updates the plan quarterly and added a position that is assigned to oversee the plan. (Data Loss Prevention Technology Services)
We recommended that the Bureau configure security systems consistently. The Bureau reported it now regularly audits access controls and reviews security logs for the financial system. (Data Loss Prevention Technology Services)
We recommended that the Bureau regularly review user accounts to identify any with inappropriate permissions. The Bureau reported it removed stale accounts. (Data Loss Prevention Technology Services)
We recommended that the Bureau regularly review user access to the network to identify any with inappropriate permissions. The Bureau reported network access control and user account terminations have been reviewed and updated. (Data Loss Prevention Technology Services)
We recommended that the Bureau consistently implement data center access controls. The Bureau reported it relocated data centers and strengthened controls to the second highest level possible. (Data Loss Prevention Technology Services)
We recommended that the Bureau continue the development and implementation of security awareness training. All users are now required to complete an annual security awareness training. (Data Loss Prevention Technology Services)
We recommended the Bureau mask personally identifiable data when using it in testing and development environments. The Bureau reported all data is now scrubbed before use in the testing and development environment. (Data Loss Prevention Technology Services)
We recommended the Bureau ensure Human Resources-related issues were reported using the “trouble ticketing” system. The Bureau said all incidents are reported. (Data Loss Prevention Technology Services)
We recommended the Bureau develop a policy for removable media. The Bureau reported it developed a new policy, which it anticipates posting to the City’s website in September 2021. (Data Loss Prevention Technology Services)
Data Notes
At the end of every audit report, we issue a series of recommendations intended to make programs work even better. This report includes the status of Bureau recommendations since 2018, which was the beginning of our new follow-up process. We prepared it with a few audiences in mind:
- City Council can use it to identify bureaus that may need additional resources or support in order to implement recommendations.
- Bureau directors can use it to assess bureau performance and to determine if any changes in policy or procedure are necessary.
- Bureau management and staff can use it to track recommendation status across audits to develop work plans and priorities.
- The general public can use it to monitor the status of recommendations related to topics of interest and to compare performance across bureaus.
This report includes recommendation status as of December 31, 2022.
Translated reports
Most reports are available in four languages: Spanish, Vietnamese, Chinese, and Russian. We are translating new reports as they’re released, but older reports may not be available in a language other than English. If you would like to request a translated version of a report, please contact KC Jones.