Technology Services 2022 Audit Status Report

We are tracking one Technology Services audit with 18 recommendations.

Elected-in-charge: Mayor Ted Wheeler
Bureau or Office Director: Jeff Baer


Summary: We are tracking one report and 18 recommendations

The audit focused on practices used by Human Resources but included Technology Services because it is responsible for managing some aspects of data maintenance. We are keeping details about “in process” recommendations confidential because of the sensitivity of information about potential computer or system weaknesses. These sensitive details are exempt in state law from public disclosure. Four recommendations are “in process.”

There were 12 recommendations implemented, four in process, and two not implemented.

Technology Services had 12 recommendations implemented, four in process, two recommendations not implemented, and no recommendations pending a follow-up by Audit Services.

Highlight from Last Year

There was no activity in 2022.

To Do

"In Process" recommendations are confidential.


Data Loss Prevention Technology Services

Report published October 29, 2018 | Follow-up report | Contact Elizabeth Pape

In 2018, we reported that the City’s steps to prevent data loss were relatively sound but needed to be strengthened. The purpose of the audit was to assess if the Bureau of Technology Services’ approach to data loss prevention was well-designed and implemented effectively. Testing centered on practices used by Human Resources and other bureaus and offices to manage and protect data they create and use in a variety of formats, including paper, electronic, and removable media. We kept the details of the report confidential because of the sensitivity of information about potential computer or system weaknesses, which is exempt in state law from public disclosure. Recommendations we found to be "in process" remain confidential. We made a total of 27 recommendations across bureaus. Three years later, most of them have been implemented, and the City’s Data Loss Prevention Program is stronger.

On this audit there were 12 recommendations implemented, four in process, and two not implemented.

A bar graph showing 12 recommendations have been implemented, four are in process, and two have not been implemented.

Not Implemented Recommendation Details

We recommended that the Bureau publish a System Development Lifecycle policy. The Bureau will not implement a uniform Systems Development Life Cycle program but reported that many of the components were in place. (Data Loss Prevention Technology Services)

We recommended the Bureau disable Universal Serial Bus (USB) ports and network jacks in public areas or only allow city devices to connect to the network. The Bureau said that it has evaluated the risks and will not disable the ports because they are allowed for use at the City. The Bureau said that port access will be a part of its Network Access Control project, which is expected to occur in Fiscal Year 2022-23. (Data Loss Prevention Technology Services)

In Process Recommendation Details

Confidential Recommendation (Data Loss Prevention Technology Services)

Confidential Recommendation (Data Loss Prevention Technology Services)

Confidential Recommendation (Data Loss Prevention Technology Services)

Confidential Recommendation (Data Loss Prevention Technology Services)

Implemented Recommendation Details

We recommended that the Bureau perform vulnerability scans consistently and completely. The Bureau provided us with a vulnerability scan schedule. (Data Loss Prevention Technology Services)

We recommended that the Bureau configure Windows servers and improve network device security. According to the Bureau, several privileged access processes, controls, procedures, and review processes have been adopted. (Data Loss Prevention Technology Services)

We recommended that the Bureau complete the backup of the financial information system at its data center. As of July 2019, all financial data is backed up at the secondary data center. (Data Loss Prevention Technology Services)

We recommended the Bureau update its incident response administrative rule and approve and test the Business Continuity of Operations Plan. The Bureau reported it now updates the plan quarterly and added a position that is assigned to oversee the plan. (Data Loss Prevention Technology Services)

We recommended that the Bureau configure security systems consistently. The Bureau reported it now regularly audits access controls and reviews security logs for the financial system. (Data Loss Prevention Technology Services)

We recommended that the Bureau regularly review user accounts to identify any with inappropriate permissions. The Bureau reported it removed stale accounts. (Data Loss Prevention Technology Services)

We recommended that the Bureau regularly review user access to the network to identify any with inappropriate permissions. The Bureau reported network access control and user account terminations have been reviewed and updated. (Data Loss Prevention Technology Services)

We recommended that the Bureau consistently implement data center access controls. The Bureau reported it relocated data centers and strengthened controls to the second highest level possible. (Data Loss Prevention Technology Services)

We recommended that the Bureau continue the development and implementation of security awareness training. All users are now required to complete an annual security awareness training. (Data Loss Prevention Technology Services)

We recommended the Bureau mask personally identifiable data when using it in testing and development environments. The Bureau reported all data is now scrubbed before use in the testing and development environment. (Data Loss Prevention Technology Services)

We recommended the Bureau ensure Human Resources-related issues were reported using the “trouble ticketing” system. The Bureau said all incidents are reported. (Data Loss Prevention Technology Services)

We recommended the Bureau develop a policy for removable media. The Bureau reported it developed a new policy, which it anticipates posting to the City’s website in September 2021. (Data Loss Prevention Technology Services)


Data Notes

At the end of every audit report, we issue a series of recommendations intended to make programs work even better. This report includes the status of Bureau recommendations since 2018, which was the beginning of our new follow-up process. We prepared it with a few audiences in mind:

  • City Council can use it to identify bureaus that may need additional resources or support in order to implement recommendations.
  • Bureau directors can use it to assess bureau performance and to determine if any changes in policy or procedure are necessary.
  • Bureau management and staff can use it to track recommendation status across audits to develop work plans and priorities.
  • The general public can use it to monitor the status of recommendations related to topics of interest and to compare performance across bureaus.

This report includes recommendation status as of December 31, 2022.


Translated reports

Most reports are available in four languages: Spanish, Vietnamese, Chinese, and Russian. We are translating new reports as they’re released, but older reports may not be available in a language other than English. If you would like to request a translated version of a report, please contact KC Jones.

