City Auditor's Office Memorandum
Date: May 4, 2018
To: Kevin R. Phelps, City Manager
From: Candace MacLeod, City Auditor
Subject: Audit Follow-up: IT General Controls
In December 2016, the City Auditor's Office completed an information technology (IT) general controls review, in conjunction with a third-party consultant, MyPFBS, LLC. The purpose of the audit was to assess the controls present in the environment within and surrounding the information systems at the City of Glendale (City). The audit included 17 recommendations to strengthen controls. Management concurred with all the recommendations and estimated that action plans to address them would be developed by December 31, 2017.

In March 2018, an audit follow-up was performed. Out of the 17 recommendations, four remain open with an estimated completion date of June 30, 2019. The open items include:

Innovation and Technology:
• Updating and testing the disaster recovery plan, at least annually, after the implementation of SimpliCity.
• Ensuring access to IT equipment is based on job requirements and routinely monitored.
• Working with Facilities Management to ensure IT equipment is adequately secured, protected from environmental hazards, and appropriate fire suppression exists.

City Manager's Office:
• Implementing an organization-wide security awareness training program.

Please contact me if you have any questions.
Attachment
cc: Michael D. Bailey, City Attorney
Jim Burke, Director of Public Facilities, Recreation and Special Events
Lisette Camacho, Assistant Director of Budget and Finance
Tom Duensing, Assistant City Manager
Jack Friedline, Assistant City Manager
Craig Johnson, Director of Water Services
Chuck Murphy, Director of Innovation and Technology
Vicki Rios, Director of Budget and Finance
Rick St. John, Police Chief
Michelle Woytenko, Director of Field Operations
City Auditor's Office 1 IT General Controls Follow-up
Columns: Recommendation | Management Response, December 2016 | Management Response, March 2018 | Status

1.1 Innovation and Technology (IT) should update and test the disaster recovery (DR) plan on an ongoing basis, at least annually.
Management Response, December 2016: IT is in the process of completing documentation and testing the DR plan. Target DR testing to be completed by mid-April 2017. IT will implement DR testing on an annual basis.
Management Response, March 2018: IT has decided to take another direction with DR due to the ongoing implementation of [illegible] significant impact on how DR will be approached moving forward. We are now focusing on how DR will be implemented post SimpliCity go-live. We are looking at June 30th, 2019 for a true DR test.
Status: Open

2.1 The City Manager's Office (CMO) should establish authority for IT to enforce the City's equipment and device standards with the ability to prevent non-standard or unauthorized equipment or devices from utilizing the City's networks and infrastructure, especially if it is deemed to present security risks above the determined risk tolerance level.
Management Response, December 2016: The CMO will work with IT to assess and establish authority to enforce the City's equipment and device standards with the ability to prevent non-standard or unauthorized equipment or devices from utilizing the City's networks and infrastructure by April 30, 2017.
Management Response, March 2018: The CMO has approved a modification of the Technology Replacement Fund (TRF) procedure requiring all technology acquisitions to be approved through IT in accordance with the TRF procedure. The following process was added to the TRF Procedure document: "All software, computer, network or data related equipment shall require IT approval prior to acquisition, regardless of the funding source. IT approval is essential to ensure security, interoperability and maintenance requirements are met. A list of standard equipment is maintained and updated by IT. Any deviations from the standard equipment list must have a documented business need and cannot be justified solely on cost."
Status: Closed

2.2 IT should develop risk evaluation criteria for assessing non-standard equipment and devices, allowing IT to make an informed decision about whether to allow or deny the use of the equipment by documenting the request, risk assessment and outcome.
Management Response, December 2016: IT implemented best-practices security measures in calendar year Q4 2016 (to include unused network LAN port shut-down). IT will also determine risk evaluation for any non-standard equipment based on several factors to include our current standards and security related impact on our environment. This will go into effect once the City Manager's policy is implemented from recommendation 2.1 noted above.
Management Response, March 2018: All technology decisions now include a mandatory approval by IT. IT will determine risk evaluation for any non-standard equipment based on several factors to include our current standards and security related impact on our environment.
Status: Closed

3.1 IT should develop a policy addressing physical access and environmental controls for City locations storing IT equipment.
Management Response, December 2016: IT will create a policy for addressing physical access for City locations that house IT equipment.
Management Response, March 2018: IT created a Physical Security policy. It was updated on May 17, 2017.
Status: Closed

3.2 IT should ensure access to IT equipment is based on job requirements and routinely monitored.
Management Response, December 2016: IT currently has no physical control over who has access to shared closets within each facility. But this is going to be addressed by 3.3 below.
Management Response, March 2018: Facilities Management plans to start the process on May 7, 2018, and expects to be done with this phase of the work by June 30, 2018.
Status: Open

3.3 IT should work with Public Works and other City departments to ensure IT equipment is adequately secured, protected from environmental hazards and appropriate fire suppression exists at sites where IT assets are located, as applicable.
Management Response, December 2016: IT met with and will be working directly with Facilities Management on a project to install a new City-wide key control system that will be more restrictive and give Facilities Management and IT the ability to track individuals who access the IT and electrical closets.
Management Response, March 2018: Facilities Management plans to start the process on May 7, 2018 and expects to be done with this phase of the work by June 30, 2018.
Status: Open

3.4 Police should address any potential fire hazards immediately to ensure that IT equipment is not damaged.
Management Response, December 2016: Police Department employees will remove potential hazards from areas where IT equipment is stored by March 31, 2017.
Management Response, March 2018: In January 2017, potential hazards were removed from areas where IT equipment is stored.
Status: Closed

3.5 Water Services should restrict access to the [...] based on job function and ensure the code is changed periodically, including when an employee with the code terminates employment.
Management Response, December 2016: Corrective action was taken by February 20, 2017.
Management Response, March 2018: Security and Water Services IT reviewed access and has limited staff to only those who need to access this area of the facility for City business.
Status: Closed

4.1 IT should ensure all IT equipment with storage media is sanitized prior to disposal and the process, including the chain of custody, is documented.
Management Response, December 2016: IT Staff has been reinstructed on all policies and documented procedures.
Management Response, March 2018: The Data Sanitizing and Media Disposal Policy and Data Sanitizing and Media Disposal Procedure have been updated and training has been completed to address 4.1, 4.2, and 4.3.
Status: Closed

4.2 IT should update IT equipment sanitization and disposal policies and procedures and train staff.
Management Response, December 2016: As stated during the audit, IT is in the process of updating policies and procedures. The current policy in question does exist but was inadvertently placed in a directory not available to the auditor. The policy exists and addresses third party sanitation.
Management Response, March 2018: The Data Sanitizing and Media Disposal Policy and Data Sanitizing and Media Disposal Procedure have been updated and training has been completed to address 4.1, 4.2, and 4.3.
Status: Closed

4.3 IT should enhance controls to ensure disposal forms are completed in accordance with IT policies and procedures.
Management Response, December 2016: IT has updated its disposal forms and now includes a signature box for both the Service Desk Supervisor and IT Manager to ensure the forms are completed per procedure. The new forms also allow for more text space to document why equipment may be removed from the disposal list. IT staff has also been retrained on the proper disposal procedures.
Management Response, March 2018: The Data Sanitizing and Media Disposal Policy and Data Sanitizing and Media Disposal Procedure have been updated and training has been completed to address 4.1, 4.2, and 4.3.
Status: Closed

4.4 Public Facilities, Recreation and Special Events should retain copies of disposal forms in accordance with the records retention schedule.
Management Response, December 2016: Public Facilities, Recreation and Special Events will retain copies of disposal forms in accordance with the records retention schedule, effective immediately.
Management Response, March 2018: The Public Facilities, Recreation and Special Events Department has not disposed of equipment during this timeframe, but does have disposal forms and will retain copies when/if equipment is disposed.
Status: Closed

5.1 IT should develop controls to ensure the TRF inventory listing is accurate, complete and updated in a timely manner.
Management Response, December 2016: IT has implemented a new software program (Manage Engine) that automatically registers and inventories equipment placed into service. This, coupled with the existing inventory system, should be sufficient to track inventory. It is estimated that IT policies and procedures will be updated to reflect these changes by July 1, 2017.
Management Response, March 2018: The TRF Procedure and training have been completed.
Status: Closed

6.1 IT should monitor application, database and server logs for changes and continue to retain documentation to confirm compliance with change management procedures.
Management Response, December 2016: The change control process does create a record of all requested changes, including database changes and implementation status which we believe is a sufficient control.
Management Response, March 2018: The change control process does create a record of all requested changes, including database changes and implementation status which we believe is a sufficient control.
Status: Closed

7.1 IT should review and update existing IT policies and procedures in accordance with professional frameworks, including NIST, and train staff.
Management Response, December 2016: IT has been in the process of updating all policies and procedures documentation.
Management Response, March 2018: All applicable policies, procedures and training have been completed.
Status: Closed

7.2 IT should develop a policy that outlines the process of reviewing and updating the policy library, time frame intervals and procedures for adding or discontinuing a policy.
Management Response, December 2016: IT holds regular meetings to review and update IT policies.
Management Response, March 2018: IT holds regular meetings to review and update IT policies.
Status: Closed

8.1 The CMO should work in conjunction with City departments to implement an ongoing organizational wide security awareness training program appropriate to the employee's role, including third-party providers.
Management Response, December 2016: The CMO will work with City departments to implement an organizational wide security awareness training program by December 31, 2017.
Management Response, March 2018: IT has drafted an Information Security Governance Policy and a Cyber Security Policy which have been submitted to HR to be considered by the Personnel Committee on March 29, 2018. The CMO is currently working with HR, Finance and IT to organize a City-wide approach to security awareness. Related to this, the CMO will endeavor to implement a Cyber Security Training program by June 30, 2018 with applicable employees trained by September 30, 2018.
Status: Open