FINAL REPORT

City of Glendale
INFORMATION SYSTEMS SECURITY REPORT
June 9, 2021

Moss Adams LLP
999 Third Avenue, Suite 2800
Seattle, WA 98104

Information Systems Security Report
FOR INTERNAL USE OF THE CITY OF GLENDALE ONLY

Table of Contents

Executive Summary
  A. Objectives
  B. Conclusions
Detailed Report
  A. Introduction
  B. Background
  C. Objectives
  D. Scope and Methodology
Findings and Recommendations
Appendix A: Definitions of Audit Findings Rankings

EXECUTIVE SUMMARY

Moss Adams LLP (Moss Adams) was contracted by the City of Glendale (the City) to evaluate the performance of the Information Security Systems program. We utilized a combination of interviews, document reviews, and testing to determine the effectiveness of the program. The objective of this review was to establish whether the City had adequate information security safeguards in place to protect the critical systems and data managed by the City’s Innovation and Technology Department.

This engagement was performed in accordance with Standards for Consulting Services established by the American Institute of Certified Public Accountants. Accordingly, we provide no opinion, attestation, or other form of assurance with respect to our work or the information upon which our work is based. This engagement was also performed with guidance issued by the Institute of Internal Auditors’ (IIA) International Professional Practices Framework (IPPF). This report was developed based on information gained from our interviews and analysis of sample documentation. The procedures we performed do not constitute an examination in accordance with generally accepted auditing standards or attestation standards.

Our objectives for this internal audit were related to the City’s information security systems. Specifically, the internal audit focused on:

• Assessing the City’s user access levels and permissions and determining whether they provide assurance on the confidentiality, integrity, and availability of the City’s assets
• Reviewing the information security system architecture to ensure it is robust and minimizes risks
• Testing which defined roles have the ability to approve and grant access
• Reviewing long- and short-term visions of Information Security

The procedures and testing performed identified one area that requires improvement, which is highlighted below:

Mobile Device Management on the City’s Network – Low Risk

1. Finding
The Police Department’s and Fire Department’s mobile devices currently connect to a third-party network that is outside of the City’s network, and the Innovation and Technology Department is not able to implement security controls consistent with best practices.

Recommendation
We recommend the Innovation and Technology Department expedite the completion of the Mobile Device Management system currently being implemented in collaboration with the Police and Fire Departments.

Although the focus of this internal audit was to identify opportunities for improvement, it is important to note the areas of commendable operations. The City should be commended for the following accomplishments:

• Adoption of a Recognized Information Security Framework (NIST): This framework can help an organization to better understand, manage, and reduce its cybersecurity risks. It also provides a common language to address cybersecurity risk management, and it is especially helpful in communicating inside and outside the organization. This includes improving communications, awareness, and understanding among City departments.
• Role Based Access Control (RBAC): The use of RBAC in combination with automation for the management of user access control is an under-utilized mechanism for ensuring timely removal of user access. The City uses RBAC along with automation to ensure timely removal of user access.

We would like to thank the City’s Innovation and Technology Department staff and management for their open and direct communications while assisting us with our review.

DETAILED REPORT

A. Introduction
Moss Adams was contracted by the City to perform an internal audit over the City’s information security function, which is assigned to the Innovation and Technology Department. This internal audit was performed as part of the Fiscal Year (FY) 2020 Annual Audit Plan developed by the City’s Independent Internal Audit Program (IIAP). Our internal audit was performed between January and March 2021. This internal audit was limited in scope to information security systems.

B. Background
The City’s Innovation and Technology Department is responsible for the management of information security systems. In general terms, information security is the protection against the unauthorized use of information, especially electronic data, or the measures taken to achieve this. A key component of an effective information security function is proper management and oversight of critical data and proper evaluation of ongoing information technology acquisition and management. The City has established a program to protect City information resources, except those managed within the Police Department and Utility Divisions.

C. Objectives
Our objectives for this internal audit were related to the City’s information security systems. Specifically, the internal audit focused on:

• Assessing the City’s user access levels and permissions and determining whether they provide assurance on the confidentiality, integrity, and availability of the City’s assets
• Reviewing the information security system architecture to ensure it is robust and minimizes risks
• Testing which defined roles have the ability to approve and grant access
• Reviewing long- and short-term visions of Information Security

D. Scope and Methodology
In order to obtain an understanding of the specific processes and overall information security system functions, we conducted interviews with personnel in the City’s Innovation and Technology Department who have designated responsibilities related to creating information security policies, drafting and maintaining the information technology vision of the City, securing the City’s data, and ensuring the confidentiality, integrity, and availability of the City’s assets.

We performed the following detailed review activities and testing for the following areas:

• Policies and Procedures: We obtained and reviewed information security policies and procedures for adequacy, internal controls, and best practices. We also performed the following testing on the documents:
  ○ Reviewed the implementation and ongoing management of the information security program, including:
    − Delegation of program responsibilities
    − Risk assessment practices
    − Safeguard controls testing
    − Employee training
    − Board reporting
• Security and Access Control: We assessed whether City employees and contractors, where relevant, receive appropriate awareness education, training, and regular updates in organizational policies and procedures, as relevant for their job function. We also assessed the information security responsibilities and duties for the removal of access for every terminated employee or change of employment.
We performed the following detailed review activities and testing procedures:
  ○ Reviewed operational security, including physical and environmental controls
  ○ Reviewed appropriateness of electronic access by employees, contractors, and service providers to applicable systems
  ○ Ensured data encryption mechanisms have been implemented as necessary
  ○ Reviewed user password administration
  ○ Assessed the City’s information security policies and procedures
  ○ Reviewed network management responsibilities
  ○ Evaluated anti-virus controls and systems used for firewall, intrusion detection, and vulnerability assessment
  ○ Reviewed mobile device management
  ○ Control testing:
    − Tested user accounts for access to Active Directory and verified key elements
    − Tested password parameters for Active Directory for compliance with the information security standard
  ○ Evaluated security controls for remote and virtual working environments

FINDINGS AND RECOMMENDATIONS

1. Finding
The Police Department’s and Fire Department’s mobile devices currently connect to a third-party network that is outside of the City’s network.

Recommendation
We recommend the Innovation & Technology Department expedite the completion of the Mobile Device Management system currently being implemented in collaboration with the Police and Fire Departments.

Condition: In assessing the City’s mobile device security, and based on interviews performed, we found that the City provides mobile devices to Fire Department and Police Department employees in order to access citizens’ bio data, government records, health records, etc., when the need arises. However, these devices connect directly to a third-party system in order to access the data, and the Innovation and Technology Department does not have the ability to manage these mobile devices.

Criteria: Security standard best practices for access management controls require that all mobile devices be administered with a Mobile Device Management solution, which provides capabilities such as better application control, device tracking, and remote device erase capability.

Cause: In the absence of an implemented Mobile Device Management solution, the Innovation and Technology Department does not have the ability or access to manage security controls on the Fire Department’s and Police Department’s device connections.

Effect: A compromised mobile device may allow unauthorized remote access to sensitive on-premises City data or any other data that a City employee has entrusted to their mobile device.

Recommendations: We recommend Innovation & Technology expedite the completion of the Mobile Device Management system currently being implemented in collaboration with the Police and Fire Departments.

Management Response:
  Management Agreement: Concur
  Owner: Arlene Chemello, Deputy CIO
  Target Completion Date: October 2021

Action Plan: Management agrees with the recommendation. Innovation & Technology, in collaboration with the Police and Fire departments, is in the process of implementing a Mobile Device Management solution. The targeted completion date is October 2021.

APPENDIX A: DEFINITIONS OF AUDIT FINDINGS RANKINGS

We utilized the City’s Independent Internal Audit Program risk rankings, presented below, and assigned rankings based on our professional judgment. A qualitative assessment of high, moderate, or low helps to prioritize implementation of corrective action, as shown in the following table.

HIGH: Critical control deficiencies that expose the City to a high degree of combined risks. Recommendations from high-risk findings should be implemented immediately (preferably within three months) to address areas with the most significant impact or highest likelihood of loss, misappropriation, or damage related to City assets.

MODERATE: Represents less than critical deficiencies that expose the City to a moderate degree of combined risks. Recommendations arising from moderate-risk findings should be implemented in a timely manner (preferably within six months) to address moderate risks and strengthen or enhance efficiency in internal controls in areas with moderate impact and likelihood of exposure.

LOW: Represents low-risk or control deficiencies where the exposure is not likely to expose the City and its assets to significant losses. However, they should be addressed in order to improve the efficiency and effectiveness of operations. Recommendations arising from low-risk findings should be implemented within 12 months.