FINAL REPORT
City of Glendale
TECHNOLOGY GOVERNANCE PROGRAM EVALUATION REPORT
June 9, 2021
Moss Adams LLP
999 Third Avenue, Suite 2800
Seattle, WA 98104
Technology Governance Program Evaluation Report
FOR INTERNAL USE OF THE CITY OF GLENDALE ONLY
Table of Contents
Executive Summary
  A. Objectives
  B. Conclusions
Detailed Report
  A. Introduction
  B. Background
  C. Objectives
  D. Scope and Methodology
Findings and Recommendations
Process Improvement Opportunities
Appendix A: Definitions of Audit Findings Rankings
EXECUTIVE SUMMARY
Moss Adams LLP (Moss Adams) was contracted by the City of Glendale (the City) to evaluate the
performance of the Technology Governance Program. We utilized a combination of interviews,
document reviews, and testing to determine the effectiveness of the program.
We reviewed the 22 policies and procedures that comprise the existing Technology Governance
Program. The objective of this portion of our review was to establish whether appropriate policies
and procedures were in place and whether they were complete and relevant to the City's technology
management structure. We then sought to determine ownership of these documents and whether
each document owner performed an annual review and updated the policies and procedures
accordingly. We also reviewed the City's oversight of technology initiatives to confirm that the
processes in place were appropriate and that procedures existed to centralize the purchasing of
technology.
This engagement was performed in accordance with the Standards for Consulting Services
established by the American Institute of Certified Public Accountants. Accordingly, we provide no
opinion, attestation, or other form of assurance with respect to our work or the information upon
which our work is based. This engagement was also performed with guidance issued by the Institute
of Internal Auditors' (IIA) International Professional Practices Framework (IPPF). This report was
developed based on information gained from our interviews and analysis of sample documentation.
The procedures we performed do not constitute an examination in accordance with generally
accepted auditing standards or attestation standards.
Our objectives for this internal audit were related to the City's information security systems.
Specifically, the internal audit focused on:
• Assessing the City's Information Systems Governance framework to determine whether the
process of acquiring, scoping, and implementing IS projects is efficient and effective.
• Reviewing the Information Systems Governance structure to ensure it is robust in minimizing
risks.
• Reviewing the long- and short-term vision of technology for currency and completeness.
• Assessing whether departments are following select requirements of the IT Governance structure.
The procedures and testing performed identified two areas that require improvement. These are
highlighted below:

1. Timely Review of Information Security and Technology Policies – Moderate Risk
Finding: The City has not recently reviewed or updated information security and technology
policies.
Recommendation: We recommend that the Innovation and Technology Department review the
information security and technology policies at least annually in order to stay current with the rapid
changes in information technology and security threats.

2. Approval of Information Security Policies and Procedures – Low Risk
Finding: The City's information security policies do not identify the City Manager's or
management's approval.
Recommendation: We recommend that the Chief Information Officer, or a designate, ensure all
information security policies are presented to management and the City Manager for approval after
every update or review, at least on an annual basis, and that this review and approval be sufficiently
documented.
Although the focus of this internal audit was to identify opportunities for improvement, it is important to
note areas of commendable operations. The City should be commended for the following
accomplishment:
• Policies and Procedures Implementation: The City’s documentation and implementation of
technology and information security policies are highly commendable. The City noted and
addressed key risks in terms of vulnerabilities and threats in the various policies we reviewed.
We would like to thank the City's Innovation and Technology Department staff and management for
their open and direct communications while assisting us with our review.
DETAILED REPORT
Moss Adams was contracted by the City to perform an internal audit of the City's Technology
Governance function, which is assigned to the Innovation and Technology Department. This internal
audit was performed as part of the Fiscal Year (FY) 2020-2021 Annual Audit Plan developed by the
City's Independent Internal Audit Program (IIAP). Our internal audit was performed between January
and March 2021 and was limited in scope to technology governance.
The City’s Innovation and Technology Department is responsible for technology governance, which
includes the information security systems function.
In general terms, technology governance speaks to accountability or who is responsible for what
function. This includes the establishment of necessary policies, procedures, and processes that need
to align with the short- and long-term goals of the City.
The goal of technology governance is to make sure that all information resources and investments
support the City’s goals effectively and efficiently. Technology governance needs to be led, not just
supported, by executive leadership.
The City has established the IT Steering Committee to evaluate procedures and make
recommendations to the City Manager regarding technology resources. The IT Steering Committee
receives requests from City departments and makes recommendations based on alignment with the
City's needs. A key component of an effective technology governance function is proper management
and oversight of critical data and proper evaluation of ongoing information technology acquisition and
management. The City has established a program to protect City information resources outside of
those managed within the Police Department and Utility Divisions.
Our objectives for this internal audit were related to the City’s information security systems.
Specifically, the internal audit focused on:
• Assessing the City’s Information Systems Governance framework to determine whether the
process of acquiring, scoping, and implementing information security projects is efficient and
effective.
• Reviewing the Information Systems governance structure to ensure it is robust in minimizing
risks.
• Reviewing the long- and short-term vision of technology for currency and completeness.
• Assessing whether departments are following select requirements of the IT governance structure.
In order to obtain an understanding of the specific processes and overall information technology
governance of the City, we conducted interviews with personnel in the City’s Innovation and
Technology Department who have designated responsibilities related to creating information security
policies, drafting and maintaining the information technology vision of the City, securing the City’s
data, and ensuring the confidentiality, integrity, and availability of the City’s assets. We performed the
following detailed testing procedures:
• Policies and Procedures: We obtained and reviewed various information technology policies
and procedures for adequacy, internal controls, and best practices. We also performed the
following testing on the documents:
○ Reviewed the implementation and ongoing management of the technology governance
program, including:
− Delegation of program responsibilities
− Risk assessment practices
− Safeguard controls testing
− Employee training
− Board reporting
○ Control testing:
− Tested for annual/ongoing City Manager approval of the program
− Tested to confirm assignment of an Information Security Officer
− Tested for required elements within the written program against NIST SP 800-53 guidelines
− Tested for required elements within the IT Risk Assessment
− Tested for control elements in the policies concerning IT controls
− Tested for information security training of employees and directors
− Tested for new hire background checks
− Tested procedures for the handling of sensitive information
− Tested for required elements of annual reporting to the City Manager
• Technology Governance: To assess whether City management has sufficient controls over the
City’s infrastructure and assets, we performed the following testing through document reviews
and interviews conducted with control owners:
○ Reviewed the IT risk management process
○ Evaluated IT planning and budgeting
○ Evaluated management succession planning
○ Reviewed controls in areas where IT risks can potentially impact operations, including:
− Information security
− IT review
− Insurance
− Compliance with regulations
○ Reviewed the adequacy of communication of policies to City employees and requirement for
acknowledgement of the Acceptable Use Policy
○ Control testing:
− Tested to confirm the existence of an IT Steering Committee or equivalent
− Tested for succession planning
− Tested for strategic plan adequacy
○ Reviewed policies and procedures for establishing and monitoring relationships with vendors
and service providers
○ Confirmed that the Innovation and Technology Department conducts appropriate due diligence
of key service providers
• Change Management Controls and Segregation of Duties: We obtained and reviewed the
City’s various change management documentation including user access changes and evidence
of segregation of duties. We performed the following operations during our testing:
○ Reviewed evidence and documentation for segregation of duties between various IT data
processing operations, functions, and users
○ Evaluated system security and management’s review process
○ Reviewed standard IT operating procedures
○ Reviewed system maintenance procedures
○ Reviewed the City's procedures for systems maintenance around the following:
− Planned system changes
− Updates
− Patches
− Upgrades
FINDINGS AND RECOMMENDATIONS
1. Finding: The City has not recently reviewed or updated information security and technology
policies.
Recommendation: We recommend that the Innovation and Technology Department review the
information security and technology policies at least annually in order to stay current with the rapid
changes in information security threats.
Condition: Based on our interviews with City employees and our review of policy documents, we
noted information security and technology policies have not been reviewed recently, with some
policies’ last review dating back as far as 2017. We noted specifically that the Information Security
Governance Policy requires an annual review be performed by the Information Security Engineer and
be presented to the City’s Chief Information Officer for approval.
Criteria: Technology governance best practice requires management to review and update policies
periodically, and the City’s Information Security Governance Policy requires it to be updated annually
at a minimum. Keeping up with the pace of change in the information technology and security industry
should be a priority for the City. Given the staggering pace at which vulnerabilities and threats evolve,
policies and procedures must reflect the current technology landscape and align with these changes.
Cause: Outside of the annual review requirement for the Information Security Governance Policy, the
City has no specific requirement to review other information security and technology policies on a
regular basis. We understand the Innovation and Technology Department began periodically
reviewing policies in 2017 and that policy reviews could not be completed in 2020 because of the
COVID-19 pandemic and because the City does not currently have an Information Security Engineer
or other designated individual to review the policies.
Effect: Outdated policies can leave the City at risk and may fail to comply with new laws and
regulations. They also may not address new systems or technology, which can result in inconsistent
practices or governance program gaps. Without regular reviews, the City’s policies and procedures
may not be current with regulations, technology, and industry best practices. They may also lack
consistency and be less effective.
Recommendations:
• The City should review policies at least annually as part of the technology governance process.
• Updated information security and technology policies should be communicated to City employees
and incorporated in employee training programs.
Management Response:
Management Agreement: Concur
Owner: Arlene Chemello, Deputy CIO
Target Completion Date: February 2022
Action Plan: Management agrees with the recommendation. As part of the security assessment initiative
next fiscal year, Innovation & Technology will update information technology policies. The target completion
date is February 2022. Following this update, management will establish an annual cadence of policy review
and City Manager approval.
2. Finding: The City's information technology policies do not identify the City Manager's or
management's approval.
Recommendation: We recommend that the Chief Information Officer, or a designate, ensure all
information security policies are presented to the City Manager for approval after every update or
review, at least on an annual basis, and that this review and approval be sufficiently documented.
Condition: Based on our interviews and detailed review, we determined that the Information Security
Officer is in charge of maintaining and updating information security policies and that these policies
are presented to the City Manager when created and when significant changes are made. However,
there is no documentation to evidence the City Manager’s approval.
Criteria: Technology governance best practices require that at least annually the information security
policies should be reviewed and approved by the City Manager.
Cause: Presently, there are no established policies or procedures that require the City Manager’s
approval of the information technology policies.
Effect: Failing to document City Manager approval of the information technology policies can create
legal risk to the City. Well-structured, up-to-date information security policies can be a first line of
defense against threats, human error, or a regulatory violation or investigation.
Recommendation: The City should ensure that the information technology policies are presented to
the City Manager for approval at least annually and that this review and approval be sufficiently
documented.
Management Response:
Management Agreement: Concur
Owner: Arlene Chemello, Deputy CIO
Target Completion Date: February 2022
Action Plan: Management agrees with the recommendation. As part of the security assessment initiative next
fiscal year, Innovation & Technology will update information technology policies and present them to the City
Manager for review and approval. The target completion date is February 2022. Following this update,
management will establish an annual cadence of policy review and City Manager approval.
PROCESS IMPROVEMENT OPPORTUNITIES
Moss Adams identified opportunities for process improvements as a result of this internal audit. The
table below summarizes these recommendations:
1. Category: City Information Security Risk Register
Process Improvement Recommendation: The City currently does not have an Information Technology
risk register in place. An IT risk register will help the City identify security risks and assess the threat
they pose. The primary objective of an IT risk register is to identify and mitigate risks in order to
prevent security incidents and control failures that could compromise City systems, applications, and
data. Having this in place will help the City to understand its risk profile, identify and remediate
security vulnerabilities, and mitigate the costs of compliance with legal and regulatory requirements
where necessary.
We recommend the Innovation and Technology Department perform an assessment to identify all
foreseeable IT and cybersecurity risks and document them in a register that allows for improved
awareness and management of those risks.
APPENDIX A: DEFINITIONS OF AUDIT FINDINGS RANKINGS
We utilized the City's Independent Internal Audit Program risk rankings, presented below, and
assigned rankings based on our professional judgment. A qualitative assessment of high, moderate,
or low helps to prioritize implementation of corrective action, as shown in the following table.
HIGH
Critical control deficiencies that expose the City to a high degree of combined risks.
Recommendations from high-risk findings should be implemented immediately
(preferably within three months) to address areas with the most significant impact or
highest likelihood of loss, misappropriation, or damage related to City assets.
MODERATE
Represents less than critical deficiencies that expose the City to a moderate degree of
combined risks. Recommendations arising from moderate-risk findings should be
implemented in a timely manner (preferably within six months) to address moderate
risks and strengthen or enhance efficiency in internal controls in areas with moderate
impact and likelihood of exposure.
LOW
Represents low-risk control deficiencies whose exposure is not likely to subject the
City and its assets to significant losses. However, they should be addressed in order to
improve efficiency and effectiveness of operations. Recommendations arising from
low-risk findings should be implemented within 12 months.