City of Glendale
Internal Audit Report: Third-Party Risk Management
Date: March 21, 2023

Securance Consulting . CONFIDENTIAL
Provided for: City of Glendale

VERSION MANAGEMENT

VERSION   DATE APPROVED     APPROVED BY   DESCRIPTION
1.0.0     March 21, 2023    Securance     Initial Draft
1.1.0     March 31, 2023    Securance     Client Edits
1.2.0     April 1, 2023     Securance     Final Version
Final     May 22, 2023      Securance     Management’s Responses

This report is intended solely for the management of the City of Glendale for its internal use and is not intended to, nor may, be relied upon by any other party (“Third Party”). Neither this deliverable nor its contents may be distributed to, discussed with, or otherwise disclosed to any Third Party without the prior written permission of Securance Consulting. Securance Consulting accepts no liability or responsibility to any Third Party that gains access to this report. © 2023 Securance LLC.

TABLE OF CONTENTS

SECTION I: EXECUTIVE SUMMARY
  Introduction and Scope ........ 4
  Finding Legend ................ 5
  Summary of Findings ........... 6
  Conclusion .................... 6
SECTION II: THIRD-PARTY RISK MANAGEMENT AUDIT REPORT
  Background .................... 7
  Specific Objectives and Detailed Scope ... 7
  Approach and Methodology ...... 7
  Findings and Recommendations .. 8
SECTION III: SECURANCE VALUE
  Securance Value ............... 12

SECTION I: EXECUTIVE SUMMARY

INTRODUCTION AND SCOPE

The City of Glendale (Glendale) is a vibrant and welcoming metropolitan city with approximately 250,000 residents and nearly 2,000 employees working together to make it the community of choice. Glendale prides itself on unmatched customer service and quality of life, both of which are supported by diverse technologies and applications that must remain secure and available.

In March 2023, Glendale contracted Securance to assess its third-party risk management practices (vendor risk management, or VRM). The objective of the engagement was to assess third-party risk management security and controls. The scope was limited to detailed reviews of Glendale’s third-party risk management policies, practices, and administration.

To perform the assessment, we applied our proven methodologies and an approach tailored to Glendale’s IT environment. We compared all findings to industry standards and our internal risk management knowledgebase.

FINDING LEGEND

Urgent-Risk (Level 5) – Immediate remediation required. Note: If the finding is a technical vulnerability, it provides remote intruders with remote root or administrator capabilities.

Critical-Risk (Level 4) – Immediate action recommended, with remediation as soon as possible. Note: If the finding is a technical vulnerability, it provides intruders with remote user capabilities, but not remote administrator or root capabilities.

High-Risk (Level 3) – Immediate action recommended, with remediation within 90 days. Note: If the finding is a technical vulnerability, it gives attackers access to specific information stored on the host, including security settings. Vulnerabilities at this level could result in misuse of the host by intruders.

Medium-Risk (Level 2) – Action recommended, with remediation within 180 days. Note: If the finding is a technical vulnerability, it may expose sensitive information from the host, such as precise versions of services. With this information, attackers could research potential attacks to try against the host.

Low-Risk/Informational (Level 1) – Effective control. No immediate changes recommended. Opportunity for slight improvement.

Advisory Comment – Action suggested at the discretion of management.

Note: Remediation timeframes are based on best practices and Securance’s experience.

SUMMARY OF FINDINGS

The following section summarizes our findings from the third-party risk management assessment. Risk-level columns follow the order of the Finding Legend above.

NO.  FINDING TITLE                    Urgent  Critical  High  Medium  Low/Info  Advisory
1    Vendor Risk Management (VRM)                       ✔
     Total Findings:                  0       0         1     0       0         0

No. 1: Vendor Risk Management (VRM) – We found that Glendale’s VRM is immature and lacks critical components, including a formal policy and procedures related to onboarding, monitoring, and offboarding; a cybersecurity questionnaire; and a vendor risk scoring methodology.

CONCLUSION

Based on our assessment, our knowledge of Glendale’s VRM program, and our cybersecurity consulting experience, we believe that opportunities exist to improve Glendale’s third-party risk management policies and practices. The remainder of this report provides a detailed analysis of our approach, methodology, and observations.

SECTION II: THIRD-PARTY RISK MANAGEMENT AUDIT REPORT

BACKGROUND

The City of Glendale (Glendale) is a vibrant and welcoming metropolitan city with approximately 250,000 residents and nearly 2,000 employees working together to make it the community of choice. Glendale prides itself on unmatched customer service and quality of life, both of which are supported by diverse technologies and applications that must remain secure and available. In March 2023, Glendale contracted Securance to assess its third-party risk management practices (vendor risk management, or VRM).

SPECIFIC OBJECTIVES AND SCOPE

The objective of the engagement was to assess third-party risk management security and controls. The scope was limited to detailed reviews of Glendale’s third-party risk management policies, practices, and administration.

APPROACH AND METHODOLOGY

Our assessment followed our proven methodology and included the following tasks:
• Review of governance documents.
• Interviews with IT personnel.
• Review of collected evidence.

FINDINGS AND RECOMMENDATIONS

The following recommendations are based on our assessment and are intended to improve Glendale’s third-party risk management practices.

No. 1: Vendor Risk Management (VRM)

VRM is the process of ensuring that the use of service providers and information technology (IT) suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance. VRM programs often include a technology to help an organization assess, monitor, and manage risks introduced by third parties that provide IT products and services, or that have access to enterprise information. The VRM lifecycle, depicted in the diagram below, can be summarized as follows:
• A vendor management framework should provide governance, guidance, tools, and training to the staff charged with implementing the program.
• The organization should manage vendor risk by executing operational tasks, including risk analysis and due diligence before vendor selection, contract management, onboarding of the technologies and services under contract, monitoring of compliance with service level agreements, and offboarding of technologies and services.

In assessing Glendale’s third-party risk management program, we made inquiries and requested documentation to support each of the critical components of the VRM process. We requested the following documents:
• VRM policies and procedures.
• IT steering committee (i.e., Technology Governance Committee) charter and meeting minutes.
• Vendor requirements checklist(s) and/or questionnaire(s).
• Overview of the technology supporting the VRM program.
• Evidence of the use of a vendor risk scoring methodology.
• A sample of IT vendor contracts for review.
• Evidence of ongoing monitoring of vendors.
• Evidence of onboarding/offboarding procedures.
• For a sample of six IT vendors, copies of the following documents:
  o Technology Governance Committee Review form – 2 of 6 provided.
  o Cybersecurity Software Review spreadsheet – 5 of 6 provided.
  o Executed contract – 5 of 6 provided; 1 technology not yet procured.

We received and reviewed the following documents:
• Technology Governance Committee Charter – a document that outlines the specific purpose, authority, and procedures of the committee.
• Technology Governance Committee Request Review form – a collection of project information, including cost, complexity, and resource requirements.
• Technical Requirements spreadsheet (e.g., Cybersecurity Software Review Checklist) – a document providing insight into the technical requirements of a third-party technology under consideration. We noted that this document does not contain cybersecurity-related items; as such, we do not consider it an effective cybersecurity checklist.
• Procurement Sole Source and Special Procurement Request form – a form for documenting sole source and special procurements.
• Sample selection results – except for the Technology Governance Committee Review form, all other requested documents were provided or deemed unnecessary due to the status of the contract.

Glendale’s VRM program does not include a management-approved policy and supporting procedures related to onboarding, monitoring, and offboarding; a cybersecurity questionnaire; or a vendor risk scoring methodology. It was acknowledged that the current VRM program is immature, is missing several critical components, and is not consistently followed.

Potential Risk: Without an effective VRM program, Glendale risks implementing a technology that is susceptible to breach or that is misaligned with its risk management goals. This increases the likelihood of the city’s data being compromised.

Recommendation: We recommend that Glendale’s IT management implement a full-lifecycle VRM program. At a minimum, this should include the following components:
• A management-approved vendor risk management policy.
  o Management’s Response: Concur. The Innovation & Technology department will create a vendor risk management policy for review and approval by City leadership by October 31, 2023.
• A vendor risk scoring methodology and/or cybersecurity questionnaire.
  o Management’s Response: Concur. The Innovation & Technology department will create a vendor risk scoring methodology and/or cybersecurity questionnaire by October 31, 2023.
• A process for periodically reviewing each vendor’s cybersecurity posture.
  o Management’s Response: Concur. To effectively monitor and review each vendor’s cybersecurity posture, additional staffing would be required. The department intends to request additional staffing in the FY 24-25 budget process. Until additional resources are available, the department will focus on the highest-risk vendors as availability permits.
• A process to modify contract language to include the following concepts:
  o Consider developing a purpose-oriented technology contract template.
  o Authorization for Glendale to audit vendor technologies or to receive summaries of audits performed by the vendor.
  o Requirement for the vendor to provide Glendale with its annual SOC 2 report upon request.
  o Requirement for the vendor to respond to an annual cybersecurity questionnaire.
  o Requirement for the vendor to participate in offboarding (i.e., disentangling) Glendale and its data from the vendor’s system.
    § Management’s Response: Concur. The Innovation & Technology department will work with the City Attorney’s Office to create a technology-oriented contract template by December 31, 2023.

SECTION III: SECURANCE VALUE

SECURANCE VALUE

Securance Consulting would like to THANK YOU for your business. Aside from benefiting from the highest level of service possible, you also received unique advantages that only Securance delivers. Our hands-on approach is tailored to fit the needs of your internal audit and IT departments and your unique technology environment. Our technical expertise, outstanding reputation, and personalized attention ensure you receive a level of service surpassed by no other technology risk management firm in the market. As a Securance customer, you can be confident in your sound decision to manage your technology risk by partnering with Securance!

13916 Monroes Business Park, Suite 102 • Tampa, FL 33635 • 877.578.0215 • www.securanceconsulting.com