Internal Audit Report
Date: June 20, 2024

Securance Consulting
CONFIDENTIAL
Provided for: City of Glendale

VERSION MANAGEMENT

Version | Date Approved | Approved By | Brief Description
--- | --- | --- | ---
1.0.0 | June 20, 2024 | Securance | Draft Report
1.1 | June 21, 2024 | Securance | Client edits
Final | September 4, 2024 | Securance | Management’s Responses

This report is intended solely for the management of the City of Glendale for its internal use and is not intended to, nor may, be relied upon by any other party (“Third Party”). Neither this deliverable nor its contents may be distributed to, discussed with, or otherwise disclosed to any Third Party without the prior written permission of Securance Consulting. Securance Consulting accepts no liability or responsibility to any Third Party who gains access to this report. © 2024 Securance LLC.

TABLE OF CONTENTS

SECTION I: EXECUTIVE SUMMARY
• Introduction and Scope (p. 4)
• Finding Legend (p. 5)
• Summary of Findings (p. 6)
• Conclusion (p. 6)

SECTION II: IT AUDIT REPORT
• Background (p. 7)
• Specific Objectives and Detailed Scope (p. 7)
• Approach and Methodology (p. 8)
• Observations and Recommendations (p. 9)

SECTION III: SECURANCE VALUE
• Securance Value (p. 14)

SECTION I: EXECUTIVE SUMMARY

Background

The City of Glendale (Glendale) is a vibrant and welcoming metropolitan city with more than 250,000 residents and nearly 2,000 employees working together to make it the community of choice. Glendale prides itself on unmatched customer service and quality of life, both of which are supported by diverse technologies and applications that must remain secure and available. In May 2024, Glendale contracted Securance to assess enterprise software license management practices.

Specific Objectives and Scope

The objective of the engagement was to assess the design and operating effectiveness of software license procurement controls. The scope of the review was limited to the following enterprise systems:

• Crisis Assistance Program (CAP) 60
• Collibra
• Everbridge
• iNovah
• Kimley-Horn Integrated Transportation System
• Lucity/Central Square
• Microsoft Azure
• Motorola PremierOne CAD
• NeoGov
• Origami
• Palo Alto Threat Prevention
• SCADA (iFix/Historian)
• Syntech FuelMaster Plus
• Tyler MUNIS
• Velocity Security Management

Approach and Methodology

To achieve the objectives of this engagement, we designed a layered approach to understand, document, and assess the controls and configurations included in the scope. Our methodology included:

• Review of available policies and procedures; and
• Review of audit evidence provided in support of the assessment.

The review was limited to the areas we considered necessary to complete the assessment and was not intended to cover Glendale’s entire information systems function.

Finding Legend

• Urgent-Risk (Level 5): Immediate remediation required. Note: If the finding is a technical vulnerability, it provides remote intruders with remote root or remote administrator capabilities.
• Critical-Risk (Level 4): Immediate action recommended with remediation ASAP. Note: If the finding is a technical vulnerability, it provides intruders with remote user, but not remote administrator or root user, capabilities.
• High-Risk (Level 3): Immediate action recommended with remediation in 90 days. Note: If the finding is a technical vulnerability, it provides hackers with access to specific information, including security settings, stored on the host. This level of vulnerability could result in potential misuse of the host by intruders.
• Medium-Risk (Level 2): Action recommended with remediation in 180 days. Note: If the finding is a technical vulnerability, it may expose some sensitive information, such as precise versions of services, from the host. With this information, hackers could research potential attacks to try against a host.
• Low-Risk | Informational (Level 1): Effective control. No immediate changes recommended. Opportunity for slight improvement.
• Advisory Comment: Action suggested at the discretion of management.

Summary of Findings

The following section provides a summary of our findings from the internal IT audit. The risk-level columns follow the Finding Legend above; the placement of each check mark is reconstructed from the “Total Findings” row of the original table.

No. | Finding Title | Urgent (5) | Critical (4) | High (3) | Medium (2) | Low / Informational (1) | Advisory
--- | --- | --- | --- | --- | --- | --- | ---
1 | Enterprise Software Management | | | | ✔ | |
2 | Active Directory – Police Department (PD) Password Policy | | | | | ✔ |
Total Findings | | 0 | 0 | 0 | 1 | 1 | 0

No. 1: Enterprise Software Management – We assessed a sample of software technologies for compliance with GASB 96, adherence to the principle of least privilege, and procurement method (i.e., via a stand-alone contract or through CDW). We learned that historically the IT department was not being consulted about all software purchases, which creates risks to Glendale’s technology environment.

No. 2: Active Directory – Police Department (PD) Password Policy – We assessed PD’s password management process. Based on our assessment, PD’s password security policy is compliant with the Commission on Accreditation for Law Enforcement Agencies (CALEA) standards.

Conclusion

Based on our assessment, knowledge of Glendale’s software license and procurement process, and cybersecurity consulting experience, the administrative process supporting enterprise software license procurement and contract management appears effective. The remainder of this report provides a detailed analysis of our approach, methodology, and observations.

SECTION II: IT AUDIT REPORT

Background

The City of Glendale (Glendale) is a vibrant and welcoming metropolitan city with more than 250,000 residents and nearly 2,000 employees working together to make it the community of choice. Glendale prides itself on unmatched customer service and quality of life, both of which are supported by diverse technologies and applications that must remain secure and available. In May 2024, Glendale contracted Securance to assess enterprise software license management practices.

Specific Objectives and Scope

The objective of the engagement was to assess the design and operating effectiveness of software license procurement controls. The scope of the review was limited to the following enterprise systems:

1. Crisis Assistance Program (CAP) 60 – a solution for case management, HUD reporting, and processing resident applications for financial assistance from Glendale.
2. Collibra – an enterprise-oriented data governance platform for defining business terms, capturing data lineage, and storing a data glossary.
3. Everbridge – a solution that enables Glendale to connect with and inform the entire organization of an emergency, and facilitates two-way communication.
4. iNovah – a centralized cashiering and enterprise revenue management (ERM) solution that enables consolidation and integration with any payment channel.
5. Kimley-Horn Integrated Transportation System (KITS) – a traffic control system that provides continuous monitoring of traffic conditions and traffic signal operations.
6. Lucity/Central Square – a geographic information system (GIS)-powered enterprise asset management and work order solution for local governments.
7. Microsoft Azure – Microsoft’s public cloud computing platform, used by Glendale for the following services:
   a. Single sign-on (SSO) for third-party software as a service (SaaS) solutions and Glendale’s SaaS product, https://aztaxcentral.glendaleaz.com/.
   b. Virtual machine hosting.
   c. Snowflake – a big data solution known internally as the Modern Data Platform (MDP).
   d. Power BI – Glendale’s business intelligence (BI) platform.
8. Motorola PremierOne CAD – a solution that allows dispatchers to access all the data pertaining to a situation, including the incoming call, related records, and first responder location and status.
9. NeoGov – a platform used for job announcements, employee applications, requisitions, employee onboarding forms, employee training, and performance management.
10. Origami – a cloud-based claims management solution used by Human Resources to consolidate Glendale’s claims data across all lines of coverage.
11. Palo Alto Threat Prevention – a subscription service that is part of the Palo Alto firewall. It leverages the visibility of the next-generation firewall to inspect all traffic, automatically preventing known threats, regardless of port, protocol, or SSL encryption, and confronting threats at each phase of an attack.
12. SCADA (iFix/Historian) – a solution that transforms information and data from the human machine interface (HMI) software into text-based documents stored on the file share for review and analysis.
13. Syntech FuelMaster Plus – an all-in-one fuel storage, dispensing, and management system.
14. Tyler MUNIS Enterprise Resource Planning (ERP) – a system with modules for budget, financial management, payables, human resource/benefits, and payroll.
15. Velocity Security Management System – an access control and security operations management solution that includes badge access, video, alarm, smart card, biometrics, and other access and identity management operations.

Approach and Methodology

IT PROCESS RISK ASSESSMENT

Securance’s procedures included:

• Review of IT policies, procedures, and standards.
• Review of supporting assessment evidence and artifacts.

The review was limited to the areas we considered necessary to complete the audit and was not intended to address Glendale’s entire information systems function.

Observations and Recommendations

The following recommendations, based on the results of Securance’s audit, are intended to improve the software license and procurement process.

No. 1: Enterprise Software Management

The initial step in this component of the audit was to develop a comprehensive listing of software used across the city by interviewing 21 department staff. Glendale resources completed that task and presented a software inventory to Securance for review. As part of this review, we were informed that historically the IT department was not being consulted when departments were selecting software solutions. This creates multiple risks for Glendale, including:

• A lack of standardized security measures and/or a process for assessing software vendors’ security postures can lead to data breaches or unauthorized access.
• Unvetted software may have security weaknesses that create entry points for cyber-attacks.
• Uncoordinated software may not integrate well with existing systems, leading to data silos and operational inefficiencies.
• Purchasing duplicate software, or software with the same functionality as an existing system, increases costs unnecessarily.
• Non-compliance with Glendale’s data classification standards may occur.
• The IT department may not be able to provide the necessary support and maintenance.

However, in response to a 2023 Internal Audit Report – Third-Party Risk Management, the Innovation & Technology department concurred with the need to improve its vendor risk management program. As part of that improvement, the Innovation & Technology department has implemented a Technology Review Program, which has been heavily involved in the analysis and assessment of the security posture of systems identified by other departments. This has reduced the occurrences of systems being procured without IT consultation.

Additionally, the following tasks were performed on a sample of the software technologies:

• Determine if user accounts are based on least privilege access.
• Confirm if the software was procured from CDW or via a stand-alone contract.
• Determine if the software requires disclosure, per GASB 96.

GASB Statement 96 requires a government to disclose descriptive information about its Subscription-Based IT Arrangements (SBITAs), excluding short-term SBITAs. If the duration of the SBITA is greater than 12 months, and the value is greater than $50,000, disclosure is required. Descriptive information includes subscription assets, accumulated amortization, and other payments not included in the measurement of a subscription liability. We reviewed Glendale’s 2023 annual financial report and noted a disclosure related to GASB 96. The adequacy of the disclosure should be reviewed by a certified public accountant (CPA).

The following table summarizes our findings about the sample that we tested.

Application | Least Privileged Access Granted | Current Contract | CDW or Stand-Alone Contract | GASB 96 Compliant (Term; 2024 Value) | Comment / Recommendation
--- | --- | --- | --- | --- | ---
Crisis Assistance Program (CAP) 60 | Role-based security; access is appropriate. | No; last payment made 7/22/2022. | Stand-alone | Term: 7 years; 2024 value: ~$7.5K |
Collibra | Role-based security; access is appropriate. | Yes | Stand-alone | Term: 1 year; 2024 value: ~$500K | GASB 96 disclosure required.
Everbridge | Role-based security; access is appropriate. | Yes | Stand-alone | Term: 5 years; 2024 value: ~$960K | GASB 96 disclosure required.
iNovah | Role-based security; access is appropriate. | Yes | Stand-alone | Term: 7+ years; 2024 value: ~$53K | GASB 96 disclosure required.
Kimley-Horn Integrated Transportation System (KITS) | Role-based security; access is appropriate. | Yes | Stand-alone | Term: NA, professional services agreement; 2024 value: ~$75K | GASB 96 disclosure required.
Lucity/Central Square | Role-based security; access is appropriate. | Yes | Stand-alone | Term: 5 years; 2024 value: ~$151K | GASB 96 disclosure required.
Microsoft Azure | Role-based security; access is appropriate. | Yes | CDW | Term: 3 years; 2024 value: ~$411K | GASB 96 disclosure required.
Motorola PremierOne CAD | Role-based security; access is appropriate. | Yes | Stand-alone | Term: 10 years; 2024 value: ~$43K | GASB 96 disclosure required.
NeoGov | Role-based security; access is appropriate. | Yes | Stand-alone | Term: 3 years; 2024 value: ~$148K | GASB 96 disclosure required.
Origami | Role-based security; access is appropriate. | Yes | Stand-alone | Term: 3 years; 2024 value: ~$27K |
Palo Alto Threat Prevention | Role-based security; access is appropriate. | Yes | CDW | Term: 5 years; 2024 value: ~$135K | GASB 96 disclosure required.
SCADA (iFix/Historian) | Role-based security; access is appropriate. | Yes | Stand-alone | Term: 3 years; 2024 value: ~$43K |
Syntech FuelMaster Plus | Role-based security; access is appropriate. | Yes | Stand-alone | Term: 5 years; 2024 value: ~$206K |
Tyler MUNIS | Role-based security; access is appropriate. | Yes | Stand-alone | Term: 10 years; 2024 value: ~$1.06M | GASB 96 disclosure required.
Velocity Security Management | Role-based security; access is appropriate. | Yes | Stand-alone | Term: 5 years; 2024 value: ~$16K |

Potential Risk

When software is procured without coordinating with the IT department, multiple risks can occur, as noted above. The most significant is that unvetted software may have security weaknesses, creating entry points for cyber-attacks.

Recommendation

We recommend that Glendale’s IT and senior city leadership establish clear policies and procedures for software procurement that require coordination with the IT department or participation by all departments in the Technology Review Program.

Management’s Response

Concur. The Innovation & Technology department will work with senior city leadership to establish clear policies and procedures for software procurement by January 31, 2025.

No. 2: Active Directory – Police Department (PD) Password Policy

As a follow-up to an audit finding in fiscal year 2023 related to Glendale’s password controls, we assessed PD’s compliance with relevant Commission on Accreditation for Law Enforcement Agencies (CALEA) password standards and noted the following:

• The identity and access management policy governs the creation, configuration, and management of passwords.
• PD’s password policy is enforced using Active Directory (AD) and is configured as follows:
  • Require passwords = yes.
  • Minimum length = 8 characters.
  • Maximum password age = 90 days.
  • Minimum password age = 7 days.
  • Complexity enabled = yes.
  • History = 12.
  • Lockout threshold = 5 invalid attempts.
  • Lockout duration = 30 minutes.
• Multi-factor authentication (MFA) is implemented for remote access to PD’s environment via NetMotion.

Based on our assessment, PD’s password security policy is compliant with CALEA password standards.

Potential Risk

Active Directory is the primary technology used for controlling user access to network resources, including select applications. As such, it plays a significant role in determining the network’s security posture. Weak passwords are a significant contributor to network breaches.

Recommendation

We commend Glendale’s IT management for implementing an effective password policy for PD that is compliant with CALEA standards.

Management’s Response

None required.
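The AD settings listed in finding No. 2 are the kind of evidence an auditor re-checks at the next review. The PowerShell below is an added example, not part of Securance’s report or any Glendale tooling: it reads the effective password policy with the ActiveDirectory RSAT module and compares each setting against the baseline values stated above, treating the baseline as a minimum (a stricter setting passes). It assumes the module is installed on a domain-joined host; the -PolicyName parameter is hypothetical and selects a fine-grained password policy, since a department-specific policy such as PD’s may be applied as a PSO rather than as the default domain policy. The MFA control (NetMotion) is not visible from the password policy object and is not checked here.

```powershell
# Added example (not from the audit report): compare an Active Directory password
# policy against the baseline recorded in finding No. 2. Requires the ActiveDirectory
# RSAT module. -PolicyName is a hypothetical parameter naming a fine-grained password
# policy (PSO); when omitted, the default domain policy is read instead.
param(
    [string]$PolicyName
)

Import-Module ActiveDirectory

# Baseline values taken from the report. Treated as minimums: a stricter setting passes.
$Baseline = @{
    MinPasswordLength    = 8
    MaxPasswordAgeDays   = 90
    MinPasswordAgeDays   = 7
    ComplexityEnabled    = $true
    PasswordHistoryCount = 12
    LockoutThreshold     = 5
    LockoutDurationMins  = 30
}

if ($PolicyName) {
    $Policy = Get-ADFineGrainedPasswordPolicy -Identity $PolicyName
} else {
    $Policy = Get-ADDefaultDomainPasswordPolicy
}

$maxAgeDays   = $Policy.MaxPasswordAge.TotalDays
$minAgeDays   = $Policy.MinPasswordAge.TotalDays
$lockoutMins  = $Policy.LockoutDuration.TotalMinutes

# Each entry: control name, observed value, and whether it meets the baseline.
# A maximum age of 0 means passwords never expire and a lockout threshold of 0 means
# accounts never lock, so both are treated as failures. A lockout duration of 0 means
# the account stays locked until an administrator unlocks it, which is at least as strict.
$Checks = @(
    @{ Name = 'Minimum length';         Observed = $Policy.MinPasswordLength;    Pass = $Policy.MinPasswordLength -ge $Baseline.MinPasswordLength }
    @{ Name = 'Maximum age (days)';     Observed = $maxAgeDays;                  Pass = ($maxAgeDays -gt 0) -and ($maxAgeDays -le $Baseline.MaxPasswordAgeDays) }
    @{ Name = 'Minimum age (days)';     Observed = $minAgeDays;                  Pass = $minAgeDays -ge $Baseline.MinPasswordAgeDays }
    @{ Name = 'Complexity enabled';     Observed = $Policy.ComplexityEnabled;    Pass = $Policy.ComplexityEnabled -eq $Baseline.ComplexityEnabled }
    @{ Name = 'History';                Observed = $Policy.PasswordHistoryCount; Pass = $Policy.PasswordHistoryCount -ge $Baseline.PasswordHistoryCount }
    @{ Name = 'Lockout threshold';      Observed = $Policy.LockoutThreshold;     Pass = ($Policy.LockoutThreshold -gt 0) -and ($Policy.LockoutThreshold -le $Baseline.LockoutThreshold) }
    @{ Name = 'Lockout duration (min)'; Observed = $lockoutMins;                 Pass = ($lockoutMins -eq 0) -or ($lockoutMins -ge $Baseline.LockoutDurationMins) }
)

# Print one line per control so the output can be attached as audit evidence.
foreach ($c in $Checks) {
    $status = if ($c.Pass) { 'PASS' } else { 'FAIL' }
    '{0,-24} observed={1,-8} {2}' -f $c.Name, $c.Observed, $status
}

# Non-zero exit code if any control fails, so the script can run from a scheduled job.
if ($Checks | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

Run it as `.\Check-PdPasswordPolicy.ps1` for the default domain policy, or `.\Check-PdPasswordPolicy.ps1 -PolicyName <PSO name>` when the PD settings live in a fine-grained policy; the name of the PSO is not given in the report and must be supplied by the administrator. The comparison direction matters: length, history, minimum age and lockout duration are floors, while maximum age and lockout threshold are ceilings, which is why the two groups use opposite operators.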
SECTION III: SECURANCE VALUE

Securance Consulting would like to THANK YOU for your business. Aside from benefiting from the highest level of service possible, you also received unique advantages that only Securance delivers. Our hands-on approach is tailored to fit the needs of your internal audit and IT departments and unique technology environment. Our technical expertise, outstanding reputation, and personalized attention ensure you receive a level of service surpassed by no other technology risk management firm in the market. As a Securance customer, you can be confident in your sound decision to manage your technology risk by partnering with Securance!

13916 Monroes Business Park, Suite 102 • Tampa, FL 33635 • 877.578.0215
www.securanceconsulting.com