Thursday, November 21, 2024
Hawai'i Free Press

Current Articles | Archives

Monday, June 6, 2016
Auditor: City Computers Remain Vulnerable to Hackers
By News Release @ 4:04 AM :: 4123 Views :: Honolulu County

Audit of the City's Information Security and Risk Management Program

Dear Chair Martin and Councilmembers:   May 31, 2016

Our office has completed work on the Audit of the City's Information Security and Risk Management Program. This audit was self-initiated by the Office of the City Auditor pursuant to Section 3-502.1(c) of the Revised Charter of Honolulu and the City Auditor's Annual Work Plan for FY2014-15. The audit objectives were to:

(1) assess the state and effectiveness of the city's information technology (IT) security management program;

(2) assess the implementation of effective user security awareness and security related personnel policies to support IT security; and

(3) assess the capability and effectiveness of the city's cybersecurity operations.

Background

Information has evolved into a key asset for the city and requires protection from unauthorized users.  The city's increasing reliance on information technology to support government services requires the city's IT security programs to be effective. Security policies and procedures must meet operational and security objectives, and cybersecurity operations should remediate IT security weaknesses. User security awareness and IT-security related personnel policies must support IT security; and responses to IT security incidents must be effective to protect city data, processes, and systems.

Audit Results

Prior audits, consultant reports, and external financial information system audits of city security controls have itemized deficiencies and made recommendations for improving city IT security. Although the new Department of Information Technology (DIT) director has introduced several new technical initiatives to improve and protect the city systems, more needs to be done to ensure the city is not vulnerable to unauthorized access to its data assets, and established controls properly address potential threats.

More specifically, DIT needs to conduct risk assessments that identify and prioritize data assets that should be protected; implement controls that protect the prioritized assets from potential threats; and update security control policies and procedures. DIT needs to provide security awareness training; and test incident response plans.

In addition, DIT security information staff need authorization to implement security measures commensurate with their responsibilities; follow up on identified threats; improve communications within DIT and among city departments; and assess and validate security risks.

These improvements are needed to ensure unauthorized hackers and system breaches do not occur and, if a breach occurs, the city costs are minimized.

Management Response

The Managing Director and the Department of Information Technology director agreed with 11 of the recommendations and implemented most of the recommendations in response to the draft reports. Due to lack of funding, management did not agree to create an executive position for cybersecurity (see Recommendation #12). The management comments were responsive to the audit recommendations.

A copy of our final draft report is attached. We express our appreciation for the cooperation and assistance provided us by the staffs of the Office of the Managing Director, the Department of Information Technology, and the many other departmental staff and managers contacted during this audit. We are available to meet with you and your staff to discuss the review results and to provide more information. If you have any questions regarding the audit report, please call the auditor-in-charge, Wayne Kawamura….

Sincerely,

Edwin S.W. Young  City Auditor

  *   *   *   *   *

Chapter 4 Conclusions and Recommendations

The city’s increasing reliance on information technology (IT) to support government services requires the city’s IT security programs to be effective. Security policies and procedures must meet operational and security objectives, and cybersecurity operations should remediate IT security weaknesses. User security awareness and IT-security related personnel policies must support IT security; and responses to IT security incidents must be effective to protect city data, processes, and systems. Prior audits, consultant reports, and external financial information system audits of city security controls have itemized many deficiencies and made many recommendations for improving city security for its information systems.

Despite implementing many recommendations and greatly improving its IT technical security posture, we found the city is still vulnerable to unauthorized access to its data, resources, and information systems because it has not addressed typical IT security management concerns. The city and its Department of Information Technology (DIT) need to follow up on identified threats; improve communications within DIT and among city departments; and need to assess and validate security risks. City departments and DIT need to update security control policies and procedures; provide security awareness training; test incident response plans; and provide security information system staff authorization to implement security measures commensurate with their responsibilities. Without these improvements, the city remains highly vulnerable to disruption of services, unauthorized hacks, and system breaches that could cost the city millions in credit reports, identity theft protection, and other costs related to the unauthorized access to city information systems.

read … FULL REPORT

Links

TEXT "follow HawaiiFreePress" to 40404

Register to Vote

2aHawaii

Aloha Pregnancy Care Center

AntiPlanner

Antonio Gramsci Reading List

A Place for Women in Waipio

Ballotpedia Hawaii

Broken Trust

Build More Hawaiian Homes Working Group

Christian Homeschoolers of Hawaii

Cliff Slater's Second Opinion

DVids Hawaii

FIRE

Fix Oahu!

Frontline: The Fixers

Genetic Literacy Project

Grassroot Institute

Habele.org

Hawaii Aquarium Fish Report

Hawaii Aviation Preservation Society

Hawaii Catholic TV

Hawaii Christian Coalition

Hawaii Cigar Association

Hawaii ConCon Info

Hawaii Debt Clock

Hawaii Defense Foundation

Hawaii Family Forum

Hawaii Farmers and Ranchers United

Hawaii Farmer's Daughter

Hawaii Federation of Republican Women

Hawaii History Blog

Hawaii Jihadi Trial

Hawaii Legal News

Hawaii Legal Short-Term Rental Alliance

Hawaii Matters

Hawaii Military History

Hawaii's Partnership for Appropriate & Compassionate Care

Hawaii Public Charter School Network

Hawaii Rifle Association

Hawaii Shippers Council

Hawaii Together

HiFiCo

Hiram Fong Papers

Homeschool Legal Defense Hawaii

Honolulu Navy League

Honolulu Traffic

House Minority Blog

Imua TMT

Inouye-Kwock, NYT 1992

Inside the Nature Conservancy

Inverse Condemnation

July 4 in Hawaii

Land and Power in Hawaii

Lessons in Firearm Education

Lingle Years

Managed Care Matters -- Hawaii

MentalIllnessPolicy.org

Missile Defense Advocacy

MIS Veterans Hawaii

NAMI Hawaii

Natatorium.org

National Parents Org Hawaii

NFIB Hawaii News

NRA-ILA Hawaii

Obookiah

OHA Lies

Opt Out Today

Patients Rights Council Hawaii

Practical Policy Institute of Hawaii

Pritchett Cartoons

Pro-GMO Hawaii

RailRipoff.com

Rental by Owner Awareness Assn

Research Institute for Hawaii USA

Rick Hamada Show

RJ Rummel

School Choice in Hawaii

SenatorFong.com

Talking Tax

Tax Foundation of Hawaii

The Real Hanabusa

Time Out Honolulu

Trustee Akina KWO Columns

Waagey.org

West Maui Taxpayers Association

What Natalie Thinks

Whole Life Hawaii