Audit of the City's Information Security and Risk Management Program
May 31, 2016

Dear Chair Martin and Councilmembers:
Our office has completed work on the Audit of the City's Information Security and Risk Management Program. This audit was self-initiated by the Office of the City Auditor pursuant to Section 3-502.1(c) of the Revised Charter of Honolulu and the City Auditor's Annual Work Plan for FY2014-15. The audit objectives were to:
(1) assess the state and effectiveness of the city's information technology (IT) security management program;
(2) assess the implementation of effective user security awareness and security related personnel policies to support IT security; and
(3) assess the capability and effectiveness of the city's cybersecurity operations.
Background
Information has evolved into a key asset for the city and requires protection from unauthorized users. The city's increasing reliance on information technology to support government services requires the city's IT security programs to be effective. Security policies and procedures must meet operational and security objectives, and cybersecurity operations should remediate IT security weaknesses. User security awareness and IT-security related personnel policies must support IT security; and responses to IT security incidents must be effective to protect city data, processes, and systems.
Audit Results
Prior audits, consultant reports, and external financial information system audits of city security controls have itemized deficiencies and made recommendations for improving city IT security. Although the new Department of Information Technology (DIT) director has introduced several new technical initiatives to improve and protect city systems, more needs to be done to ensure that the city is not vulnerable to unauthorized access to its data assets and that established controls properly address potential threats.
More specifically, DIT needs to conduct risk assessments that identify and prioritize the data assets that should be protected; implement controls that protect the prioritized assets from potential threats; and update security control policies and procedures. DIT also needs to provide security awareness training and test incident response plans.
In addition, DIT security information staff need authorization to implement security measures commensurate with their responsibilities; follow up on identified threats; improve communications within DIT and among city departments; and assess and validate security risks.
These improvements are needed to ensure that unauthorized access and system breaches do not occur and that, if a breach does occur, the city's costs are minimized.
Management Response
The Managing Director and the Department of Information Technology director agreed with 11 of the recommendations and implemented most of the recommendations in response to the draft reports. Due to lack of funding, management did not agree to create an executive position for cybersecurity (see Recommendation #12). The management comments were responsive to the audit recommendations.
A copy of our final draft report is attached. We express our appreciation for the cooperation and assistance provided to us by the staffs of the Office of the Managing Director, the Department of Information Technology, and the many other departmental staff and managers contacted during this audit. We are available to meet with you and your staff to discuss the review results and to provide more information. If you have any questions regarding the audit report, please call the auditor-in-charge, Wayne Kawamura….
Sincerely,
Edwin S.W. Young
City Auditor
* * * * *
Chapter 4 Conclusions and Recommendations
The city’s increasing reliance on information technology (IT) to support government services requires the city’s IT security programs to be effective. Security policies and procedures must meet operational and security objectives, and cybersecurity operations should remediate IT security weaknesses. User security awareness and IT-security related personnel policies must support IT security; and responses to IT security incidents must be effective to protect city data, processes, and systems. Prior audits, consultant reports, and external financial information system audits of city security controls have itemized many deficiencies and made many recommendations for improving city security for its information systems.
Despite implementing many recommendations and greatly improving its IT technical security posture, we found the city is still vulnerable to unauthorized access to its data, resources, and information systems because it has not addressed typical IT security management concerns. The city and its Department of Information Technology (DIT) need to follow up on identified threats; improve communications within DIT and among city departments; and assess and validate security risks. City departments and DIT need to update security control policies and procedures; provide security awareness training; test incident response plans; and give security information system staff the authorization to implement security measures commensurate with their responsibilities. Without these improvements, the city remains highly vulnerable to disruption of services, unauthorized hacks, and system breaches that could cost the city millions in credit reports, identity theft protection, and other costs related to the unauthorized access to city information systems.