Local Government Information Technology & Cyber Security Audits
Douglas Jones, CIA, CGAP, CRMA, City Auditor
Office of the City Auditor, Kansas City, Missouri
Association of Government Accountants Professional Development Seminar
Kansas City Chapter, March 9, 2017
Agenda
City Auditor’s Office history & background
Discussion of information technology and cyber security audits
Office of the City Auditor – Kansas City, Missouri 2
Kansas City, Missouri
Kansas City covers 319 square miles and has about 475,000 residents.
Council/Manager form of city government.
Elected officials – Mayor and 12 Councilmembers.
20 city departments with about 6,800 employees.
Current city budget is about $1.5B.
How long has Kansas City had a city auditor?
Kansas City has had a city auditor since at least 1875.
City auditor’s role changed in 1925 to independent audit function.
Appointed by Mayor and City Council.
What is the mission of the City Auditor’s Office?
Conduct independent assessments of the work of city government and provide elected officials, management and the public with objective information and recommendations to improve city operations and strengthen city government’s accountability to the public.
How are audits selected?
City Council may direct the city auditor to conduct a specific audit.
The city auditor can initiate audits.
Audit selection process considers a variety of inputs, including public suggestions.
Audit universe is Airport to Zoo.
How does the City Auditor’s Office share information?
Copies of audit reports, annual reports, and other related documents are available on:
◊ Our website kcmo.gov/cityauditor
◊ The city’s open data catalog data.kcmo.org
The public can submit their audit ideas: kcmo.gov/cityauditor/submit-audit-ideas
@KCMOCityAuditor
QUESTIONS???
What IT & cyber security audits have been conducted?
Information Technology & Cyber Security Audits
E-Service Systems Security (Oct 2009)
City Should Document GIS Data (Nov 2010)
Security of the Municipal Court Docketing System (Feb 2014)
Fire CAD System (Oct 2014)
Employees' Response to Phishing Email Put City Information Systems at Risk (Mar 2015)
City Should Follow Recommended Practices to Protect Personally Identifiable Information (Apr 2015)
Mobile Device Security Risks (Nov 2016)
How do we perform IT & cyber security audits?
Standards and recommended practices guide our IT audits.
◊ FISCAM (Federal Information System Controls Audit Manual)
◊ NIST (National Institute of Science & Technology)
◊ COBIT (Control Objectives for Information Technology)
◊ ISACA (Information Systems Audit & Control Assoc.)
Knowledge and experience through certifications and performing the audits.
Focus primarily on general controls.
E-Service Systems Security (Oct 2009)
Audit Objective: Are the city’s e-service systems and related data secured?
E-Services allow the public to:
$10 million in online payments in 2009.
Findings
E-Service systems and data appeared to be reasonably secure.
Many recommended practices for E-Service security were followed, but not always included in written P&Ps.
City lacked an entity-wide information security management program.
Recommendations
Develop an entity-wide information security management program.
Develop policies to improve security, strengthen internal controls, and improve internal communications.
Develop policies related to periodic reconciliation of on-line payments.
Municipal Court Docketing System Security (Feb 2014)
Audit Objective: Are controls in place to protect the confidentiality, integrity, and availability of information in the Integrated Metropolitan Docketing System (IMDS) Plus system?
The paperless docketing system handles all functions from automatic case creation to final disposition.
System contains sensitive criminal justice information, which must be protected.
Findings
Municipal court needed to improve controls:
◊ Access rights not terminated timely.
◊ Security awareness not always provided or documented.
◊ No written policies & procedures regarding the protection of criminal justice information.
The vendor had not:
◊ Updated its disaster recovery plan.
◊ Finalized its incident response procedure.
◊ Established a geographically removed alternate processing site.
Recommendations
Develop requirements for protecting criminal justice information and adopt written policies and procedures to meet established requirements.
Encourage the vendor to update and periodically test its disaster recovery plan; finalize its incident response procedure; and establish a geographically removed disaster recovery site.
Develop criteria for future information technology service provider contracts.
Employees’ Response to Phishing Email Put City Information Systems at Risk (Mar 2015)
Data breaches caused by phishing scams can damage city systems, cost the city money, and shake the public’s trust and confidence in city government.
Audit Objective: Are city employees prepared to respond appropriately to phishing email?
[Chart: Employee Visits to Phishing Website. Vertical axis: Visits (0 to 250); horizontal axis: Hours (1 to 15); series plotted: Visits, Credentials Provided. Data labels shown on the chart: 226 and 114.]
Hour One: 3,115 phishing emails were delivered to city email accounts. City staff began visiting the phishing website.
Hour Two: Website visits peaked. ITD help desk started getting inquiries about the phishing email.
Hour Four: City Communications notified city staff about the phishing email. Website visits dropped significantly.
Results: Over 600 website visits. About 280 employees provided credentials.
Recommendations
Implement an IT security awareness training program.
Develop a comprehensive cyber security incident response plan.
The City Should Follow Recommended Practices to Protect Personally Identifiable Information (Apr 2015)
Audit Objective: Is the city following recommended practices for protecting personally identifiable information that it collects and maintains?
Personally identifiable information is any information that can be used to identify or be linked to an individual – date of birth, social security number, medical information, etc.
Loss, misuse, or unauthorized disclosure could cause serious harm.
All City Departments Collect and Store Personally Identifiable Information
City has not identified all PII being collected.
Only some aspects of protecting PII covered in policies & procedures.
Varied levels of access control and training.
Some safeguarding methods in use, but no incident response plan.
Selected PII Collected and Stored by Departments
Type of Information        Depts
Date of Birth              19
Social Security Number     18
Medical                    16
Bank Account               14
Credit Card Number         9
Recommendations
Identify all city collected and stored personally identifiable information.
Periodically review and eliminate the collection of unnecessary information.
Develop citywide policies and procedures, including training and safeguards for information.
Develop an incident response plan.
Mobile Device Security Risks (Nov 2016)
Audit Objective: Has the city taken adequate steps to mitigate security risks related to smartphones and tablets used for city business?
Mobile devices are more susceptible to cyber attacks.
Approx. 750 city-owned and 230 personally-owned smartphones and tablets used for city business.
Findings
City policies do not address some mobile device security risks.
Required key security features are not consistently used.
Mobile device management software can enforce key security features.
Recommendations
The city can improve mobile device security and mitigate risks by:
◊ Updating city policies to include key security requirements.
◊ Training employees to set security features on their devices and understand why these features are important.
◊ Implementing mobile device management software to ensure city data is more protected and enforce security requirements.
DO
Password protect your device
Activate screen lock
Encrypt the device
Keep operating system and apps up-to-date
Check app permission requests before downloading
Disable location services when not in use
Turn off Bluetooth when not in use
Immediately report lost or stolen devices
DON’T
Remove restrictions imposed by device’s operating system
Download apps from untrusted third-party app stores and markets
Leave your mobile device unattended in public
Connect your device to unknown Wi-Fi networks or hotspots
Outcomes…so far
IT created a new position – Chief Security Officer.
Citywide cyber security awareness training initiated in February 2017.
City Manager has started the process to develop Administrative Regulation for PII.
What projects have been released this year?
Bike KC Inadequate to Achieve City Goals
Mobile Device Security Risks
Fire Department: Safeguarding Controlled Substances
Recommended Practices Would Strengthen Hotline Operations
Contract Accessibility Could Be Improved
Changes to Police Take-Home Program Could Improve Vehicle Resource Management
Worker's Compensation Program Contract Administration Costs (memo)
Police Department Comparative Information (memo)
Annual Performance Audit Plan - Fiscal Year 2017
2016 Annual Report
What projects are in progress?
Annual Audit Selection
Independence Avenue Community Improvement District (Public Suggestion)
Equal Employment Opportunity Processes
Health Department Performance Measures
Animal Control Division (Council Directed)
General Services’ Payment Process
QUESTIONS???
For more information, to read our audit reports, or submit your audit ideas, visit kcmo.gov/cityauditor
Follow us on Twitter: @KCMOCityAuditor