Local Government Information Technology & Cyber Security Audits Douglas Jones, CIA, CGAP, CRMA City Auditor Office of the City Auditor Kansas City, Missouri Association of Government Accountants Professional Development Seminar Kansas City Chapter March 9, 2017

Local Government Information Technology & Cyber Security ...kcaga-cgfm.org/flyer/2017/DJones.pdf · Information Technology & Cyber Security Audits Douglas Jones, CIA, CGAP, CRMA City


Local Government Information Technology & Cyber Security Audits

Douglas Jones, CIA, CGAP, CRMA, City Auditor

Office of the City Auditor, Kansas City, Missouri

Association of Government Accountants Professional Development Seminar

Kansas City Chapter, March 9, 2017

Agenda

City Auditor’s Office history & background

Discussion of information technology and cyber security audits

Office of the City Auditor – Kansas City, Missouri 2

Kansas City, Missouri

Kansas City covers 319 square miles and has about 475,000 residents.

Council/Manager form of city government.

Elected officials – Mayor and 12 Councilmembers.

20 city departments with about 6,800 employees.

Current city budget is about $1.5B.

How long has Kansas City had a city auditor?

Kansas City has had a city auditor since at least 1875.

City auditor’s role changed in 1925 to independent audit function.

Appointed by Mayor and City Council.

What is the mission of the City Auditor’s Office?

Conduct independent assessments of the work of city government and provide elected officials, management and the public with objective information and recommendations to improve city operations and strengthen city government’s accountability to the public.

How are audits selected?

City Council may direct the city auditor to conduct a specific audit.

The city auditor can initiate audits.

Audit selection process considers a variety of inputs, including public suggestions.

Audit universe is Airport to Zoo.

How does the City Auditor’s Office share information?

Copies of audit reports, annual reports, and other related documents are available on:
◊ Our website kcmo.gov/cityauditor
◊ The city’s open data catalog data.kcmo.org

The public can submit their audit ideas: kcmo.gov/cityauditor/submit-audit-ideas

Twitter: @KCMOCityAuditor

QUESTIONS???

What IT & cyber security audits have been conducted?

Information Technology & Cyber Security Audits:
E-Service Systems Security (Oct 2009)
City Should Document GIS Data (Nov 2010)
Security of the Municipal Court Docketing System (Feb 2014)
Fire CAD System (Oct 2014)
Employees' Response to Phishing Email Put City Information Systems at Risk (Mar 2015)
City Should Follow Recommended Practices to Protect Personally Identifiable Information (Apr 2015)
Mobile Device Security Risks (Nov 2016)

How do we perform IT & cyber security audits?

Standards and recommended practices guide our IT audits.
◊ FISCAM (Federal Information System Controls Audit Manual)
◊ NIST (National Institute of Standards & Technology)
◊ COBIT (Control Objectives for Information Technology)
◊ ISACA (Information Systems Audit & Control Assoc.)

Knowledge and experience through certifications and performing the audits.

Focus primarily on general controls.

E-Service Systems Security (Oct 2009)

Audit Objective: Are the city’s e-service systems and related data secured?

E-Services allow the public to:

$10 million in online payments in 2009.

Findings

E-Service systems and data appeared to be reasonably secure.

Many recommended practices for E-Service security were followed, but not always included in written P&Ps.

City lacked an entity-wide information security management program.

Recommendations

Develop an entity-wide information security management program.

Develop policies to improve security, strengthen internal controls, and improve internal communications.

Develop policies related to periodic reconciliation of on-line payments.

Municipal Court Docketing System Security (Feb 2014)

Audit Objective: Are controls in place to protect the confidentiality, integrity, and availability of information in the Integrated Metropolitan Docketing System (IMDS) Plus system?

The paperless docketing system handles all functions from automatic case creation to final disposition.

System contains sensitive criminal justice information, which must be protected.

Findings

Municipal court needed to improve controls:
◊ Access rights not terminated timely.
◊ Security awareness not always provided or documented.
◊ No written policies & procedures regarding the protection of criminal justice information.

The vendor had not:
◊ Updated its disaster recovery plan.
◊ Finalized its incident response procedure.
◊ Established a geographically removed alternate processing site.

Recommendations

Develop requirements for protecting criminal justice information and adopt written policies and procedures to meet established requirements.

Encourage the vendor to update and periodically test its disaster recovery plan; finalize its incident response procedure; and establish a geographically removed disaster recovery site.

Develop criteria for future information technology service provider contracts.

Employees’ Response to Phishing Email Put City Information Systems at Risk (Mar 2015)

Data breaches caused by phishing scams can damage city systems, cost the city money, and shake the public’s trust and confidence in city government.

Audit Objective: Are city employees prepared to respond appropriately to phishing email?

Employee Visits to Phishing Website

[Chart: visits and credentials provided per hour, hours 1–15; y-axis "Visits" (0–250), x-axis "Hours"; series "Visits" and "Credentials Provided"; data labels 226 and 114 at the peak]

Hour One: 3,115 phishing emails were delivered to city email accounts. City staff began visiting the phishing website.

Hour Two: Website visits peaked. ITD help desk started getting inquiries about the phishing email.

Hour Four: City Communications notified city staff about the phishing email. Website visits dropped significantly.

Results: Over 600 website visits. About 280 employees provided credentials.
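The hour-by-hour roll-up described above can be produced from the exercise's own log. This is an added illustration, not the audit's tooling or data: the log lines, account ids and the email send time are constructed, and hour 1 is defined as the hour the emails were delivered, as on the chart.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log for a phishing-awareness exercise (not the audit's data).
# Columns: ISO timestamp, account, event. VISIT = opened the phishing page,
# CREDS = submitted a password, HELPDESK = employee reported the email,
# NOTIFY = all-staff warning sent by the communications team.
SAMPLE_LOG = """\
2015-03-02T08:03:11 e0412 VISIT
2015-03-02T08:05:40 e0412 CREDS
2015-03-02T08:17:02 e0097 VISIT
2015-03-02T09:01:55 e0301 VISIT
2015-03-02T09:02:30 e0301 CREDS
2015-03-02T09:10:00 e0301 CREDS
2015-03-02T09:12:44 e0777 HELPDESK
2015-03-02T09:25:08 e0118 VISIT
2015-03-02T09:40:19 e0222 VISIT
2015-03-02T10:05:00 e0509 VISIT
2015-03-02T11:30:00 comms NOTIFY
2015-03-02T11:45:12 e0650 VISIT
2015-03-02T12:20:00 e0650 VISIT
"""
DELIVERED_AT = datetime(2015, 3, 2, 8, 0, 0)  # constructed send time of the test email

def parse_log(text):
    """Parse log lines into (timestamp, account, event) tuples, oldest first."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return sorted((datetime.fromisoformat(ts), who, ev) for ts, who, ev in rows)

def hour_index(ts, delivered_at=DELIVERED_AT):
    """Hour 1 is the hour in which the emails were delivered (the chart's x-axis)."""
    return int((ts - delivered_at).total_seconds() // 3600) + 1

def summarize(events, delivered_at=DELIVERED_AT):
    """Roll the exercise up into the figures an audit would report."""
    visits = Counter(hour_index(ts, delivered_at) for ts, _, ev in events if ev == "VISIT")
    creds = Counter(hour_index(ts, delivered_at) for ts, _, ev in events if ev == "CREDS")
    exposed = {who for _, who, ev in events if ev == "CREDS"}  # people, not submissions
    first_report = next((ts for ts, _, ev in events if ev == "HELPDESK"), None)
    notified = next((ts for ts, _, ev in events if ev == "NOTIFY"), None)

    def minutes_since_delivery(t):
        return None if t is None else int((t - delivered_at).total_seconds() // 60)

    return {
        "visits_by_hour": dict(visits),
        "creds_by_hour": dict(creds),
        "total_visits": sum(visits.values()),
        "peak_visit_hour": max(visits, key=visits.get) if visits else None,
        "employees_exposed": sorted(exposed),  # retraining / password-reset list
        "minutes_to_first_report": minutes_since_delivery(first_report),
        "minutes_to_notification": minutes_since_delivery(notified),
        # Visits after the warning show the residual risk the notification did not remove.
        "visits_after_notification": sum(
            1 for ts, _, ev in events if ev == "VISIT" and notified and ts > notified),
    }
```

The gap between `minutes_to_first_report` and `minutes_to_notification` is the window the audit's timeline highlights: help-desk reports arrived in hour two, but the all-staff warning did not go out until hour four.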

Recommendations

Implement an IT security awareness training program.

Develop a comprehensive cyber security incident response plan.


The City Should Follow Recommended Practices to Protect Personally Identifiable Information (Apr 2015)

Audit Objective: Is the city following recommended practices for protecting personally identifiable information that it collects and maintains?

Personally identifiable information is any information that can be used to identify or be linked to an individual – date of birth, social security number, medical information, etc.

Loss, misuse, or unauthorized disclosure could cause serious harm.


All City Departments Collect and Store Personally Identifiable Information

City has not identified all PII being collected.

Only some aspects of protecting PII covered in policies & procedures.

Varied levels of access control and training.

Some safeguarding methods in use, but no incident response plan.

Selected PII Collected and Stored by Departments

Type of Information       Depts
Date of Birth             19
Social Security Number    18
Medical                   16
Bank Account              14
Credit Card Number         9

Recommendations

Identify all city collected and stored personally identifiable information.

Periodically review and eliminate the collection of unnecessary information.

Develop citywide policies and procedures, including training and safeguards for information.

Develop an incident response plan.

Mobile Device Security Risks (Nov 2016)

Audit Objective: Has the city taken adequate steps to mitigate security risks related to smartphones and tablets used for city business?

Mobile devices are more susceptible to cyber attacks.

Approx. 750 city-owned and 230 personally-owned smartphones and tablets used for city business.

Findings

City policies do not address some mobile device security risks.

Required key security features are not consistently used.

Mobile device management software can enforce key security features.

Recommendations

The city can improve mobile device security and mitigate risks by:
◊ Updating city policies to include key security requirements.
◊ Training employees to set security features on their devices and understand why these features are important.
◊ Implementing mobile device management software to ensure city data is more protected and enforce security requirements.

DO
Password protect your device
Activate screen lock
Encrypt the device
Keep operating system and apps up-to-date
Check app permission requests before downloading
Disable location services when not in use
Turn off Bluetooth when not in use
Immediately report lost or stolen devices

DON’T
Remove restrictions imposed by device’s operating system
Download apps from untrusted third-party app stores and markets
Leave your mobile device unattended in public
Connect your device to unknown Wi-Fi networks or hotspots

Outcomes…so far

IT created a new position – Chief Security Officer.

Citywide cyber security awareness training initiated in February 2017.

City Manager has started the process to develop Administrative Regulation for PII.

What projects have been released this year?

Bike KC Inadequate to Achieve City Goals
Mobile Device Security Risks
Fire Department: Safeguarding Controlled Substances
Recommended Practices Would Strengthen Hotline Operations
Contract Accessibility Could Be Improved
Changes to Police Take-Home Program Could Improve Vehicle Resource Management
Worker's Compensation Program Contract Administration Costs (memo)
Police Department Comparative Information (memo)
Annual Performance Audit Plan – Fiscal Year 2017
2016 Annual Report

What projects are in progress?

Annual Audit Selection

Independence Avenue Community Improvement District (Public Suggestion)

Equal Employment Opportunity Processes

Health Department Performance Measures

Animal Control Division (Council Directed)

General Services’ Payment Process


QUESTIONS???

For more information, to read our audit reports, or submit your audit ideas, visit kcmo.gov/cityauditor

Follow us on Twitter: @KCMOCityAuditor