Denver City Wire

Sunday, November 24, 2024

Denver creates cybersecurity risk by skipping approvals for purchases

Mayor Michael Hancock | Michael Hancock Official Website

DENVER – City agencies are not always following the rules and safeguards for buying technology like computers, software, and subscriptions, possibly leaving the city at higher security risk, according to this month’s new audit report from Denver Auditor Timothy M. O’Brien, CPA.

“Cybersecurity is a top priority citywide,” Auditor O’Brien said. “Protecting city and resident data must be top of mind for individuals, agencies, and the highest city leadership.”

The audit team looked at how the city’s Technology Services agency administers, implements, and communicates requirements to city leaders and employees related to buying technology services and equipment.

Technology Services has had better control over devices used on the city’s network since the mayor updated Executive Order No. 18 in 2021, but the audit found city employees, agencies, and Technology Services could still do more to button up possible access points to the network.

“Although the city has strong safeguards in place to combat bad actors, accountability at the individual and agency level is still essential to everyday protection against a cybersecurity breach,” Auditor O’Brien said.

For example, the executive order says technology purchases are prohibited when using a purchase card. We found almost all agencies and departments citywide use purchase cards or the expense reimbursement process to bypass required approvals for technology equipment and services.

But it is important for Technology Services to be able to review new technology connected to the network to avoid security vulnerabilities that could be exploited by bad actors, which could result in downtime, lost and irretrievable data, ransom demands, or a loss of services to the public.

Not obtaining prior approval and bypassing the approval process exposes the city to several risks — including security vulnerabilities and incompatible equipment or software, data protection and privacy concerns, and missed opportunities to save taxpayer dollars using bulk-discount pricing.

Technology Services has taken steps to protect against these risks, including using a sophisticated security tool to detect when technology is added to the network, and the agency has the capability to shut down unauthorized hardware and software, as well as restrict access to websites used for cloud services.

But purchase cards are still frequently used to purchase unapproved technology. If purchase card use is unavoidable in some cases, the city should have a clear policy and procedure for using them, including workflows for Technology Services approval and monitoring.

“There is a lot of potential for something to go wrong here,” Auditor O’Brien said. “It’s in all of our best interest to have a properly functioning technology system.”

Technology Services should also create clear definitions for what constitutes a “technology purchase” and ensure city employees and agencies are educated about which purchases need Technology Services’ approval.

At the time of our audit, Technology Services relied on definitions in the executive order, which defines technology as any software, hardware, or cloud service that connects to the network. However, it does not address specific technologies like audio equipment, computer peripherals like web cams, and subscription services like newspapers.

Technology Services agreed with all six of our recommendations to improve the approval, monitoring, and education process for making technology purchases throughout the city.
