NEWSLETTERS
SUBSCRIBE
Colorado Politics

Print Edition

Log in
My Account
Log in
Subscribe
My Account
Log in

Denver auditor warns of cybersecurity threat from lack of updated IT policies

By 01/24/2020 | updated 6 years ago
Denver Auditor Timothy O'Brien

Denver Auditor Timothy O’Brien warned that the city should revise its outdated information technology policies, and ensure that the Department of Transportation and Infrastructure has adequate security over the systems that manage billions of dollars worth of city assets.

“We are operating in the past,” said O’Brien. “Technology Services needs to be able to take the lead to ensure a uniform approach to cybersecurity.”

In a report released on Thursday, auditors found that Executive Order 18 from 2005, which gave the Technology Services agency oversight of the city’s technology, was vague and outdated. The order failed to give the agency “the explicit authority to create and enforce policies” for risk controls across agencies.

Auditors also found that the Department of Transportation and Infrastructure, formerly the Department of Public Works, was using spreadsheets without effective safeguards to keep track of $2.8 billion of assets.

“Lacking these controls creates a higher cybersecurity risk, because a weakness in a system may allow a hacker to gain access,” O’Brien’s office cautioned. “Once an attacker has access to a system connected to the city’s network, the intruder can access the entire city network. This places the whole city at risk of a ransomware attack or loss of city data.”

The report pointed out that technology has changed drastically since 2005, and it heightens the security risk when each city agency is left to devise its own safeguards. Auditors concluded it was “very likely” that a “significant” number of the city’s 493 software applications have similar deficiencies.

The Technology Services agency agreed with the findings and indicated it would implement the auditors’ recommendations by July 2020.

Within the former Department of Public Works’ software programs, the auditors also discovered the lack of a formal process for adding, reviewing and removing access for users.

The department was “unaware” of whether it needed a protocol for removing unpaid summer interns’ access at the end of their internships. To illustrate the importance of proper controls, auditors cited the 2009 conviction of a state Department of Revenue employee for embezzling $11 million through other users’ accounts and inactive accounts.

The department agreed to implement the recommendations by June 2020.

Denver Auditor Timothy O’Brien
Photo courtesy of the Denver City Auditor’s Office
Tags
Avatar photo
Colorado Politics

Reporter

PREV

PREVIOUS

Colorado among states with highest rate of per capita marijuana dispensaries

Of the 33 states that have legalized retail and/or medical marijuana, Colorado has one of the highest rates of per capita dispensaries, as well as tax revenue. Verilife, a dispensary company with locations in six states, found that Colorado had 14.1 dispensaries per 100,000 residents as of 2018. That trailed three other states: Oregon, with […]

NEXT

NEXT UP

Kindergarten enrollment rises by nearly 12,000 in 2019

In the 2019-2020 school year, there were 11,913 more children enrolled in kindergarten than in the previous year, which the Colorado Department of Education attributed to a new full-day kindergarten funding law. Prior to House Bill 19-1262, the state only paid for 58% of the cost of kindergarten. Now, the cost is covered completely. “Thanks […]
Welcome Back.

Streak: 9 days i

Stories you've missed since your last login:

Stories you've saved for later:

Recommended stories based on your interests:

Edit my interests