Audit: Denver International Airport lacks strong oversight of third-party IT vendors
Denver International Airport lacks strong oversight of its information technology vendors, potentially exposing the airport to numerous risks, according to a new audit that uncovered several lapses and inconsistencies.
“The audit revealed the airport inadequately monitors its information technology vendors. It has no documented policies, procedures, or training plans for monitoring vendors, and the airport lacks a centralized system to track technology vendors,” Auditor Timothy O’Brien wrote in a memo outlining the audit’s findings.
“We also found the airport does not require service-level agreements in each technology contract, does not consistently document lessons learned after major incidents, and does not evaluate compliance with service-level objectives within its system of record,” he said.
Airport authorities said they agree with the auditors’ recommendations and are working toward remedying issues identified in the audit report.
The airport hosts almost 250 third-party vendors operating IT systems, such as bagging, handling, badging, and security. Airport technology vendors provide everyday services, notably software solutions, technical support and security.
These systems also help oversee cybersecurity, the audit noted.
The report on the airport’s system for information technology vendors follows a 2022 citywide audit in the same area, which found the city faced similar issues with a lack of comprehensive oversight of third parties. After that audit, the city issued a new vendor management policy.
The latest audit focused on the airport’s Business Technologies Division. Auditors found the unit has neither a comprehensive strategic plan for vendor oversight nor “documented and approved policies and procedures” to guide its employees, enforce requirements and hold technology vendors accountable.
The auditors said the division is also missing the following: training plans to educate staffers about how best to monitor technology vendors, a centralized list of vendors, and procedures to periodically assess risks around security and architectural controls.
The auditors also found that the division does not hold vendors accountable by, for example, requiring service level agreements and objectives in technology contracts. It also does not consistently document lessons learned after major incidents or evaluate compliance with objectives.
Ultimately, the auditors said, the division’s delay in establishing a comprehensive governance structure for vendor management “puts Denver International Airport at risk of not getting what it pays for from its technology vendors and potentially exposes the airport to vulnerabilities.”
The lack of accountability risks damaging the airport’s “reputation,” auditors said, adding the airport could also lose revenue because of repeat incidents or recurring issues.
The auditors said they found, for example, that the airport was not assessing risks on a regular basis, increasing the possibility of accidental system exposure to hackers.
“Outsourcing work and expertise makes sense to efficiently use resources, but that shouldn’t mean outsourcing accountability,” O’Brien said in a statement. “The airport has a consistent history of lax oversight for its vendors and that can create significant risk when it comes to information technology.”
O’Brien added: “Cybersecurity should be an urgent priority for every department and agency in the City and County of Denver. Denver’s information technology teams are doing a good job of stopping attacks every day, but it is every division’s job to close every door and stop every risk that they can.”
O’Brien noted the public’s increased reliance on technology when traveling, notably web applications and data that third-party vendors provide via the internet. He said one of the airport’s highest priorities should be regular review of vendors for their existing security safeguards.
“Every app, every online service, every digital tool the city uses has to be monitored for cybersecurity and cost control,” O’Brien said. “Although city managers are very good at protecting the city, ensuring all possible safeguards are in place is essential to continued success.”
Airport authorities agreed with the auditor’s recommendations.
They promised to document a vendor management strategic plan, finalize a management policy, and refine procedures clarifying that all technology procurement requires timely review and approval from the Business Technologies division.
They also agreed to implement and document a vendor review process, develop a training plan, and update the airport’s policy and procedures for vendor incidents with an eye toward capturing lessons learned.


luige.delpuerto@gazette.com

