Denver Auditor Timothy O’Brien warned that the city should revise its outdated information technology policies and ensure that the Department of Transportation and Infrastructure has adequate security over the systems that manage billions of dollars’ worth of city assets.
“We are operating in the past,” said O’Brien. “Technology Services needs to be able to take the lead to ensure a uniform approach to cybersecurity.”
In a report released on Thursday, auditors found that Executive Order 18 from 2005, which gave the Technology Services agency oversight of the city’s technology, was vague and outdated. The order failed to give the agency “the explicit authority to create and enforce policies” for risk controls across agencies.
Auditors also found that the Department of Transportation and Infrastructure, formerly the Department of Public Works, was using spreadsheets without effective safeguards to keep track of $2.8 billion of assets.
“Lacking these controls creates a higher cybersecurity risk, because a weakness in a system may allow a hacker to gain access,” O’Brien’s office cautioned. “Once an attacker has access to a system connected to the city’s network, the intruder can access the entire city network. This places the whole city at risk of a ransomware attack or loss of city data.”
The report pointed out that technology has changed drastically since 2005, and that leaving each city agency to devise its own safeguards heightens the security risk. Auditors concluded it was “very likely” that a “significant” number of the city’s 493 software applications have similar deficiencies.
The Technology Services agency agreed with the findings and indicated it would implement the auditors’ recommendations by July 2020.
Within the former Department of Public Works’ software programs, the auditors also discovered the lack of a formal process for adding, reviewing and removing access for users.
The department was “unaware” of whether it needed a protocol for removing unpaid summer interns’ access at the end of their internships. To illustrate the importance of proper controls, auditors cited the 2009 conviction of a state Department of Revenue employee for embezzling $11 million through other users’ accounts and inactive accounts.
The department agreed to implement the recommendations by June 2020.