Audit Finds Palo Alto Insufficiently Prepared For Cyber Threats




Palo Alto city leaders often tout the city’s reputation as a technological powerhouse, but when it comes to preventing cybersecurity threats at City Hall, the city still has a long way to go.

That is according to a new audit by Baker Tilly, the firm that acts as the city’s auditor and which, in 2020 and 2021, conducted an in-depth review of the city’s IT landscape. Its audit concluded that the city lacks a risk management framework to identify key threats and proactively address them. It also found that the city does not have a formal disaster recovery plan; that the management of the “playbook” program in its IT operation is obsolete; and that the city’s inability to “wipe” lost or stolen cell phones “may result in the unintentional disclosure of confidential organizational data to a malicious attacker”.

The good news for the city is that none of the issues identified by Baker Tilly’s audit as risks reach the “critical” level – the most urgent category. The bad news is that many of them are considered to be “high” risk. The areas of Palo Alto’s IT operation identified as “high” risk are disaster recovery, malware defense, mobile device management, and incident response. Also included in this category is “strategy and governance”, which refers to the interplay between the day-to-day IT operation of the city and its overall needs and priorities.

The dominant theme among the various audit recommendations is that the city’s IT operation suffers from insufficient strategic planning and a lack of proactive preparation.

“The City currently has no formal IT risk management practices,” the audit said. “Typically, day-to-day operational controls are in place to mitigate IT risks, but gaps may still exist for unidentified IT risks, resources may not be prioritized to higher risk areas or strategically aligned, and the senior management or oversight bodies may not be made aware in a timely manner of the risks affecting the City.”

The audit argues that an effective IT strategy can bring many benefits to the city, including lower costs, better control, more efficient use of resources and better risk management. Failure to define the city’s threat landscape, it notes, can result in an inability to protect and respond when an event occurs.

“Understanding the threats to the city’s strategic plan is essential to ensure that risk management controls add value to the risk management process. Failure to define the City’s threat landscape can result in the inability to protect and respond to an event. Disruptions in technology and unmitigated risks can prevent or delay residents from receiving vital services,” the audit said.

The audit notes that the city already has an existing strategic document that identifies and prioritizes critical assets. However, the city has not identified employee responsibilities or developed action plans for its city-wide strategy. Nor has it developed metrics to assess whether the plan’s goals are being met.

While the audit analyzed the city’s controls and practices regarding information security, these details are redacted from the publicized audit. However, the audit details the risk factors associated with each category. With regard to “strategy and governance”, the risks to the city include IT service delivery that is not aligned with the organization; the audit also cites the possibility that the city council and general management are not aware of IT risks and their seriousness.

One of the audit recommendations is that the city review and update its disaster recovery plan based on the current IT environment. This plan should include, among other things, measures to manage offline communication and accessibility of buildings, software and hardware failures, downtime and data loss. It would also designate roles during disasters such as cyber attacks and environmental disasters.

In response to the audit, city staff largely agreed with its findings and noted that the city is currently in the process of recruiting a consultant who will help develop a new three-year IT strategy. The process, according to the city, “will involve all departments to identify critical services and software required for service delivery.”

The new audit comes at a time when several municipal operations are preparing to make major technological leaps. These include a dramatic extension of the city’s fiber network to create a municipal broadband service; a switch to “smart meters” for electricity, gas and water customers; and the Office of Transportation’s adoption of automated license plate readers and guidance systems in local garages.

The Board Policy and Services Committee is scheduled to discuss the new audit at its October 12 meeting.


