
Palo Alto is insufficiently prepared for cyberthreats, a new audit finds

Review concludes city's IT operation suffers from dearth of strategic thinking

Palo Alto City Hall. Embarcadero Media file photo

Palo Alto's city leaders often tout the city's reputation as a technological powerhouse, but when it comes to preventing cybersecurity threats at City Hall, the city has plenty of room for improvement.

That's according to a new audit from Baker Tilly, the agency that serves as the city auditor and that in 2020 and 2021 conducted a thorough review of the city's information technology landscape. Its audit concluded that the city lacks a risk framework to identify key threats and proactively address them. It also found that the city does not have a formal disaster recovery plan; that the "playbook" program management in its information-technology (IT) operation is outdated; and that the city's inability to "wipe" mobile phones that get lost or stolen "may result in the unintentional disclosure of confidential organizational data to a malicious attacker."

The good news for the city is that none of the issues the Baker Tilly audit identifies as risks rise to the "critical" level – the most urgent category. The bad news is that numerous issues are deemed "high" risk. The areas in Palo Alto singled out as "high" risk are disaster recovery, malware defense, mobile device management and incident response. Also included in this category is "strategy and governance," which refers to the interplay between the city's day-to-day IT operation and its broad needs and priorities.

The overarching theme among the audit's various recommendations is that the city's IT operation suffers from insufficient strategic planning and a lack of proactive preparation.

"The City does not currently have formal IT risk management practices," the audit states. "In general, day-to-day operational controls are in place to mitigate IT risks, but gaps may still exist for unidentified IT risks, resources may not be prioritized to higher risk or strategically aligned areas, and senior management or oversight bodies may not receive timely awareness of risks affecting the City."


The audit argues that an effective IT strategy can bring many benefits to the city, including lower costs, greater control, more efficient use of resources and better risk management. Failure to define the city's threat landscape, it notes, may result in an inability to protect against and respond when an event occurs.

"Understanding the threats to the City's strategic plan is essential to ensuring risk management controls add value to the risk management process. Failure to define the City's threat landscape may result in the inability to protect against and respond in the instance where an event occurs. Disruptions in technology and unmitigated risks may prevent or delay residents from receiving vital services," the audit states.

The audit notes that the city already has an existing strategic document that identifies and prioritizes critical assets. However, the city has not identified employee responsibilities or developed action plans pertaining to its citywide strategy. It also has not developed metrics to evaluate whether the plan's objectives are being met.

While the audit analyzed the city's controls and practices pertaining to information security, these details are redacted from the publicly released audit. The audit does, however, detail the risk factors associated with each category. On "strategy and governance," the city's risks include having IT service delivery that is misaligned with the organization; it also cites the possibility the City Council and executive management would be unaware of IT risks and their severity.

Among the audit's recommendations is that the city revisit and update its disaster-recovery plan based on the current IT environment. This plan should include, among other things, measures to address offline communication and building accessibility, software and hardware failures, downtime and data loss. It would also designate roles during disasters such as cyberattacks and environmental catastrophes.


In responding to the audit, city staff largely agreed with its findings and noted that the city is now in the process of procuring a consultant who will help develop a new three-year IT strategy. The process, according to the city, will "involve all departments to identify critical services and software required for service delivery."

The new audit comes at a time when several municipal operations are preparing to make major technological leaps. These include a dramatic expansion in the city's fiber network to create a municipal broadband service; a transition to "smart meters" for electricity, gas and water customers; and the Office of Transportation's adoption of automated license plate readers and guidance systems at local garages.

The council's Policy and Services Committee is scheduled to discuss the new audit at its Oct. 12 meeting.


by / Palo Alto Weekly

Uploaded: Thu, Oct 7, 2021, 8:25 am

Comments

Bystander
Registered user
Another Palo Alto neighborhood
on Oct 7, 2021 at 11:29 am

Preaching to the choir here.


Online Name
Registered user
Embarcadero Oaks/Leland
on Oct 7, 2021 at 12:26 pm

No surprise here since for years the city couldn't be bothered to test its systems for traffic alerts so we can avoid road construction, utility rebates, reporting problems with storm drains etc. before releasing them to us so we can waste our time and that of our plumbers and contractors.

And those are just the few systems with which I have personal experience.

How absurd that the city has for years designed systems that can't be queried by addresses to see how long a problem has existed and/or to see if something's finally been repaired.

But that's why they get the big bucks and lucrative retirement plans.


R. Cavendish
Registered user
another community
on Oct 7, 2021 at 1:05 pm

QUOTE: "...the city is now in the process of procuring a consultant who will help develop a new three-year IT strategy."

A typical City of Palo Alto strategy...hire a consultant to do what its internal and highly paid administrators are incapable of doing.

I would imagine that the city has an MIS Director responsible for overseeing firewalls, inter/intranet security, and misplaced smartphones.

Curious...how much will this three-year consultant service contract cost the city (aka PA taxpayers) and will the implementation of further cyber-security measures be effective for at least five years?

Just guessing but probably not.


Online Name
Registered user
Embarcadero Oaks/Leland
on Oct 7, 2021 at 1:37 pm

Hey, maybe our last highly paid IT czar is still available, you know -- the guy who went to Oracle after doing Oracle's bidding while being paid by Palo Alto and who suddenly left when his conflicts of interest surfaced.

