Palo Alto's city leaders often tout the city's reputation as a technological powerhouse, but when it comes to preventing cybersecurity threats at City Hall, the city has plenty of room for improvement.
That's according to a new audit from Baker Tilly, the agency that serves as the city auditor and that in 2020 and 2021 conducted a thorough review of the city's information technology landscape. Its audit concluded that the city lacks a risk framework to identify key threats and proactively address them. It also found that the city does not have a formal disaster recovery plan; that the "playbook" program management in its information-technology (IT) operation is outdated; and that the city's inability to "wipe" mobile phones that get lost or stolen "may result in the unintentional disclosure of confidential organizational data to a malicious attacker."
The good news for the city is that none of the issues that the Baker Tilly audit identifies as risks rise to the "critical" level – the most urgent category. The bad news is that numerous are deemed to be "high" risk. Areas in Palo Alto that were singled out as "high" risk are disaster recovery, malware defense, mobile device management and incident response. Also included in this category is "strategy and governance," which refers to the interplay between the city's day-to-day IT operation and its broad needs and priorities.
The overarching theme among the audit's various recommendations is that the city's IT operation suffers from insufficient strategic planning and a lack of proactive preparation.
"The City does not currently have formal IT risk management practices," the audit states. "In general, day-to-day operational controls are in place to mitigate IT risks, but gaps may still exist for unidentified IT risks, resources may not be prioritized to higher risk or strategically aligned areas, and senior management or oversight bodies may not receive timely awareness of risks affecting the City."
The audit argues that an effective IT strategy can bring many benefits to the city, including lower costs, greater control, more efficient use of resources and better risk management. Failure to define the city's threat landscape, it notes, may result in an inability to protect against and respond when an event occurs.
"Understanding the threats to the City's strategic plan is essential to ensuring risk management controls add value to the risk management process. Failure to define the City's threat landscape may result in the inability to protect against and respond in the instance where an event occurs. Disruptions in technology and unmitigated risks may prevent or delay residents from receiving vital services," the audit states.
The audit notes that the city already has an existing strategic document that identifies and prioritizes critical assets. However, the city has not identified employee responsibilities or developed action plans pertaining to its citywide strategy. It also has not developed metrics to evaluate whether the plan's objectives are being met.
While the audit analyzed the city's controls and practices pertaining to information security, these details are redacted from the publicly released audit. The audit does, however, detail the risk factors associated with each category. On "strategy and governance," the city's risks include having IT service delivery that is misaligned with the organization; it also cites the possibility the City Council and executive management would be unaware of IT risks and their severity.
Among the audit's recommendations is that the city revisit and update its disaster-recovery plan based on the current IT environment. This plan should include, among other things, measures to address offline communication and building accessibility, software and hardware failures, downtime and data loss. It would also designate roles during disasters such as cyberattacks and environmental catastrophes.
In responding to the audit, city staff largely agreed with its findings and noted that the city is now in the process of procuring a consultant who will help develop a new three-year IT strategy. The process, according to the city, will "involve all departments to identify critical services and software required for service delivery."
The new audit comes at a time when several municipal operations are preparing to make major technological leaps. These include a dramatic expansion in the city's fiber network to create a municipal broadband service; a transition to "smart meters" for electricity, gas and water customers; and the Office of Transportation's adoption of automated license plate readers and guidance systems at local garages.
The council's Policy and Services Committee is scheduled to discuss the new audit at its Oct. 12 meeting.