|
Getting your Trinity Audio player ready...
|
Palo Alto’s city leaders often tout the city’s reputation as a technological powerhouse, but when it comes to preventing cybersecurity threats at City Hall, the city has plenty of room for improvement.
That’s according to a new audit from Baker Tilly, the agency that serves as the city auditor and that in 2020 and 2021 conducted a thorough review of the city’s information technology landscape. Its audit concluded that the city lacks a risk framework to identify key threats and proactively address them. It also found that the city does not have a formal disaster recovery plan; that the “playbook” program management in its information-technology (IT) operation is outdated; and that the city’s inability to “wipe” mobile phones that get lost or stolen “may result in the unintentional disclosure of confidential organizational data to a malicious attacker.”
The good news for the city is that none of the issues that the Baker Tilly audit identifies as risks rise to the “critical” level – the most urgent category. The bad news is that numerous are deemed to be “high” risk. Areas in Palo Alto that were singled out as “high” risk are disaster recovery, malware defense, mobile device management and incident response. Also included in this category is “strategy and governance,” which refers to the interplay between the city’s day-to-day IT operation and its broad needs and priorities.
The overarching theme among the audit’s various recommendations is that the city’s IT operation suffers from insufficient strategic planning and a lack of proactive preparation.
“The City does not currently have formal IT risk management practices,” the audit states. “In general, day-to-day operational controls are in place to mitigate IT risks, but gaps may still exist for unidentified IT risks, resources may not be prioritized to higher risk or strategically aligned areas, and senior management or oversight bodies may not receive timely awareness of risks affecting the City.”
The audit argues that an effective IT strategy can bring many benefits to the city, including lower costs, greater control, more efficient use of resources and better risk management. Failure to define the city’s threat landscape, it notes, may result in an inability to protect against and respond when an event occurs.
“Understanding the threats to the City’s strategic plan is essential to ensuring risk management controls add value to the risk management process. Failure to define the City’s threat landscape may result in the inability to protect against and respond in the instance where an event occurs. Disruptions in technology and unmitigated risks may prevent or delay residents from receiving vital services,” the audit states.
The audit notes that the city already has an existing strategic document that identifies and prioritizes critical assets. However, the city has not identified employee responsibilities or developed action plans pertaining to its citywide strategy. It also has not developed metrics to evaluate whether the plan’s objectives are being met.
While the audit analyzed the city’s controls and practices pertaining to information security, these details are redacted from the publicly released audit. The audit does, however, detail the risk factors associated with each category. On “strategy and governance,” the city’s risks include having IT service delivery that is misaligned with the organization; it also cites the possibility the City Council and executive management would be unaware of IT risks and their severity.
Among the audit’s recommendations is that the city revisit and update its disaster-recovery plan based on the current IT environment. This plan should include, among other things, measures to address offline communication and building accessibility, software and hardware failures, downtime and data loss. It would also designate roles during disasters such as cyberattacks and environmental catastrophes.
In responding to the audit, city staff largely agreed with its findings and noted that the city is now in the process of procuring a consultant who will help develop a new three-year IT strategy. The process, according to the city, will “involve all departments to identify critical services and software required for service delivery.”
The new audit comes at a time when several municipal operations are preparing to make major technological leaps. These include a dramatic expansion in the city’s fiber network to create a municipal broadband service; a transition to “smart meters” for electricity, gas and water customers; and the Office of Transportation’s adoption of automated license plate readers and guidance systems at local garages.
The council’s Policy and Services Committee is scheduled to discuss the new audit at its Oct. 12 meeting.
Preaching to the choir here.
No surprise here since for years the city couldn’t be bothered to test its systems for traffic alerts so we can avoid road construction, utility rebates, reporting problems with storm drains etc. before releasing them to us so we can waste our time and that of our plumbers and contractors.
And those are just the few systems with which I have personal experience.
How absurd that the city has for years designed systems that can’t be queried by addresses to see how long a problem has existed and/or to see if something’s finally been repaired.
But that’s why they get the big bucks and lucrative retirement plans.
QUOTE: “…the city is now in the process of procuring a consultant who will help develop a new three-year IT strategy.”
A typical City of Palo Alto strategy…hire a consultant to do what its internal and highly paid administrators are incapable of doing.
I would imagine that the city has an MIS Director responsible for overseeing firewalls, inter/intranet security, and misplaced smartphones.
Curious…how much will this three-year consultant service contract cost the city (aka PA taxpayers) and will the implementation of further cyber-security measures be effective for at least five years?
Just guessing but probably not.
Hey, maybe our last highly paid IT czar is still available, you know — the guy who went to Oracle after doing Oracle’s bidding while being paid by Palo Alto and who suddenly left when his conflicts of interest surfaced.