Information Technology Risk Management


Objective

  • To assess how well the city’s information technology risk management program identifies, assesses, and addresses risk citywide.
  • To determine whether the city’s Technology Services agency has created necessary guidance for staff to understand their roles and responsibilities and sufficiently manage information technology risk.

Background

Managing information technology risk requires the City and County of Denver and its Technology Services agency to identify, assess, and respond to potential threats and vulnerabilities.

A risk management program documents potential cyber threats, data breaches, system failures, and other hazards that threaten the confidentiality, integrity, and availability of systems and city services. With this information, leaders are empowered to address risk based on available resources.

Why this matters

In 2021, Denver’s mayor authorized Technology Services to manage all technology that operates on or connects to the city’s network. But disputes with some agencies about Technology Services’ authority over their connected subnetworks limit Technology Services’ ability to identify all potential risks.

Without a comprehensive, citywide information technology risk management framework, Technology Services officials cannot have the full knowledge they need to deploy available resources in the most effective manner and respond appropriately to technology threats citywide.

Findings

FINDING — Technology Services lacks a citywide comprehensive information technology risk management program

The city’s Technology Services agency has no citywide comprehensive information technology risk management framework, and it lacks full cooperation from some agencies and city staff. This prevents Technology Services from having a complete understanding of potential risks and vulnerabilities across the city.

Although Technology Services assesses risks for most systems it directly manages, the agency does not have defined ways to work with agencies outside its control to ensure risks are identified, assessed, and responded to. Specifically, we found:

  • No periodic, comprehensive, and citywide information technology risk assessment and no authorization for a citywide risk management executive to take the lead.
  • No comprehensive, citywide information technology risk management policy or specific procedures.
  • No documented roles and responsibilities — or training program — for Technology Services’ agency relationship managers and other staff responsible for information technology risk management.
  • No source of record to assess and monitor information technology risks.
  • No partnerships with independent agencies to share data about potential risks.
  • Inconsistent completion of mandatory cybersecurity awareness training across city agencies.

Recommendations

1.1 Designate a responsible executive – The city’s Technology Services agency should designate a leader who is responsible for developing and implementing a comprehensive, citywide information technology risk assessment as part of a formal risk management program. To ensure this leader can effectively implement the program, Technology Services officials should empower this person to enhance the citywide information technology risk management policy as well as develop associated standards and procedures, as noted in Recommendation 1.2.

Agency Response – Agree; Implementation expected by Sept. 30, 2024

1.2 Develop a citywide risk assessment process – The city’s Technology Services agency should establish and document a process for a comprehensive, citywide information technology risk assessment that includes the city’s cultural facilities and independent agencies and that identifies all critical- and high-rated risks.

This risk assessment process should include:

  • Working with and collecting risks from all agency and Technology Services staff who are tasked with information technology risk management activities.
  • Presenting those risks to executive leadership teams within Technology Services and individual city agencies.
  • Creating a process to determine how to rank and respond to each risk.
  • Defining roles and responsibilities — and any other pertinent and related policies and procedures — to identify and collect information technology risks, report them in a risk register, and escalate critical- and high-rated risks to Technology Services leaders.

This process should complement the updated information technology risk management policy called for in Recommendation 1.3.

Agency Response – Agree; Implementation expected by June 30, 2025

1.3 Update existing policy – The city’s Technology Services agency should update the information technology risk management policy to incorporate a comprehensive, citywide information technology risk assessment process.

At a minimum, this updated policy should address:

  • Implementing a periodic, citywide information technology risk assessment.
  • Documenting processes to identify, document, monitor, and resolve citywide information technology risks.
  • Defining roles and responsibilities for all staff who perform information technology risk management functions.
  • Requiring information technology risk management training for all employees involved in managing information technology risks.

Agency Response – Agree; Implementation expected by Dec. 31, 2024

1.4 Create a single source of record – The city’s Technology Services agency should create a centralized system to serve as a single source of record in tracking and monitoring information technology risks as part of the comprehensive risk assessment called for in Recommendation 1.2. Technology Services should also continuously monitor and update this source of record — including with the status of remediation efforts — and periodically inform Technology Services executive leaders of progress throughout the year.

At a minimum, this centralized system should contain all critical- and high-rated risks identified throughout the city during the comprehensive, citywide information technology risk assessment as well as any additional risks identified throughout the year.

Agency Response – Agree; Implementation expected by June 30, 2025

1.5 Develop risk management training – The city’s Technology Services agency should develop a training program for employees tasked with information technology risk management. At a minimum, this training should cover defined roles and responsibilities and provide guidance on documenting risks, communicating risks to leaders, and following up on a risk’s mitigation status.

Agency Response – Agree; Implementation expected by June 30, 2025

1.6 Create written information-exchange agreements – In line with federal guidance, the city’s Technology Services agency should take the following steps so it can realize a citywide understanding of potential threats and vulnerabilities to the city’s networks and technology infrastructure:

  1. Technology Services should work with the Mayor’s Office and the City Attorney’s Office to create information-exchange agreements between Technology Services and any independent agencies not required to comply with Executive Order No. 18. These agreements should establish a formal process to share information about critical- and high-rated technology risks, with clear roles and responsibilities for both parties. The agreements should include the information or data to be exchanged including the identified risks and a risk rating for each, any security and privacy requirements, and relevant controls.
  2. If an independent agency does not agree to share risks through a signed information-exchange agreement, then Technology Services should report this lack of cooperation to the mayor so the mayor can determine timely next steps to gain the independent agency’s cooperation.
  3. If the mayor declines to act, then Technology Services should consider asking the City Council for support through a city ordinance that would bolster the city’s ability to manage information technology risks. In that event, Technology Services should document its decision whether to seek support from the council.

Agency Response – Agree; Implementation expected by June 30, 2025

1.7 Enforce acceptable use agreements and cybersecurity awareness training – In addition to ensuring cybersecurity awareness training is delivered to all required network users, the city’s Technology Services agency should develop a communications and enforcement strategy to ensure that employees citywide sign the acceptable use agreement and complete the required quarterly cybersecurity training.

To ensure this enforcement strategy is effective, Technology Services should:

  1. Provide warning notices before each quarterly deadline to any users who have not yet completed the assigned training.
  2. Notify the users’ managers of the incomplete training.
  3. Escalate the names of any users who fail to complete the required trainings to their respective agency’s executive leaders.
  4. Include the citywide cybersecurity completion percentage as a metric in the annual performance evaluation for Technology Services leaders.

Agency Response – Agree; Implementation expected by Feb. 1, 2025

Auditor's Letter

June 20, 2024

We audited how the city’s Technology Services agency handles information technology risks and how effectively it oversees a comprehensive risk assessment process to track and address information technology risks citywide. I now present the results of this audit.

The audit found Technology Services lacks several key components to effectively assess citywide information technology risks. Specifically, the policy and procedures for information technology risk management are incomplete, roles and responsibilities are not clearly defined, and no central system of record exists to track how city staff address information technology risks. Additionally, Technology Services is not fully using its authority to oversee all technology on the city’s network, and it is not ensuring all city employees consistently complete mandatory cybersecurity awareness training to do their part in protecting city systems.

By implementing recommendations to strengthen policies, create procedures, provide training, and establish partnerships with independent agencies through information-exchange agreements, Technology Services will be better able to monitor and mitigate all information technology risks citywide.

This performance audit is authorized pursuant to the City and County of Denver Charter, Article V, Part 2, Section 1, “General Powers and Duties of Auditor.” We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

We appreciate the leaders and team members in Technology Services who shared their time and knowledge with us during the audit. Please contact me at 720-913-5000 with any questions.

Timothy O'Brien, CPA
Denver Auditor


Denver Auditor's Office

201 W. Colfax Ave. #705 Denver, CO 80202
Email: auditor@denvergov.org
Call: 720-913-5000
