1.1 Designate a responsible executive – The city’s Technology Services agency should designate a leader who is responsible for developing and implementing a comprehensive, citywide information technology risk assessment as part of a formal risk management program. To ensure this leader can effectively implement the program, Technology Services officials should empower this person to enhance the citywide information technology risk management policy as well as develop associated standards and procedures, as noted in Recommendation 1.2.
Agency Response – Agree; Implementation expected by Sept. 30, 2024
1.2 Develop a citywide risk assessment process – The city’s Technology Services agency should establish and document a process for a comprehensive, citywide information technology risk assessment that includes the city’s cultural facilities and independent agencies and that identifies all critical- and high-rated risks.
This risk assessment process should include:
- Working with and collecting risks from all agency and Technology Services staff who are tasked with information technology risk management activities.
- Presenting those risks to executive leadership teams within Technology Services and individual city agencies.
- Creating a process to determine how to rank and respond to each risk.
- Defining roles and responsibilities — and any other pertinent and related policies and procedures — to identify and collect information technology risks, report them in a risk register, and escalate critical- and high-rated risks to Technology Services leaders.
This process should complement the updated information technology risk management policy called for in Recommendation 1.3.
Agency Response – Agree; Implementation expected by June 30, 2025
1.3 Update existing policy – The city’s Technology Services agency should update the information technology risk management policy to incorporate a comprehensive, citywide information technology risk assessment process.
At a minimum, this updated policy should address:
- Implementing a periodic, citywide information technology risk assessment.
- Documenting processes to identify, document, monitor, and resolve citywide information technology risks.
- Defining roles and responsibilities for all staff who perform information technology risk management functions.
- Requiring information technology risk management training for all employees involved in managing information technology risks.
Agency Response – Agree; Implementation expected by Dec. 31, 2024
1.4 Create a single source of record – The city’s Technology Services agency should create a centralized system to serve as a single source of record in tracking and monitoring information technology risks as part of the comprehensive risk assessment called for in Recommendation 1.2. Technology Services should also continuously monitor and update this source of record — including with the status of remediation efforts — and periodically inform Technology Services executive leaders of progress throughout the year.
At a minimum, this centralized system should contain all critical- and high-rated risks identified throughout the city during the comprehensive, citywide information technology risk assessment as well as any additional risks identified throughout the year.
Agency Response – Agree; Implementation expected by June 30, 2025
1.5 Develop risk management training – The city’s Technology Services agency should develop a training program for employees tasked with information technology risk management. At a minimum, this training should cover defined roles and responsibilities and provide guidance on documenting risks, communicating risks to leaders, and following up on a risk’s mitigation status.
Agency Response – Agree; Implementation expected by June 30, 2025
1.6 Create written information-exchange agreements – In line with federal guidance, the city’s Technology Services agency should take the following steps so it can achieve a citywide understanding of potential threats and vulnerabilities to the city’s networks and technology infrastructure:
- Technology Services should work with the Mayor’s Office and the City Attorney’s Office to create information-exchange agreements between Technology Services and any independent agencies not required to comply with Executive Order No. 18. These agreements should establish a formal process to share information about critical- and high-rated technology risks, with clear roles and responsibilities for both parties. The agreements should specify the information or data to be exchanged (including the identified risks and a risk rating for each), any security and privacy requirements, and relevant controls.
- If an independent agency does not agree to share risks through a signed information-exchange agreement, then Technology Services should communicate this lack of cooperation to the mayor so the mayor can determine timely next steps to gain the independent agency’s cooperation.
- If the mayor declines to act, then Technology Services should consider asking the City Council for support through a city ordinance that would bolster the city’s ability to manage information technology risks. In that event, Technology Services should document its decision whether to seek support from the council.
Agency Response – Agree; Implementation expected by June 30, 2025
1.7 Enforce acceptable use agreements and cybersecurity awareness training – In addition to ensuring cybersecurity awareness training is delivered to all required network users, the city’s Technology Services agency should develop a communications and enforcement strategy to ensure that employees citywide sign the acceptable use agreement and complete the required quarterly cybersecurity training.
To ensure this enforcement strategy is effective, Technology Services should:
- Provide warning notices before each quarterly deadline to any users who have not yet completed the assigned training.
- Notify the users’ managers of the incomplete training.
- Escalate the names of any users who fail to complete the required trainings to their respective agency’s executive leaders.
- Include the citywide cybersecurity completion percentage as a metric in the annual performance evaluation for Technology Services leaders.
Agency Response – Agree; Implementation expected by Feb. 1, 2025