I n f o r m a t i o n S y s t e m s C y b e r s e c u r i t y A s s e s s m e n t

Similar documents
FOLLOW-UP REPORT Industrial Control Systems Audit

STATE OF NORTH CAROLINA

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Internal Audit Department

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

In 2017, the Auditor General initiated an audit of the City s information technology infrastructure and assets.

BOARD OF COUNTY COMMISSIONERS

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

Title of Nomination: Security Policies and Standards Project/System Manager: Donna Crutcher Title: State Security Manager Agency: Department:

IS Audit and Assurance Guideline 2001 Audit Charter

STATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA FAYETTEVILLE STATE UNIVERSITY

Information Technology General Control Review

UNIVERSITY OF NORTH CAROLINA CHAPEL HILL

SOC for cybersecurity

NYS DFS Cybersecurity Requirements. Stephen Head Senior Manager Risk Advisory Services

Predstavenie štandardu ISO/IEC 27005

UNIVERSITY OF NORTH CAROLINA CHARLOTTE

STATE OF NORTH CAROLINA

Table of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING

Certified Information Systems Auditor (CISA)

REPORT Bill Bradbury, Secretary of State Cathy Pollino, Director, Audits Division

FDIC InTREx What Documentation Are You Expected to Have?

Cybersecurity & Privacy Enhancements

PUBLIC UTILITIES COMMISSION:

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

Subject: University Information Technology Resource Security Policy: OUTDATED

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

IS Audit and Assurance Guideline 2002 Organisational Independence

Position Description IT Auditor

SALARY $ $72.54 Hourly $3, $5, Biweekly $8, $12, Monthly $103, $150, Annually

Request for Proposal (RFP)

Certified Information Security Manager (CISM) Course Overview

REVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009

REPORT 2015/149 INTERNAL AUDIT DIVISION

Contracting for an IT General Controls Audit

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Sage Data Security Services Directory

Postal Inspection Service Mail Covers Program

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

Department Of Public Utilities Multi Vendor Reading System (MVRS) 12 Months ended December 31, 2011

IT Strategic Planning: Making Your IT Organization Efficient and Effective

NERC Staff Organization Chart

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

From Russia With Love

NATIONAL INFRASTRUCTURE COMMISSION CORPORATE PLAN TO

IT Vulnerabilities: What an IT Auditor Should be Thinking About

ISA99 - Industrial Automation and Controls Systems Security

Credit Card Data Compromise: Incident Response Plan

NERC Staff Organization Chart Budget

Three Year Follow up Request to Grand Jury Updated March 2, 2018

CISA Training.

Interpreting the FFIEC Cybersecurity Assessment Tool

DUNS CAGE 5T5C3

General Information Technology Controls Follow-up Review

The Texas A&M University System Internal Audit Department MONTHLY AUDIT REPORT

Information for entity management. April 2018

Information Technology Audit

Plenary Session: Branch Cybersecurity Controls Thursday, February 22 1:15 p.m. 2:15 p.m.

REPORT 2015/010 INTERNAL AUDIT DIVISION

Disaster Recovery Planning. Office of Information Technology Services

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Information Security Continuous Monitoring (ISCM) Program Evaluation

Security and Privacy Governance Program Guidelines

Any observations not included in this report were discussed with your staff at the informal exit conference and may be subject to follow-up.

Bringing Cybersecurity to the Boardroom Bret Arsenault

Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED.

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

Vulnerability Assessments and Penetration Testing

Security Survey Executive Summary October 2008

REPORT 2015/186 INTERNAL AUDIT DIVISION

COURSE BROCHURE CISA TRAINING

POSITION DESCRIPTION

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment

Emerging Issues: Cybersecurity. Directors College 2015

Opportunities to Integrate Technology Into the Classroom. Presented by:

Information Security Officer (ISO) Education

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

External Supplier Control Obligations. Cyber Security

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

Information Security Policy

Exploring Emerging Cyber Attest Requirements

Understanding and Evaluating Service Organization Controls (SOC) Reports

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

Global Statement of Business Continuity

Federal Acquisition Service Authorized Federal Supply Schedule Price List

NYDFS Cybersecurity Regulations

Courses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X

No IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP

Tech Advantage Benchmarking Your Cyber Security Program. March 5, 2014

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

KENYA SCHOOL OF GOVERNMENT EMPLOYMENT OPORTUNITY (EXTERNAL ADVERTISEMENT)

EVALUATION AND APPROVAL OF AUDITORS. Deliverable 4.4.3: Design of a governmental Social Responsibility and Quality Certification System

OF ACCOUNTANTS IAASB CAG MEETING MARCH 7, 2011

Cloud Vendor Security Risk Assessments: An Update from the HEISC Shared Assessments Working Group. Charles Escue, Indiana University

Application for Certification

Transcription:

ASSESSMENT REPORT An Agency of City and County of Denver I n f o r m a t i o n S y s t e m s C y b e r s e c u r i t y A s s e s s m e n t September 2017 Office of the Auditor Audit Services Division City and County of Denver Timothy M. O Brien, CPA Denver Auditor

The Auditor of the City and County of Denver is independently elected by the citizens of Denver. He is responsible for examining and evaluating the operations of City agencies and contractors for the purpose of ensuring the proper and efficient use of City resources and providing other audit services and information to City Council, the Mayor, and the public to improve all aspects of Denver s government. The Audit Committee is chaired by the Auditor and consists of seven members. The Audit Committee assists the Auditor in his oversight responsibilities regarding the integrity of the City s finances and operations, including the reliability of the City s financial statements. The Audit Committee is structured in a manner that ensures the independent oversight of City operations, thereby enhancing citizen confidence and avoiding any appearance of a conflict of interest. Audit Committee Timothy M. O Brien, CPA, Chairman Rudolfo Payan, Vice Chairman Jack Blumenthal Leslie Mitchell Florine Nath Charles Scheibe Ed Scholz Audit Management Timothy M. O Brien, CPA, Auditor Valerie Walling, CPA, CMC, Deputy Auditor Heidi O Neil, CPA, CGMA, Director of Financial Audits Kevin Sear, CPA, CIA, CISA, CFE, CGMA, Audit Manager Audit Team Shannon Kuhn, CISA, Audit Supervisor Jared Miller, CFE, CISA, Lead Auditor Nick Jimroglou, CISA, Lead Auditor Contractors Cornerstone Partners Bill Evert, Partner Donald McLaughlin, Lead Consultant Brian Cather, Lead Consultant You can obtain copies of this report by contacting us: Office of the Auditor 201 West Colfax Avenue, #705 Denver CO, 80202 (720) 913-5000 Fax (720) 913-5247 Or download and view an electronic copy by visiting our website at: www.denvergov.org/auditor Report year: 2017

City and County of Denver 201 West Colfax Avenue, #705 Denver, Colorado 80202 720-913-5000 Fax 720-913-5253 www.denvergov.org/auditor AUDITOR S REPORT September 21, 2017 A third party has completed an Information Systems Cybersecurity Assessment. The assessment found some areas of strength, and some areas that need improvement, which have been communicated to the City s Technology Services department for further evaluation. This assessment is authorized pursuant to the City and County of Denver Charter, Part 2, Section 1, General Powers and Duties of Auditor We extend appreciation to Technology Services and the personnel who assisted and cooperated with us during the assessment. Denver Auditor s Office Timothy M. O Brien, CPA Auditor Page 1 Timothy M. O Brien, CPA Denver Auditor

Cornerstone Partners LLC 1550 Larimer St. Suite 129 Denver, CO 80202 www.cpcyber.com 303-226-7029 An Agency of City and County of Denver - Information Systems Cybersecurity Assessment September 21, 2017

An Agency of City and County of Denver Information Systems Cybersecurity Assessment Background Cornerstone Partners LLC ( Cornerstone ) was tasked by the Auditor to evaluate the Information Systems cybersecurity of an agency of the City and County of Denver ( City ) for Technology Services and the Auditor's Office. As part of deliverables, Cornerstone will present a report to the Audit Committee and findings will be sent to Technology Services. The results of the report will be limited to discussing any findings, vulnerabilities and risks found on an agency of the City and County of Denver. A key to this improvement process is balancing the need for public access and transparency, while managing the implementation of both centralized and decentralized cybersecurity strategies. Currently, the City has a decentralized approach to information systems requirements, which affects how risk is approached and managed by the City. When applying and evaluating the information systems cybersecurity for the agency of the City, one must weigh how the results of this assessment would influence the understanding of their overall risk levels and vulnerabilities. This understanding will help drive the allocation of valuable resources that are required for maintaining and actively improving its information system requirements and capabilities. The differing approaches to risk tolerance, levels of maturity between offices and departments, and the public facing requirement of the City affects the way they implement control measures and risk control processes.

Scope of Work The scope of this engagement began with understanding the current posture of the agency of the City. The City s operating requirements of openness, transparency, and accessibility was crucial in understanding the scope of work. Cornerstone understands how the City must balance the public facing data requirements with the need to protect and ensure the confidentiality, integrity, and availability of data on its information systems. This engagement focused on assessing the information systems cybersecurity of an agency of the City utilizing the National Institute of Science and Technology (NIST) Cybersecurity Framework (figure 1). Figure 1 The Methodology Cornerstone collected evidence and performed testing to enable an effective cybersecurity assessment of the agency of the City and County of Denver. The NIST methodology uses five key functional process areas of cybersecurity; however, the fourth and fifth key functional process areas, event response and event recovery, were not in scope during this engagement. The areas in scope included: Risk Identification: Tools, strategies, and techniques for the identification and tracking of potential risks, and the organization s willingness to accept cybersecurity risk. Event Protection and Prevention: Tools, strategies, and techniques used to safeguard and ensure delivery of critical information technology infrastructures and systems. Event Detection: Tools, strategies, and techniques used to detect potential and actual occurrences of a cybersecurity event taking place, or an event that has taken place.

The Results The assessment incorporated three parts: wireless, application, and network security. Wireless security would include any WiFi Access Points or the configuration of wireless networks at the agency s locations. The application security would include any configurations of applications that are critical to the agency s mission. The network security would include any device, connection, or asset the agency s employees could access. Risk Identification The risk identification function contains the basic ground work for understanding and managing cybersecurity risk to assets, data, and systems capabilities. Event Protection and Prevention The event protection and prevention function is focused on helping the organization develop and implement safeguards to reduce the impact of a potential cybersecurity event. Event Detection The event detection function is focused on assisting the organization on developing and implementing safeguards to detect the presence of a cybersecurity threat. By detecting cybersecurity events in a timely manner, the organization can reduce the potential impact the threat can have on the organization. Conclusion Cornerstone assessed the cybersecurity of an agency of the City and County of Denver for the Auditor and Technology Services. Cornerstone utilized the NIST Cybersecurity Framework and identified strengths and weaknesses using the three-aforementioned key functional process areas of cybersecurity. A combined assessment of strengths and weaknesses in these three process areas was communicated to Technology Services and the Auditor. Additionally, Cornerstone s assessment of the agency of the City, along with the associated findings, were reported to Technology Services.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback