Item - 2007.AU4.3

Tracking Status

  • This item was considered by Audit Committee on September 24, 2007. It is being forwarded to City Council without recommendations. It will be considered by City Council on October 22, 2007.

AU4.3 - Internet Usage Review

Decision Type: ACTION
Status: Without Recs
Wards: All

Committee Recommendations

The Audit Committee submits this Item to City Council without recommendation.

Decision Advice and Other Information

The Audit Committee submits the staff recommendations contained in the report (July 31, 2007) from the Auditor General:

The Auditor General recommends that:

1. The Chief Information Officer implement a user authentication system for all users accessing the Internet.

2. The Chief Information Officer, in consultation with the Executive Director of Human Resources Division and the City Solicitor, implement systematic Internet usage monitoring for compliance with the City’s Acceptable Use Policy, including:

   a. developing criteria for Internet use that may not be in compliance with the policy, particularly relating to Internet time, bandwidth usage and visits or attempts to visit inappropriate sites;

   b. utilizing appropriate analysis tools to generate exception reports identifying users with Internet activity deemed to be inappropriate according to established criteria;

   c. providing Divisional management with detailed reports and technical support to facilitate review of apparent violations of the City’s Acceptable Use Policy;

   d. establishing written procedures outlining the types and frequency of management reports on Internet usage and the responsibility for review and follow-up of such reports; and

   e. communicating to all City staff reiterating the City’s Acceptable Use Policy, clarifying the responsibility of the City and users, and advising of the procedures in place to monitor compliance with the Policy.

3. The Chief Information Officer conduct an ongoing review of top sites visited that are likely for personal use, have highly automated activity, or carry security risks such as instant messaging or email and determine whether further site restrictions are warranted.

4. The Chief Information Officer take appropriate steps to ensure Internet connections of all City computers are consistently configured so that Internet logs record all Internet activity of all users but exclude visits to City internal sites.

Origin

(July 31, 2007) Report from the Auditor General

Summary

The objective of this review was to assess compliance with the City’s Acceptable Use Policy with respect to employee Internet usage pertaining to personal use, visits to inappropriate sites and excessive use of resources.

Our review indicated that controls appear adequate in restricting access to inappropriate Internet sites and activities using excessive computing resources. However, there are inadequate controls in monitoring excessive personal use at the individual level. Our review found that approximately 200 users or two per cent of all users appear to have spent excessive time on the Internet for personal use and not in compliance with the Acceptable Use Policy. Management needs to implement system changes and proactive measures to monitor compliance with the Acceptable Use Policy.

Financial Impact

The implementation of recommendations in this report will improve the monitoring for compliance with the City’s Acceptable Use Policy.  It would also improve system efficiency, minimize system security risks, and reduce personal use.  The extent of any resources required to implement the recommendations in this report is not determinable at this time.

Background Information

(July 31, 2007) Report from the Auditor General - Internet Usage Review
https://www.toronto.ca/legdocs/mmis/2007/au/bgrd/backgroundfile-6698.pdf
Appendix 1 - Internet Usage Review
https://www.toronto.ca/legdocs/mmis/2007/au/bgrd/backgroundfile-6699.pdf
Appendix 2 - Internet Usage Review - Management's Response to Auditor General's Review
https://www.toronto.ca/legdocs/mmis/2007/au/bgrd/backgroundfile-6700.pdf
Source: Toronto City Clerk at www.toronto.ca/council