Item - 2009.AU11.4

Tracking Status

  • City Council adopted this item on October 26, 2009 with amendments.
  • This item was considered by the Audit Committee on October 20, 2009 and adopted without amendment. It will be considered by City Council on October 26, 2009.

AU11.4 - Review of Disposal of Surplus IT Equipment - Security, Environmental and Financial Risks

Decision Type:
ACTION
Status:
Amended
Wards:
All

City Council Decision

City Council on October 26 and 27, 2009, adopted the following:

 

1.         City Council request the Chief Information Officer to re-evaluate the agreement with the vendor who is currently providing information technology asset disposal services.  Such re-evaluation take into account the experience of the vendor particularly in the area of data security and environmental concerns and where appropriate ensure that the vendor is capable of providing the level of service required.

 

2.         City Council request the Chief Information Officer to review all provisions in the agreement with the third party information technology asset disposal vendor and direct the vendor to comply with all provisions in the agreement.  Further policies, procedures be established to ensure that the City is able to confirm compliance.  Regular audits including the development of audit programmes be conducted to confirm compliance.  Documentary evidence of all such compliance audits be retained and approved by supervisory staff.

 

3.         City Council request the Chief Information Officer, on a random basis, to confirm that hard drives submitted to the auctioneer have been successfully erased.  Specialized data recovery tools be used to determine whether or not hard drives have been successfully deleted.

 

4.           City Council request the Chief Information Officer to ensure that disposal processes for surplus information technology assets are in conformance with regulatory procedures and all such disposals are supported by an adequate audit trail for subsequent verification by City staff.

 

5.         City Council request the Chief Information Officer to ensure that receipts from the sale of equipment are reconciled to the actual equipment sold.

 

6.         City Council request the Chief Information Officer to report to the Government Management Committee on the existing policy for the disposal of surplus information and technology equipment, such report to also address the feasibility of amending the City's policy to allow for the sale of surplus information and technology equipment to employees.

Background Information (Committee)

(May 4, 2009) Report from the Auditor General - Review of Disposal of Surplus IT Equipment - Security, Environmental and Financial Risks
https://www.toronto.ca/legdocs/mmis/2009/au/bgrd/backgroundfile-22125.pdf
Appendix 1 - Auditor General's Office (May 4, 2009) Review of Disposal of Surplus IT Equipment - Security, Environmental and Financial Risks
https://www.toronto.ca/legdocs/mmis/2009/au/bgrd/backgroundfile-22126.pdf
Appendix 2 - Management's Response to the Auditor General's Review
https://www.toronto.ca/legdocs/mmis/2009/au/bgrd/backgroundfile-22127.pdf

Motions (City Council)

1 - Motion to Amend Item (Additional) moved by Councillor Howard Moscoe (Carried)

That City Council request the Chief Information Officer to report to the Government Management Committee on the existing policy for the disposal of surplus information and technology equipment, such report to also address the feasibility of amending the City's policy to allow for the sale of surplus information and technology equipment to employees.

Vote (Amend Item (Additional)) Oct-26-2009 5:54 PM

Result: Carried Majority Required - AU11.4 - Moscoe - Motion 1
Total members that voted Yes: 21 Members that voted Yes are Paul Ainslie, Sandra Bussin (Chair), Raymond Cho, Frank Di Giorgio, John Filion, Adam Giambrone, Mark Grimes, Doug Holyday, Cliff Jenkins, Joe Mihevc, Denzil Minnan-Wong, Howard Moscoe, Frances Nunziata, Case Ootes, Cesar Palacio, Anthony Perruzza, Bill Saundercook, David Shiner, Karen Stintz, Adam Vaughan, Michael Walker
Total members that voted No: 14 Members that voted No are Brian Ashton, Shelley Carroll, Janet Davis, Glenn De Baeremaeker, Mike Del Grande, Suzan Hall, A.A. Heaps, Norman Kelly, Chin Lee, Gloria Lindsay Luby, Peter Milczyn, Ron Moeser, Gord Perks, Kyle Rae
Total members that were Absent: 10 Members that were absent are Maria Augimeri, Mike Feldman, Paula Fletcher, Rob Ford, Giorgio Mammoliti, Pam McConnell, David Miller, Joe Pantalone, John Parker, Michael Thompson

Motion to Adopt Item as Amended (Carried)

Vote (Adopt Item as Amended) Oct-26-2009 5:55 PM

Result: Carried Majority Required - AU11.4 - Adopt the Item, as amended
Total members that voted Yes: 28 Members that voted Yes are Paul Ainslie, Sandra Bussin (Chair), Shelley Carroll, Raymond Cho, Janet Davis, Frank Di Giorgio, John Filion, Adam Giambrone, Mark Grimes, A.A. Heaps, Doug Holyday, Cliff Jenkins, Norman Kelly, Chin Lee, Joe Mihevc, Denzil Minnan-Wong, Howard Moscoe, Frances Nunziata, Case Ootes, Cesar Palacio, Gord Perks, Anthony Perruzza, Kyle Rae, Bill Saundercook, David Shiner, Karen Stintz, Adam Vaughan, Michael Walker
Total members that voted No: 7 Members that voted No are Brian Ashton, Glenn De Baeremaeker, Mike Del Grande, Suzan Hall, Gloria Lindsay Luby, Peter Milczyn, Ron Moeser
Total members that were Absent: 10 Members that were absent are Maria Augimeri, Mike Feldman, Paula Fletcher, Rob Ford, Giorgio Mammoliti, Pam McConnell, David Miller, Joe Pantalone, John Parker, Michael Thompson

AU11.4 - Review of Disposal of Surplus IT Equipment - Security, Environmental and Financial Risks

Decision Type:
ACTION
Status:
Adopted
Wards:
All

Committee Recommendations

The Audit Committee recommends that:

 

1.         City Council request the Chief Information Officer to re-evaluate the agreement with the vendor who is currently providing information technology asset disposal services.  Such re-evaluation take into account the experience of the vendor particularly in the area of data security and environmental concerns and where appropriate ensure that the vendor is capable of providing the level of service required.

 

2.         City Council request the Chief Information Officer to review all provisions in the agreement with the third party information technology asset disposal vendor and direct the vendor to comply with all provisions in the agreement.  Further policies, procedures be established to ensure that the City is able to confirm compliance.  Regular audits including the development of audit programmes be conducted to confirm compliance.  Documentary evidence of all such compliance audits be retained and approved by supervisory staff.

 

3.         City Council request the Chief Information Officer, on a random basis, to confirm that hard drives submitted to the auctioneer have been successfully erased.  Specialized data recovery tools be used to determine whether or not hard drives have been successfully deleted.

 

4.           City Council request the Chief Information Officer to ensure that disposal processes for surplus information technology assets are in conformance with regulatory procedures and all such disposals are supported by an adequate audit trail for subsequent verification by City staff.

 

5.         City Council request the Chief Information Officer to ensure that receipts from the sale of equipment are reconciled to the actual equipment sold.

Origin

(May 4, 2009) Report from the Auditor General

Summary

The objective of this review was to determine whether the City’s management and oversight of the disposal of surplus Information Technology (IT) equipment adequately addresses potential risks such as:

 

-           ensuring information residing on computer equipment such as hard drives is  effectively erased or destroyed

-           ensuring that surplus equipment is disposed of in an environmentally responsible manner, and

-           ensuring the City receives its share of the funds from the disposal of the assets.

 

The review identified the need to address a number of important areas relating to contract compliance.  The City needs to address these issues in order to mitigate the risks pertaining to the inappropriate disposal of surplus IT assets.  There is also a need to ensure that the qualifications of the current third party vendor are re-evaluated.

 

Although recommendations in this report focus on improving controls over the disposal of surplus IT equipment at the City the recommendations may be relevant to the City’s Agencies, Boards, Commissions and Corporations and should be reviewed, evaluated and implemented as deemed appropriate.

Background Information

(May 4, 2009) Report from the Auditor General - Review of Disposal of Surplus IT Equipment - Security, Environmental and Financial Risks
https://www.toronto.ca/legdocs/mmis/2009/au/bgrd/backgroundfile-22125.pdf
Appendix 1 - Auditor General's Office (May 4, 2009) Review of Disposal of Surplus IT Equipment - Security, Environmental and Financial Risks
https://www.toronto.ca/legdocs/mmis/2009/au/bgrd/backgroundfile-22126.pdf
Appendix 2 - Management's Response to the Auditor General's Review
https://www.toronto.ca/legdocs/mmis/2009/au/bgrd/backgroundfile-22127.pdf

Motions

1 - Motion to Adopt Item moved by Councillor John Parker (Carried)

That the Audit Committee recommend to City Council adoption of the recommendations contained in the report (May 4, 2009) from the Auditor General.

Source: Toronto City Clerk at www.toronto.ca/council