Item - 2016.AU5.10

Tracking Status

  • City Council adopted this item on March 31, 2016 without amendments.
  • This item was considered by the Audit Committee on March 7, 2016 and adopted without amendment. It will be considered by City Council on March 31, 2016.

AU5.10 - Audit of Information Technology Vulnerability and Penetration Testing - Phase 1: External Penetration Testing

Decision Type:
ACTION
Status:
Adopted
Wards:
All

City Council Decision

City Council on March 31 and April 1, 2016, adopted the following:

1. City Council request the Chief Information Officer to establish the City baseline for cybersecurity applicable to all of the City’s Information Technology systems and infrastructure and to direct all City divisions, agencies, and corporations to adhere to this standard. The Chief Information Officer establish protocols for monitoring and enforcing compliance with this City-wide standard.

2. City Council request the Chief Information Officer to develop a cybersecurity program that includes ongoing vulnerability assessment and penetration testing using current tools used by industry subject matter experts. The testing tools adopted by the City should be updated regularly and provide ongoing reporting and metrics around existing and newly discovered threats.

3. City Council adopt the confidential recommendations contained in Confidential Attachment 1 to the report (February 16, 2016) from the Auditor General.

4. City Council direct that Confidential Attachment 1 to the report (February 16, 2016) from the Auditor General remain confidential in its entirety as it contains confidential information involving the security of property belonging to the City or one of its agencies and corporations.

Confidential Attachment 1 to the report (February 16, 2016) from the Auditor General remains confidential in its entirety in accordance with the provisions of the City of Toronto Act, 2006, as it contains confidential information involving the security of property belonging to the City or one of its agencies and corporations.

Confidential Attachment - The security of the property of the City or one of its agencies and corporations

Background Information (Committee)

(February 16, 2016) Report from the Auditor General - Audit of Information Technology Vulnerability and Penetration Testing - Phase 1: External Penetration Testing
https://www.toronto.ca/legdocs/mmis/2016/au/bgrd/backgroundfile-90751.pdf
Confidential Attachment 1

Motions (City Council)

Motion to Adopt Item (Carried)

Committee Recommendations

The Audit Committee recommends that:

1. City Council request the Chief Information Officer to establish the City baseline for cybersecurity applicable to all of the City’s IT systems and infrastructure and to direct all City divisions, agencies, and corporations to adhere to this standard. The Chief Information Officer establish protocols for monitoring and enforcing compliance with this City-wide standard.

2. City Council request the Chief Information Officer to develop a cybersecurity program that includes ongoing vulnerability assessment and penetration testing using current tools used by industry subject matter experts. The testing tools adopted by the City should be updated regularly and provide ongoing reporting and metrics around existing and newly discovered threats.

3. City Council adopt the Confidential Recommendations contained in Confidential Attachment 1 to the report (February 16, 2016) from the Auditor General.

4. City Council direct that Confidential Attachment 1 remain confidential in its entirety as it contains confidential information involving the security of property belonging to the City or one of its agencies and corporations.

Origin

(February 16, 2016) Report from the Auditor General

Summary

Insufficient preparation to manage cyber threats is widely considered one of the most critical operational risks facing organizations today. According to KPMG, “Cyber security has become an enormous issue in the last few years and its importance continues to grow.  Major corporations’ networks and systems continue to be subject to hacking and attack”, and it “is therefore essential for Audit Committees to understand what management is doing to mitigate IT risks.”

Security breaches of information technology (IT) systems can have profound effects on organizations. The confidentiality, integrity and availability of IT systems are essential for the operations of the City. It is important that the City maintains the public’s trust that its websites and the City’s data are secure.

The Auditor General’s 2015 Audit Work Plan included an audit of information technology network vulnerabilities within the City. This report provides the results of the external vulnerability assessment and penetration testing of internet-facing applications used by the public. A separate assessment of controls over the internal IT network of the City will be completed later in 2016.

This report contains two recommendations along with management’s response to each recommendation. Additionally, a confidential report with confidential recommendations and management’s response to each recommendation is included in Attachment 1.

Background Information

(February 16, 2016) Report from the Auditor General - Audit of Information Technology Vulnerability and Penetration Testing - Phase 1: External Penetration Testing
https://www.toronto.ca/legdocs/mmis/2016/au/bgrd/backgroundfile-90751.pdf
Confidential Attachment 1

Motions

1 - Motion to Adopt Item moved by Councillor Stephen Holyday (Carried)
Source: Toronto City Clerk at www.toronto.ca/council