Item - 2016.AU7.13

Tracking Status

  • City Council adopted this item on November 8, 2016 without amendments.
  • This item was considered by the Audit Committee on October 28, 2016 and adopted without amendment. It will be considered by City Council on November 8, 2016.

AU7.13 - Audit of Information Technology Vulnerability and Penetration Testing - Phase II: Internal Penetration Testing, Part 1 - Accessibility of Network and Servers

Decision Type:
ACTION
Status:
Adopted
Wards:
All

City Council Decision

City Council on November 8 and 9, 2016, adopted the following:


1.  City Council adopt the Confidential Recommendations contained in Confidential Attachment 1 to the report (October 24, 2016) from the Auditor General.


2.  City Council direct that Confidential Attachment 1 to the report (October 24, 2016) from the Auditor General remain confidential in its entirety as it contains confidential information involving the security of property belonging to the City or one of its agencies and corporations.


Confidential Attachment 1 to the report (October 24, 2016) from the Auditor General remains confidential in its entirety in accordance with the provisions of the City of Toronto Act, 2006, as it contains confidential information involving the security of property belonging to the City or one of its agencies and corporations. 

Confidential Attachment - The security of property belonging to the City or one of its agencies and corporations.

Background Information (Committee)

(October 24, 2016) Report from the Auditor General - Audit of Information Technology Vulnerability and Penetration Testing - Phase II: Internal Penetration Testing, Part 1 - Accessibility of Network and Servers
https://www.toronto.ca/legdocs/mmis/2016/au/bgrd/backgroundfile-97617.pdf
(October 13, 2016) Placeholder Report from the Auditor General
https://www.toronto.ca/legdocs/mmis/2016/au/bgrd/backgroundfile-97460.pdf

Motions (City Council)

Motion to Adopt Item (Carried)


Committee Recommendations

The Audit Committee recommends that:


1.  City Council adopt the Confidential Recommendations contained in Confidential Attachment 1 to the report (October 24, 2016) from the Auditor General.


2.  City Council direct that Confidential Attachment 1 to the report (October 24, 2016) from the Auditor General remain confidential in its entirety as it contains confidential information involving the security of property belonging to the City or one of its agencies and corporations. 

Decision Advice and Other Information

The Audit Committee recessed its public session and met in closed session to consider confidential information on this Item as it relates to the security of property belonging to the City or one of its agencies and corporations. 

Origin

(October 24, 2016) Report from the Auditor General

Summary

In early 2016, the Auditor General completed the external vulnerability assessment and penetration testing of the City's information technology (IT) network. The external testing involved vulnerability assessment and penetration testing of City systems, applications and infrastructure from externally exposed points, such as websites and servers. The goal was to get from the outside in.


This Phase II, Part 1 report relates to the internal testing of the City's IT network, servers and systems. This covered targets similar to those of the external testing, but from within the organization, i.e., the tester has some limited access to City facilities, the network and applications. The goal was to identify vulnerabilities that could be exploited from inside the City to gain access to City systems and infrastructure for malicious purposes. The Auditor General has decided to present the results early to enable management to take timely action.


Phase II testing is divided into two parts:


  • Part 1 - Accessibility of Network and Servers
  • Part 2 - Application Vulnerability Assessment and Penetration Testing


The existing segmented approach to ownership of IT security and administration has resulted in varied policies, procedures and enforcement of security practices across the City. Similar to the findings reported in the Phase I audit, the results of Phase II, Part 1 - Accessibility of Network and Servers reinforce the need for a single corporate view of IT security within the City. KPMG, in its report entitled Cyber security: it's not just about technology[1], notes that "Effectively managing cyber security risk means putting in place the right governance and the right supporting processes, along with the right enabling technology".


Divisions with independent IT units that acquire systems and implement applications present the risk of security practices that may not align with Corporate IT standards, and those units may also lack the required security expertise. It is important for Corporate IT to be accountable for managing City-wide information security.


The details of our findings are provided in the confidential attachment to this report. The Auditor General will retest the identified vulnerabilities after the recommendations have been implemented, to ensure that the issues identified in this report have been appropriately remediated by management.


Motions

1 - Motion to Adopt Item moved by Councillor Stephen Holyday (Carried)

Motion to Reconsider Item moved by Councillor Chin Lee (Carried)

That in accordance with the provisions of Chapter 27, Council Procedures, the Audit Committee reconsider this Item.


Motion to Meet in Closed Session moved by Councillor Chin Lee (Carried)

2:44 p.m. - That the Audit Committee recess its public session and meet in closed session to consider confidential information on this Item as it relates to the security of property belonging to the City or one of its agencies and corporations.


The Audit Committee recessed its public session and met in closed session to consider the above matter.


The Audit Committee reconvened in public session at 3:08 p.m. Councillor Lee took the Chair and advised that the Committee had completed its closed session consideration of confidential information related to this Item. No motions were moved in Closed Session. The Audit Committee would now proceed with the public debate on this Item.


Motion to Adopt Item (Carried)
Source: Toronto City Clerk at www.toronto.ca/council