Item - 2017.AU8.6
Tracking Status
- City Council adopted this item on April 26, 2017 without amendments and without debate.
- This item was considered by the Audit Committee on March 24, 2017 and adopted without amendment. It will be considered by City Council on April 26, 2017.
AU8.6 - Information Technology Vulnerability Assessment and Penetration Testing - Wrap-up of Phase I and Phase II
- Decision Type: ACTION
- Status: Adopted on Consent
- Wards: All
City Council Decision
City Council on April 26, 27 and 28, 2017, adopted the following:
1. City Council request the City Manager to review how best to create and implement a Chief Information Security Officer's role reporting administratively to the Chief Information Officer and functionally to the City Manager. The Chief Information Security Officer should coordinate with the Chief Information Officer:
a. to develop information technology security baseline standards at the City, and report to the City Manager and Chief Information Officer on compliance to established baseline standards; and
b. to work with City Agencies and Corporations to align baseline standards and leverage best practices.
2. City Council direct that Confidential Attachment 1 to the report (March 10, 2017) from the Auditor General remain confidential in its entirety as it contains confidential information that pertains to the security of property belonging to the City or one of its Agencies and Corporations.
Confidential Attachment 1 to the report (March 10, 2017) from the Auditor General remains confidential in its entirety in accordance with the provisions of the City of Toronto Act, 2006 as it contains confidential information that pertains to the security of property belonging to the City or one of its Agencies and Corporations.
Confidential Attachment - The security of property belonging to the City or one of its Agencies or Corporations
Background Information (Committee)
https://www.toronto.ca/legdocs/mmis/2017/au/bgrd/backgroundfile-101892.pdf
Confidential Attachment 1 - Results of the Vulnerability Assessment and Penetration Testing
Attachment 2 - Management's Response to the Auditor General's Review of Information Technology Vulnerability Assessment and Penetration Testing-Wrap-up of Phase I and Phase II
https://www.toronto.ca/legdocs/mmis/2017/au/bgrd/backgroundfile-101894.pdf
AU8.6 - Information Technology Vulnerability Assessment and Penetration Testing - Wrap-up of Phase I and Phase II
- Decision Type: ACTION
- Status: Adopted
- Wards: All
Confidential Attachment - The security of property belonging to the City or one of its Agencies or Corporations
Committee Recommendations
The Audit Committee recommends that:
1. City Council request the City Manager to review how best to create and implement a Chief Information Security Officer's role reporting administratively to the Chief Information Officer and functionally to the City Manager. The Chief Information Security Officer should coordinate with the Chief Information Officer:
a. To develop information technology security baseline standards at the City, and report to the City Manager and Chief Information Officer on compliance to established baseline standards.
b. To work with City Agencies and Corporations to align baseline standards and leverage best practices.
2. City Council direct that Confidential Attachment 1 to the report (March 10, 2017) from the Auditor General remain confidential in its entirety as it contains confidential information involving the security of property belonging to the City or one of its Agencies and Corporations.
Origin
Summary
The alarming increase in cybercrimes and threats to critical information and infrastructure, including the high cost of data breaches across industry, led the Auditor General to perform vulnerability assessment and penetration testing at the City.
In early 2016, the Auditor General completed an external vulnerability assessment and penetration testing of the City’s information technology (IT) network. The testing included the external facing applications and firewall to determine if unauthorized access to the City's corporate network and systems could be gained from the outside.
The Phase I report on External Penetration Testing (with confidential attachment) was tabled at the March 30, 2016 Council meeting.
http://www.toronto.ca/legdocs/mmis/2016/au/bgrd/backgroundfile-90751.pdf
Later in 2016, an internal vulnerability assessment and testing of the City’s IT network, servers and systems was performed. The goal was to identify vulnerabilities that could be exploited by someone from within the City (contractors, employees, persons accessing City buildings) who may have access to the City’s IT network, servers and systems.
The Phase II, Part 1 report on Internal Penetration Testing – Accessibility of Network and Servers (with confidential attachment) was tabled at the November 8, 2016 Council meeting.
http://www.toronto.ca/legdocs/mmis/2016/au/bgrd/backgroundfile-97617.pdf
As mentioned in our Phase II report, testing was divided into two parts. This current report includes results of Phase II, Part 2 - Application Vulnerability Assessment and Penetration Testing, as well as a wrap-up of all our penetration testing audits completed in 2016.
Additional information is included in Confidential Attachment 1. The Auditor General will continue to perform these types of audits to ensure the City's critical information and infrastructure are adequately protected.