Item - 2019.AU3.12

The Audit Committee recommends that:

1. City Council request the City Manager, the Chief Information Officer and the City Clerk to co-ordinate and develop standard incident management procedures including communication protocols to address incidents involving cyber attacks/information breaches. The procedures and protocols should include:

a. Guidelines describing the sequence of actions that should take place as soon as staff become aware of a cyber attack/information breach incident.

b. Communication protocols detailing key contact names, functions and contact information for staff to receive guidance.

c. Reports to be completed by the affected organization, detailing the date of incident, systems affected, information compromised, and other relevant details.

d. Communications to the media/public, where required, including privacy protocols.

The incident management procedures and communication protocols should be liaised across the City, including agencies and corporations.

2.  City Council request the City Manager, in consultation with the Chief Information Officer, to implement appropriate cyber security training which should be mandatory for all City staff.

This report responds to Audit Committee's request to report on the Information and Technology Division's outstanding audit recommendation wherein the Chief Information Officer was requested to develop a Cyber Security Program that supported ongoing vulnerability assessment and penetration testing using industry standards applied by subject matter experts.

The City already has a foundation of cyber security measures in place to protect the City's information technology systems. The Auditor General's recommendations will enhance existing cyber security practices and assist with the detection, prevention and responses to future cyber threats. The City launched its formal Cyber Security Program in 2017 to enhance security capabilities given the increasing complexity in cyber security. The objective of this Program is to identify and mitigate IT-related risks that directly affect the corporate technology environment that City Divisions rely upon when servicing the residents and the public who expect the provision of secure and reliable City services.

One component of the Cyber Security Program includes the analysis of resources and funding requirements to develop and implement improvements to vulnerability assessments and penetration testing functions. In addition, the City plans to implement new vulnerability management capabilities as part of a strategy to engage a Managed Security Services Provider (MSSP) and develop partnerships with industry experts.

Further to the above recommendation, the Chief Information Officer, in collaboration with the Auditor General's Office, will be issuing a comprehensive Audit Report to Audit Committee for its meeting on October 25, 2019.  This report will provide a comprehensive review of all audit recommendations (including both public and confidential) received to date.

In our report entitled "Audit of Information Technology Vulnerability and Penetration Testing – Phase 1: External Penetration Testing" we highlighted to the City management that insufficient preparation to manage cyber threats is widely considered as one of the most critical operational risks facing the organizations. The City, as well as its agencies and corporations are not immune from these risks.

The Auditor General recently became aware that two small entities within the City were reportedly attacked by ransomware and their systems compromised.[1] In both situations, the incidents were not communicated to the Chief Information Officer because protocols do not exist.  

Ransomware is a form of attack where user systems and/or files become non-operable after the attack. The attackers then demand payment for restoring access to the system and/or files. These attacks are not new to Canadian municipalities; recently, two other municipalities were attacked by ransomware, one in Quebec and one in Ontario. One of the municipalities was demanded $65,000 to restore the data; for the other, the ransom details are not public. Cyber security attacks are increasingly becoming more complicated, difficult to detect and costly for compromised organizations.

The purpose of this report is to highlight the importance and urgency for the City to have a standard incident management process developed and implemented across City divisions, its agencies and corporations so that the Chief Information Officer can analyze these attacks in an effort to enhance City-wide cyber security. The Auditor General, realizing the emerging risks, in each of her reports on IT vulnerability assessments and IT infrastructure audits issued during 2016 to 2018, recommended that the City:

- develop baseline IT security standards to provide guidance across the City to address cyber security threats,

- implement a cyber security program, and

- create an independent role of the Chief Information Security Officer (CISO).

In addition, the Auditor General, in her communications with the Information and Technology Division, identified the need to have a centralized process, guidelines and communication protocols available to all organizations within the City to deal with cyber security threats and incidents. Adequate controls must be put in place to maintain confidentiality of sensitive information.

The Auditor General's planned follow-up is due in the later half of 2019. An update of the status of the implementation of recommendations will be tabled at future Audit Committee meetings.