Item - 2021.AU10.4
Tracking Status
- City Council adopted this item on November 9, 2021 with amendments.
- This item was considered by Audit Committee on November 2, 2021 and was adopted with amendments. It will be considered by City Council on November 9, 2021.
AU10.4 - Auditor General's Cybersecurity Review: Toronto Fire Services Critical Systems Review
- Decision Type:
- ACTION
- Status:
- Amended
- Wards:
- All
City Council Decision
City Council on November 9, 10 and 12, 2021, adopted the following:
1. City Council adopt the confidential instructions to staff in Confidential Attachment 1 to the report (October 25, 2021) from the Auditor General.
2. City Council adopt the confidential instructions to staff in the confidential attachment to motion 1 by Councillor Stephen Holyday.
3. City Council request the Fire Chief and General Manager - Emergency Management, Toronto Fire Services to report to the Audit Committee by the end of the first quarter of 2022 with an update on the implementation status of the Auditor General's recommendations in Confidential Attachment 1 to the report (October 25, 2021) from the Auditor General.
4. City Council request the City Manager to report to the next meeting of the Audit Committee on the ongoing governance structure that will be in place to effectively identify, plan for and mitigate cybersecurity risks across the City of Toronto, including all City divisions, agencies and corporations, and the governance framework to ensure that City divisions, agencies and corporations are effectively managing their cybersecurity risks and responding as new risks arise.
5. City Council direct the City Manager, in consultation with the Chief Information Security Officer, to develop a confirmation program for all senior managers with responsibility in addressing cyber risks identified in City agencies and corporations, starting with the critical systems, and to report on the confirmation program, including rates of compliance, remediation plans and strategies to reduce risk and ensure corporate compliance in the first quarter of 2022 and biannually thereafter in conjunction with planned reporting to the General Government and Licensing Committee.
6. City Council request the Boards of Directors at the Toronto Public Library, Toronto Hydro and the Canadian National Exhibition Association, the Board of Health and the Toronto Police Services Board to provide confirmation as outlined in Part 5 above.
7. City Council direct the Chief Information Security Officer to develop a process to report to the General Government and Licensing Committee on instances of non-compliance and associated 30/60/90 day remediation plans.
8. City Council request the Auditor General to consider auditing the confirmation program for compliance.
9. City Council request the City Manager to make online cybersecurity training available, to the extent possible, to City agencies and corporations.
10. City Council direct that Confidential Attachment 1 to the report (October 25, 2021) from the Auditor General be released publicly at the discretion of the Auditor General, after discussions with the appropriate City Officials.
11. City Council direct that the confidential instructions to staff in the confidential attachment to motion 1 by Councillor Stephen Holyday remain confidential in their entirety, as they pertain to the security of the property of the City of Toronto or one of its agencies and corporations.
12. City Council direct that the confidential presentation (November 2, 2021) from the Auditor General be released publicly at the discretion of the Auditor General, after discussions with the appropriate City Officials.
13. City Council direct that the confidential presentation (November 2, 2021) from the Fire Chief and General Manager - Emergency Services, Toronto Fire Services remain confidential in its entirety, as it pertains to the security of the property of the City of Toronto or one of its agencies and corporations.
Confidential Attachment 1 to the report (October 25, 2021) from the Auditor General remains confidential in its entirety at this time in accordance with the provisions of the City of Toronto Act, 2006, as it pertains to the security of the property of the City of Toronto or one of its agencies and corporations. Confidential Attachment 1 to the report (October 25, 2021) from the Auditor General will be released publicly at the discretion of the Auditor General, after discussions with the appropriate City Officials.
The confidential instructions to staff in the confidential attachment to motion 1 by Councillor Stephen Holyday remain confidential in their entirety in accordance with the provisions of the City of Toronto Act, 2006, as they pertain to the security of the property of the City of Toronto or one of its agencies and corporations.
The confidential presentation (November 2, 2021) from the Auditor General remains confidential in its entirety at this time in accordance with the provisions of the City of Toronto Act, 2006, as as it pertains to the security of the property of the City of Toronto or one of its agencies and corporations. The confidential presentation (November 2, 2021) from the Auditor General will be released publicly at the discretion of the Auditor General, after discussions with the appropriate City Officials.
The confidential presentation (November 2, 2021) from the Fire Chief and General Manager - Emergency Services, Toronto Fire Services, remains confidential in its entirety in accordance with the provisions of the City of Toronto Act, 2006, as it pertains to the security of the property of the City of Toronto or one of its agencies and corporations.
City Council Decision Advice and Other Information
City Council recessed its public session and met as Committee of the Whole in closed session on November 10, 2021 to consider confidential information on this Item as it pertains to the security of the property of the City of Toronto or one of its agencies and corporations.
Confidential Attachment - The security of the property of the City of Toronto or one of its agencies and corporations.
Background Information (Committee)
https://www.toronto.ca/legdocs/mmis/2021/au/bgrd/backgroundfile-172402.pdf
Confidential Attachment 1 - Auditor General's Cybersecurity Review: Toronto Fire Services Critical Systems Review
(November 2, 2021) Confidential presentation from the Auditor General on Auditor General's Cybersecurity Review: Toronto Fire Services Critical Systems Review
(November 2, 2021) Confidential presentation from the Fire Chief and General Manager - Emergency Services, Toronto Fire Services on Cyber Security Review: Toronto Fire Services Progress To Date
Background Information (City Council)
Motions (City Council)
Speaker Nunziata advised that City Council had completed its closed session consideration of Item AU10.4. A motion on confidential instructions was placed in the closed session. City Council would now proceed with the public debate on the item.
That:
1. City Council direct the City Manager, in consultation with the Chief Information Security Officer to develop a confirmation program for all senior managers with responsibility in addressing cyber risks identified in City Agencies and Corporations, starting with the critical systems, and to report on the confirmation program, including rates of compliance, remediation plans and strategies to reduce risk and ensure corporate compliance in the first quarter of 2022 and biannually thereafter in conjunction with planned reporting to the General Government and Licensing Committee.
2. City Council request the Boards of Directors at the Toronto Public Library, the Board of Health, the Toronto Police Services Board, Toronto Hydro and The Canadian National Exhibition Association to provide confirmation as outlined in Part 1 above.
3. City Council direct the Chief Information Security Officer to develop a process to report to the General Government and Licensing Committee on instances of non-compliance and associated 30/60/90 day remediation plans.
4. City Council request the Auditor General to consider auditing the confirmation program for compliance.
5. City Council request the City Manager to make online cybersecurity training available, to the extent possible, to Agencies and Corporations.
6. City Council adopt the confidential instructions to staff in the Confidential Attachment to this motion.
7. City Council direct that the confidential instructions to staff in the Confidential Attachment to this motion remain confidential in their entirety as they pertain to the security of the property of the City of Toronto or one of its agencies and corporations.
AU10.4 - Auditor General's Cybersecurity Review: Toronto Fire Services Critical Systems Review
- Decision Type:
- ACTION
- Status:
- Amended
- Wards:
- All
Confidential Attachment - The security of the property of the City of Toronto or one of its agencies and corporations.
Committee Recommendations
The Audit Committee recommends that:
1. City Council adopt the confidential instructions to staff in Confidential Attachment 1 to the report (October 25, 2021) from the Auditor General.
2. City Council request the Fire Chief and General Manager - Emergency Management, Toronto Fire Services to report to the Audit Committee by the end of the first quarter of 2022 with an update on the implementation status of the Auditor General's recommendations in Confidential Attachment 1 to the report (October 25, 2021) from the Auditor General.
3. City Council request the City Manager to report to the next meeting of the Audit Committee on the ongoing governance structure that will be in place to effectively identify, plan for and mitigate cybersecurity risks across the City of Toronto, including all City divisions, agencies and corporations, and the governance framework to ensure that City divisions, agencies and corporations are effectively managing their cybersecurity risks and responding as new risks arise.
4. City Council direct that Confidential Attachment 1 to the report (October 25, 2021) from the Auditor General be released publicly at the discretion of the Auditor General, after discussions with the appropriate City Officials.
5. City Council direct that the confidential presentation (November 2, 2021) from the Auditor General be released publicly at the discretion of the Auditor General, after discussions with the appropriate City Officials.
6. City Council direct that the confidential presentation (November 2, 2021) from the Fire Chief and General Manager - Emergency Services, Toronto Fire Services remain confidential in its entirely, as it pertains to the security of the property of the City of Toronto or one of its agencies and corporations.
Decision Advice and Other Information
The Audit Committee recessed its public session to meet in closed session to consider this item, as it pertains to the security of the property of the City of Toronto or one of its agencies and corporations.
Origin
Summary
Cyberattacks are widely considered to be one of the most critical operational risks facing organizations.
This Phase 1 report includes the results of a review of critical systems in Toronto Fire Services (TFS).
This report contains two administrative recommendations. The confidential findings and recommendations from our review are contained in Confidential Attachment 1.
Background Information
https://www.toronto.ca/legdocs/mmis/2021/au/bgrd/backgroundfile-172402.pdf
Confidential Attachment 1 - Auditor General's Cybersecurity Review: Toronto Fire Services Critical Systems Review
(November 2, 2021) Confidential presentation from the Auditor General on Auditor General's Cybersecurity Review: Toronto Fire Services Critical Systems Review
(November 2, 2021) Confidential presentation from the Fire Chief and General Manager - Emergency Services, Toronto Fire Services on Cyber Security Review: Toronto Fire Services Progress To Date
Motions
That:
1. City Council request the City Manager to report to the next meeting of the Audit Committee on the ongoing governance structure that will be in place to effectively identify, plan for and mitigate cybersecurity risks across the City of Toronto, including all City divisions, agencies and corporations, and the governance framework to ensure that City divisions, agencies and corporations are effectively managing their cybersecurity risks and responding as new risks arise.
That:
1. City Council request the Fire Chief and General Manager - Emergency Management, Toronto Fire Services to report to the Audit Committee by the end of the first quarter of 2022 with an update on the implementation status of the Auditor General's recommendations in Confidential Attachment 1 to this report.
That:
1. City Council direct that the confidential presentation (November 2, 2021) from the Auditor General be released publicly at the discretion of the Auditor General, after discussions with the appropriate City Officials.
2. City Council direct that the confidential presentation (November 2, 2021) from the Fire Chief and General Manager - Emergency Services, Toronto Fire Services remain confidential in its entirely, as it pertains to the security of the property of the City of Toronto or one of its agencies and corporations.