Item - 2021.AU8.8

Tracking Status

  • City Council adopted this item on April 7, 2021 without amendments.
  • This item was considered by Audit Committee on February 16, 2021 and was adopted with amendments. It will be considered by City Council on April 7, 2021.

AU8.8 - Information Technology Projects Implementation: Information Privacy and Cybersecurity Review of Human Resource System

Decision Type:
ACTION
Status:
Adopted
Wards:
All

City Council Decision

City Council on April 7 and 8, 2021, adopted the following:

 

1.  City Council request the Chief Technology Officer to enhance the management of cybersecurity and privacy risks, as part of its information technology project governance, by:

 

a.  ensuring that cybersecurity and information privacy requirements and related budget are part of the acquisition, development, design, and testing phases of technology projects; and the Office of the Chief Information Security Officer and the City Clerk must review and endorse the requirements and budget allocated for cybersecurity and information privacy for all City technology initiatives, transformations, and procurements;

 

b.  ensuring that a process is in place to identify, analyze, and communicate all cybersecurity and information privacy risks to all stakeholders at each project phase through a documented risk mitigation plan; and the identified risks are either mitigated or formally accepted by the division head/project sponsor and communicated to the City's Senior Leadership Team before the system is launched;

 

c.  ensuring that the remediation of open risks is completed within a specified timeline and is signed off by the division head/project sponsor before moving to the next project development stage; and

 

d.  identifying new or reallocated resource requirements required by the Office of the Chief Information Security Officer or the City Clerk needed to support the information technology project through its life cycle.

 

2.  City Council request the Chief Technology Officer to extend the actions in Part 1 above to existing in-progress technology projects and all future implementations.

 

3.  City Council request the Chief Technology Officer to enhance the City's incident response process by: 

 

a.  ensuring that all incidents are logged in a consistent manner and addressed and communicated to the appropriate stakeholders in a timely manner;

 

b.  actively monitoring remediation actions and ensuring that processes are in place to test the post-remediation environment;

 

c.  coordinating with the City Clerk to integrate the privacy incident response process with the Office of the Chief Information Security Officer's Cyber Incident Response Plan and the Technology Services Division's Major Incident Management Process; and

 

d.  integrating the applicable sections of the Technology Services Division's Major Incident Management Process into the Office of the Chief Information Security Officer's Cyber Incident Response Plan.

 

4.  City Council request the Chief Technology Officer to consider the actions in Part 3 above in addition to the previous recommendation in the supplementary report (June 19, 2019) from the Auditor General headed "Establishment of City Wide Cyber Security Breach Incident Management Procedures Required" (Item 2019.AU3.12a).

 

5.  City Council request the Chief Technology Officer to enhance project governance by:

 

a.  ensuring that all projects fully comply with the Project Review Team gating approvals; and exceptions relating to cybersecurity and privacy must be reviewed by the Chief Information Security Officer and the City Clerk for a go/no-go decision;

 

b.  ensuring that project management gating criteria include a clear support transition plan when projects move from development to operations or from one stage to the next, depending on which project management methodology is used, such as Agile project management; and

 

c.  ensuring that project managers are trained in change management methodology.

 

6.  City Council request the Chief Technology Officer to:

 

a.  in coordination with the Chief Information Security Officer and the City Clerk, prioritize and direct resources to develop a training program for project managers and key staff involved in the implementation of technology initiatives to receive cybersecurity and information privacy training focused on managing technology projects; and

 

b.  conduct an assessment to determine the feasibility of extending this training program to major agencies and corporations.

 

7.  City Council request the Chief Technology Officer to enhance the project governance and project management framework by ensuring that:

 

a.  all stakeholders' roles and responsibilities are clearly defined and key stakeholders are involved from the pre-procurement stage;

 

b.  a clear support transition plan is in place when a project is moved from development to operations at Gate 4, the last gate before the system is moved to operations;

 

c.  the Chief Information Security Officer and the City Clerk are part of the project steering committee for all key technology initiatives and transformations; and

 

d.  criteria are developed to determine which projects with high risks that have not been mitigated prior to moving to production are to be escalated to the Senior Leadership Team; and the developed criteria should be shared with the City Manager for City-wide implementation.

 

8.  City Council request the Chief Technology Officer to enhance the project management framework by:

 

a.  including a review of internal controls for systems that involve financial transactions; and

 

b.  involving the Controller or the Director, Internal Audit in the review of user roles in relation to financial transaction processing to ensure that the appropriate segregation of duties is maintained for all user roles.

 

9.  City Council request the Chief Technology Officer to improve the user permissions framework of the Human Resources application, including:

 

a.  conducting a cybersecurity and information privacy review of the various roles created in the Human Resources system;

 

b.  reviewing the users with a Super Administrator role and limiting the number of users with that role considering the industry's best practices and professional bodies;

 

c.  ensuring that user access roles are designed with cybersecurity and information privacy in mind; and access roles should be provided to users on a "need to have" basis;

 

d.  defining a process for the approval of access roles for support staff; instead of providing Super Administrator access, support staff should be provided access on a "need to have" basis; and

 

e.  eliminating the use of generic and anonymous accounts; if these roles are needed as an exception for operational reasons, detailed monitoring and logging procedures should be developed and implemented for these roles; and, in addition, the review of elevated access roles and the use of generic or anonymous users should be extended to the SAP enterprise application.

 

10.  City Council request the Chief Technology Officer to develop standards and minimum criteria for logging user activity details for information technology systems, with steps including, but not limited to:

 

a.  ensuring that user access logs capture account activity for users with elevated access, such as users with Super Administrator or Divisional Administrator roles; and

 

b.  implementing a user activity review process for roles with elevated access on a periodic basis to ensure that access is aligned with the roles.

 

11.  City Council request the Chief Technology Officer to implement a process to ensure that comprehensive system testing and user acceptance testing are part of the overall information technology project management methodology, including:

 

a.  assigning staff having functional subject matter expertise in the Technology Services Division, cybersecurity subject matter expertise in the Office of the Chief Information Security Officer, and privacy subject matter expertise in the City Clerk's Office to review the test scope, test cases, and test cycle defect management;

 

b.  ensuring that user acceptance testing is started early in the project stage and performed by respective divisions (users); and, in situations where testing is performed by staff other than the User Division, the test results must be formally approved by the respective Division Lead contact on the project; and

 

c.  ensuring that each test cycle goes through a formal approval process and mandatory security and privacy testing prior to commencing the next test cycle.

 

12.  City Council request the Chief Technology Officer to:

 

a.  research options to automate the move of configuration of systems, including cybersecurity and privacy configuration, from testing to the production environment; and

 

b.  alternatively, include a peer review (Quality Assurance) to verify post-implementation configuration in the system after it has been moved to the production environment.

 

13.  City Council request the Chief Procurement Officer, in consultation with the Chief Information Security Officer and the City Clerk, to report to the General Government and Licensing Committee by the end of the third quarter of 2021 on how to embed privacy and security by design principles and mandatory privacy and cybersecurity requirements from the Chief Information Security Officer and the City Clerk into the City's current procurement process and a governance process to manage exceptions.

 

14.  City Council direct the Chief Information Security Officer to prepare a complete inventory of all business applications, systems, and connected technology assets in the City and its applicable agencies and corporations by the end of the third quarter of 2021 and City Council direct all Division Heads and request, as appropriate, the City's applicable agencies and corporations to provide the complete inventory information above to the Chief Information Security Officer and to identify a single accountable business owner for each inventory item.

 

15.  City Council request the Chief Information Security Officer to report to the General Government and Licensing Committee on a transformation and implementation plan for an independent and centralized information technology risk and compliance, privacy, and cybersecurity function or functions which addresses organizational design, governance, oversight, accountability, authority, procurement, services, talent, human, and financial resources.

Background Information (Committee)

(February 3, 2021) Report from the Auditor General on Information Technology Projects Implementation: Information Privacy and Cybersecurity Review of Human Resource System
https://www.toronto.ca/legdocs/mmis/2021/au/bgrd/backgroundfile-163360.pdf
Review at a Glance - Information Technology Projects Implementation: Information Privacy and Cybersecurity Review of Human Resource System
https://www.toronto.ca/legdocs/mmis/2021/au/bgrd/backgroundfile-163361.pdf
(February 3, 2021) Attachment 1 - Information Technology Projects Implementation: Information Privacy and Cybersecurity Review of Human Resource System
https://www.toronto.ca/legdocs/mmis/2021/au/bgrd/backgroundfile-163362.pdf

Motions (City Council)

Motion to Adopt Item (Carried)

AU8.8 - Information Technology Projects Implementation: Information Privacy and Cybersecurity Review of Human Resource System

Decision Type:
ACTION
Status:
Amended
Wards:
All

Committee Recommendations

The Audit Committee recommends that:

 

1.  City Council request the Chief Technology Officer to enhance the management of cybersecurity and privacy risks, as part of its information technology project governance, by:

 

a.  ensuring that cybersecurity and information privacy requirements and related budget are part of the acquisition, development, design, and testing phases of technology projects; and the Office of the Chief Information Security Officer and the City Clerk must review and endorse the requirements and budget allocated for cybersecurity and information privacy for all City technology initiatives, transformations, and procurements;

 

b.  ensuring that a process is in place to identify, analyze, and communicate all cybersecurity and information privacy risks to all stakeholders at each project phase through a documented risk mitigation plan; and the identified risks are either mitigated or formally accepted by the division head/project sponsor and communicated to the City's Senior Leadership Team before the system is launched;

 

c.  ensuring that the remediation of open risks is completed within a specified timeline and is signed off by the division head/project sponsor before moving to the next project development stage; and

 

d.  identifying new or reallocated resource requirements required by the Office of the Chief Information Security Officer or the City Clerk needed to support the information technology project through its life cycle.

 

2.  City Council request the Chief Technology Officer to extend the actions in Recommendation 1 above to existing in-progress technology projects and all future implementations.

 

3.  City Council request the Chief Technology Officer to enhance the City's incident response process by: 

 

a.  ensuring that all incidents are logged in a consistent manner and addressed and communicated to the appropriate stakeholders in a timely manner;

 

b.  actively monitoring remediation actions and ensuring that processes are in place to test the post-remediation environment;

 

c.  coordinating with the City Clerk to integrate the privacy incident response process with the Office of the Chief Information Security Officer's Cyber Incident Response Plan and the Technology Services Division's Major Incident Management Process; and

 

d.  integrating the applicable sections of the Technology Services Division's Major Incident Management Process into the Office of the Chief Information Security Officer's Cyber Incident Response Plan.

 

4.  City Council request the Chief Technology Officer to consider the actions in Recommendation 3 above in addition to the previous recommendation in the supplementary report (June 19, 2019) from the Auditor General headed "Establishment of City Wide Cyber Security Breach Incident Management Procedures Required" (Item 2019.AU3.12a).

 

5.  City Council request the Chief Technology Officer to enhance project governance by:

 

a.  ensuring that all projects fully comply with the Project Review Team gating approvals; and exceptions relating to cybersecurity and privacy must be reviewed by the Chief Information Security Officer and the City Clerk for a go/no-go decision;

 

b.  ensuring that project management gating criteria include a clear support transition plan when projects move from development to operations or from one stage to the next, depending on which project management methodology is used, such as Agile project management; and

 

c.  ensuring that project managers are trained in change management methodology.

 

6.  City Council request the Chief Technology Officer to:

 

a.  in coordination with the Chief Information Security Officer and the City Clerk, prioritize and direct resources to develop a training program for project managers and key staff involved in the implementation of technology initiatives to receive cybersecurity and information privacy training focused on managing technology projects; and

 

b.  conduct an assessment to determine the feasibility of extending this training program to major agencies and corporations.

 

7.  City Council request the Chief Technology Officer to enhance the project governance and project management framework by ensuring that:

 

a.  all stakeholders' roles and responsibilities are clearly defined and key stakeholders are involved from the pre-procurement stage;

 

b.  a clear support transition plan is in place when a project is moved from development to operations at Gate 4, the last gate before the system is moved to operations;

 

c.  the Chief Information Security Officer and the City Clerk are part of the project steering committee for all key technology initiatives and transformations; and

 

d.  criteria are developed to determine which projects with high risks that have not been mitigated prior to moving to production are to be escalated to the Senior Leadership Team; and the developed criteria should be shared with the City Manager for City-wide implementation.

 

8.  City Council request the Chief Technology Officer to enhance the project management framework by:

 

a.  including a review of internal controls for systems that involve financial transactions; and

 

b.  involving the Controller or the Director, Internal Audit in the review of user roles in relation to financial transaction processing to ensure that the appropriate segregation of duties is maintained for all user roles.

 

9.  City Council request the Chief Technology Officer to improve the user permissions framework of the Human Resources application, including:

 

a.  conducting a cybersecurity and information privacy review of the various roles created in the Human Resources system;

 

b.  reviewing the users with a Super Administrator role and limiting the number of users with that role considering the industry's best practices and professional bodies;

 

c.  ensuring that user access roles are designed with cybersecurity and information privacy in mind; and access roles should be provided to users on a "need to have" basis;

 

d.  defining a process for the approval of access roles for support staff; instead of providing Super Administrator access, support staff should be provided access on a "need to have" basis; and

 

e.  eliminating the use of generic and anonymous accounts; if these roles are needed as an exception for operational reasons, detailed monitoring and logging procedures should be developed and implemented for these roles; and, in addition, the review of elevated access roles and the use of generic or anonymous users should be extended to the SAP enterprise application.

 

10.  City Council request the Chief Technology Officer to develop standards and minimum criteria for logging user activity details for information technology systems, with steps including, but not limited to:

 

a.  ensuring that user access logs capture account activity for users with elevated access, such as users with Super Administrator or Divisional Administrator roles; and

 

b.  implementing a user activity review process for roles with elevated access on a periodic basis to ensure that access is aligned with the roles.
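As an added illustration of the review process in Recommendations 9e, 10a and 10b (this script is not part of the Council record or the Auditor General's report), the following Python code runs a periodic elevated-access review over a constructed role roster and constructed audit log lines: it records activity for Super Administrator and Divisional Administrator accounts, flags accounts that appear in the log but have no named owner on the roster, flags Divisional Administrator activity outside the administrator's own division, and flags elevated roles that produced no activity in the review window. The roster, log format, user names and the 30-day window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Elevated roles named in the recommendations; every other role is treated as standard.
ELEVATED_ROLES = {"Super Administrator", "Divisional Administrator"}

# Constructed roster (not City data): user -> role and, for Divisional Administrators,
# the one division whose records that role is expected to touch.
ROSTER = {
    "jsmith": {"role": "Super Administrator", "division": None},
    "mlee": {"role": "Divisional Administrator", "division": "Parks"},
    "akhan": {"role": "Divisional Administrator", "division": "Finance"},
    "rchen": {"role": "Employee", "division": "Parks"},
}

# Constructed audit log, one event per line: timestamp|user|action|division of the record
LOG_LINES = """\
2021-03-01T09:12:00|jsmith|ROLE_GRANT|Finance
2021-03-02T10:03:00|mlee|RECORD_UPDATE|Parks
2021-03-03T14:40:00|mlee|RECORD_UPDATE|Finance
2021-03-04T08:15:00|hrsupport|RECORD_EXPORT|Parks
2021-03-05T16:20:00|rchen|RECORD_VIEW|Parks
""".splitlines()


def parse_event(line):
    """Split one pipe-delimited audit line into a dict with a parsed timestamp."""
    ts, user, action, division = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "division": division}


def review_elevated_access(log_lines, roster, window_end, window_days=30):
    """Periodic review of elevated-access activity over one review window.

    window_end may be a datetime or an ISO-8601 string. Returns a dict with:
      findings          - list of {user, issue, detail} entries for follow-up
      elevated_activity - event counts per active elevated-role user (the 10a record)
      super_admin_count - how many roster entries hold Super Administrator (9b)
    """
    if isinstance(window_end, str):
        window_end = datetime.fromisoformat(window_end)
    window_start = window_end - timedelta(days=window_days)
    events = [parse_event(line) for line in log_lines if line.strip()]
    events = [e for e in events if window_start <= e["ts"] <= window_end]

    findings = []
    activity = defaultdict(int)
    for e in events:
        activity[e["user"]] += 1
        entry = roster.get(e["user"])
        if entry is None:
            # 9e: an account with no named owner on the roster is generic/anonymous
            findings.append({"user": e["user"], "issue": "unrostered_account",
                             "detail": f"{e['action']} at {e['ts'].isoformat()}"})
            continue
        if (entry["role"] == "Divisional Administrator"
                and e["division"] != entry["division"]):
            # 10b: a Divisional Administrator touching another division's records is
            # activity that is not aligned with the role
            findings.append({"user": e["user"], "issue": "outside_division",
                             "detail": f"{e['action']} on {e['division']} records"})

    # 10b: an elevated role with no activity in the window is a candidate for removal
    # under the "need to have" basis in 9c/9d
    for user, entry in roster.items():
        if entry["role"] in ELEVATED_ROLES and activity[user] == 0:
            findings.append({"user": user, "issue": "dormant_elevated_role",
                             "detail": f"{entry['role']} with no events in {window_days} days"})

    elevated_activity = {u: activity[u] for u, entry in roster.items()
                         if entry["role"] in ELEVATED_ROLES and activity[u] > 0}
    super_admin_count = sum(1 for entry in roster.values()
                            if entry["role"] == "Super Administrator")
    return {"findings": findings, "elevated_activity": elevated_activity,
            "super_admin_count": super_admin_count}


if __name__ == "__main__":
    result = review_elevated_access(LOG_LINES, ROSTER, "2021-03-31T00:00:00")
    print(f"Super Administrator accounts: {result['super_admin_count']}")
    for user, count in result["elevated_activity"].items():
        print(f"{user}: {count} elevated-role event(s) in window")
    for finding in result["findings"]:
        print(f"[{finding['issue']}] {finding['user']}: {finding['detail']}")
```

On the constructed data the review reports one Super Administrator, activity for jsmith and mlee, and three findings: the unrostered hrsupport account, mlee updating Finance records, and akhan holding a Divisional Administrator role with no activity.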

 

11.  City Council request the Chief Technology Officer to implement a process to ensure that comprehensive system testing and user acceptance testing are part of the overall information technology project management methodology, including:

 

a.  assigning staff having functional subject matter expertise in the Technology Services Division, cybersecurity subject matter expertise in the Office of the Chief Information Security Officer, and privacy subject matter expertise in the City Clerk's Office to review the test scope, test cases, and test cycle defect management;

 

b.  ensuring that user acceptance testing is started early in the project stage and performed by respective divisions (users); and, in situations where testing is performed by staff other than the User Division, the test results must be formally approved by the respective Division Lead contact on the project; and

 

c.  ensuring that each test cycle goes through a formal approval process and mandatory security and privacy testing prior to commencing the next test cycle.

 

12.  City Council request the Chief Technology Officer to:

 

a.  research options to automate the move of configuration of systems, including cybersecurity and privacy configuration, from testing to the production environment; and

 

b.  alternatively, include a peer review (Quality Assurance) to verify post-implementation configuration in the system after it has been moved to the production environment.

 

13.  City Council request the Chief Procurement Officer, in consultation with the Chief Information Security Officer and the City Clerk, to report to the General Government and Licensing Committee by the end of the third quarter of 2021 on how to embed privacy and security by design principles and mandatory privacy and cybersecurity requirements from the Chief Information Security Officer and the City Clerk into the City's current procurement process and a governance process to manage exceptions.

 

14.  City Council direct the Chief Information Security Officer to prepare a complete inventory of all business applications, systems, and connected technology assets in the City and its applicable agencies and corporations by the end of the third quarter of 2021 and City Council direct all Division Heads and request, as appropriate, the City's applicable agencies and corporations to provide the complete inventory information above to the Chief Information Security Officer and to identify a single accountable business owner for each inventory item.

 

15.  City Council request the Chief Information Security Officer to report to the General Government and Licensing Committee on a transformation and implementation plan for an independent and centralized information technology risk and compliance, privacy, and cybersecurity function or functions which addresses organizational design, governance, oversight, accountability, authority, procurement, services, talent, human, and financial resources.

Decision Advice and Other Information

The Audit Committee recessed its public session to meet in closed session to consider this item, as it relates to the security of the property of the City or local board, litigation or potential litigation, including matters before administrative tribunals, affecting the City or local board, and advice that is subject to solicitor-client privilege, including communications necessary for that purpose.

Origin

(February 3, 2021) Report from the Auditor General

Summary

The City of Toronto implemented a new human resource (HR) system in 2019 to replace its old HR modules in human resource management and administration. This new integrated HR system provides an end-to-end workflow, from recruitment to hiring and onboarding for new staff. It collects and stores a significant amount of human resources information for employees and elected officials. Because of this, it is extremely important that the system has strong cybersecurity and privacy controls in place.

 

In early 2020, the Auditor General became aware of a cybersecurity incident related to the implementation of this new system. Given the importance of information privacy and cybersecurity, the Auditor General immediately initiated a review of the system implementation process in the context of overall information security at the City.

 

Cybersecurity and information privacy have always been high priority areas for the Auditor General. Since 2015, the Auditor General has performed a number of audits of the City's IT infrastructure and critical systems, and has recommended controls to improve cybersecurity and information privacy. The Auditor General will continue to perform audits and assess evolving cybersecurity and information privacy risks.

 

The objective of this review was to assess the implementation of information privacy and cybersecurity controls of this new HR system. The findings are categorized into three areas where the City needs to improve cybersecurity and information privacy:

 

-  strengthening project governance;


-  improving user access controls and activity logging processes; and


-  strengthening end-to-end system testing, including user acceptance testing.

 

We have made 10 recommendations to address the weaknesses identified during our review. Implementation of our recommendations will strengthen project governance and improve controls to address cybersecurity and information privacy risks when implementing large technology systems.

 

Detailed management comments and an action plan for each recommendation are provided in Appendix 1 of the attached report.

Background Information

(February 3, 2021) Report from the Auditor General on Information Technology Projects Implementation: Information Privacy and Cybersecurity Review of Human Resource System
https://www.toronto.ca/legdocs/mmis/2021/au/bgrd/backgroundfile-163360.pdf
Review at a Glance - Information Technology Projects Implementation: Information Privacy and Cybersecurity Review of Human Resource System
https://www.toronto.ca/legdocs/mmis/2021/au/bgrd/backgroundfile-163361.pdf
(February 3, 2021) Attachment 1 - Information Technology Projects Implementation: Information Privacy and Cybersecurity Review of Human Resource System
https://www.toronto.ca/legdocs/mmis/2021/au/bgrd/backgroundfile-163362.pdf

Motions

1a - Motion to Amend Item (Additional) moved by Councillor Stephen Holyday (Carried)

That:

 

1.  City Council request the Chief Procurement Officer, in consultation with the Chief Information Security Officer and the City Clerk, to report to the General Government and Licensing Committee by the end of the third quarter of 2021 on how to embed privacy and security by design principles and mandatory privacy and cybersecurity requirements from the Chief Information Security Officer and the City Clerk into the City's current procurement process and a governance process to manage exceptions.

 

2.  City Council direct the Chief Information Security Officer to prepare a complete inventory of all business applications, systems, and connected technology assets in the City and its applicable agencies and corporations by the end of the third quarter of 2021 and City Council direct all Division Heads and request, as appropriate, applicable agencies and corporations to provide the complete inventory information to the Chief Information Security Officer and to identify a single accountable business owner for each inventory item.

 

3.  City Council request the Chief Information Security Officer to report to the General Government and Licensing Committee on a transformation and implementation plan for an independent and centralized IT risk and compliance, privacy, and cybersecurity function or functions which addresses organizational design, governance, oversight, accountability, authority, procurement, services, talent, human, and financial resources.


1b - Motion to Amend Item moved by Councillor Stephen Holyday (Carried)

That the Audit Committee amend Recommendations 1, 2, 3, 4, 5, 9, and 10 to read as follows:

 

1.  City Council request the Chief Technology Officer enhance the management of cybersecurity and privacy risks as part of its IT project governance by:

 

a.  ensuring that cybersecurity and information privacy requirements and related budget are part of the acquisition, development, and design and testing phases of technology projects. The Office of the Chief Information Security Officer and the City Clerk should be consulted to review the must review and endorse the requirements and budget allocated for cybersecurity and information privacy for all City technology initiatives, transformations and procurements;

 

b.  ensuring a process is in place to identify, analyze and communicate all cybersecurity and information privacy risks to all stakeholders at each project phase through a documented risk mitigation plan. The identified risks are either mitigated or formally accepted by the division head/project sponsor and communicated to the City's Senior Leadership Team before the system is launched; and

 

c.  ensuring the remediation of open risks is completed within a specified timeline and is signed off by the division head/project sponsor before moving to the next project development stage; and

 

d.  identifying new or reallocated resource requirements required by the City Clerk or the Office of the Chief Information Security Officer needed to support the IT project through its life cycle.

 

These actions should be extended to existing in-progress technology projects and all future implementations.

   

2.  City Council request the Chief Technology Officer enhance the City's incident response process by: 

 

a.  ensuring all incidents are logged in a consistent manner and addressed and communicated to the appropriate stakeholders in a timely manner;

 

b.  actively monitoring remediation actions and ensuring that processes are in place to test the post-remediation environment; and

 

c.  coordinating with the City Clerk to integrate the privacy incident response process with the Office of the CISO's Cyber incident response plan and Technology Services Division's Major Incident Management process; and

 

d.  integrating the applicable sections of the Technology Services Division's Major Incident Management process into the Office of the Chief Information Security Officer's Cyber incident response plan.

 

These actions should be considered in addition to the Auditor General's previous recommendation included in the report entitled "Establishment of City-wide Cybersecurity Breach Incident Management Procedures Required".

 

3.  City Council request the Chief Technology Officer to enhance project governance by:

 

a.  ensuring all projects fully comply with the Project Review Team gating approvals. Exceptions relating to cybersecurity and privacy should must be reviewed by the Chief Information Security Officer and the City Clerk for a Go/No-go decision;

 

b.  ensuring project management gating criteria include a clear support transition plan when projects move from development to operations or from one stage to the next, depending on which project management methodology is used, such as Agile project management; and

 

c.  ensuring project managers are trained in change management methodology.

 

4.  City Council request the Chief Technology Officer in coordination with the Chief Information Security Officer and the City Clerk to prioritize and direct resources to develop a training program for project managers and key staff involved in the implementation of technology initiatives to receive cybersecurity and information privacy training focused on managing technology projects.

 

In addition, the Chief Information Technology Officer conduct an assessment to determine the feasibility of extending this training program to major agencies and corporations.

 

5.  City Council request the Chief Technology Officer to enhance the project governance and project management framework by ensuring:

 

a.  all stakeholders' roles and responsibilities are clearly defined and key stakeholders are involved from the project initiation pre-procurement stage;

 

b.  a clear support transition plan when project is moved from development to operations at Gate 4, the last gate before the system is moved to operations;

 

c.  the City Clerk and the Chief Information Security Officer are part of the project steering committee for all key technology initiatives and transformations that involve privacy and security risks; and

 

d.  criteria are developed to determine projects with high risks that have not been mitigated prior to moving to production be escalated to the Senior Leadership Team (SLT). The developed criteria should be shared with the City Manager for City-wide implementation.

 

9.  City Council request the Chief Technology Officer to implement a process to ensure comprehensive system testing and user acceptance testing are part of the overall IT project management methodology. This includes:

 

a.  assigning staff having functional subject matter expertise in Technology Services Division, or cybersecurity subject matter expertise in the Office of the Chief Information Security Officer and privacy subject matter expertise in the City Clerk's Office to review the test scope, test cases and test cycle defect management;

 

b.  ensuring that user acceptance testing is started early in the project stage and performed by respective divisions (users). In situations where testing is performed by staff other than the User Division, the test results must be formally approved by the respective Division Lead contact on the project; and

 

c.  ensuring each test cycle goes through a formal approval process and mandatory security and privacy testing prior to commencing the next test cycle.

  

10.  City Council request the Chief Technology Officer to research options to automate the move of configuration of systems (including cybersecurity and privacy configuration) from testing to the production environment.

 

Alternatively, include a peer review (Quality Assurance) to verify post implementation configuration in the system after it has been moved to the production environment.


Motion to Adopt Item as Amended moved by Councillor Stephen Holyday (Carried)
Source: Toronto City Clerk at www.toronto.ca/council