September 19, 2022, by Staff

Better monitoring of websites and apps would better protect Denver

The city would be more secure from hackers if it managed third-party information technology vendors in a more comprehensive and centralized way, according to an audit released this month by Denver Auditor Timothy M. O’Brien, CPA.

“Every app, every online service, every digital tool the city uses has to be monitored for cybersecurity and cost control,” Auditor O’Brien said. “Although city managers are very good at protecting the city, ensuring all possible safeguards are in place is essential to continued success.”

 

With continual advances in information technology, both the private and public sectors increasingly rely on web-based applications and the data that outside vendors supply through the web. We discovered that the city’s Technology Services agency has no complete system for managing the vendors of these external applications and does not hold them accountable in the event of a problem.

 

One of the most important considerations is to regularly review third-party vendors’ security measures. If Technology Services relies on outdated security information, it could leave city officials unaware of weaknesses in a vendor’s security and expose the city to the risk of losing its data and damaging its reputation.

 

Additionally, the city needs to monitor these vendors to ensure that they provide the services agreed upon. The city must clearly define its objectives and expectations, such as the availability of a site to users or the provision of services for the general public, and if these services are interrupted the vendor must pay appropriate penalties.

 

Unfortunately, we found some incidents since January 2021 in which the products of various vendors had an interruption in service without compensation to the city. We found that 31% of the 26 vendors we examined had critical incidents. In none of those instances did the city try to obtain restitution for the disruption in services. For instance, one vendor had 20 separate incidents relating to the same system.

 

“If the city never holds vendors accountable, then more vendors will test the limits of what they can get away with using taxpayer resources,” Auditor O’Brien said.

 

We found only one instance in which a vendor reimbursed the city for failing to meet its objectives. In that case, however, it was the vendor that told the city it owed the penalty.

 

The city should ensure that its contracts and agreements have specific, clearly defined, and measurable objectives, as well as clear language that gives the city recourse when vendors fail to meet those objectives. Managers then also need to monitor when vendors separate from the city.

 

The city also needs to keep all vendor management data in one place. Data from vendors is currently scattered across at least five different systems. With such a dispersed approach, the city risks vendor issues going unreported, contracts expiring, which can lead to legal risks, and communication that is inadequate or stops altogether.

 

“With so many different applications and services out there, it is very easy to lose track of which agency is using which program, let alone when contracts are about to expire or whether a security check has been done recently,” Auditor O’Brien said.

 

If technology vendors fail to adequately safeguard city data or fail to deliver services as promised, the city’s officials and citizens could suffer, and the reputation of the city could be at risk. A successful information technology vendor management process reduces costs, provides excellent service, and reduces risk, ensuring that an organization receives the most value from its vendors.

 

For this vendor management process, we recommend that the city implement key strategies, such as dedicated staffing, monitoring contracts, closing vendor contracts, education, and reviewing security assessments. Although a comprehensive process has not been developed, the city has made some small progress. Technology Services officials drafted a vendor management policy in 2021, but they delayed implementing it until after the review was complete.

 

“We hope that because agency officials already have a draft policy and because they agreed to all our recommendations, they will make the needed changes quickly and completely,” Auditor O’Brien said.
