Posted on September 19, 2022
DENVER — The city would be better protected against hackers if it managed third-party information technology vendors more comprehensively and centrally, according to an audit conducted this month by Denver Auditor Timothy M. O’Brien, CPA.
“Every app, every online service, every digital tool the city uses needs to be monitored for cybersecurity and cost control,” Auditor O’Brien said. “While city managers are very good at protecting the city, ensuring that all possible safeguards are in place is essential for continued success.”
With the continuous advancements in information technology, both public and private sectors are relying more on web applications and data that external vendors provide via the Internet. We found that the city’s technology services agency does not have a comprehensive structure to manage the vendors of these external applications and does not hold them accountable when things go wrong.
One of the highest priorities should be regular reviews of third-party vendors for their existing security measures. If technology departments rely on outdated security information, city officials may overlook gaps in a vendor’s security environment and put the city at risk of losing data and damaging its reputation.
In addition, the city must monitor these providers to ensure that they provide sufficient services as agreed. The city must clearly define service goals and expectations – such as having a website available to users or providing services to the public – and if those services fail, the provider must pay the appropriate penalties.
Unfortunately, we have seen incidents since January 2021 when various products provided by vendors experienced a service disruption without compensation to the city. We found that 31% of the 26 vendors we tested had critical incidents. In none of these cases has the city attempted to collect compensation for the disruption of services – including one provider with 20 separate incidents related to a single system.
“If the city never holds vendors accountable, then more vendors will test the limits of what they can do using taxpayer resources,” Auditor O’Brien said.
We found only one instance where a vendor reimbursed the city for not meeting its targets. However, it was the vendor itself that told the city it owed the penalties.
The city should ensure that its contracts and agreements include specific, defined, and measurable goals and clear language that gives the city recourse when suppliers fail to meet those goals. Managers also need to monitor when vendors part ways with the city.
Finally, the city needs to store its vendor management data in one place. Vendor data is currently scattered across at least five systems. With such a decentralized approach, the city risks incidents with vendors going unnoticed, expiring contracts leading to legal risk, and miscommunication that could cause services to cease entirely.
“With so many different apps and services, it’s very easy to lose track of which agency is using which program, let alone when contracts are about to expire or if a security check has recently been completed,” said Auditor O’Brien.
If technology providers fail to adequately protect city data or deliver services as promised, city agencies and residents could be affected and the city’s reputation could be at risk. An effective IT vendor management process controls costs, promotes excellent service, and reduces risk to ensure that the organization gets the most value from its vendors.
As part of this vendor management process, we recommend that the city implement key strategies, including dedicated staffing, contract monitoring, vendor contract closure, training and review of security assessments. Although a full process has not been created, the city has made limited progress. Heads of technology services drafted a vendor management policy in 2021, but they intentionally waited to finalize it until after this audit was complete.
“We hope that because agency officials already have a draft policy and because they have accepted all of our recommendations, they will make the necessary changes quickly and comprehensively.”
AUDITOR TIMOTHY O’BRIEN, CPA