Published on September 19, 2022
DENVER – The city would be better protected from hackers if it managed third-party information technology vendors in a more comprehensive and centralized way, according to an audit out this month from Denver Auditor Timothy M. O’Brien, CPA.
“Every app, every online service, every digital tool the city uses has to be monitored for cybersecurity and cost control,” Auditor O’Brien said. “Although city managers are very good at protecting the city, ensuring all possible safeguards are in place is essential to continued success.”
With continual advances in information technology, both the public and private sectors are relying more on web applications and data that outside vendors provide via the internet. We found the city’s Technology Services agency has no comprehensive structure for managing vendors of these external applications and it does not hold them accountable when things go wrong.
One of the highest priorities should be regular review of third-party vendors for their existing security safeguards. If Technology Services relies on outdated security information, it may leave city officials unaware of deficiencies in a vendor’s security environment and could put the city at risk of losing data and harming its reputation.
Additionally, the city needs to monitor these vendors to ensure they deliver the services agreed upon. The city needs to clearly define objectives and service expectations — such as the availability of a website to users or the delivery of services to the public — and if a vendor fails to meet them, the vendor should pay appropriate penalties.
Unfortunately, we found several incidents since January 2021 in which vendor-provided products suffered service interruptions without any compensation to the city. Of the 26 vendors we tested, 31% (eight vendors) had critical incidents. In none of those cases did the city attempt to collect restitution for the disruption in services — including one vendor with 20 separate incidents related to a single system.
“If the city never holds vendors accountable, then more vendors will test the limits of what they can get away with using taxpayer resources,” Auditor O’Brien said.
We identified only one case when a vendor reimbursed the city for failing to meet its objectives. However, this vendor self-reported to the city that it owed the penalties.
The city needs to ensure its contracts and agreements include specific, defined, and measurable objectives as well as clear language that gives the city recourse when vendors fail to meet those objectives. Managers also need to oversee the close-out process when a vendor's relationship with the city ends.
Finally, the city needs to store its vendor management data in one place. Vendor data is currently dispersed across at least five systems. With such a decentralized approach, the city risks vendor incidents going unnoticed, contracts expiring and creating legal risk, and communication with vendors breaking down or stopping altogether.
“With so many different applications and services out there, it is very easy to lose track of which agency is using which program, let alone when contracts are about to expire or whether a security check has been done recently,” Auditor O’Brien said.
If technology vendors do not adequately protect city data or if they do not deliver services as promised, city agencies and residents could be affected and the city’s reputation would be at risk. An effective information technology vendor management process controls costs, promotes excellent service, and reduces risks to ensure the organization gets the best value from its vendors.
As part of this vendor management process, we recommend the city implement critical strategies including dedicated staffing, contract monitoring, closing out vendor contracts, training, and reviewing security assessments. Although a comprehensive process has not been created, the city has made some limited progress. Technology Services officials drafted a vendor management policy in 2021, but they intentionally waited to finalize it until after this audit was completed.
“We hope that because agency officials do already have a draft policy and because they agreed to all our recommendations, they will make the needed changes quickly and completely.”
AUDITOR TIMOTHY O’BRIEN, CPA