Elected officials in Palo Alto, California, on Monday night voted to adopt the recommendations of an audit of the city’s cybersecurity and risk-management practices, particularly regarding its disaster recovery planning and database management.
The vote by the Palo Alto City Council followed the Sept. 30 publication of the audit, which found that while the Silicon Valley community is capable of mitigating cybersecurity risks on a day-to-day basis, its Information Technology Department lacks formalized risk management practices and a documented disaster recovery plan in the event of a major cyber incident such as a ransomware attack.
“The City of Palo Alto’s Information Technology Department exists ‘to provide innovative technology solutions that support City departments in delivering quality services to the community’ according to their mission statement,” reads the audit, which was prepared by Baker Tilly, a nationwide accounting firm that’s serving as the city’s auditor. “These services support transportation, utilities, streets, fire, police and ambulance service provision. Disruptions in technology and unmitigated risks may prevent or delay residents from receiving vital services.”
The report notes that the Palo Alto municipal government has ambitions to offer digital services to keep up with the many global tech firms that are based in the 66,000-person city. But auditors also found that the city has limited visibility into the IT assets spread across its departments, which can increase the risks of unnecessary spending and weak security.
Baker Tilly also reported that Palo Alto hasn’t formalized a data classification policy, which creates compliance risks as officials collect data in accordance with an array of federal regulations, such as the Health Insurance Portability and Accountability Act. Auditors recommended the city finalize the policy, including “requirements for public, internal, confidential, restricted data and the impact of the data’s confidentiality, integrity and availability.”
None of the shortcomings auditors found were deemed to create “critical” risks, but the report placed a few in the “high” category, including the absence of a disaster recovery plan. Incident response management is included in major cybersecurity frameworks, such as the Center for Internet Security’s 18 controls, yet Palo Alto never formally implemented a 2014 playbook that was written after a previous IT audit.
“Lack of a tested recovery plan may result in the inability for the City to respond in the event of a disaster and the disruption of operations and resident services,” the audit read. Baker Tilly also wrote that the plan should be updated for the current IT environment and adopted citywide, with emphases on addressing offline communications, data losses and how to work through cyberattacks and environmental disasters alike.
In its response, the Palo Alto IT department largely agreed with the auditors’ assessments, writing that it’s in the process of finding a vendor to help develop a new three-year strategy that includes a risk-management framework, which could be adopted in the 2022 fiscal year.
“Implementing a proactive IT risk management process is critical because the IT Department provides numerous technology needs Citywide for Palo Alto,” the department’s response read. “The strategy should be communicated to all stakeholders to ensure there is an understanding of their respective risk management roles and responsibilities. Critical assets should be identified and prioritized to determine what services and products are necessary for service delivery.”