The city of St. Louis’ IT office made several revisions to its security policies following a recent review by the Missouri State Auditor, the city’s chief information officer, Cindy Riordan, told StateScoop on Monday. Among the changes are more restrictions on access to the city’s main data center and updated contracting rules to require vendors to meet certain security standards.
The report, published last Thursday by State Auditor Nicole Galloway, faulted the Information Technology Services Agency, or ITSA, for not establishing and following policies to control how many people have access to sensitive areas, like the data center, or keeping an accurate inventory of its equipment. The audit also found that ITSA did not consistently ask its vendors to provide documentation about security protocols.
“Inadequate physical security could lead to the loss of property, the disruption of service and functions, and the unauthorized disclosure of data and information,” the report reads.
Although the document includes a warning about the evolving nature of cybersecurity threats, the auditing process was focused on physical security. Galloway’s inspectors found that several ITSA workers whose responsibilities do not require access to areas housing sensitive resources were nevertheless granted entry. The audit also revealed that three former agency employees who resigned or retired in the past two years still had access, as did one city employee who transferred out of the agency in 2017. The report states that ITSA’s leaders did not review who had physical access “because they did not consider it high risk.”
Riordan said ITSA cracked down on access to the data center after the auditor’s review.
“We did make a written policy and reviewed people who had physical access to that space,” she said. “Everything’s always changing in technology.”
She added that the data center is located in a city-government building that has its own security protocols in place.
The auditors reviewed several of ITSA’s contracts with its software vendors, but only found one document that stated the vendor would provide “appropriate security functionality” in its work for the city. Inspectors also found that ITSA did not make it a policy to ask contractors to provide documentation proving their products met data security frameworks set by the National Institute of Standards and Technology, ISACA and other standards-setting organizations.
Riordan wrote in her responses to the audit that “very few” of the city’s software vendors have access to the agency’s data, but that the ones that do are “well-known for meeting, if not setting” data-protection standards. And she told StateScoop that the vendor in a contract that was found to lack security protocols met the industry standards anyway.
“The vendor had appropriate security, we just didn’t have the language in our contract to require it,” she said. “We do now have boilerplate language.”
In her overview of ITSA, Galloway attributes some of the shortcomings her office found to a longstanding vacuum at the top of the IT agency. Riordan, who was appointed St. Louis’ CIO in December 2017, was ITSA’s first permanent leader in nine years. Previously, big IT decisions were made by other city officials who were “partially assigned” to guide city tech policies, the audit reads. But Riordan, who before her appointment served as an operations manager and business analyst for other city agencies, disagreed with Galloway’s description of ITSA as a formerly rudderless agency.
“The IT staff here is very cognizant of the right ways to implement security and implement our systems,” she said. “I don’t know if I would blame the lack of official leadership.”
Still, Riordan welcomed the audit’s findings as an opportunity to improve ITSA.
“We are much more cognizant now,” she said. “It’s helpful to circle back and grow.”