5. Information Systems Security

  • No City department or entity is responsible for overseeing the City's information systems security, resulting in inconsistent and inadequate system security in City departments. Only 14 of 55 City departments, or 25.4 percent, have information system security plans, and of these 14 departments, the plans are often incomplete. As a result, there is an unacceptably high level of risk that the City's information systems could be compromised through unauthorized access.

  • In a review of ten City departments, only four had assessed the vulnerability of their information systems to unauthorized access. These vulnerability assessments found that department employees entered confidential data into their personal data drives; vendors and contractors had broad access to department information systems; and the public had broad access to the internet on public access computers. According to one department's Information Technology Director, although the department maintains important public and financial records, the department lacks sufficient resources to ensure that the department's information is secure.

  • None of the ten City departments consistently implemented policies and practices to protect their systems' security. Although one department has a policy to install and update anti-virus software on each workstation, the department's review of its own practices found that not all workstations and servers had current security patches and anti-virus definitions.

  • The City lacks a specific personnel classification that is responsible for departments' information system security functions or a set of core competencies required for information technology positions. Nine separate civil service classifications are responsible for security management, although information system security management is not included in the job description, skills or functions for most of these classifications.

  • Currently, the Department of Emergency Management, Fire Department, and Police Department participate jointly in the e911 system, but lack a formal decision-making process to determine how each department could link the City's administrative applications and the e911 system more efficiently without compromising system security. This results in (a) duplicate systems requiring manual extraction of data or (b) segmented system applications and databases which fragment work flow and increase data entry and duplication errors. The Committee on Information Technology should develop decision-making guidelines for City departments that share information systems to allow more efficient management of these systems. This is especially important as the need for City departments to share systems increases in order to provide better public services.

Information Systems Security

Information security can broadly be defined as an assembly of people, processes and technology that are aligned to prevent unauthorized access to an enterprise's telecommunications, data storage systems, and business applications. The risks of unauthorized access to such systems include, but are not limited to:

  • Tampering with or destroying computer files or applications so as to render them unreliable or unusable;

  • Gaining access to sensitive information to which an individual is not entitled such as financial or personal data that is of a confidential nature; and,

  • Executing business transactions for which the individual is not properly authorized or that go undetected by the affected entity.

The following principles are critical to the provision of an effective information security program¹:

1) System Architecture: System architecture refers to the manner in which a telecommunications system, and the array of computer applications and data storage systems hosted on it, are designed and built. An agency should incorporate various electronic and physical safeguards into its system architecture.

2) Planning: An organization should establish a comprehensive set of policies and procedures that describe: (a) the information security objectives of the organization; (b) the manner in which people, process and technology will be deployed to effectively safeguard the information assets of the organization; and (c) the standards of conduct to which individuals accessing the organization's computer systems are expected to adhere.

3) Implementation: An effective information security program is contingent upon an effective implementation program, including: (a) organizing and staffing, (b) employee training and awareness; and, (c) ongoing monitoring and assessment.

City Departments' Inconsistent Information Technology Security Practices

The City lacks a central department or oversight body to implement and enforce information technology security practices. The Administrative Code does not assign any City entity with responsibility for ensuring the safety and security of the City's information systems. As a result, City departments are unclear about their responsibility to maintain adequate security for their information systems.

Neither the Committee on Information Technology nor the Department of Telecommunications and Information Technology has explicit responsibility for setting information system security standards. The absence of a single City entity with responsibility for ensuring the safety and security of the City's information systems has also left individual departments on their own in the development of security plans, without the benefit of an authoritative guide for the design and implementation of such policies. As a result, the policies developed by individual departments are frequently either incomplete or reflect a lack of understanding of the fundamentals of information security.

Only 14 City departments, or 25.4 percent of 55 City departments, reported that they had an information technology security plan in place. Of these 14 departments' security plans, one-half lacked at least one of the three elements of an effective security program described above, (a) system architecture, (b) planning and (c) implementation, and more than one-third included none of the three elements.

Information System Security Vulnerability Assessment

A closer review of ten City departments² identified a number of weaknesses in the security practices that could jeopardize the information assets of individual departments and that of the City's communications network as a whole.

Only four of the ten departments had conducted a vulnerability assessment of the department's communications, data storage, and enterprise application systems in the past two years. Two of the departments stated that the assessment had found deficiencies, including:

  • Confidential department data was entered into department employees' personal data drives.

  • Contractors and vendors had broad access to department modems.

  • Public access computers had broad access to internet sites.

  • User password policies did not meet industry standards.

  • Workstations and servers were not current with the latest security patches and antivirus definitions.

According to one department's Information Technology Director, although the department is responsible for important public and financial records, the department lacks sufficient resources to assess the department's system security, and consequently cannot ensure that the department's information is secure.

Departments' Information System Security Policies

The ten City departments did not uniformly implement information system security best practices. Consequently, department staff were insufficiently informed of system security needs and the departments' information systems were vulnerable to security breaches. All ten departments reported implementing certain policies and practices, including:

  • Installation and updates of anti-virus software on each workstation;

  • Restricted physical access to the department's servers; and

  • Prohibiting end-users from installing third party software on their workstation.

However, as noted above, one department's vulnerability assessment showed that, despite the policy to install and update anti-virus software on each workstation, not all workstations and servers were current with the latest security patches and antivirus definitions.

Eight of the ten departments reported implementing policies to:

  • Prohibit external connections, such as modems, that bypass the City's firewall; and

  • Require employees who access the department's network from outside the system to use a secure communications protocol.

Only six of the ten departments required employees to change their passwords at periodic intervals. Only four of the ten departments configured workstations to display a logon notice informing employees that the computer system is for authorized use only.

Five of the ten departments required that one or more members of the Information Technology staff attend at least one conference, workshop or seminar on information system security annually.

Three departments reported that they had not distinguished between public and confidential or restricted records maintained in their information systems nor trained employees on the distinction. Although the departments which had legal requirements to maintain confidential or restricted records, such as Public Health, Elections, and the Human Services Agency, reported doing so, other departments had failed to implement policies or practices defining public and restricted records.

City Personnel Responsible for Information System Security

The City lacks a specific personnel classification that is responsible for departments' information system security functions or a set of core competencies required for information technology positions. Nine separate civil service classifications, ranging from 1073 IS Director to 1022 IS Administrator II are assigned responsibility for departments' information system security, as shown in Table 5.1.

Table 5.1
Personnel Classifications Used by Selected City Departments for
Information Technology Systems Security

  Classification   Classification Description
  --------------   ---------------------------------
  1073             IS Director
  1071             IS Manager
  1070             IS Project Director
  1054             IS Business Analyst - Principal
  1044             IS Engineer Principal
  1043             IS Engineer Senior
  1042             IS Engineer Journey
  1023             IS Administrator III
  1022             IS Administrator II

Source: Budget Analyst survey

Based on a review of job descriptions for the above nine classifications, only the 1022 IS Administrator II and 1023 IS Administrator III positions are explicitly responsible for managing information system security. The job descriptions for 1070 IS Project Director and 1071 IS Manager positions imply responsibility for information systems security within the broader information system management responsibilities. The job responsibilities for the other classifications - 1054 IS Business Analyst and the IS Engineer series positions - do not include ongoing responsibility for managing information systems and system security.

Implementing Security Policies Among Departments

Systems Communications Issues and Inefficiencies

Because the Committee on Information Technology has been limited in overseeing the City's information technology functions, City departments have no formal process to manage shared information technology systems. The Department of Emergency Management and the Fire and Police Departments share the e911 system, which is comprised of several subsystems related to emergency communications, response, and information systems applications coordinated by the Department of Emergency Management.

Information security policy established by the Police Department, based on California Law Enforcement Telecommunications Systems (CLETS) guidelines, prevents the linkage of the e911 system to the citywide network. The Department of Emergency Management contends that while there was no express statutory requirement or written departmental policy that mandated the e911 system be separate from the citywide network, the decision to do so was largely based on (a) network security concerns and (b) issues regarding the permissible use of emergency communications bond and fee revenue.

According to information technology staff in the Department of Emergency Management, the e911 system needs to be physically separate from the citywide network given the vulnerabilities in the citywide system - many of which still persist. Because the citywide system is connected to the Internet, the system is less secure and more prone to viruses and other technical complications which can result in network failures. The e911 system, which was developed using secure fiber optic ring technology, is much more advanced than the citywide system and is not connected to the Internet.

Additionally, the e911 system is linked to CLETS, which contains criminal history, vehicle, and wanted-suspect files. CLETS interfaces with California Department of Justice files in Sacramento as well as with Federal Bureau of Investigation National Crime Information files in Washington, DC. Given the classified nature of this information, any network linked to CLETS must be highly secure to restrict access to authorized personnel only. According to the Department of Emergency Management, any departmental request to link outside networks to the e911 system would require approval from the California Department of Justice and in some cases the Federal Bureau of Investigation.³

Because finance and administrative staff in the Fire Department must frequently utilize data and applications in both systems, these individuals currently have two separate computers to access the e911 and citywide systems respectively. This two-computer arrangement is inefficient and costly to maintain. According to the Fire Department, costs for maintaining the two-computer arrangement are approximately $70,000 annually, which include costs for 130 duplicate computers and additional software licenses, associated maintenance and replacement costs, and the cost of the duplicate infrastructure (i.e., additional routers and switches) needed to support it. As a result, most of these workstations are extremely old and create multiple support problems for information technology staff. Moreover, because of the ongoing need to maintain this equipment, existing information technology resources cannot be dedicated to new projects.

Additionally, because the two systems cannot communicate with one another, e911 systems data is not readily available for use in citywide systems applications. Currently, scheduling information for Fire Department field staff, which is stored in the e911 system, must be manually pulled and entered into the citywide system, which contains the payroll processing application. According to the Department of Emergency Management, once the City's payroll system is updated, a secure interface can be developed between the two systems, allowing for the electronic transfer of data. Similarly, other Fire Department functions, such as reporting and billing for false alarms, require additional staff time due to the lack of systems communications. False alarm incidents, which are reported in the e911 system, must be manually extracted and populated into the citywide system for repeat offence billing.

The Police Department has issues similar to the Fire Department although the main problem is not separate networks. Rather, according to the Police Department, the lack of uniform, citywide information security policies and procedures has led to segmented systems applications and databases which fragment work flow and increase data entry and duplicative errors.

Security on the citywide network has improved as technology has advanced, but these improvements still lack the sophistication of the e911 system. Information technology staff from the Fire and Emergency Management Departments agree that sufficient security measures could be developed (i.e., firewalls, encryption, and narrow pathways) to allow limited systems communications for the purpose of conducting specified administrative tasks, although linkages to the e911 system would still require full agreement from each respective department and state approval given CLETS.

Currently, the three departments participating in the e911 system have procedures to allow administrative changes to the shared system. However, these departments lack a formal process to determine to what extent more efficient linkages could be made between the City's administrative applications and the e911 system without compromising system security. The departments are dependent on working through their different understandings of security and bond financing requirements for the e911 system and the impact on linking to the City system without guidelines for decision making. The Committee on Information Technology needs to develop a formal decision-making process for City departments that share information systems to allow more efficient management of these systems. This is especially important as the need for City departments to share systems increases in order to provide better public services.

Conclusion

The City lacks a central authority to establish and oversee the City's information system security, resulting in inconsistent and inadequate system security in City departments. Very few City departments have information system security plans, and for those that do have plans, the plans are often incomplete. As a result, there is an unacceptably high level of risk that the City's information systems could be compromised through unauthorized access.

The Committee on Information Technology, which provides leadership and coordination of the City's information technology pursuant to the Administrative Code, should assist City departments in planning for their information system security. The Committee on Information Technology should develop a risk assessment plan, identifying which departments are most vulnerable to security breaches and the procedures and resources necessary to reduce security risks, and establish baseline information system security procedures for the City departments.

Responsibility for information system security within City departments needs to be clearly defined. The Committee on Information Technology should identify the set of skills necessary to manage information system security and ensure that these skill sets are included in the job functions of select information technology classifications. Only positions with the identified system security skills and job functions should then be assigned responsibility for the departments' information system security.

Recommendations:

The Chair of the Committee on Information Technology should:

5.1 Establish policies and standards for each City department to develop a risk assessment plan that (a) identifies the City departments with the greatest security risks, and (b) identifies the resources necessary to reduce security risks.

5.2 Recommend annual funding for City departments' information system security programs based upon the risk assessment.

5.3 Establish criteria for City departments' information system security policies and procedures.

5.4 Define job skills and functions necessary to manage departments' information system security programs.

5.5 Develop formal decision-making guidelines for City departments that share information systems.

Costs and Benefits

City departments will incur costs to evaluate and implement programs to increase information system security. The Committee on Information Technology should develop a plan to identify and reduce City departments' information system security risks and recommend annual funding based on that plan as part of the annual budget process.

¹ Network Security Fundamentals, Gert DeLaet & Gert Schauwers, © 2005 Cisco Systems Inc., ISBN 1-58705-167-2.

² These ten departments are: Treasurer/Tax Collector, Assessor/Recorder, Elections, Recreation and Park, General Services Agency, Human Services Agency, Building Inspection, Planning, Public Health, and Fire.

³ Because CLETS is linked to the e911 system, according to IT staff from the Department of Emergency Management, such approval is necessary whether or not systems communications would permit direct access to CLETS.