"The City does not currently have formal IT risk management practices," the audit states. "In general, day-to-day operational controls are in place to mitigate IT risks, but gaps may still exist for unidentified IT risks, resources may not be prioritized to higher risk or strategically aligned areas, and senior management or oversight bodies may not receive timely awareness of risks affecting the City."

The good news for the city is that none of the issues that the Baker Tilly audit identifies as risks rise to the "critical" level, the most urgent category. The bad news is that many are deemed "high" risk. Areas in Palo Alto that were singled out as "high" risk are disaster recovery, malware defense, mobile device management and incident response. Also included in this category is "strategy and governance," which refers to the interplay between the city's day-to-day IT operation and its broader needs and priorities.

That's according to a new audit from Baker Tilly, the agency that serves as the city auditor and that in 2020 and 2021 conducted a thorough review of the city's information technology landscape. Its audit concluded that the city lacks a risk framework to identify key threats and proactively address them. It also found that the city does not have a formal disaster recovery plan; that the "playbook" used for program management in its information technology (IT) operation is outdated; and that the city's inability to "wipe" mobile phones that get lost or stolen "may result in the unintentional disclosure of confidential organizational data to a malicious attacker."

Among the audit's recommendations is that the city revisit and update its disaster-recovery plan based on the current IT environment. This plan should include, among other things, measures to address offline communication and building accessibility, software and hardware failures, downtime and data loss. It would also designate roles during disasters such as cyberattacks and environmental catastrophes.

While the audit analyzed the city's controls and practices pertaining to information security, those details are redacted from the publicly released audit. The audit does, however, detail the risk factors associated with each category. On "strategy and governance," the city's risks include IT service delivery that is misaligned with the organization; it also cites the possibility that the City Council and executive management could be unaware of IT risks and their severity.

The audit notes that the city already has an existing strategic document that identifies and prioritizes critical assets. However, the city has not identified employee responsibilities or developed action plans pertaining to its citywide strategy. It also has not developed metrics to evaluate whether the plan's objectives are being met.

"Understanding the threats to the City's strategic plan is essential to ensuring risk management controls add value to the risk management process. Failure to define the City's threat landscape may result in the inability to protect against and respond in the instance where an event occurs. Disruptions in technology and unmitigated risks may prevent or delay residents from receiving vital services," the audit states.

The audit argues that an effective IT strategy can bring many benefits to the city, including lower costs, greater control, more efficient use of resources and better risk management. Failure to define the city's threat landscape, it notes, may result in an inability to protect against and respond when an event occurs.

The new audit comes at a time when several municipal operations are preparing to make major technological leaps. These include a dramatic expansion in the city's fiber network to create a municipal broadband service; a transition to "smart meters" for electricity, gas and water customers; and the Office of Transportation's adoption of automated license plate readers and guidance systems at local garages.

In responding to the audit, city staff largely agreed with its findings and noted that the city is now in the process of procuring a consultant who will help develop a new three-year IT strategy. The process, according to the city, will "involve all departments to identify critical services and software required for service delivery."

Palo Alto is insufficiently prepared for cyber threats, a new audit finds

Review concludes city's IT operation suffers from dearth of strategic thinking