City of Ottawa IT system faces 'significant' risk, Auditor General Ken Hughes finds
Most departments have 'low maturity level' when it comes to assessing, handling security risks
The City of Ottawa's information technology is facing "significant" risks, and could be vulnerable to security breaches, Ottawa's auditor general is warning.
In his annual report tabled Thursday, Ken Hughes pointed out a number of potential holes in the way the city manages its IT network.
For one, the city lacks a full inventory of all the programs and networks being used by its many departments, Hughes said, adding it has no way to prioritize the "riskiest risks". Some employees have installed cloud-based applications without the IT department being involved, he added.
As well, there are some city staff with "little or no technical training" responsible for identifying technological risks and coming up with strategies to handle them, said Hughes.
"There's a low maturity level of most city departments for IT risk management," Hughes told councillors on the city's audit committee. "This is primarily due to governance and leadership issues."
Security hack last November
It was one year ago this November that the City of Ottawa's website was hacked to display the name of a police officer involved in the investigation of a local teen charged after allegedly calling in fake emergencies across North America.
For about one hour, the city's website displayed the name of the Ottawa police officer and an image of a dancing banana.
That incident was supposed to be discussed in a private, in-camera session Thursday afternoon.
"[This] will require investment in the coming years," said Kirkpatrick, who's leaving the city manager's job next March. "Estimates will be developed and considered as part of the budget priorities for 2017."
'Bit of a Wild West'
Kitchissippi Coun. Jeff Leiper, the vice-chair of the city's information technology subcommittee, said he's "not surprised" by Hughes' findings.
Leiper said the practice of making improperly-trained people responsible for overseeing potential security risks "has to stop."
311 calls, bridge repairs
Hughes' also presented resulted from several other audits and made 108 recommendations, all of which the city manager accepted:
- An audit of the city's 311 call line, Hughes found people wait too long for their call to be answered. The city's service standard — that 80 per cent of all calls will be answered within two minutes — was lower than the standard found in other large Canadian cities such as Toronto, Calgary, Vancouver and Edmonton.
- Hughes found it wasn't necessary for the city to spend $1.2 million paving the whole Mackenzie King Bridge. It paved the bridge in 2008 using a new method,without proper design and testing. That resulted in the city filing a lawsuit against construction company R.W. Tomlinson over whether the job was properly done. Problems wth the new surface required the city to spend a further $700,000 the following year.
- An audit of accounts payable found 1 in 5 invoices was paid late, and 5 per cent didn't take advantage of discounts with a value of $600,000.
- A study of species at risk found that on major infrastructure projects, the city did not have a protocol to review if anything has changed between its environmental assessment and the work beginning.
- Hughes looked at snow plowing operations and suggested the city should look at whether it has the right mix of in-house vs. contracted snow plowing. He noted the city hasn't looked at that mix since amalgamation, and has a much higher proportion of city-owned equipment than other Ontario cities.
Hughes found a couple of underlying themes to the audits, including a lack of financial analysis when staff are making decisions.
"We do this in our own personal lives: Before you make a decision you make sure there's a valid reason for why you are taking a particular course of action," said Hughes. "You have to identify what the various courses of actions are and what we're suggesting, being accountants, is you might want to cost out those alternatives."