The URL can be used to link to this page

Home My WebLink About2223-12 Follow-up Cybersecurity Assessment (Final 5-23-23)Follow-up Initial Cybersecurity Assessment #2223-12 May 2023 FOLLOW-UP REPORT Initial Cybersecurity Assessment (Internal audit report #2122-6 issued July 2022) To request this information in an alternate format, please call (541) 330-4674 or send email to internal.audit@deschutescounty.gov Deschutes County, Oregon Internal Audit David Givans, CPA, CIA – County Internal Auditor Aaron Kay – Performance Auditor internal.audit@deschutescounty.gov Audit committee members: Daryl Parrish, Chair - Public Member Jodi Burch - Public Member Joe Healy – Public Member Scott Reich - Public Member Summer Sears - Public Member Stan Turel - Public Member Patti Adair, County Commissioner Charles Fadeley, Justice of the Peace Lee Randall, Facilities Director Follow-up Initial Cybersecurity Assessment #2223-12 May 2023 Table of Contents 1. INTRODUCTION ...................................................................................................................................... 1 1.1. OBJECTIVES AND SCOPE .............................................................................................................................. 1 1.2. METHODOLOGY ......................................................................................................................................... 1 2. FOLLOW-UP RESULTS ............................................................................................................................. 2 3. APPENDIX - UPDATED WORKPLAN (STATUS AS OF MAY 2023) .......................................................... 3 Follow-up Initial Cybersecurity Assessment #2223-12 May 2023 Page 1 1. Introduction Audit Authority: The Deschutes County Audit Committee has suggested that follow-ups occur within nine months of the report. The Audit Committee would like to make sure departments satisfactorily address recommendations. 1.1. OBJECTIVES and SCOPE “Audit objectives” define the goals of the audit. Objectives: The objective was to follow-up on recommendations from the original audit. Scope: The follow-up included three recommendations from the internal audit report for Initial Cybersecurity Assessment (#2122-6), issued in July 2022. The original internal audit report should be referenced for the full text of the recommendations and associated discussion. The follow-up reflects the status as of May 2023. 1.2. METHODOLOGY The follow-up report was developed from information provided by Tania Mahood, IT Director, and Nick Lelack, County Administrator. Follow-ups are, by nature, subjective. In determining the status of recommendations that were followed up, we relied on assertions provided by those involved and did not attempt to independently verify those assertions. The updates received are included in the Appendix. Since no substantive audit work was performed, Government Auditing Standards issued by the Comptroller General of the United States were not followed. Follow-up Initial Cybersecurity Assessment #2223-12 May 2023 Page 2 2. Follow-up Results Figure I - How were recommendations implemented? The follow-up included three outstanding recommendations agreed to by the County Administration and Information Technology department. Figure I provides an overview of the implementation status of the recommendations. With this follow-up, one recommendation towards annual program reporting to the Board of County Commissioners is expected to begin the summer of 2023. Progress on the other two recommendations was indicated as underway through use of a managed cybersecurity service company and funding for a cybersecurity program included in the Fiscal Year 2024 proposed budget. All outstanding recommendations are anticipated to be completed by Fiscal Year 2025. Follow-up Initial Cybersecurity Assessment #2223-12 May 2023 Page 3 The details of the follow-up are included at the end of the report in the Appendix. In interpreting the status, Internal Audit may sometimes raise or lower the status provided by the department based on the communication(s) received from the department. 3. APPENDIX - Updated workplan (status as of May 2023) Items that are not completed are greyed out. Rec # Recommendations Status Estimated or Actual Date of Completion Updated Follow-up comments 1 It is recommended for the County to implement a cybersecurity program that includes establishing a framework and continuous cycle of activity for assessing risk, developing and implementing effective security controls and procedures, and monitoring the effectiveness of those procedures as noted above. Underway July-24 IT: A fresh approach to the cybersecurity program will be put in place under the guidance of new leadership in the IT department. In the meantime, we are striving to fulfill the CIS controls' IG2 requirements to reduce risks. To aid in this effort, a managed cybersecurity service company was brought on board in January 2023. In partnership with the vendor, an Incident Response Plan will be started in Q2. IT staff from multiple units are working in collaboration with cybersecurity vendors on a weekly basis to accurately identifying and responding to vulnerabilities. These meetings' participants have informally been referred to as the advisory committee. Quarterly vulnerability scanning is being conducted by the vendors in collaboration with the advisory committee. The hope is to have a framework in place that meets the business needs, provides metrics, process, and procedures in place by FY25. Administration: We will support the IT department’s continued work to establish a cybersecurity program. Continued funding for this program was included in the FY24 budget . IT will continue to track this work through its performance measures, which should provide consistent progress updates both to the Board and to residents. Follow-up Initial Cybersecurity Assessment #2223-12 May 2023 Page 4 Rec # Recommendations Status Estimated or Actual Date of Completion Updated Follow-up comments 2 It is recommended, at least annually, the Board of County Commissioners review and approve the County’s cybersecurity program. Planned July-24 IT: IT will provide current state of the County's cybersecurity posture by summer 2023. A full cybersecurity program report will be provided by FY25. Administration: We agree with this recommendation and will support IT in facilitating this annual check in with the Board. 3 It is recommended for the County, led by the IT Department, continue improvements in addressing cyber defenses. Underway July-24 IT: During the budget planning for FY24, the new IT leadership did not request a full-time employee (FTE). Instead of hiring a dedicated FTE for security, the plan is to use the allocated funding for a managed cybersecurity services company. Although outsourcing has identified many gaps, it alone is not enough. By adding a dedicated resource, we can significantly improve our cybersecurity defenses both proactively and reactively. Administration: Administration looks forward to future discussions with the IT Department about potential new FTE that may be needed to meet organizational needs. {End of Report}