[read complete report - pdf]

Audit Objective

Determine whether City officials properly implemented information technology (IT) security controls to safeguard water system operations against unauthorized access or disruption.

Key Findings

• Network and local user accounts were not properly managed.
• Officials did not establish a process for staying current on water system cybersecurity threats.
• The City did not have service level agreements (SLAs) with its IT vendors.

In addition, sensitive IT control weaknesses were communicated confidentially to City officials.

Key Recommendations

• Properly manage network and local user accounts, including disabling unneeded accounts in a timely manner.
• Establish a process for staying current on water system cybersecurity threats.
• Ensure that all IT services are provided based on a formal service level agreement.

City officials generally agreed with our recommendations and indicated they plan to initiate corrective action.