Item - 2019.AU4.1

Tracking Status

  • City Council adopted this item on October 29, 2019 with amendments.
  • This item was considered by Audit Committee on October 25, 2019 and was adopted with amendments. It will be considered by City Council on October 29, 2019.

AU4.1 - Cyber Safety: A Robust Cybersecurity Program Needed to Mitigate Current and Emerging Threats

Decision Type:
ACTION
Status:
Amended
Wards:
All

City Council Decision

City Council on October 29 and 30, 2019, adopted the following:

 

1.  City Council direct the City Manager to request the agencies and corporations to provide a cyber security enterprise risk assessment, approved through their organizational governance, to the City of Toronto Chief Technology Officer by the third quarter of 2020, for validation and compliance to be included in the City's cyber-security baseline analysis; each agency and corporation to subsequently submit a plan to the City of Toronto Chief Technology Officer on implementation plans to mitigate risks by the fourth quarter of 2020.

 

2.  City Council direct the Chief Technology Officer to take on an expanded City-wide scope and mandate providing support, oversight and direction on standards, practices and policies to all City divisions and the following agencies and corporations, with immediate effect with respect to all technology assets, goods, and services and direct, or request, those City divisions, agencies and corporations accordingly:

Service Agencies:

- CreateTO
- TO Live
- Exhibition Place
- Toronto Transit Commission
- Toronto Atmospheric Fund
- Toronto Parking Authority
- Toronto Zoo
- Heritage Toronto
- Yonge-Dundas Square

Arena Boards:

- George Bell Arena
- Larry Grossman Forest Hill Memorial Arena
- Leaside Memorial Community Gardens Arena
- Moss Park Arena
- North Toronto Memorial Arena
- Ted Reeve Community Arena
- McCormick Playground Arena
- William H. Bolton Arena

City Board-run Community Centres (Association of Community Centres or AOCC's):

- 519 Community Centre
- Applegrove Community Complex
- Cecil Community Centre
- Community Centre 55
- Eastview Neighbourhood Community Centre
- Central Eglinton Community Centre
- Ralph Thornton Community Centre
- Scadding Court Community Centre
- Swansea Town Hall Community Centre
- Waterfront Neighbourhood Centre

City Corporations:

- Toronto Community Housing Corporation
- Lakeshore Arena Corporation

3. City Council direct the Chief Technology Officer to work with City divisions, and those agencies and corporations set out in Part 2 above to assess regulatory and compliance matters and their impact on moving to centralized information technology services.  

 

4.  City Council direct the Chief Technology Officer to report on an implementation plan for a centralized model to the appropriate committee, such report to address the feasibility and mechanisms for the Chief Technology Officer to provide oversight and approval for all technology assets, goods, and services purchased by City divisions, and the agencies and corporations set out in Part 2 above.

 

5. City Council request the City Manager, in consultation with the Auditor General, to report by the December 17 and 18, 2019 meeting of City Council on mechanisms required that would enable the Auditor General to conduct risk assessments or investigate cyber security for City Agencies and Corporations not currently within the Auditor General's purview.

 

6.  City Council adopt the confidential recommendations in Confidential Attachment 1 to the report (October 8, 2019) from the Auditor General.

 

7.  City Council direct that Confidential Attachment 1 to the report (October 8, 2019) from the Auditor General be released publicly at the discretion of the Auditor General after discussing with the appropriate City Official.

 

Confidential Attachment 1 to the report (October 8, 2019) from the Auditor General remains confidential at this time in accordance with the provisions of the City of Toronto Act, 2006, as it pertains to the safety and security of the property belonging to the City or one of its agencies and corporations.  Confidential Attachment 1 to the report (October 8, 2019) from the Auditor General will be made public at the discretion of the Auditor General after discussing with the appropriate City Official.

City Council Decision Advice and Other Information

During the review of the Order Paper on October 29, 2019, City Council adopted a procedural motion to remove this Item from the jurisdiction of the Audit Committee and bring it forward for consideration by City Council.

 

City Council recessed its public session and met as Committee of the Whole in closed session on October 30, 2019 to consider confidential information on this Item as it pertains to the safety and security of property belonging to the City or one of its agencies and corporations.

Confidential Attachment - The safety and security of property belonging to the City or one of its agencies and corporations.

Background Information (Committee)

(October 8, 2019) Report from the Auditor General - Cyber Safety: A Robust Cybersecurity Program Needed to Mitigate Current and Emerging Threats
https://www.toronto.ca/legdocs/mmis/2019/au/bgrd/backgroundfile-138905.pdf
Confidential Attachment 1 - Cyber Safety: A Robust Cybersecurity Program Needed to Mitigate Current and Emerging Threats
(October 25, 2019) Presentation Material submitted by the Auditor General
https://www.toronto.ca/legdocs/mmis/2019/au/bgrd/backgroundfile-139306.pdf
(October 25, 2019) Presentation Material submitted by the Chief Technology Officer
https://www.toronto.ca/legdocs/mmis/2019/au/bgrd/backgroundfile-139307.pdf
Appendix A (to the motion by Councillor Holyday) - Agencies and Corporations that are in scope for City Council Directions in Item AU4.1
https://www.toronto.ca/legdocs/mmis/2019/au/bgrd/backgroundfile-139331.pdf

Motions (City Council)

Motion to Remove from Committee moved by Councillor Stephen Holyday (Carried)

That in accordance with Section 27-7.10 of Council Procedures, City Council remove Item AU4.1, headed "Cyber Safety: A Robust Cybersecurity Program Needed to Mitigate Current and Emerging Threats" from the Audit Committee and bring the Item forward to City Council for consideration.


Report of Committee of the Whole

October 30, 2019 at 12:18 p.m. - Speaker Nunziata advised that City Council had completed its closed session consideration of Item AU4.1 headed "Cyber Safety: A Robust Cybersecurity Program Needed to Mitigate Current and Emerging Threats".  No motions were placed in the closed session.  City Council would now proceed with the public debate on the Item.


1 - Motion to Amend Item (Additional) moved by Councillor Stephen Holyday (Carried)

That City Council request the City Manager, in consultation with the Auditor General, to report by the December 17 and 18, 2019 meeting of City Council on mechanisms required that would enable the Auditor General to conduct risk assessments or investigate cyber security for City Agencies and Corporations not currently within the Auditor General's purview.


Motion to Adopt Item as Amended (Carried)

AU4.1 - Cyber Safety: A Robust Cybersecurity Program Needed to Mitigate Current and Emerging Threats


Committee Recommendations

The Audit Committee recommends that:  

 

1.  City Council direct the City Manager to request the agencies and corporations to provide a cyber security enterprise risk assessment, approved through their organizational governance, to the City of Toronto Chief Technology Officer by Q3 2020, for validation and compliance to be included in the City's cyber-security baseline analysis. Each agency and corporation to subsequently submit a plan to the City of Toronto Chief Technology Officer on implementation plans to mitigate risks by Q4 2020.

 

2.  City Council direct the Chief Technology Officer to take on an expanded city-wide scope and mandate providing support, oversight and direction on standards, practices and policies to all City divisions, and to those agencies and corporations listed in Appendix A (attached to the motion by Councillor Holyday) with immediate effect with respect to all technology assets, goods, and services and direct, or request, those City divisions, agencies and corporations accordingly.

 

3. City Council direct the Chief Technology Officer to work with the City divisions, and those agencies and corporations set out in Appendix A (attached to the motion by Councillor Holyday), to assess regulatory and compliance matters and their impact on moving to centralized information technology services.  

 

4.  City Council direct the Chief Technology Officer to report on an implementation plan for a centralized model to the appropriate committee, and such report to address the feasibility and mechanisms for the Chief Technology Officer to provide oversight and approval for all technology assets, goods, and services purchased by City divisions, and the agencies and corporations set out in Appendix A (attached to the motion by Councillor Holyday).

 

5.  City Council adopt the confidential recommendations contained in Confidential Attachment 1 to the report (October 8, 2019) from the Auditor General.

 

6.  City Council direct that all information contained in Confidential Attachment 1 to the report (October 8, 2019) from the Auditor General be released publicly at the discretion of the Auditor General after discussing with the appropriate City Official.

Decision Advice and Other Information

The Audit Committee:

 

1. Requested the Auditor General, in consultation with the City Manager, to provide quarterly status updates to the Audit Committee starting in Q1 2020, on the recommendations from information technology security audits done since 2016 and on the state of the City's preparedness, until all recommendations are fully implemented.

 ________

 

The following City staff gave a presentation to the Audit Committee on this Item:

 

- Beverly Romeo-Beehler, Auditor General

- Lawrence Eta, Chief Technology Officer

 

The Audit Committee recessed its public session and met in closed session to consider confidential information on this Item as it relates to the safety and security of property belonging to the City or one of its agencies and corporations.

Origin

(October 8, 2019) Report from the Auditor General

Summary

Over the past decade, the City of Toronto, like other large organizations, has increasingly conducted business and key operations online and in a networked environment. This makes operations more efficient and serves citizens better.

 

The City stores a vast amount of confidential and sensitive data, such as information about employees and citizens' personal records. It also maintains a large number of systems that are critical to the City's functioning, such as water, fire services, transportation, and emergency response systems.

 

The Canadian Centre for Cyber Security, which is Canada's single unified source of expert advice, guidance and support on cyber security for government, critical infrastructure owners and operations, notes that:

 

            "a safe and secure cyber space is important for … security, stability, and prosperity"

 

It also assessed that:

 

"Public institutions are also attractive to cyber threat actors ..."[1]

 

In recent years, many municipalities in Canada and the U.S. have been affected by cyberattacks. Recent attacks on the City of Saskatoon, the City of Ottawa and the City of Burlington are evidence that Canadian cities are targeted.

 

To improve security considerably, the City must change in three key areas:    

 

-     Human behaviour as it relates to cybersecurity threats
-     Technical fixes
-     Culture shift.
 

If the City's cybersecurity program is built on these three pillars, cybersecurity will be strengthened considerably.

 

Auditor General raised concerns in this area before

 

In previous assessments on information technology security, the Auditor General's reports highlighted to City management that insufficient preparation to manage cyber threats is widely considered to be one of the most critical operational risks facing the organization. The reports are available in Confidential Attachment 1, Appendix 2.

 

During the Auditor General's most recent follow-up process, management reported that two of the 10 recommendations from information technology security audits done in 2016 were fully implemented. The Auditor General's validation of the implementation of these recommendations found that they were not fully implemented.

 

These recommendations were considered not fully implemented because the steps undertaken, or the extent of the improvement, did not fully address the issue or the intent of the recommendation. Since 2016 none of the recommendations have been fully implemented, which is concerning to the Auditor General.

 

The purpose of this audit was to assess the City's ability to manage external and internal cybersecurity threats, and to follow up on previous audit recommendations. We provided the I&T Division with a detailed technical report to help them understand and address these issues.

 

This public report contains two administrative recommendations. The confidential audit findings and recommendations to improve cybersecurity controls are presented separately from this report in Confidential Attachment 1. The confidential report will be made public at the discretion of the Auditor General after discussing with the appropriate City Official.


Motions

Motion to Meet in Closed Session moved by Councillor Stephen Holyday (Carried)

10:11 a.m. - That the Audit Committee recess its public session and meet in closed session to consider confidential information on this Item as it relates to the safety and security of property belonging to the City or one of its agencies and corporations.

 

The Audit Committee recessed its public session and met in closed session to consider the above matter.

 

The Audit Committee reconvened in public session at 12:27 p.m.  Councillor Holyday took the Chair and advised that the Committee had completed its closed session consideration of confidential information related to this Item.  No motions were made during the closed session.  The Audit Committee would now proceed with the public debate on this Item.


1 - Motion to Amend Item (Additional) moved by Councillor Stephen Holyday (Carried)

That the Audit Committee:

 

1. Request the Auditor General, in consultation with the City Manager, to provide quarterly status updates to Audit Committee starting in Q1 2020 on the recommendations from information technology security audits done since 2016 and on the state of the City's preparedness, until all recommendations are fully implemented.

 

2.  Recommend that City Council direct the City Manager to request the agencies and corporations to provide a cyber security enterprise risk assessment, approved through their organizational governance, to the City of Toronto Chief Technology Officer by Q3 2020, for validation and compliance to be included in the City's cyber-security baseline analysis. Each agency and corporation to subsequently submit a plan to the City of Toronto Chief Technology Officer on implementation plans to mitigate risks by Q4 2020.

 

3.  Recommend that City Council direct the Chief Technology Officer to take on an expanded city-wide scope and mandate providing support, oversight and direction on standards, practices and policies to all City divisions, and to those agencies and corporations listed in the attached Appendix A (attached to the motion by Councillor Holyday) with immediate effect with respect to all technology assets, goods, and services and direct, or request, those City divisions, agencies and corporations accordingly.

 

4. Recommend that City Council direct the Chief Technology Officer to work with the City divisions, and those agencies and corporations set out in Appendix A (attached to the motion by Councillor Holyday), to assess regulatory and compliance matters and their impact on moving to centralized information technology services.  

 

5.  Recommend that City Council direct the Chief Technology Officer to report on an implementation plan for a centralized model to the appropriate committee, and such report to address the feasibility and mechanisms for the Chief Technology Officer to provide oversight and approval for all technology assets, goods, and services purchased by City divisions, and the agencies and corporations set out in Appendix A (attached to the motion by Councillor Holyday).


Motion to Adopt Item as Amended (Carried)
Source: Toronto City Clerk at www.toronto.ca/council