Item - 2021.AU8.9

Tracking Status

  • City Council adopted this item on April 7, 2021 without amendments and without debate.
  • This item was considered by the Audit Committee on February 16, 2021 and adopted without amendment. It will be considered by City Council on April 7, 2021.

AU8.9 - Cybersecurity Incidents at the City and its Agencies and Corporations: Integrated Incident Response Plan is Needed

Decision Type: ACTION
Status: Adopted on Consent
Wards: All

City Council Decision

City Council on April 7 and 8, 2021, adopted the following:

1. City Council request the Auditor General to provide presentations to City organizations, including major agencies and corporations, on the City cybersecurity reports and lessons learned.

2. City Council adopt the confidential instructions to staff in Confidential Attachment 1 to the report (February 4, 2021) from the Auditor General.

3. City Council request the City Manager to forward Confidential Attachment 1 to the report (February 4, 2021) from the Auditor General to City Division Heads and Chief Executive Officers of major City agencies and corporations and request them to review and implement the confidential instructions that may be relevant to their respective operations.

4. City Council direct that Confidential Attachment 1 to the report (February 4, 2021) from the Auditor General be released publicly at the discretion of the Auditor General, after discussions with the appropriate City Officials, as it contains information involving the security of property belonging to the City or one of its agencies and corporations and information explicitly supplied in confidence to the City of Toronto which, if disclosed, could reasonably be expected to impact the safety and security of the City and its services.

Confidential Attachment 1 to the report (February 4, 2021) from the Auditor General remains confidential at this time in accordance with the provisions of the City of Toronto Act, 2006, as it contains information involving the security of property belonging to the City or one of its agencies and corporations and information explicitly supplied in confidence to the City of Toronto which, if disclosed, could reasonably be expected to impact the safety and security of the City and its services. Confidential Attachment 1 to the report (February 4, 2021) from the Auditor General will be made public at the discretion of the Auditor General, after discussions with the appropriate City Officials.

Confidential Attachment - The security of property belonging to the City or one of its agencies and corporations and information explicitly supplied in confidence to the City of Toronto which, if disclosed, could reasonably be expected to impact the safety and security of the City and its services.

Background Information (Committee)

(February 4, 2021) Report from the Auditor General on Cybersecurity Incidents at the City and its Agencies and Corporations: Integrated Incident Response Plan is Needed
https://www.toronto.ca/legdocs/mmis/2021/au/bgrd/backgroundfile-163404.pdf
Confidential Attachment 1 - Cybersecurity Incidents at the City and its Agencies and Corporations: Integrated Incident Response Plan is Needed

AU8.9 - Cybersecurity Incidents at the City and its Agencies and Corporations: Integrated Incident Response Plan is Needed

Decision Type: ACTION
Status: Adopted
Wards: All

Confidential Attachment - The security of property belonging to the City or one of its agencies and corporations and information explicitly supplied in confidence to the City of Toronto which, if disclosed, could reasonably be expected to impact the safety and security of the City and its services.

Committee Recommendations

The Audit Committee recommends that:

1. City Council request the Auditor General to provide presentations to City organizations, including major agencies and corporations, on the City cybersecurity reports and lessons learned.

2. City Council adopt the confidential instructions to staff in Confidential Attachment 1 to the report (February 4, 2021) from the Auditor General.

3. City Council request the City Manager to forward Confidential Attachment 1 to the report (February 4, 2021) from the Auditor General to City Division Heads and Chief Executive Officers of major City agencies and corporations and request them to review and implement the confidential instructions that may be relevant to their respective operations.

4. City Council direct that Confidential Attachment 1 to the report (February 4, 2021) from the Auditor General be released publicly at the discretion of the Auditor General, after discussions with the appropriate City Officials, as it contains information involving the security of property belonging to the City or one of its agencies and corporations and information explicitly supplied in confidence to the City of Toronto which, if disclosed, could reasonably be expected to impact the safety and security of the City and its services.

Origin

(February 4, 2021) Report from the Auditor General

Summary

Over the past decade, the City of Toronto, like other large organizations, has increasingly conducted business and key operations online in a networked environment. This makes operations more efficient and serves citizens better.

The purpose of this report is to communicate security incidents that occurred at a City division and a City organization and to highlight the importance and urgency for the City to have a standard incident management process developed and implemented across City divisions and its agencies and corporations.

A standard incident management process will enable the Chief Information Security Officer (CISO) to analyze these attacks and develop a coordinated response to any potential cyberattacks. This will enhance City-wide cybersecurity.

In a 2019 Report for Action, the Auditor General highlighted the importance and urgency for the City to develop a standard incident management process and implement it across City divisions, agencies and corporations.

We have made additional recommendations in one other report entitled "Information Technology Projects Implementation: Information Privacy and Cybersecurity Review of Human Resource System" that is also being tabled at the February 16, 2021 Audit Committee.

The attached confidential report provides more details on the nature of the incidents and management actions. The work performed in relation to this report does not constitute an audit conducted in accordance with Generally Accepted Government Auditing Standards (GAGAS). However, we believe we have performed sufficient work and gathered sufficient appropriate evidence to provide a reasonable basis to support our observations and recommendations.

This public report contains two administrative recommendations. The confidential information and recommendations are presented separately from this report in Confidential Attachment 1. The confidential report will be made public at the discretion of the Auditor General after discussions with the appropriate City Officials.

Background Information

(February 4, 2021) Report from the Auditor General on Cybersecurity Incidents at the City and its Agencies and Corporations: Integrated Incident Response Plan is Needed
https://www.toronto.ca/legdocs/mmis/2021/au/bgrd/backgroundfile-163404.pdf
Confidential Attachment 1 - Cybersecurity Incidents at the City and its Agencies and Corporations: Integrated Incident Response Plan is Needed

Motions

1 - Motion to Adopt Item moved by Councillor Frances Nunziata (Carried)

2 - Motion to Reconsider Item moved by Councillor Stephen Holyday (Carried)

That, in accordance with the provisions of Chapter 27, Council Procedures, the Audit Committee reconsider this item.


3 - Motion to Adopt Item moved by Councillor Frances Nunziata (Carried)
Source: Toronto City Clerk at www.toronto.ca/council