Canadian Underwriter

Ottawa’s Auditor General recommends improved IT mitigation strategies


November 27, 2015   by Canadian Underwriter



Ottawa’s Auditor General has recommended that the city’s chief information officer (CIO) and city-wide managers “continue to improve the identification and assessment of IT and related mitigation strategies.”

In his annual report tabled on Thursday, Auditor General Ken Hughes suggested that “improved identification, assessment and mitigation initiatives will protect the City against potential system failures or security breaches, including cyberattacks, which could interfere with business activities to the extent they could impact the life safety and daily lives of residents.” Hughes went on to say in the report that “the costs of repairing/restoring these activities could also be catastrophic. It could also undermine the public’s confidence in the management of the City.”

Hughes argued that “there is a low maturity level of most City departments for IT risk management. This is primarily due to the governance and leadership issues.”

While the Auditor General noted that the City of Ottawa has a strong committee structure for addressing IT risk management, the city has yet to develop a comprehensive governance component of an Information Technology Risk Management (ITRM) Framework, including clear and consistent responsibilities and accountabilities for city executives and management.

As well, the lack of authority of the CIO impedes his ability to, among other things, promote a culture that supports information technology risk management objectives and tackle the highest priority City-wide IT risks on a timely and strategic basis. “The reporting structure to and from the CIO is not consistent with best practices,” the report said.

“Without a complete and comprehensive IT risk universe, there cannot be a common view of IT risks and the City cannot make risk-aware decisions,” Hughes concluded. “That is, City staff, especially [Internet Technology Services], do not know what risks they are not aware of, and cannot anticipate what corrective measures are required. Without the recommended development of an ITRM Framework, including the roles, responsibilities and accountabilities, funding model and policy suite, the potential vulnerability of the IT risks could have significant impacts on the City’s business lines.”

The City of Ottawa said in a statement that “management agrees with all eight of the Auditor General’s recommendations” related to IT and implementation of all eight is underway.

“Managing information technology risks is an issue that the City of Ottawa takes extremely seriously,” the statement said. “Ottawa residents expect and depend upon the City to provide secure and uninterrupted access to City information and services. The Auditor’s recommendations will result in stronger and more resilient IT infrastructure.”

Including IT risks, the Auditor General’s report included 116 recommendations related to the city’s 3-1-1 Contact Centre, accounts payable, Infrastructure Services Department, species at risk, winter operations and the Mackenzie King Bridge rehabilitation.

