Montana City, County to Adjust Priorities After IT Assessment

A recent report found that the city of Helena and Lewis and Clark County were lacking in their cybersecurity program and policies.

by Michael Woodel, Independent Record / October 22, 2018

(TNS) — Local public officials and employees have much to consider from a recent report on the information technology systems and practices of the city of Helena and Lewis and Clark County.

San Jose-based technology advisory firm Civic Foundry finalized its joint information technology assessment for the city and county Sept. 26 and the report was brought up at an administrative county commission meeting earlier this month. The 67-page report included 62 recommendations for existing city and county information technology, ranging from a gradual transition to cloud computing to revamped security measures.

In the report, Civic Foundry advised that a third-party security assessment of city and county information technology be performed as soon as possible. The results of external penetration testing were redacted.

“The organization lacks a comprehensive security program and policy to ensure both legal and ethical protection of public and employee personal data,” the report said of the Information Technology and Services Department shared by employees of the city of Helena and Lewis and Clark County.

Despite this, Art Pembroke, director of the department, said there shouldn’t be too much concern for those who have provided financial information to city or county departments in the past.

Pembroke said contracted merchants provide credit card readers, through which a card is read and its number run through the department's secure connection back to the merchant. Thus, Pembroke said, the city and county receive only a transaction number and confirmation of payment.

“We, as an organization, do not house credit card information” or the personal information of individuals conducting financial transactions with the city or county, Pembroke said. “We are a transport mechanism, and that’s where we focus our security and our efforts: making sure that that information going out of the credit card reader up to the card processor or merchant is protected.”

Nevertheless, Lewis and Clark County Commissioner Roger Baltz said cybersecurity will be a top priority going forward, noting that in the report’s list of prioritized recommendations, the first four are related to cybersecurity policy and training. Each is recommended to be acted upon within 12 months.

“That’s an issue for any organization nowadays around the country,” Baltz said of cybersecurity threats.

Civic Foundry’s process included the review of at least 40 internal documents, more than 50 in-person interviews of city and county employees and the results of 201 responses to a multiple-choice survey. The report highlighted the benefits of a dedicated Helpdesk for tech support but also warned of an “ongoing risk of data breach” and other security threats “due to the lack of an information security program and internal security skills.”

“By continuing to perpetuate an antiquated on-premise technical architecture,” the report read, “the organization is missing opportunities to improve customer service, streamline operations by transferring responsibility for the infrastructure to a cloud vendor, and refocus technical resources to the delivery of solutions.”

The report noted that more than 25 percent of survey respondents “believed that they did not have the tools necessary to perform their jobs.”

The survey also asked city and county employees to rank their most important technology concerns for their job performance. Faster and more widespread wireless internet coverage represented the top two.

“Why do we just have WiFi in conference rooms?” said a city employee quoted in the report. “This is a wireless world. Buck up and put it everywhere already.”

However, the report revered the department’s dedicated Helpdesk, noting that three out of four survey respondents believed the department “was able to provide support for their primary tools when they called for assistance, with 80 percent reporting that they received timely updates to the status of requests.”

Baltz said employees will be working with the steering committee of the IT&S Department to implement a budget-friendly action plan using the findings of the report. There is no current timeline for the action plan, he said.

“As far as concerns that the county has, we want to use this assessment in a lot of ways,” Baltz said. “We always want to be a learning organization and we always want to get better whenever we have opportunities to do that, so having assessments like this done helps us to do that.”

Pembroke did not necessarily find the report a cause for concern, saying he appreciated prioritization of security findings but did not find anything his department was unaware of. He said he is particularly looking forward to an enterprise-wide security program, as recommended in the report.

“We do a great job of training employees about the do’s and don’ts,” Pembroke said. “We’ve got the pieces and parts. What we need is just [a] formalized program.”

Baltz added that following recommendations to better serve internal users of the IT system is as much a priority as following them to better serve the public.

“Serving them as well as we can allows us to serve the public as well as we can,” Baltz said.

©2018 the Independent Record (Helena, Mont.). Distributed by Tribune Content Agency, LLC.

Platforms & Programs