Determine whether City officials properly implemented information technology (IT) security controls to safeguard water system operations against unauthorized access or disruption.
- Network and local user accounts were not properly managed.
- Officials did not establish a process for staying current on water system cybersecurity threats.
- The City did not have service level agreements (SLAs) with its IT vendors.
In addition, sensitive IT control weaknesses were communicated confidentially to City officials.
- Properly manage network and local user accounts, including disabling unneeded accounts in a timely manner.
- Establish a process for staying current on water system cybersecurity threats.
- Ensure that all IT services are provided based on a formal service level agreement.
City officials generally agreed with our recommendations and indicated they plan to initiate corrective action.