Secure information such as social security numbers might have been visible to unauthorized City employee users of the Denver 311 constituent relationship management (CRM) system. A Denver auditor discovered the cyber- security flaw while investigating another audit. Denver Auditor Timothy M. OBrien, CPA, launched a full audit of personally identifiable information (PII) in the Salesforce 311 system.
PII is information that, joined together, could distinguish an individual. If that information is exposed, it could put the user at risk of identity theft. In some transactions, the Department of Human Services and the Payroll Division collect sensitive information, which was inadvertently shared with city employees with access to 311.
The Citys Technology Services department quickly changed 311 user permissions in the system to protect all PII information. This is the second audit in a year where investigators found PII data maintained by the City was unprotected. Auditor OBrien is pushing for a more long-term solution to protecting constituent data.
Because the consequences of improper use of PII data i.e., identity theft are costly and time-consuming to fix, Im committed to reviewing our cyber-security framework on a regular basis, Auditor OBrien said. The audit shows the need for continual vigilance in securing this information.
Technology Services plans to work with Salesforce to verify critical security practices. It will also update the language on the Denver 311 webpage to discourage the submission of sensitive personal data.
Although Tech Services mitigated the risk in the short term, we recommend continual monitoring of vendor performance and reporting to make sure that contract terms are met, explained Auditor O’Brien. Tech Services has further agreed to create a report in Salesforce to provide agencies with user profile permissions and settings for periodic review.
Although TS personnel reviewed and approved the security policies and practices of Salesforce during the RFP process that led to the selection of Salesforce, they have not verified that Salesforce is meeting critical security practices, Auditor O’Brien added. We’ve asked the department to review vulnerability scans and penetration testing to ensure that Salesforce provides secure services as required by its contract.
TS has agreed to implement all of the Auditor’s recommendations to increase the security of Denver’s 311 system by March 31, 2018.
from North Denver News http://northdenvernews.com/personal-data-at-risk-in-denvers-311-system/