Missouri Auditor Nicole Galloway releases audit of City of St. Louis Information Technology Services Agency

Recommendations focus on improving data security and protecting against cyber threats

JEFFERSON CITY, MO (STL.News) – Missouri State Auditor Nicole Galloway yesterday released a report of the City of St. Louis Information Technology Services Agency (ITSA).  The audit made recommendations to improve cyber security policies and ensure vendor software safeguards data appropriately.

“It’s important to take a close look at cyber security practices in local government, especially when you consider the amount of personal and sensitive information the city is responsible for safeguarding,” Auditor Galloway said. “By following the recommendations in the report, leaders in St. Louis can prioritize data security and take preventative measures before a breach occurs.”

The ITSA is responsible for technology and information services within city government.  This includes hardware, software, networking and web support. The current director, who also serves as the city’s Chief Information Officer, was appointed in December 2017.  Prior to the appointment, the director position was vacant for nine years.  The report noted that the city’s organizational structure makes it challenging for the ITSA to efficiently collaborate with other departments.

The audit found the city did not have a fully established or documented policy to manage access to physical information technology resources.  A review of users found access was limited to ITSA personnel, but that several employees had access even though it was not necessary for their job duties and that several former employees were still listed as having access.  The audit also identified the need for better policies to inventory and reconcile ITSA assets.

In addition, the audit found the ITSA has not consistently ensured contracts for software products provided by outside vendors contained security requirements.  The report recommended the ITSA better define security requirements in contracts and review vendor security practices to ensure they meet current and future data security needs.

The complete audit can be found HERE.