Cybersecurity: Application Security Follow-Up


Overview

In July 2022, third-party firm CP Cyber LLC and our audit staff completed a cybersecurity assessment related to application security. The original report gave a general overview of application security.

After following up, we found some areas of strength and some areas that still need improvement. Because of the information security sensitivities involved with this cybersecurity assessment, we communicated these issues directly with the relevant city agencies for remediation. 

Background

For each service the City and County of Denver provides its residents, the city usually has a supporting website or application it must develop, support, and host.

Many of these applications need to be publicly accessible so that individuals can log in, submit files, or fill out forms. The data the city collects through these means is potentially sensitive or personal information that must be protected to ensure both confidentiality and data integrity.

Each application the City and County of Denver uses increases the risk to the city, because each one can potentially provide a way for a digital attacker to probe the city’s systems, try to gain a foothold into the city’s network, or compromise a user’s or employee’s account.

Because of that risk, software applications must be configured with security controls to protect them against such malicious attacks. Applications are widely available, so even the tools that protect us — such as those that alert us to vulnerabilities — can be a source of significant risk.

Information security professionals understand that attempted attacks happen constantly. These attacks try to take advantage of common vulnerabilities, default configurations in systems, and weak passwords. This makes security assessments — which verify whether issues exist — increasingly important.

The city uses controls such as multifactor authentication to protect accounts from unauthorized access, but the city also needs to consider other scenarios to ensure the overall security of the applications it uses so it can best protect the data being stored.


Auditor's Letter

July 6, 2023

In keeping with generally accepted government auditing standards and Auditor’s Office policy, as authorized by city ordinance, we have a responsibility to monitor and follow up on audit recommendations to ensure city agencies address audit findings through appropriate corrective action and to aid us in planning future audits.

After following up on the “Cybersecurity: Application Security” assessment report completed with CP Cyber and issued in July 2022, we found some areas of strength and some areas that still need improvement. Because of the information security sensitivities involved with this cybersecurity assessment, we communicated these issues directly with the relevant city agencies for remediation.

We appreciate the city leaders and team members who shared their time and knowledge with us and CP Cyber throughout the assessment and the follow-up process. Please contact me at 720-913-5000 with any questions.

Denver Auditor

Timothy O'Brien, CPA



AUDITOR TIMOTHY O'BRIEN, CPA
Denver Auditor


Denver Auditor's Office

201 W. Colfax Ave. #705 Denver, CO 80202
Email: auditor@denvergov.org
Call: 720-913-5000