"Critical" Security Risks Identified In County, City Systems
June 7, 2016
A new audit has identified several critical security risks in the technology systems that maintain all of Grand Traverse County and Traverse City’s criminal and court files, government documents, financial data and community records.
County commissioners will review the results of an audit from IT consulting firm Trivalent Group at a 6pm study session Wednesday. The firm was hired this spring to conduct a comprehensive review of the county’s IT and technology services. Traverse City contracts with Grand Traverse County for IT support, yoking the two municipalities to the same systems.
Trivalent Group’s report identifies 31 issues it deems “critical” to address, 12 of which are security-related. Multiple governmental departments are using outdated software, network devices that are “end of life,” infrastructure that’s no longer supported by vendors, and vulnerable versions of operating systems, the report found. Employees were also found to have weak passwords susceptible to hacking, lacked critical patches on their computers, and were not running adequate firewall, anti-virus or anti-spyware software.
Some of the identified issues pose “a significant security risk as well as business continuity risks,” according to the report. Trivalent Group also noted the county has not conducted a security scan for network vulnerabilities for an extended length of time, and recommended scheduling such a scan “immediately.”
“It is of grave concern to us,” County Administrator Tom Menzel says of the firm’s findings. “That’s why I did the audit. We should be concerned as an organization with confidentiality and security. The question becomes, how do we address those issues as efficiently and effectively as we can?”
Beyond security issues, a lack of “strategic IT oversight has emerged as one of the highest needs of Grand Traverse County,” the report found. Serving the hundreds of employees in county and city departments ranging from Central Dispatch to the City Clerk’s Office to the Health Department to the District Court, IT staff are primarily stuck in “the day-to-day reactive work” of responding to complaints, without any long-term direction or a clear overarching strategy for addressing the government’s technology needs.
The lack of a cohesive organizational plan has resulted in each department buying its own software and devices – often without regard to integration with other departments, or a background or expertise in technology. Employees in varying departments cited frustrations with frequent database and phone system crashes that shut down productivity, as well as an overreliance on paper records requiring multiple departments to do data entry on the same documents.
“You’ll have departments print something, hand it to another department, and then that department enters it in the system again,” explains Deputy County Administrator Jennifer DeHaan. She calls the audit a “real turning point for the county in terms of IT and looking at how we provide services.”
Menzel agrees. “We badly need to have an IT strategy for the long term, which we do not have,” he says. “We need to get that strategic plan done immediately, because that will be the driving force for prioritizing capital expenditures and personnel.”
Menzel notes the audit identifies multiple changes that can be implemented immediately at little to no cost. His priority in the short term will be to implement those recommendations, he says, and to work with the IT department head to create a long-term strategic technology plan for Grand Traverse County. The county will likely need to invest financially in upgrades to fully address the concerns identified in the audit – costs that could potentially be shared by the city through its contract for services – but Menzel says he wants to make sure a plan is in place first before spending dollars.
“IT can be very costly, and you can put a lot of money into it if you don’t know what you’re doing,” he says. “There are certainly needs for initial investments. But with our financial constraints, it wouldn’t be wise to do that until we prioritize projects. We need to make sure whatever we do, we get the best return on our investment.”
Comment