Denver lacks a comprehensive program to assess potentially disastrous cybersecurity risks, City Auditor Tim O’Brien said in a new report.
The city’s current approach can best be described as “informal,” O’Brien said, particularly when it comes to oversight of independent city agencies or cultural facilities — like the Denver Art Museum and Denver Zoo — that operate on subnetworks tied into the city’s broader system.
O’Brien cataloged his office’s findings in an audit report released Thursday.
The report is the product of a review of city data, processes and planning efforts over two years — from Jan. 1, 2022, through Dec. 31, 2023.
The audit team found that city staff did not consistently complete quarterly mandatory cybersecurity training. The city also lacks a specific training regime for employees responsible for citywide information technology risk management.
O’Brien is urging Denver Technology Services — the city department tasked with overseeing and managing all physical and virtual technology that touches the city’s network — to overhaul its approach and create clear guidelines for how every wing of city government handles data and…
