Jul 20, 2017
In the course of a separate audit, a Denver auditor found personally identifiable information in the City’s constituent relationship management system that was visible to users who had no business need to see it. Because of the sensitive nature of the data, Auditor Timothy M. O’Brien, CPA, promptly notified Mayor Hancock and the City’s Technology Services department so they could take steps to protect the information.
Personally identifiable information (PII) is data that identifies an individual, such as a Social Security number. A single element of PII becomes far more damaging when it can be linked to others, such as a name, birth date, or address. Data such as Social Security numbers are not routinely collected in contacts with 311, Denver’s constituent relationship management (CRM) system. In certain kinds of interactions, however, specifically those handled by the Department of Human Services and the Payroll Division, such information was collected, and it could be viewed by other City employees who have access to the 311 database. That exposure gave rise to this audit. This is the second audit in which auditors found PII maintained by the City unprotected.
In 2014, Denver selected Salesforce as the vendor to receive, manage, and store constituent inquiries and complaints in its 311 system. 311 was designed as a one-stop, all-purpose help center. The Salesforce implementation was performed by an external vendor with Technology Services (TS) oversight. User profiles in Salesforce, a cloud-based application, granted broad access to 311 records, including those containing PII. This did not comply with the security and privacy requirements for Salesforce submitted by the Department of Human Services and the Payroll Division. Once alerted by Auditor O’Brien, TS took rapid action to secure the sensitive data.
“Although Tech Services mitigated the risk in the short term, we recommend continual monitoring of vendor performance and reporting to make sure that contract terms are met,” explained Auditor O’Brien. “Tech Services has further agreed to create a report in Salesforce to provide agencies with user profile permissions and settings for periodic review.”
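The periodic review described above can be partly automated. The following is an added example, not code from the audit report, Technology Services, or Salesforce: it reads an export of Salesforce object permissions (the standard ObjectPermissions fields PermissionsRead, PermissionsViewAllRecords and PermissionsModifyAllRecords, joined to the owning profile's name) and flags every profile that can read a sensitive object without being on an agreed allow-list, as well as any profile holding "View All Records" or "Modify All Records" on it. The SOQL string, the profile names, the allow-list and the CSV rows are constructed for illustration; a real run would substitute the org's own export.

```python
"""Profile-level object permission review for a Salesforce org.

Added example (not part of the Denver audit or TS tooling). Field names follow
the standard ObjectPermissions / PermissionSet objects; all sample data below
is constructed.
"""
import csv
import io
from dataclasses import dataclass

# SOQL that would pull the live rows (needs an authenticated session, e.g.
# simple_salesforce's sf.query_all). Kept for reference; not executed here.
# Permission sets (Parent.IsOwnedByProfile = false) should be reviewed the
# same way using Parent.Label instead of Parent.Profile.Name.
SOQL = (
    "SELECT Parent.Profile.Name, SobjectType, PermissionsRead, "
    "PermissionsViewAllRecords, PermissionsModifyAllRecords "
    "FROM ObjectPermissions "
    "WHERE SobjectType = 'Case' AND Parent.IsOwnedByProfile = true"
)

# Constructed sample export in the shape of that query's result.
SAMPLE_EXPORT = """\
ProfileName,SobjectType,PermissionsRead,PermissionsViewAllRecords,PermissionsModifyAllRecords
Human Services Caseworker,Case,true,false,false
Payroll Specialist,Case,true,false,false
311 Agent,Case,true,true,false
Parks Standard User,Case,true,true,false
Integration API User,Case,true,true,true
Read Only,Case,false,false,false
"""

# Hypothetical allow-list: profiles with a documented need to read Case records.
ALLOWED_PROFILES = {"Human Services Caseworker", "Payroll Specialist", "311 Agent"}


@dataclass(frozen=True)
class Finding:
    profile: str
    sobject: str
    reason: str


def _flag(value: str) -> bool:
    """Salesforce exports booleans as the strings 'true' / 'false'."""
    return value.strip().lower() == "true"


def review_object_permissions(export_csv: str, sensitive_object: str,
                              allowed_profiles: set) -> list:
    """Return one Finding per profile that (a) can read `sensitive_object`
    but is not on the allow-list, or (b) holds View All / Modify All on it.
    View All and Modify All bypass record-level sharing entirely, so they are
    reported even for allowed profiles."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["SobjectType"] != sensitive_object:
            continue
        if not _flag(row["PermissionsRead"]):
            continue  # no object access at all; nothing to review
        name = row["ProfileName"]
        reasons = []
        if name not in allowed_profiles:
            reasons.append("read access but not on allow-list")
        if _flag(row["PermissionsModifyAllRecords"]):
            reasons.append("Modify All Records bypasses sharing")
        elif _flag(row["PermissionsViewAllRecords"]):
            reasons.append("View All Records bypasses sharing")
        if reasons:
            findings.append(Finding(name, sensitive_object, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in review_object_permissions(SAMPLE_EXPORT, "Case", ALLOWED_PROFILES):
        print(f"{f.profile}: {f.reason}")
```

Object permissions are only the first layer of Salesforce access control: a profile with plain Read and no View All can still see every Case if the org-wide default for that object is Public Read Only or Public Read/Write, so a complete review also records the org-wide defaults and sharing rules for each object that carries PII.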
“Although TS personnel reviewed and approved the security policies and practices of Salesforce during the RFP process that led to the selection of Salesforce, they have not verified that Salesforce is meeting critical security practices,” Auditor O’Brien added. “We’ve asked the department to review vulnerability scans and penetration testing to ensure that Salesforce provides secure services as required by its contract.”
TS has agreed to implement all of the Auditor’s recommendations to increase the security of Denver’s 311 system by March 31, 2018.