St. Albert plans cybersecurity audit

Consultant will look for weaknesses, develop plan to manage risks
The city is hoping to have the results of the audit by the end of August. FILE/Photo

The City of St. Albert is planning an audit of its cybersecurity processes, policies, and programs this spring.

“This is to really minimize the risk,” Coun. Sheena Hughes said. “Should things go not the way you're hoping in the risk department for cybersecurity, it can be very expensive.”

Hughes also said she thinks the audit will make the city government more effective, and cybersecurity is something all governments need to be on top of.

“The project objective is to evaluate the effectiveness of the city's cybersecurity practices and controls to identify key risks and vulnerabilities, develop a plan to mitigate risks, and ensure the confidentiality, integrity, and availability of sensitive data and critical systems is protected against potential cyber threats and attacks,” reads an audit outline presented to St. Albert's internal audit steering committee last month.

The committee is made up of two residents, and in 2024 will include Hughes, Coun. Wes Brodhead, and Coun. Ken MacKay.

The outline says the city will hire a consultant to use frameworks like the V8 Controls developed by the Centre for Internet Security or the United States government's National Institute of Standards and Technology's Cyber Security Framework to “identify, score, and assess risk level and maturity for each domain and related processes within the [frameworks] and provide [a] detailed report that outlines observations and recommendations for enhancements ... to address identified gaps in controls or improvements of cybersecurity processes.”

Some aspects of the city's processes that will be covered under the audit, according to the outline, include data recovery, malware defences, network monitoring and defence, penetration testing, incident-response management, security awareness and skills training, and more.

“You can prevent a lot of unnecessary costs by making sure that your risks are covered or minimized,” Hughes said. “So, this will allow that ability to recognize the fact that because everything is basically online now, we need to have the proper checks and balances in place to make sure that our data and all the other data for residents is properly protected.”

The outline says the city hopes the audit will begin in March, with a final report presented to the city in August.

“The final report is to include a recommended multi-year road map, and where possible, effort, budget, and resources required to execute on the road map,” the outline reads.

Edmonton's city auditor completed a cybersecurity audit in 2023, and a final report was presented to city council in May; however, the report and its nine recommendations were kept confidential.

“The objective of this audit was to determine whether the [city's Corporate Information Security Office] is managing its cybersecurity program to protect the city from security threats,” reads a public report presented to Edmonton city council in May. 

“We found that 14 of the 23 [audit categories] met most or all of the expectations, six categories met some of the expectations, and three categories met few. However, we identified controls that could be improved and made nine recommendations around data, user access, networks, change management, security assessment, vendor management, and staff training.”

A similar audit was done last year by Halifax Regional Municipality (HRM) auditor general Evangeline Colman-Sadd.

Colman-Sadd found HRM's I.T. management staff was “not providing appropriate oversight to manage cybersecurity, risks, and that there are limited policies and processes to manage those risks,” according to the audit's final report that, unlike Edmonton's, was made public.

Similarly to St. Albert's upcoming audit, Colman-Sadd's report states that HRM's I.T. management had started a road map to address cybersecurity issues, but that road map “has no detailed plans or timelines.”

“Management told us they are unsure what resources they will need to implement the road map.”

Some of the more glaring issues Colman-Sadd cited in the report were that the municipality couldn't account for more than 400 laptop computers, and nearly a third of the municipality's staff didn't complete a city-wide cybersecurity training. More than half of HRM's 17 elected officials also had yet to complete the training, Colman-Sadd found.

Halifax escaped 2023 without a cybersecurity breach, although nearly 900 residents who were issued parking tickets by the municipality were affected by a breach of the Nova Scotia provincial government's network in August.

A recent cybersecurity incident at the municipal level occurred in the city of North Bay, Ont. in September.

CTV News Northern Ontario reported the incident involved the names and outstanding balances of nearly 300 North Bay residents being accessed by an unauthorized party in a successful phishing attempt.


Jack Farrell

About the Author: Jack Farrell

Jack Farrell joined the St. Albert Gazette in May, 2022.