Data security at Atlanta’s airport remains in question: City audit
By David Pendered
Atlanta’s airport has not kept pace with concerns raised about cyber security, according to a new city audit.
The laundry list of unresolved issues includes former airport contractors having access to computer systems regarding the airport; and network issues at the airport so critical that the report said specifically that it did not name them for fear the issues would be made public.
Nothing in the report suggests that passenger safety is at risk. The report does anticipate that Samir Saini, the city’s information technology director since August, will address the issues.
Atlanta city Auditor Leslie Ward presented the report to the Atlanta City Council on Monday. The document is slated for further review in council committees and possible deliberation by the council in 2015.
The new report follows up on a number of formal audits involving the city’s IT department, including one dated November 2011 that had this perspective as the No. 1 mission: “Are controls in place to maintain data security for critical aviation systems?”
The answer from the airport, in some cases, is, “No,” according to the audit.
This is the item that refers to information controls at the Department of Aviation. The audit says the controls were expected to be implemented in January 2012:
- “We recommended four specific changes to network configuration settings to better secure critical resources. We omit details in this report that could compromise system security pursuant to the Georgia Open Records Act.”
The Aviation Department opted to complete one of the four changes, though it had agreed to implement all four upgrades, according to the audit:
- “Our review of documentation related to one of four recommended changes in network configuration found that only one of the changes was implemented. The department acknowledged that it has not changed the other three configuration settings as we had recommended.”
This audit joins a growing list of issues related to the city’s ability to manage its digital affairs. Atlanta purchased a computer system that has not fulfilled expectations and requires ongoing funding to perform.
The purpose of the new audit was to address a number of IT issues, or information technology issues, that it had raised over the previous 84 months. The city auditor is supposed to provide reports that look back to determine if recommendations have been followed.
The new audit shows the IT department implemented 10 recommendations; partially implemented five recommendations; and did not recommend nine recommendations.
Here are a few of the issues and the city’s responses:
- Recommendation: Implement a process to promptly remove contractor access to systems when the contract term expires and/or contractor is no longer working on behalf of the city.
- Auditor analysis: The [aviation] department has not provided documentation that this recommendation was implemented.
- Recommendation: Finalize C4 hot site operations and then develop and test a full disaster recovery plan.
- Auditor analysis: The [aviation] department stated that the C4 hot site is operational; however, the department did not provide documentation of the development and testing of a full disaster recovery plan.”