720-913-5000 auditor@denvergov.org

Audit Report

Cybersecurity Operations – Denver International Airport

The objective of our audit of cybersecurity operations at Denver International Airport was to determine the effectiveness of the airport’s cybersecurity processes, policies, and governance. We assessed how well the airport’s Business Technologies department and cybersecurity operations team were prepared to identify, protect, detect, respond, and recover from cybersecurity incidents.

Watch the Audit Committee presentation here soon.

The airport’s Business Technologies department is responsible for managing and safeguarding the airport’s network and technology equipment, including data and infrastructure. This department also provides cybersecurity services to protect the airport from threats and vulnerabilities.

In our audit of cybersecurity operations at Denver International Airport, we determined that the Security Operations Center needs to improve communication and collaboration within its cybersecurity operations.

The Airport’s Security Operations Center Needs To Improve Communication and Collaboration with Internal and External Stakeholders

  • There is limited collaboration between the airport’s Security Operations Center and its key stakeholders.
    • Meetings between Security Operations Center staff and other information technology officials at the airport focus largely on business goals, rather than processes and tool- sharing for cybersecurity purposes.
    • The Security Operations Center does not communicate with airport personnel who manage vendors.
    • Security Operations Center personnel do not formally communicate with other airport divisions on actions such as network scans, which has caused system disruptions at times.
  • The Security Operations Center uses unapproved and ineffective policies and procedures.
    • There is no evidence of a signed nondisclosure agreement for one IT security contractor.
    • The Security Operations Center uses policies and procedures that have not been signed by executive management.
    • The Security Operations Center should improve its lessons- learned process following a security incident.

1.1 Share Information – The airport’s Chief Information Officer should share information, such as successful processes, identified risks, cybersecurity tools, and other data that could be integrated with the City’s or Business Technologies’ cybersecurity operations on a semiannual basis with the City’s information security team.

Agency Response: Agree, Implementation Date – November 2019

1.2 Improve Communication with Airport Vendor Managers – The airport’s Chief Information Officer should formalize and document Information Security Team involvement and processes for communicating with airport managers who monitor third-party contracts. This involvement could include:

  • Monitoring vendors’ access to the airport’s systems
  • Facilitating communication between vendor managers and airport information security teams
  • Communication of identified risks and risk remediation activities from vendor managers to airport security teams.

Agency Response: Agree, Implementation Date – November 2019

1.3 Formalize Communication with Business Technologies Teams – The airport’s Chief Information Officer should formalize cybersecurity operations communication on a weekly basis between managers of the airport’s Business Technologies teams.

Agency Response: Agree, Implementation Date – October 2019

1.4 Sign Nondisclosure Agreements – The airport’s Chief Information Officer should establish a process to ensure Security Operations Center contractors with access to sensitive data sign a nondisclosure agreement upon hire.

Agency Response: Agree, Implementation Date – September 2019

1.5 Establish Process to Approve Documents – The airport’s Chief Information Officer should establish a process to ensure all Security Operations Center policies and procedures are approved and updated annually.

Agency Response: Agree, Implementation Date – December 2019

1.6 Formalize Lessons Learned – The airport’s Chief Information Officer should improve the lessons-learned step in the Security Operations Center incident response process that formally documents how an incident occurred, where it originated from, whether the incident has spread to other devices in the network, and how it could be avoided in the future.

Agency Response: Agree, Implementation Date – October 2019

The objective of our audit of cybersecurity operations at Denver International Airport was to determine the effectiveness of the airport’s cybersecurity processes, policies, and governance. We assessed how well the airport’s Business Technologies department and cybersecurity operations team were prepared to identify, protect, detect, respond, and recover from cybersecurity incidents. Our review period covered calendar year 2018 through July 31, 2019. I am pleased to present the results of this audit.

The audit revealed the airport’s Business Technologies department needs to better integrate its cybersecurity operations team with the rest of the airport and City to effectively protect airport assets, data, and systems. The lack of communication with other airport operations and with other City agencies weakens the effectiveness of the Security Operations Center and results in missed opportunities to improve the IT security of the airport. We also identified security-related findings, which have been communicated separately to the airport’s Business Technology management for remediation.

Through implementing recommendations for stronger integration and communication with other airport and City stakeholders, Business Technologies will be better equipped to protect airport assets, data, and systems.

This performance audit is authorized pursuant to the City and County of Denver Charter, Article V, Part 2, Section 1, “General Powers and Duties of Auditor,” and was conducted in accordance with generally accepted government auditing standards. Those standards require we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

We extend our appreciation to the airport’s Business Technologies personnel who assisted and cooperated with us during the audit. For any questions, please feel free to contact me at 720-913-5000.

Follow-up report

A follow-up report is forthcoming. 

Audit Team: Kevin Sear, Jared Miller, Nicholas Jimroglou, Brian Cheli