
Audit Report

Denver County Courts: IT General Controls

The objective of the audit was to evaluate the operating effectiveness of the internal controls for Denver County Court’s information technology.


We identified opportunities to improve the information technology general controls in place at Denver County Court. Our audit included a review of the controls over user access, backup and recovery, change management, and those at the data center. We noted opportunities for improvement in three areas: One, the existing policies and procedures can be strengthened by updating them to reflect current practices and to more clearly identify the existing control framework. Two, the data center environmental controls are lacking, putting vital Court data at risk for destruction in the event of water or fire damage. Finally, the backup processes were not based on best practices, putting critical Court data at risk for loss or theft.

1.1 Update Existing Policies and Procedures Using the NIST Framework – The Denver County Court’s IT department should update its IT policies and procedures for user access and change management based on the National Institute of Standards and Technology’s 800-53 standard and the system backup policies and procedures based on the National Institute of Standards and Technology’s 800-34 standards as soon as possible. These updated policies and procedures should address the following areas:

  1. Reflect the current operational practices
  2. Clearly identify each control in place
  3. Specify who performs each control
  4. Describe how the performance of each control should be documented
  5. Establish the retention period for control documentation

Auditee Response: Agree, Implementation Date – June 1, 2019

1.2 Relocate Data Center – Denver County Court’s IT department should work with Technology Services to move the Court’s computer servers to the City’s existing data center colocation facilities as soon as possible.

Auditee Response: Disagree
Auditee Narrative: The Court will not relocate our data center. The Court will continue to make improvements to the data center. The improvements include but are not limited to: the physical security, notification alerts for temperature, humidity monitoring, access controls, logging and fire/water prevention.

1.3 Update Backup Process – Denver County Court’s IT department should use an online backup solution or set up a physical backup solution on a nightly basis using the best practice Grandfather/Father/Child backup rotations as soon as possible.

Auditee Response: Agree, Implementation Date – June 1, 2019

Follow-up report

A follow-up report is forthcoming.

Other related reports

None at this time.

Audit Team: Kevin Sear, Nicholas Jimroglou, Karin Doughty, Brian Cheli
