Audit Report On The Management Of The City Geographic Information System And The Monitoring Of Its Citywide Projects By The Department Of Information Technology And Telecommunications

This audit examined the management of the City Geographic Information System and its Citywide projects by the Department of Information Technology and Telecommunications (DoITT). DoITT oversees the use of existing and emerging technologies in City government operations and delivery of services to the public. DoITT’s Information Utility Division (Division) deploys, operates, and maintains the technical infrastructure to support critical agency functions, including the 311 Citizen Service Center, the NYC.gov portal, the City Geographic Information System (GIS), the MetroTech data center, and the CityNet and I-NET networks. GIS is an integrated system of computer hardware and software capable of capturing, assembling, storing, manipulating, retrieving, and displaying geographically-referenced information. A goal of GIS application deployment is to eliminate redundant data collection and use. The principle is that data should be collected once and then accessed by all who need it.

Audit Findings and Conclusions

DoITT is adequately monitoring and managing Citywide GIS projects. However, a Citywide standard does not exist concerning geospatial data. Consequently, DoITT has been adhering to federal industry-wide “best practices” guidelines as criteria when monitoring the project. In addition, DoITT has adequate security controls in place to ensure that its GIS data is protected from unauthorized access. Further, the GIS environment has developed adequate provisions for regular backup of information, a disaster recovery procedure, and contingency plans.

Although DoITT has adequate security controls, we found one control weakness regarding 177 individuals (including 20 DoITT employees) who have access to the City’s GIS resources. These individuals do not have current authorization to use the system, and their access rights have not been reassessed. DoITT should reassess the status and access rights of these individuals, since some may no longer be employed by the City or may not be justified in continuing to have access to the system.

Audit Recommendations

To address these issues, we recommend that DoITT:

• Work with the New York City Department of Investigation’s (DOI) Citywide Information Security, Architecture, Formulation, and Enforcement Unit (CISAFE) to develop a set of formal Citywide GIS standards for all users to follow.

• Verify the status of each user on its GIS User list and deactivate those who are no longer authorized to access this information.