Denver lacks a comprehensive program to assess potentially disastrous cybersecurity risks, City Auditor Tim O’Brien said in a new report.

The city’s current approach can best be described as “informal,” O’Brien said, particularly when it comes to oversight of independent city agencies or cultural facilities — like the Denver Art Museum and Denver Zoo — that operate on subnetworks tied into the city’s broader system.

O’Brien cataloged his office’s findings in an audit report released Thursday.

The report is the product of a review of city data, processes and planning efforts over two years — from Jan. 1, 2022, through Dec. 31, 2023.

The audit team found that city staff did not consistently complete quarterly mandatory cybersecurity training. The city also lacks a specific training regime for employees responsible for citywide information technology risk management.

O’Brien is urging Denver Technology Services — the city department tasked with overseeing and managing all physical and virtual technology that touches the city’s network — to overhaul its approach and create clear guidelines for how every wing of city government handles data and technology risks.

“Through awareness of cybersecurity risks and clear expectation-setting for appropriate use of technology, the city can trust its employees to do their part in protecting data and information,” O’Brien said in a statement.

The auditor’s office recommended seven steps that Technology Services should take to remedy Denver’s shortcomings.

Those include:

• Developing a citywide risk assessment process
• Developing risk management training
• Creating information-exchange agreements that would require independent agencies and facilities to share information about high-level technology risks with the department

Sumana Nallapati, Denver’s chief information officer, accepted all seven recommendations in a response letter sent to the auditor’s office on June 7. Mayor Mike Johnston hired her in September.

Many facets of what O’Brien recommends are already underway, Nallapati wrote in her response letter.

“(Technology Services) intends to create a robust and holistic organizational risk management structure identifying roles, responsibilities, documentation, risk assumption, identification of training for necessary roles and escalation processes associated to technical risk,” Nallapati wrote in part.

Her letter acknowledged the administration’s limited power to influence independent city agencies. While Technology Services accepted the recommendation to pursue information exchange agreements, Nallapati wrote that her department plans to reach out to independent agencies to see whether they would be willing to sign memorandums of understanding — or MOUs — focused on risk assessment.

“(Technology Services) cannot commit to a completion date for any such efforts, or that a successful MOU will ever be reached,” she wrote.

The audit report cites officials with Denver County Court as specifically asserting that they have the legal authority to operate independently as the judicial branch of city government. Court officials argue that they should not be required to formally communicate potential cyber security risks to Technology Services, the report says.

“But this assertion of independence with limited collaboration undermines the greater good of protecting the city from costly and damaging cyberattacks…” the audit team wrote.

Denver’s approach leaves the city more vulnerable to equipment failures, service disruptions and cyberattacks, the auditor’s office found. Those risk factors could cost Denver millions of dollars per day if any of them were ever to lead to full city network failure, according to the report.

In a statement to The Denver Post, Nallapati said her department is “committed to working across the city enterprise on continuous improvement of technology risk management strategies.”

Colorado has seen its share of high-profile cyberattacks in recent years.

In 2018, a ransomware attack temporarily knocked the Colorado Department of Transportation’s back-end operations offline. It cost the state between $1 million and $1.5 million just to bring the agency’s functionality back to 80% of normal in the months that followed.

Earlier this year, a cyberattack hobbled the Office of the Colorado State Public Defender and delayed hundreds of court hearings. The agency acknowledged that personal data including clients’ Social Security numbers may have been compromised during that episode.

Stay up-to-date with Colorado Politics by signing up for our weekly newsletter, The Spot.

The guys are back to preview the upcoming NBA Draft and free agency and what moves they think the Denver Nuggets will make. First, Zach Mikash and Gordon Gross talk about their favorite targets for the Nuggets at pick #28. Next they talk about how the talent pool in the draft changes the strategy and that Denver can and should try to find an immediate contributor in the right role and situation. For the second half of the show the guys look at the upcoming free agency period. They talk about Vlatko Cancar’s option being declined by the Nuggets and what they think will happen with the looming free agency of Kentavious Caldwell-Pope. Finally they finish up the show talking about some taxpayer mid-level exception targets the Nuggets could have if KCP does indeed end up not coming back.

The NBA Draft is right around the corner

• Favorite prospects for the Denver Nuggets
• Should Denver just go best player available and forget position
• Do you anticipate any trades

A week from the open of free agency

• Surprised the Nuggets declined Vlatko Cancar’s option?
• What happens with Kentavious Caldwell-Pope and Reggie Jackson’s player options?
• Who is a taxpayer MLE target?

Posted: Jun 23, 2024 / 03:49 PM MDT

Updated: Jun 23, 2024 / 03:49 PM MDT

DENVER (KDVR) — The Denver Police Department will offer free bike registration at several locations in the city for Bike to Work Day on Wednesday, June 26.

The city partners with 529 Garage for its bike registration system, which it said enhances bicycle theft prevention, lost or stolen bike recovery and stolen bike investigations, among other things.

Registrations document things like the bike’s serial number and make, model and color for easier identification and return if lost or stolen.

Volunteers will be at five locations throughout the city on Wednesday to encourage people to register and help people register:

• Denver Zoo from 6:30 a.m. to 9 a.m.
• REI at 1416 Platte St. from 6 a.m. to 10 a.m.
• Cherry Creek Trail at South University Boulevard and Cherry Creek North Drive from 6:45 a.m. to 9:30 a.m.
• East 29th Avenue Town Center at East 29th Avenue and North Roslyn Street from 6:30 a.m. to 9:30 a.m.
• Skyline Park at 16th Street and Arapahoe Street from 6 a.m. to 9 a.m.

According to police, more than 400 bikes that were recovered in 2022 were never claimed or returned to their owners due to lack of registration.

People who register at the locations will receive a 529 Shield decal, which police said could let thieves know that the bike is registered, as well as help police in stolen bike recovery.

People can also register their bikes online for free either through the DPD website or the 529 Garage app.