In 2023, a cybersecurity resiliency audit of the Governor’s Office of Information Technology (OIT) was conducted for the fiscal year that ended June 30, 2022. The audit evaluated OIT’s compliance with the following five core functions:
- Identify – The organization's ability to identify and manage cybersecurity risks and vulnerabilities.
- Protect – The organization's ways to protect against cyber threats.
- Detect – The organization's capability to detect and respond to cybersecurity incidents promptly.
- Respond – The organization's ability to respond to cybersecurity incidents to minimize the event's impact.
- Recover – The organization's ability to restore normal business operations after a cybersecurity incident has occurred.
The findings from that audit are OIT’s number one priority. The work focuses on all discoveries from the audit in 12 different areas, ensuring that the people, methods, and technology involved stay at the forefront of our work to secure the state’s systems and data.
Out of the 12 discoveries, 10 are confidential. The remaining two pertain to security governance and oversight, and information security training and awareness.
Where are we now? Tracking Our Progress.
We've started remediating findings and are working hard to determine why these issues happened in the first place so we can prevent them from happening again.
Governance and Oversight Remediation Progress: Several steps are being taken to improve governance and oversight including refining the definition of security roles and responsibilities to align with the guidelines specified in the Colorado Revised Statutes, prioritizing security for information systems crucial to the state’s mission and objectives, and conducting more frequent review of technical standards.
Information Security Training and Awareness: OIT is developing specialized cybersecurity training tailored to the unique roles within OIT and the state agencies we support. All state employees must take these trainings as assigned because every one of us has a role protecting State services, systems and data.