The Office of Inspector General (OIG) conducted an audit of the Office of Emergency Management and Communications’s (OEMC) management of approximately 2,700 cameras (“public safety cameras”) originally purchased by OEMC, the Chicago Police Department (CPD), and the Chicago Fire Department (CFD). The objective of the audit was to determine if OEMC has effectively managed these cameras. OIG assessed the effectiveness of OEMC’s management by testing whether the public safety cameras worked properly, whether the cameras received necessary repairs in a timely manner, whether the cameras retained footage for the required number of days, and whether access to the cameras was limited to appropriately authorized personnel.
OIG found that, in managing the public safety cameras, OEMC did not comply with, and did not require other departments to comply with, Citywide policies regulating access to information systems. As a result, OEMC could not, in most instances, determine which individuals accessed the camera system or how those individuals used the cameras. We also found that OEMC did not establish and enforce operational objectives for the public safety cameras, and therefore could not determine whether operational levels were optimal. OIG further found that although OEMC’s project manager—the Public Building Commission (PBC)—received and reviewed deliverables as required, minor deficiencies in PBC’s vendor monitoring prevented it from fully executing its responsibilities as a project manager.
We recommend that OEMC implement policies and practices regulating access to the public safety cameras that comply with the Department of Innovation and Technology’s (DOIT) Information Security and Technology Policies (ISTP), and require other entities that use the cameras to do the same. In addition, OEMC should develop and enforce reasonable standards for system performance. Finally, OIG concludes that PBC could increase the effectiveness of its vendor monitoring by implementing minor improvements. We recommend that OEMC review PBC’s vendor oversight practices to identify any additional opportunities for improvement beyond those identified in this audit.
In response to our audit findings and recommendations, OEMC agreed with the findings and committed to take corrective actions, some of which have already been initiated. Specifically, based on the preliminary findings of this audit, OEMC, in late 2015, began replacing group logins with unique usernames and passwords for all Security Center users except CPD personnel in the district stations. To further strengthen its user access protocols, OEMC plans to eventually require all camera users to log in with their unique e-mail credentials, require users to abide by the City’s ISTP, and develop and document policies to determine who should be granted access to the network.
In addition to access security, OEMC stated that it will develop performance measures, that will allow the Department to assess the major components of the camera system. Finally, OEMC is exploring future program management alternatives but until then, will work with PBC to improve contractor oversight. PBC agreed to document service level agreements in each task order, collaborate with OEMC to ensure vendor deliverables are documented, and provide OEMC with monthly reports on repair data and issues related to vendor reporting.