Office of Emergency Management and Communications Public Safety Cameras Audit Follow-Up

The City of Chicago Office of Inspector General (OIG) has completed a follow-up to its December 2016 audit of the Office of Emergency Management and Communications’ (OEMC) management of public safety cameras. Based on the Department’s responses, OIG concludes that OEMC has implemented two corrective actions related to the audit findings and has begun to implement three others.

The 2016 audit assessed the effectiveness of OEMC’s management of public safety cameras by testing whether the cameras worked properly, whether the cameras received necessary repairs in a timely manner, whether the cameras retained footage for the required number of days, and whether access to the cameras was limited to appropriately authorized personnel.

OIG found that, in managing public safety cameras, OEMC did not comply with, and did not require other departments to comply with, citywide policies regulating access to information systems. As a result, OEMC could not, in most instances, determine which individuals accessed the camera system or how those individuals used the cameras. We also found that OEMC did not establish and enforce operational objectives for public safety cameras, and therefore could not determine whether operational levels were optimal. OIG further found that although OEMC’s project manager—the Public Building Commission (PBC)—received and reviewed deliverables as required, minor deficiencies in PBC’s vendor monitoring prevented it from fully executing its responsibilities as a project manager.

Based upon the results of the audit, OIG recommended that OEMC implement policies and practices regulating access to public safety cameras, develop and enforce reasonable standards for system performance, and review and identify opportunities to improve PBC’s oversight of its vendor for camera repair and maintenance, Motorola. In its response to the audit, OEMC described a number of corrective actions it would take.

In December 2017, OIG inquired about corrective actions taken by OEMC in response to the audit. Based on OEMC’s follow-up response, OIG concludes that OEMC has implemented two corrective actions and has three corrective actions pending implementation. Specifically, OEMC assumed direct management of the Motorola contract, implementing corrective actions related to the establishment of performance measures and increased contract oversight. OEMC is in the process of implementing corrective actions to address compliance with the City’s Information Security and Technology Policies. Once fully implemented, OIG believes the corrective actions reported by OEMC may reasonably be expected to resolve the core findings noted in the audit. Below, we summarize the audit findings and recommendations, as well as the Department’s response to our follow-up inquiry.