Orange County is a regional service provider and planning agency whose core businesses include public safety, public health, environmental protection, regional planning, public assistance, social services, and aviation. With a population of nearly 3 million, it is the sixth most populous county in the United States. The county is comprised of 31 departments and six special districts with a total operating budget of over $6 billion annually. It has a current workforce of over 17,000 authorized positions.
Orange County had contracted with several IT managed service providers for significant portions of its IT operations. In addition, the county had recently upgraded its accounting and human resources system (CAPS+). While these changes were occurring, Orange County management in the Auditor Controller’s office and CEO’s office recognized the need for a comprehensive enterprise system risk assessment to ensure that adequate controls were in place to protect sensitive data as required. With more and more residents increasingly turning to the web for information and increasing use of employee self-service, the need for IT security and risk reviews of Orange County’s online systems were paramount. The county’s transition to managed services required a mechanism to control the impact of these transitions against the access and security of sensitive data.
Orange County valued our experience with other county and local government entities, as well as its cybersecurity experience as a whole. We provided a strong and flexible technology team that contributed a significant on-site presence, knowledge, and continuity amid the county’s changes in managed service vendors – all while completing the project on time and meeting project goals.
During the engagement, stakeholders were informed of the key project issues as they revolved around identifying areas of risk, remediation, response, and recovery. The areas of risk and recommendations identified provided a forum for open dialog across the entity spanning numerous departments within the county. The security audit provided a road map of improvements that has since been placed into an implementation plan. Based on the findings, the county is now working to develop more comprehensive documentation, policies, and procedures on obtaining access to the applications and environments. Once the audit recommendations have been implemented, the county will be better situated for any changes in the environment or staff reallocation.
Additionally, our team imparted tools and knowledge, beyond the assessment, which allowed the county to understand the risk assessment process and apply it to future areas and future projects.