The Los Angeles County Fire Department has no process to ensure that cell phones and other mobile devices are returned when employees terminate or transfer, and does not thoroughly remove data from mobile devices before disposing them, County Auditor-Controller John Naimo reported March 13.
“The Fire Department needs to establish a process to ensure mobile devices are returned when employees terminate or transfer as required by Board of Supervisors Information Technology and Security Policy 6.100 and County Fiscal Manual Section 8.7.6,” the auditor stated. “Fire management indicated there is no process to ensure every device is returned when employees terminate or transfer, and while these employees should return their mobile devices, they cannot ensure this is happening.”
This increases the risk of loss or theft of the devices going undetected, increases the risk of additional charges to the county, and “increases risk for the unauthorized use or exposure of county data,” the auditor noted.
“Fire needs to improve its processes and documentation to support that data on all mobile devices is removed (i.e., sanitized) prior to disposition or transfer as required by Board Policy 6.100,” the auditor added. “While Fire maintains a list of the salvaged devices to be disposed of, they could not support these devices were successfully sanitized prior to disposition or transfer. We also noted Fire does not sanitize devices before donation when they cannot be turned on, and only partially removes data on devices when they cannot perform a factory reset or remote wipe.”
The Fire Department generally agreed with the auditor’s findings and recommendations.