Audit of Broome County discusses need for control of USB devices
The Office of the NYS Comptroller has released its audit of Broome County‘s information technology for the period January 1, 2012 — August 20, 2013. From their summary:
Local governments use and maintain data that contains PPSI. PPSI is any information where unauthorized access, disclosure, modification, destruction or disruption of access or use could severely impact the County’s critical functions, employees, customers or third parties or the citizens of New York. For example, private information could include the following: Social Security number; driver’s license number or non-driver ID; account number, credit card or debit card number and security code, access code or password that permits access to an individual’s financial account. With the advancement of modern technology, the safeguarding of PPSI has become increasingly critical. Policies regarding the protection of PPSI should be developed and enforced by IT officials, including but not limited to the use of removable USB storage devices. If IT controls are unable to prevent the use of unauthorized or unencrypted storage devices, the risk to data security is significant.
We found that while the County does have a policy regarding USB removable media, they are not monitoring or enforcing the policy. County IT officials told us that each department has the ability to order office supplies, including USB removable media on account. The IT Department does not have the capability to monitor or prevent unauthorized use of USB removable devices while still being able to allow authorized devices to operate. County IT officials also stated they did not aggressively monitor the use of USB media because it was determined that they are integral for some departments’ operations.
You can access the audit report here (pdf).