NYS Comptroller finds IT security deficits in towns of Babylon and Salina

Every so often I post audit reports from the NYS Comptroller’s Office. Last week, the office posted two completed audits worth noting here:

The Town of Babylon was audited for the period January 1, 2011 — July 31, 2012. In addition to significant concerns about the town’s financial health conditions and other matters, one of the audit’s findings was that:

Finally, the Board has not adopted a comprehensive computer use policy, breach notification policy, or formal disaster recovery plan. In addition, users of the financial software have access rights to sections of the software that are not necessary for their job duties. As a result, the Town’s IT system and electronic data are susceptible to an increased risk of loss, misuse, and manipulation.

The Comptroller offered four recommendations for Babylon:

  • Town officials should adopt a comprehensive computer policy addressing key security issues such as data and virus protection, password security, disposal and sanitizing of equipment, and remote access.
  • Town officials should adopt an information breach notification policy.
  • Town officials should establish a formal disaster recovery plan that provides guidance to maintain Town operations or restore data as quickly as possible in the event of a disaster.
  • Town officials should monitor users’ access to the Town’s financial software and restrict access to what the users need to perform their job responsibilities.

You can access the full audit report here (pdf).

The Comptroller also audited the Town of Salina for the period January 1, 2011 — March 31, 2013 on Information Technology. From the report:

The Board has not established policies and procedures related to PPSI and sanitizing computer equipment onsite before disposal. In addition, the Board has not instituted policies and procedures to protect data resources. Town officials do not maintain a complete and accurate computer inventory and have not developed an IT disaster recovery plan. Because of these weaknesses, IT assets are at risk for unauthorized, inappropriate or wasteful use. Additionally, in the event of an IT disaster or breach, there is no formal plan of what action Town officials should take to restore service or notify those whose personal information has been compromised.

[…]

The Board has not adopted written policies related to the retention and safeguarding of PPSI [Personal, Private and Sensitive Information] and does not have a written data classification scheme. There is no policy to address the necessary procedures for the removal of sensitive data from computers and other electronic equipment scheduled for disposal. When Town officials determine that computer and other electronic equipment are no longer needed, they usually move the equipment to a storage room in the Town municipal building. When the room fills up, a maintenance department worker takes the equipment to a third-party vendor hired to recycle the equipment (recycler) for disposal. Town officials do not sanitize the computer hard drives prior to disposal; instead, they rely on the recycler to do the sanitizing. The recycler resells disposed devices and sends unsalvageable devices to the scrap yard. The Town does not have an agreement with the recycler that defines the level of service the recycler will provide and addresses the data protection expectations of the Town. A representative of the recycler told us that Town officials must request sanitization of the computer hard drives at the time they are dropped off or they are sold “as is.”

We found an external hard drive that was awaiting disposal in the equipment storage room and determined that it included PPSI and records related to Town employees, such as social security numbers, dates of birth, license numbers, addresses and personnel matters related to suspensions and termination of employment. Town officials cannot be sure that the hard drive would have been wiped clean at the Town’s next disposal process, as the Town does not sanitize IT equipment prior to turning it over to the recycler, and the recycler does not sanitize external hard drives unless requested.

In addition, there is no reconciliation between what is removed from inventory and what is actually disposed of through the recycler. The maintenance department worker prepares a disposal list when he takes the items to the recycler; however, the Deputy Comptroller said that she just takes the disposal list and puts it in a folder after the equipment is taken to the recycler. Also, the disposal records do not contain enough information to properly identify the exact computers that are being disposed and some items were listed in the disposal records more than once. Because of these weaknesses, there is an increased risk that the equipment can be disposed of in an improper

There’s more, but it’s painful to even keep reading it, so you can access the full audit report here (pdf).
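The Salina findings describe three control gaps in one disposal process: no reconciliation between inventory removals and the recycler's disposal list, disposal records that cannot identify the exact device, and duplicate entries. The following is an added example (not from the audit report or the Town) of the reconciliation check an auditor or IT staffer could run; the asset records are constructed sample data and the field names are assumptions.

```python
from collections import Counter

# Constructed sample records, not data from the audit. One list is what was
# removed from the Town's inventory, the other is the recycler's disposal list.
INVENTORY_REMOVED = [
    {"asset_tag": "T-1001", "serial": "SN-A1", "description": "Desktop PC"},
    {"asset_tag": "T-1002", "serial": "SN-B2", "description": "Desktop PC"},
    {"asset_tag": "T-1003", "serial": "SN-C3", "description": "External hard drive"},
    {"asset_tag": "T-1004", "serial": "SN-D4", "description": "Laptop"},
]
DISPOSAL_LIST = [
    {"serial": "SN-A1", "description": "Desktop PC", "sanitized": True},
    {"serial": "SN-A1", "description": "Desktop PC", "sanitized": True},   # listed twice
    {"serial": "SN-B2", "description": "Desktop PC", "sanitized": False},  # wipe never recorded
    {"serial": "",      "description": "Laptop",     "sanitized": True},   # no serial: which laptop?
]


def reconcile(removed, disposed):
    """Return the discrepancies between inventory removals and disposal records."""
    disposed_serials = Counter(d["serial"] for d in disposed if d["serial"])
    removed_serials = {r["serial"] for r in removed}
    return {
        # Removed from inventory but never recorded as disposed: possible loss or theft.
        "missing_disposal": sorted(removed_serials - set(disposed_serials)),
        # On the disposal list but never taken off inventory: records out of sync.
        "unrecorded_removal": sorted(set(disposed_serials) - removed_serials),
        # Same device appearing more than once on the disposal list.
        "duplicates": sorted(s for s, n in disposed_serials.items() if n > 1),
        # Entries with no unique identifier: the exact device cannot be traced.
        "unidentifiable": sum(1 for d in disposed if not d["serial"]),
        # Handed to the recycler with no recorded sanitization of the drive.
        "not_sanitized": sorted(d["serial"] for d in disposed
                                if d["serial"] and not d["sanitized"]),
    }


if __name__ == "__main__":
    for finding, items in reconcile(INVENTORY_REMOVED, DISPOSAL_LIST).items():
        print(f"{finding}: {items}")
```

Every non-empty finding is one of the gaps the audit describes; in practice the "missing_disposal" and "not_sanitized" lists are the ones that matter for PPSI, since those are the drives whose whereabouts or wiped state nobody can vouch for.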

About the author: Dissent