Town of Saugerties: Information Technology Audit by NYS Comptroller’s Office Reveals Serious Problems
From the audit report, some background first:
The Town contracts for IT services with an independent contractor. The contractor’s duties include performing all significant maintenance and hardware installations, and providing technical support and expert advice on the upgrade of the entire IT environment. The Town uses computerized applications to perform essential tasks including processing financial information, Police and Town Clerk services, and Building Department transactions. The Town has approximately 77 computers, 24 laptops and two main servers.
The objective of our audit was to determine whether the Town’s IT assets were adequately safeguarded. Our audit addressed the following related question:
• Are internal controls over IT appropriately designed and operating effectively?
From the findings, some of which were too sensitive to spell out in a public report:
There are 94 user accounts on the Town’s server and 96 user accounts on the Police Department’s server. We found 51 inactive user accounts (25 on the Town’s server and 26 on the Police Department’s server); nine of these inactive users are no longer employed by the Town and should be disabled. Of the remaining 42 inactive accounts, 20 are generic user names, meaning the account is not associated with a unique individual (based on the common name defined on the account). The use of generic accounts can prevent the Town from tracing a suspicious activity to a specific individual, thus presenting difficulties in holding the responsible user accountable for any inappropriate actions. The remaining 22 accounts have not had any activity from December 2008 through February 2015 (60 days from April 1, 2015, the most recent date reviewed).
The Board does not review user access on an ongoing basis and needs to restrict administrative rights to those who need them to perform their jobs. It is anticipated that when the Town purchases a new server, a new domain will be constructed. At that time, Town officials plan to review all current users and access will be granted based on current job responsibilities.[…]
Although the Town has established an acceptable use policy, Town officials were not able to demonstrate that users were aware of the policy. The acceptable use policy has an acknowledgment page that employees must sign to indicate they understand and will comply with the policy. We reviewed the computer activity for nine users. Town officials could not provide us with a signed acknowledgement of the acceptable use policy for any of these users. Town officials did not realize that this acknowledgement was not on file in the Town office. Without the users’ awareness of such a policy, there is no requirement in place to ensure that computers are used in an appropriate and secure manner, which could potentially expose the Town to malicious attacks or compromise systems and data.
Further, of the nine users reviewed, we found evidence of personal use on two computers, and three computers had personal websites book marked in their favorites. The users visited sites that had no Town business purpose, including sites for social networking, personal email, motorsports, shopping and entertainment.[…]
The Board has not developed a written computer security plan. The lack of a formal security policy leaves the Town vulnerable to the risks associated with individual use, including viruses, spyware and other forms of malicious software that could potentially be introduced through non-work-related websites or programs. The Town’s IT assets are more susceptible to loss or misuse when users are not aware of security risks and practices necessary to reduce those risks.