town of saugerties

Division of LocaL Government & schooL accountabiLity

o f f i c e o f t h e n e w y o r k s t a t e c o m p t r o L L e r

report of ExaminationPeriod Covered:

January 1, 2014 — February 28, 2015

2015M-117

Town of SaugertiesInformation Technology

thomas p. Dinapoli

Page

AUTHORITY LETTER 1

INTRODUCTION 2 Background 2 Objective 2 Scope and Methodology 2 CommentsofLocalOfficialsandCorrectiveAction 2

INFORMATION TECHNOLOGY 4 UserAccess 4 Policies and Procedures 5 Inventory 8 Recommendations 9

APPENDIX A ResponseFromLocalOfficials 11 APPENDIX B AuditMethodologyandStandards 15APPENDIX C HowtoObtainAdditionalCopiesoftheReport 16APPENDIX D LocalRegionalOfficeListing 17

Table of Contents

11Division of LocaL Government anD schooL accountabiLity

State of New YorkOffice of the State Comptroller

Division of Local Governmentand School Accountability August2015

DearTownOfficials:

A toppriorityof theOfficeof theStateComptroller is tohelp localgovernmentofficialsmanagegovernment resources efficiently and effectively and, by so doing, provide accountability for taxdollarsspenttosupportgovernmentoperations.TheComptrolleroverseesthefiscalaffairsoflocalgovernmentsstatewide,aswellascompliancewithrelevantstatutesandobservanceofgoodbusinesspractices.Thisfiscaloversightisaccomplished,inpart,throughouraudits,whichidentifyopportunitiesforimprovingoperationsandTownBoardgovernance.Auditsalsocanidentifystrategiestoreducecosts and to strengthen controls intended to safeguard local government assets.

FollowingisareportofourauditoftheTownofSaugerties,entitledInformationTechnology.ThisauditwasconductedpursuanttoArticleV,Section1oftheStateConstitutionandtheStateComptroller’sauthorityassetforthinArticle3oftheNewYorkStateGeneralMunicipalLaw.

This audit’s results and recommendations are resources for local government officials to use ineffectivelymanagingoperationsand inmeeting theexpectationsof their constituents. Ifyouhavequestionsaboutthisreport,pleasefeelfreetocontactthelocalregionalofficeforyourcounty,aslistedat the end of this report.

Respectfullysubmitted,

Office of the State ComptrollerDivision of Local Governmentand School Accountability

State of New YorkOffice of the State Comptroller

2 Office Of the New YOrk State cOmptrOller2

Background

Introduction

Objective

Scope andMethodology

Comments ofLocal Officials andCorrective Action

The Town of Saugerties (Town) is located in Ulster County and has a populationofapproximately20,000residents.TheTownSupervisor(Supervisor)servesastheTown’schiefexecutiveofficer.TheTownBoard (Board) comprises the Supervisor and four Board members. The Board is the legislative body responsible for managing Town operations including security over the information technology (IT) environment. The Town’s 2015 general fund budget wasapproximately$8.23million,fundedprimarilybyrealpropertytaxes.

The Town contracts for IT services with an independent contractor. Thecontractor’sdutiesincludeperformingallsignificantmaintenanceand hardware installations, and providing technical support andexpertadviceontheupgradeoftheentireITenvironment.TheTownuses computerized applications to perform essential tasks including processing financial information, Police and Town Clerk services,andBuildingDepartmenttransactions.TheTownhasapproximately77computers,24laptopsandtwomainservers.

The objective of our audit was to determine whether the Town’sIT assets were adequately safeguarded. Our audit addressed the followingrelatedquestion:

• Are internal controls over IT appropriately designed andoperating effectively?

Weexamined theTown’s internal controlsover IT systems for theperiodJanuary1,2014throughFebruary28,2015.Weextendedourreviewofdataextracted from theTown’scomputersandnetworksthroughMay6,2015.Ourauditdisclosedareasinneedofimprovementconcerning the oversight of IT operations. Because of the sensitivity ofsomeofthisinformation,certainvulnerabilitiesarenotdiscussedin this report but have been communicated confidentially toTownofficialssotheycantakecorrectiveaction.

We conducted our audit in accordance with generally accepted governmentauditingstandards(GAGAS).Moreinformationonsuchstandards and the methodology used in performing this audit are includedinAppendixBofthisreport. The results of our audit and recommendations have been discussed withTownofficialsandtheircomments,whichappearinAppendixA, have been considered in preparing this report. Town officialsgenerally agreed with our recommendations and indicated that they plannedtotake,orhavealreadytaken,correctiveaction.


The Board has the responsibility to initiate corrective action. Awrittencorrectiveactionplan(CAP)thataddressesthefindingsandrecommendations in this report should be prepared and forwarded toourofficewithin90days,pursuanttoSection35oftheGeneralMunicipalLaw.FormoreinformationonpreparingandfilingyourCAP, please refer to our brochure, Responding to an OSC Audit Report,whichyoureceivedwiththedraftauditreport.Weencouragethe Board to make this plan available for public review in the Town Clerk’soffice.


Information Technology

The use of information technology (IT) affects the fundamental manner in which transactions are initiated, recorded, processedand reported.The extent towhich computer processing is used insignificantaccountingapplications,aswellasthecomplexityofthatprocessing,determinesthespecificrisksthatITposestotheTown’sinternalcontrols.TheTown’swidespreaduseofITpresentsanumberofinternalcontrolrisksthatmustbeaddressed.Thoserisksinclude,but are not limited to, unauthorized access to data, unauthorizedchanges to data in master files and potential loss of data. Townofficialsmustdesigninternalcontrolstosafeguardcomputerizeddatafrom loss or misuse.

The Board needs to improve internal controls to effectively protect theTown’scomputersystemanddata.Specifically,theBoardneedsto review user access and restrict administrative rights to those who need such rights to perform their jobs. The Board also has not provided Town personnel with a copy of the acceptable computer use policy. Furthermore, the Board has not developed computer security anddisasterrecoveryplans,andhasnotestablishedabreachnotificationpolicy or a comprehensive inventory policy for all hardware and software.Asaresultoftheseweaknesses,thereisanincreasedriskof loss of critical data and interruptions to Town operations.

Animportantcomponentofinternalcontrolsovercomputersystemsand data includes policies and procedures for granting, revokingandmodifying individual access rights.Access controls should bebasedontheprincipleofleastprivilege,whichmaintainsthatusersshould have the most limited access rights possible to complete theirauthorizedduties.Administratorrightsareconsideredelevatedprivilegesbecausetheyallowuserstocreate,deleteandmodifyfiles,foldersorsettings.Generally,anadministrator isdesignatedas theperson who has oversight and control of a system or application with theabilitytoaddnewusersandchangeusers’passwordsandaccessrights.Alluseraccountsshouldbeassignedtospecificusers,andanyinactive accounts should be deleted or disabled from the system.

Users with administrative rights have complete control over their local workstation. Users could perform actions that would significantlyimpactthesafetyandsecurityofthecomputeranddataincluding installing unauthorized software and gaining unauthorized accesstoallfilesharesordataresources.AccordingtotheTown’sITconsultant,allusershaveadministratorrightstotheircomputers.We

User Access


verified thisonnineof thecomputers1 thatwemanuallyexaminedduring our onsite testing.

Thereare94useraccountsontheTown’sserverand96useraccountsonthePoliceDepartment’sserver.Wefound51inactiveuseraccounts(25ontheTown’sserverand26onthePoliceDepartment’sserver);nine2 of these inactive users are no longer employed by the Town andshouldbedisabled.Of the remaining42 inactiveaccounts,20aregenericusernames,meaningtheaccountisnotassociatedwitha unique individual (based on the common name defined on theaccount). The use of generic accounts can prevent the Town from tracingasuspiciousactivitytoaspecificindividual,thuspresentingdifficulties in holding the responsible user accountable for anyinappropriate actions. The remaining 22 accounts have not had any activityfromDecember2008throughFebruary2015(60daysfromApril1,2015,themostrecentdatereviewed).

The Board does not review user access on an ongoing basis and needs to restrict administrative rights to those who need them to perform their jobs. It is anticipated that when the Town purchases a new server,anewdomainwillbeconstructed.Atthattime,Townofficialsplan to review all current users and access will be granted based on current job responsibilities.

When access to computers and applications is not controlled,accountabilityiscompromised.Furthermore,withoutreviewingandupdatingauthorizedusers,theriskofthesystembeingcompromisedbyunauthorizedparties,withoutdetection,increases.

Policies and procedures over IT are part of the internal control system and provide criteria and guidance for computer-related operations. Effective protections of computing resources and data include the adoption of an acceptable use policy that informs users aboutappropriateandsafeuseofTowncomputers,asecurityplanwhich identifies potential risks and how to reduce system threats,a disaster recovery plan with guidance for minimizing loss and restoring operations in the event of a disaster and establishing a breach notification policy to ensure that employees are adequatelyprepared to notify affected individuals if their private information is compromised. The Board should periodically review and update these policiesasnecessarytoreflectchangesintechnologyandtheTown’scomputing environment. Computer users also need to be aware of

Policies and Procedures

1 We chose one computer from every department with the exception of theHighwayDepartment.TheHighwayDepartment’scomputerswereupgradedonApril1,2015.

2 Eight were former employees and one is the former IT consultant.


security risks and be properly trained in practices that reduce the internalandexternalthreatstothenetwork.

Acceptable Use – An acceptable use policy defines the Board’sintended use of equipment and computing software and the security measures that are designed to protect the Town’s systemand confidential information. The policy should address, but notnecessarilybelimitedto,theacceptableuseoftheInternetandemail,passwordsecurity,accesstoanduseofconfidentialinformation,andthe installation and maintenance of software on Town desktops and laptop computers.

AlthoughtheTownhasestablishedanacceptableusepolicy,Townofficialswerenotable todemonstrate thatuserswereawareof thepolicy. The acceptable use policy has an acknowledgment page that employees must sign to indicate they understand and will comply with the policy. We reviewed the computer activity for nine users. Townofficialscouldnotprovideuswithasignedacknowledgementof the acceptable usepolicy for anyof theseusers.Townofficialsdid not realize that this acknowledgement was not on file in theTown office.Without the users’ awareness of such a policy, thereis no requirement in place to ensure that computers are used in an appropriateandsecuremanner,whichcouldpotentiallyexpose theTown to malicious attacks or compromise systems and data.

Further,ofthenineusersreviewed,wefoundevidenceofpersonaluseontwocomputers,andthreecomputershadpersonalwebsitesbookmarked in their favorites. The users visited sites that had no Town business purpose, including sites for social networking, personalemail,motorsports,shoppingandentertainment.

Computer Security – Computer users need to be aware of security risks and be properly trained in practices that reduce the internal and external threats to the system. It is essential forTown officials todevelop a written security plan to document the process for evaluating and assessing security risks, identify and prioritize potentiallydangerous issues, and document the process for discussing anddetermining solutions.An effective IT security plan also includesprovisionsforthemonitoringofcomputerusetoensurecompliance,as well as provisions for policy enforcement. Additionally, thesecurity plan should require that only Town-owned devices remain on the network to ensure adequate control of theTown’s networksecurity. The implementation of effective IT policies and procedures facilitates the protection of computerized data resources from internal andexternalthreats.


The Board has not developed a written computer security plan. The lack of a formal security policy leaves the Town vulnerable to the risksassociatedwithindividualuse,includingviruses,spywareandother forms of malicious software that could potentially be introduced throughnon-work-relatedwebsitesorprograms.TheTown’sITassetsare more susceptible to loss or misuse when users are not aware of security risks and practices necessary to reduce those risks.

Disaster Recovery–AdisasterrecoveryplanisintendedtoidentifyanddescribehowTownofficialswill dealwithpotential disasters.Such disasters may include any sudden, unplanned catastrophicevent (e.g., fire, computer virus or inadvertent employee action)that compromises the availability or integrity of the IT system and data. Contingency planning is used to avert or minimize the damage and impact that disasters would cause to operations. Such planning consists of the precautions to be taken to minimize the effects of a disastersoofficialsandresponsiblestaffwillbeabletomaintainorquicklyresumeday-to-dayoperations.Typically,adisasterrecoveryplaninvolvesananalysisofbusinessprocessesandcontinuityneeds,includingasignificantfocusondisasterprevention.Theplanshouldalso address the roles of key individuals and be distributed to all responsibleparties,periodicallytestedandupdatedasneeded.

The Board has not adopted a comprehensive disaster recovery plan to addresspotentialdisasters.TownofficialstoldusthattheytrusttheITcontractorandhisinformalplanfordisasterrecovery.Consequently,intheeventofadisaster,Townpersonnelhavenoguidelinesorplanto follow to help minimize or prevent the loss of equipment and data or to appropriately recover data. Without a comprehensive disaster recoveryplan,theTowncouldloseimportantfinancialdataandsuffera serious interruption in Town operations.

BreachNotification Policy −An individual’s private and financialinformation,alongwithconfidentialbusinessinformation,couldbeseverelyimpactediftheTown’scomputersecurityisbreachedordatais improperlydisclosed.NewYorkStateTechnologyLaw requirestheTowntoestablishaninformationbreachnotificationpolicy.Sucha policy should detail how the Town would notify individuals whose private information was, or is reasonably believed to have been,acquired by a person without a valid authorization. It is important forthedisclosuretobemadeinthemostexpedienttimepossibleandwithoutunreasonabledelay,consistentwiththelegitimateneedsoflaw enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

TownofficialsinformedusthattheBoardhadnotadoptedabreachnotification policy. We discussed this weakness with the former


Supervisorinapriorauditreportissuedin2012.3Townofficialsdidnot implement any of the recommendations in that report and did not prepare and submit a corrective action plan as required.

SecurityAwarenessTraining−An importantway to communicateIT security expectations to network users is by providing ITsecurity awareness training. IT awareness training is intended to assist individuals with recognizing IT security concerns and then responding appropriately. Creating security awareness through training also helps to ensure that everyone understands his or her individual responsibilities.

Town employees were not provided with training to ensure they understood security measures designed to protect the Town’snetwork. Employees’ lack of trainingmakes the Town’s IT assetsmore vulnerable to loss and misuse.

Agoodsystemofinternalcontrolsincludespoliciesandproceduresthat are designed to ensure that employees record and maintain an inventory of computer and technology equipment and software.Adetailedinventoryrecordshouldincludeadescriptionofeachitem,includingmake,modelandserialnumber;thenameoftheemployeetowhomtheequipmentisassigned,ifapplicable;thephysicallocationof the asset and relevant purchase information including acquisition date. It is important that inventory records be periodically checked and kept up to-date with new acquisitions, disposals and currentcondition of these assets. Policies and procedures help to reduce the riskof loss, theft,misuseandobsolescence.Maintaining inventoryrecords helps safeguard assets and provides a means of planning for futurereplacementandareferencefortheasset’slocation.

The Town does not maintain a complete inventory of computer and technologyequipment;theinventoryrecordsthattheTownmaintainslack key identifying information. The IT consultant provided us with alistingofTownHallcomputersthatincludedlocation,theassigneduserandtheoperatingsystem.However,thislistinglackedthemake,model,serialnumberandacquisitioncostanddate.Wealsoobtainedvarious IT inventory lists fromdepartmentheads for theBuilding,Parks and Police Departments; these inventory lists also lackedidentifying information.

Inaddition,theTowndoesnothaveasoftwareinventoryotherthaneach computer’s operating system. Town officials do not conductaudits or formal reviews of software installed. Of the nine computers

Inventory

3 Town of Saugerties, Internal Controls Over Selected Financial Activities,2011M-283,May2012


reviewed,wefoundtwosuspicioussoftwareprogramsinstalled.Theseprograms are adware and were probably inadvertently downloaded whiledownloadingotherfreesoftware.Furthermore,wefoundthatthesupportfortheTown’stwomainserverswillendinJuly2015.TheTownisreplacingtheTownHallserverpriortothat;however,thePoliceDepartmentserverisnotinthisyear’sbudgetandwillnotbereplaceduntilnextyear.TheITconsultantstatedtheTownwillcontract with the vendor for the additional support until the Police Department’sserverisreplaced.

The Town has had recent administration changes and the new administration has made upgrading the Town’s IT environment apriority,includingcompilinginventorylistsfortheTown’scomputerassets. Without an accurate inventory of computer and technology equipment, Town officials cannot be assured that these assets areadequatelyaccountedforandprotectedfromloss,theft,misuseandobsolescence.Further,intheeventofadisaster,theTownwouldbeunable to provide the insurance company with an accurate list of assets,andTownofficialswouldbeunawareofwhattheyneededtoreplace.

TheBoardshould:

1. Limit the administrative access rights to those individuals that have oversight and control of a system or application, andreview those rights on an ongoing basis.All user accountsshouldbeassignedtospecificusersandanyinactiveaccountsshould be deleted or disabled from the system.

2. Provide Town personnel who use computers a copy of the acceptable use policy and retain a signed copy of the acknowledgement page to ensure the users’ understandingand their responsibilities to the Town policy.

3. AdoptITpoliciesandproceduresrelatedto:

a. Computer security.

b. Disaster recovery.

c. Breachnotification.

4. Ensure all network users receive IT security training.

5. Establish a comprehensive inventory policy that definesprocedures for maintaining a complete, comprehensive

Recommendations


inventory listing for all hardware and software; updatinginventory records for all new purchases as they occur and relocating assets (if necessary). The Board also should formalizeapolicytoperformreviewsoftheTown’scomputersandcompareresultstotheTown’sinventorylist.


APPENDIX A

RESPONSE FROM LOCAL OFFICIALS

Townofficials’responsetothisauditcanbefoundonthefollowingpages.Townofficialsincludedcommentsregardingfindingswehadcommunicatedconfidentiallytothem.Becauseofthesensitivityofthisinformation,wedidnotincludeitinthereport.Townofficialsalsoattachedupdatedpoliciesandserverreplacementinformationwiththeirresponse.However,theirresponsecontainedsufficientinformationtoindicatetheirintentions.Therefore,wedidnotincludetheseattachmentsinthefinalreport.


APPENDIX B

AUDIT METHODOLOGY AND STANDARDS

TheobjectiveofourauditwastoexaminetheITcontrolsovertheTown'selectronicdataandcomputerresources.To achieve our audit objective and obtain valid evidence,we performed the followingprocedures:

• WeinterviewedTownofficialsandthecontractedITconsultanttoobtainanunderstandingoftheTown’sIToperations.

• Weinquiredastopoliciesandproceduresrelatedtoacceptableuse,useraccounts,securityanddisasterrecoveryplans,breachnotificationandsecurityawarenesstraining.

• WeexaminedninecomputersbyrunningauditsoftwareandexaminedspecificactivitiessuchasInternetuse,cookiesandInternethistory.

• Foroursampleofcomputerschosen,wechoseonecomputerfromeverydepartmentwiththeexceptionoftheHighwayDepartment.TheHighwayDepartment’scomputerswereupgradedonApril1,2015.

• WeinquiredtodetermineifTownofficialsmaintainedlistsofcomputers,ITassets,applications,system users or access abilities.

We conducted this performance audit in accordance with generally accepted government auditing standards(GAGAS).Thosestandardsrequirethatweplanandperformtheaudittoobtainsufficient,appropriateevidencetoprovideareasonablebasisforourfindingsandconclusionsbasedonourauditobjective.Webelieve that the evidence obtained provides a reasonable basis for our findings andconclusions based on our audit objective.


APPENDIX C

HOW TO OBTAIN ADDITIONAL COPIES OF THE REPORT

OfficeoftheStateComptrollerPublicInformationOffice110StateStreet,15thFloorAlbany,NewYork12236(518)474-4015http://www.osc.state.ny.us/localgov/

Toobtaincopiesofthisreport,writeorvisitourwebpage:


APPENDIX DOFFICE OF THE STATE COMPTROLLER

DIVISION OF LOCAL GOVERNMENTAND SCHOOL ACCOUNTABILITYAndrewA.SanFilippo,ExecutiveDeputyComptroller

GabrielF.Deyo,DeputyComptrollerNathaalieN.Carey,AssistantComptroller

LOCAL REGIONAL OFFICE LISTING

BINGHAMTON REGIONAL OFFICEH.ToddEames,ChiefExaminerOfficeoftheStateComptrollerStateOfficeBuilding,Suite170244 Hawley StreetBinghamton,NewYork13901-4417(607)721-8306Fax(607)721-8313Email:[email protected]

Serving:Broome,Chenango,Cortland,Delaware,Otsego,Schoharie,Sullivan,Tioga,TompkinsCounties

BUFFALO REGIONAL OFFICEJeffreyD.Mazula,ChiefExaminerOfficeoftheStateComptroller295MainStreet,Suite1032Buffalo,NewYork14203-2510(716)847-3647Fax(716)847-3643Email:[email protected]

Serving:Allegany,Cattaraugus,Chautauqua,Erie,Genesee,Niagara,Orleans,WyomingCounties

GLENS FALLS REGIONAL OFFICEJeffreyP.Leonard,ChiefExaminerOfficeoftheStateComptrollerOne Broad Street PlazaGlensFalls,NewYork12801-4396(518)793-0057Fax(518)793-5797Email:[email protected]

Serving:Albany,Clinton,Essex,Franklin,Fulton,Hamilton,Montgomery,Rensselaer,Saratoga,Schenectady,Warren,WashingtonCounties

HAUPPAUGE REGIONAL OFFICEIraMcCracken,ChiefExaminerOfficeoftheStateComptrollerNYSOfficeBuilding,Room3A10250VeteransMemorialHighwayHauppauge,NewYork11788-5533(631)952-6534Fax(631)952-6530Email:[email protected]

Serving:NassauandSuffolkCounties

NEWBURGH REGIONAL OFFICETennehBlamah,ChiefExaminerOfficeoftheStateComptroller33AirportCenterDrive,Suite103NewWindsor,NewYork12553-4725(845)567-0858Fax(845)567-0080Email:[email protected]

Serving:Columbia,Dutchess,Greene,Orange,Putnam,Rockland,Ulster,WestchesterCounties

ROCHESTER REGIONAL OFFICEEdwardV.Grant,Jr.,ChiefExaminerOfficeoftheStateComptrollerThe Powers Building16WestMainStreet,Suite522Rochester,NewYork14614-1608(585)454-2460Fax(585)454-3545Email:[email protected]

Serving:Cayuga,Chemung,Livingston,Monroe,Ontario,Schuyler,Seneca,Steuben,Wayne,YatesCounties

SYRACUSE REGIONAL OFFICERebeccaWilcox,ChiefExaminerOfficeoftheStateComptrollerStateOfficeBuilding,Room409333E.WashingtonStreetSyracuse,NewYork13202-1428(315)428-4192Fax(315)426-2119Email:[email protected]

Serving:Herkimer,Jefferson,Lewis,Madison,Oneida,Onondaga,Oswego,St.LawrenceCounties

STATEWIDE AUDITSAnnC.Singer,ChiefExaminerStateOfficeBuilding,Suite170244 Hawley Street Binghamton,NewYork13901-4417(607)721-8306Fax(607)721-8313

town of saugerties

Documents