Audit Objective
Did Town of Bethlehem (Town) officials adequately secure and protect information technology (IT) systems against unauthorized use, access and loss?
Audit Period
January 1, 2023 – November 30, 2024
Understanding the Program
Town employees and officials use the IT systems for Internet access, email and receiving online payments, and to maintain various records, such as financial and personnel records and evidence files for the Police Department. The Town’s Management of Information Services (MIS) Department consists of the MIS Director and two employees: the Information Service Specialist and the Help Desk Technician. In addition, the Police Department has a Senior Network and Systems Technician, who is responsible for setting up the police systems. The MIS Department is responsible for managing the network and computers for the entire Town, including the Police Department. Additionally, the MIS Department is responsible for the Town’s servers, firewall and all IT equipment, and also manages all user accounts and permissions.
Audit Summary
The Town Board (Board) and officials did not develop and adopt an IT contingency plan or breach notification policy, periodically test data backups or provide employees with security awareness training. Sensitive IT control weaknesses were communicated confidentially to officials. As a result, the Town’s IT systems and its personal, private and sensitive information (PPSI)[1] may be accessible to unauthorized use, access and loss. Officials also have minimal assurance that in the event of a disruption or disaster (e.g., a ransomware attack), employees and other responsible parties would be able to react quickly and effectively to help resume, restore or repair critical IT systems or data in a timely manner.
Officials also did not monitor employee Internet use. Although the Town’s Computer and Internet Use Policy in the employee manual prohibits employees from using Town-owned computers for personal use, officials and employees were not in compliance with the policy. We reviewed Internet histories on eight Town employee computers, and all eight employees used the computers to access websites for personal use, such as news and advertising, personal online banking and finances, entertainment and travel, shopping, social media and streaming platforms.
Weaknesses in policies, oversight and other internal controls increase the risk that hardware or software systems may be lost, damaged or compromised by unauthorized or inappropriate access and use.
The report includes six recommendations that, if implemented, will help improve the Town’s IT security and protect the systems against unauthorized use, access and loss. Town officials generally agreed with our findings and indicated they have initiated or plan to initiate corrective action. Appendix C includes our comment on an issue raised in the Town’s response.
We conducted this audit pursuant to Article V, Section 1 of the State Constitution and the State Comptroller’s authority as set forth in Article 3 of the New York State General Municipal Law. Our methodology and standards are included in Appendix D.
The Board has the responsibility to initiate corrective action. A written corrective action plan (CAP) that addresses the findings and recommendations in this report should be prepared and provided to our office within 90 days, pursuant to Section 35 of the New York State General Municipal Law. For more information on preparing and filing your CAP, please refer to our brochure, Responding to an OSC Audit Report, which you received with the draft audit report. We encourage the Board to make the CAP available for public review in the Clerk’s office.
[1] PPSI is any information to which unauthorized access, disclosure, modification, destruction or use – or disruption of access or use – could have or cause a severe impact on critical functions, employees, customers, third parties or other individuals or entities.