Audit Objective
Did Town of Guilderland (Town) officials adequately secure and protect information technology (IT) assets against unauthorized use, access and loss?
Audit Period
January 1, 2024 – January 10, 2025
Understanding the Audit Area
Town officials and employees use Town-owned IT assets (e.g., computers and laptops) to perform day-to-day operations and to access and store information collected by the Town. The Town relies on its IT systems (including its IT assets and network) for Internet access and email, and to maintain various records, such as financial and personnel records and evidence files for the police department, that may contain personal, private, or sensitive information (PPSI).[1] If an IT system is compromised, the results could range from inconvenient to catastrophic and may require extensive effort and resources to evaluate, repair and rebuild.
The Town has 228 enabled user accounts, 188 network computer accounts, 162 desktops and laptops and 31 servers.
Audit Summary
The Town Board (Board) and officials did not monitor employee Internet use or establish adequate controls to safeguard IT systems. In addition, the Board did not adopt an IT contingency plan to help minimize the risk of data loss or suffering a serious interruption of services, periodically test backups, or provide IT security awareness training. As a result, Town officials cannot be assured that Town IT assets are secured and protected against unauthorized use, access and loss, and there is an increased risk that officials could lose important data and suffer a serious interruption in operations.
The Town’s technology use policy (IT Policy) prohibits employees from using Town-owned computers for personal use. However, within our sample of 14 Town computers, six users accessed websites for personal use, such as entertainment, news media, personal finance, email, shopping, travel, personal health and other miscellaneous personal use. In addition, one user conducted personal business activities using a Town computer.
The multiple security weaknesses identified in the Town’s IT systems, including inadequate access controls, compound the risk of a cyber disruption, including, but not limited to, unauthorized use, access or loss of information maintained within the Town’s IT assets.
Sensitive IT control weaknesses were communicated confidentially to officials.
The report includes seven recommendations that, if implemented, will improve the Town’s IT practices to protect against unauthorized use, access and loss. Town officials generally agreed with our recommendations and have initiated or indicated they planned to initiate corrective action. Appendix C includes our comment on an issue raised in the Town’s response letter.
We conducted this audit pursuant to Article V, Section 1 of the State Constitution and New York Office of the State Comptroller’s (OSC) authority as set forth in Article 3 of the New York State General Municipal Law (GML). Our methodology and standards are included in Appendix D.
The Board has the responsibility to initiate corrective action. A written corrective action plan (CAP) that addresses the findings and recommendations in this report should be prepared and provided to our office within 90 days, pursuant to GML Section 35. For more information on preparing and filing your CAP, please refer to our brochure, Responding to an OSC Audit Report, which you received with the draft audit report. We encourage the Board to make the CAP available for public review in the Clerk’s office.
[1] PPSI is any information to which unauthorized access, disclosure, modification, destruction or use – or disruption of access or use – could have or cause a severe impact on critical functions, employees, customers, third parties or other individuals or entities.
