Town of Horseheads – Information Technology (2025M-109)

Issued Date
February 27, 2026


Audit Objective

Did Town of Horseheads (Town) officials adequately manage network and local user accounts, develop an information technology (IT) contingency plan, and provide adequate IT security awareness training to staff?

Audit Period

January 1, 2024 – January 21, 2025

We extended our audit period through March 26, 2025, to review documentation supporting whether data backups were occurring.

Understanding the Audit Area

Town officials must manage network and local user accounts, create IT contingency plans and provide IT security awareness training. Security awareness training helps protect personal, private and sensitive information (PPSI)1 by teaching personnel cybersecurity best practices and how to recognize the signs of a security incident, which can significantly reduce the likelihood that a cyberattack, such as a phishing attempt, succeeds. Unmanaged user accounts are potential entry points for attackers and other unauthorized individuals, and if an account is compromised, the lack of a contingency plan can paralyze a town’s operations. Security awareness training is also a compensating control: in the event of a successful attack, it prepares personnel to respond in a practiced and cohesive way, reducing the resulting harm, such as data breaches or financial loss. These measures are essential components of a robust cybersecurity control environment, which is vital for effective and responsible governance, helps safeguard against financial loss and ensures that critical functions continue.

In calendar year 2024, the Town paid an outside IT vendor $14,790 to provide IT services, including IT support, network setup and maintenance, endpoint protection, managing user accounts and permissions, and other IT-related services. The Town had 28 enabled network user accounts and five enabled local user accounts on the four computers reviewed.

Audit Summary

Town officials did not adequately manage network and local user accounts, develop and adopt a written IT contingency plan, or provide IT security awareness training to staff. Although the Town Board (Board) paid $14,790 to an IT vendor for IT-related services, it cannot be assured that the Town’s IT systems are secured against unauthorized use and access, or that critical data would be preserved if operations were interrupted, because Town officials lack the written guidance needed to minimize potential damage and restore operations. The Board and Town officials did not:

  • Adequately manage all network and local user accounts, 
  • Enter a written contract or service level agreement (SLA) with the IT vendor, 
  • Develop and adopt a written IT contingency plan, or 
  • Provide adequate IT security awareness training to staff. 

The report includes five recommendations that, if implemented, will improve Town officials’ oversight of IT processes. Sensitive IT control weaknesses were communicated confidentially to Town officials. Town officials generally agreed with our recommendations and their response is included in Appendix B.

We conducted this audit pursuant to Article V, Section 1 of the State Constitution and the State Comptroller’s authority as set forth in Article 3 of the New York State General Municipal Law (GML). Our methodology and standards are included in Appendix C.

The Board has the responsibility to initiate corrective action. A written corrective action plan (CAP) that addresses the findings and recommendations in this report should be prepared and provided to our office within 90 days, pursuant to Section 35 of GML. For more information on preparing and filing your CAP, please refer to our brochure, Responding to an OSC Audit Report, which you received with the draft audit report. We encourage the Board to make the CAP available for public review in the Town Clerk’s office.


1 PPSI is any information to which unauthorized access, disclosure, modification, destruction or use – or disruption of access or use – could have or cause a severe impact on critical functions, employees, customers, third parties or other individuals or entities.