Audit Objective
Did the Town of Plattekill (Town) Town Board (Board) and Town Supervisor (Supervisor) adequately manage the Town’s network user accounts and develop adequate controls to safeguard information technology (IT) resources?
Audit Period
January 1, 2023 – August 12, 2024
We extended our audit period through October 8, 2024, for observations of certain IT controls communicated confidentially to Town officials.
Understanding the Audit Area
Town officials must manage network user accounts and develop adequate controls to minimize the risk of unauthorized use, access and loss. Network user accounts are potential entry points for attackers because, if compromised, they could be used to inappropriately access and view personal, private, sensitive information (PPSI)[1] on the network, make unauthorized changes to official town records or deny legitimate access to network resources. Adequate controls, like security awareness training, can help reduce the risks of attack by preparing personnel to respond in a practiced and cohesive way. These measures are essential components of a robust cybersecurity control environment, which is vital for effective and responsible governance, and helps safeguard resources against financial loss and ensure critical functions continue.
The Town paid a third-party IT service provider $5,928 during the audit period for IT services upon request, including IT support, network setup and maintenance, and other IT-related services, for the Town’s 28 enabled network user accounts.
Audit Summary
The Board and Supervisor did not adequately manage network user accounts or develop adequate controls to safeguard IT resources. As a result, the Board and Supervisor cannot be assured that Town IT systems are secured and protected against unauthorized use, access and loss, and there is an increased risk that officials could lose important data and suffer a serious interruption in operations. Weaknesses in policies, oversight and other internal controls increase the risk that network user accounts and hardware or software systems may be lost, damaged or compromised.
We determined the Board and Supervisor did not:
- Disable 14 unneeded network user accounts that were assigned to former Town employees with separation dates between November 17, 2016, and December 31, 2023.
- Develop and adopt a breach notification policy as required by New York State Technology Law (Technology Law) Section 208.
- Develop and adopt an IT contingency plan for unexpected IT disruptions or disasters.
- Require all employees to take IT security awareness training.
- Enter into a written contract or service level agreement (SLA) with the Town’s IT service provider.
Sensitive IT control weaknesses were communicated confidentially to officials.
The report includes six recommendations that, if implemented, will improve the Town’s IT practices over network user accounts and safeguarding IT resources. Town officials generally agreed with our recommendations, and their response is included in Appendix B.
We conducted this audit pursuant to Article V, Section 1 of the State Constitution and the Office of the New York State Comptroller’s (OSC) authority as set forth in Article 3 of the New York State General Municipal Law (GML). Our methodology and standards are included in Appendix C.
The Board has the responsibility to initiate corrective action. A written corrective action plan (CAP) that addresses the findings and recommendations in this report should be prepared and provided to our office within 90 days, pursuant to Section 35 of GML. For more information on preparing and filing your CAP, please refer to our brochure, Responding to an OSC Audit Report, which you received with the draft audit report. We encourage the Board to make the CAP available for public review in the Clerk’s office.
[1] PPSI is any information to which unauthorized access, disclosure, modification, destruction or use – or disruption of access or use – could have or cause a severe impact on critical functions, employees, customers, third parties or other individuals or entities.