Access Controls and Vulnerability Management

Issued Date: October 02, 2025
Agency/Authority: Hudson River Valley Greenway

Objective

To determine whether Hudson River Valley Greenway’s (HRVG) access controls and vulnerability management over critical systems are sufficient to minimize the various risks associated with unauthorized access to systems and data. The audit covered the period from January 2025 to July 2025.

About the Program

HRVG’s mission is to continue and advance the State’s commitment to the preservation, enhancement and development of the world-renowned scenic, natural, historic, cultural and recreational resources of the Hudson River Valley while continuing to emphasize economic development activities and remaining consistent with the tradition of municipal home rule.

The Hudson River Valley Greenway Act, signed into law on December 31, 1991, aimed to protect and enhance the unique scenic, natural, and cultural resources of the Hudson River Valley while promoting economic development. It established a cooperative planning approach involving various stakeholders to ensure sustainable development and conservation. The Hudson River Valley Greenway Act created a process for voluntary regional cooperation among 324 communities within 14 counties that border the Hudson River.

HRVG is an agency hosted by the Office of Information Technology Services (ITS). As a hosted agency, HRVG has its own computer systems while ITS handles all internet needs. HRVG is responsible for managing grants with a particular emphasis on those related to planning and compaction, along with initiatives for trails, water trails, and heritage development. HRVG uses an online grant platform that streamlines the entire grant process of applying for, deciding on, awarding, and managing grants. HRVG must adhere to New York State ITS standards, policies, and guidelines, including the IT standards on vulnerability management, account management, and authentication.

Key Findings

We identified areas where HRVG could improve certain security controls to minimize the various risks associated with unauthorized access to its systems and data. Due to the confidential nature of our audit findings, we communicated the details of these findings with three recommendations in a separate, confidential report to the HRVG officials for their review and comment. HRVG officials generally agreed with our findings and indicated actions to implement our recommendations.

Key Recommendation

Implement the three recommendations included in our confidential preliminary report.

State Government Accountability Contact Information:
Audit Director: Nadine Morrell
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236