Security Over Critical Systems

Issued Date: January 28, 2026
Agency/Authority: Natural Heritage Trust

Objective

To determine whether the Natural Heritage Trust's access controls and vulnerability management over critical systems are sufficient to minimize the various risks associated with unauthorized access to systems and data.

About the Program

The Natural Heritage Trust (NHT) is a non-profit public benefit corporation of New York State, established in 1968. NHT’s mission is to receive and administer gifts, grants, devises, and bequests of real and personal property to further conservation, outdoor recreation, historic preservation, and waterfront and community revitalization. NHT accomplishes its mission by facilitating private investment and ensures safekeeping, prudent investment, and appropriate expenditure of funds on cooperative programs and projects with its agency partners: the Office of Parks, Recreation and Historic Preservation; Department of Environmental Conservation; and Department of State. NHT also partners with other public and private entities, not-for-profits, and groups that share mission-compatible goals and purposes. NHT is governed by a four-member Board of Directors dedicated to supporting projects and programs that improve State park facilities, enhance access to outdoor recreation and environmental education, preserve historic and cultural assets, and protect natural resources.

On October 2, 2025, the Trust had 52 employees on its payroll, including seven administrative staff responsible for core operations, which encompass fundraising and donor relations, banking, accounting, investment management, compliance, payroll, and benefits; and 45 program staff from partner agencies.

NHT launched its own stand-alone, vendor-hosted website in June 2021 to enhance the user and administrator experience, and it uses a fundraising database to track donor and donation information. Additionally, NHT uses customized donation forms on its website.

Key Findings

We identified areas that NHT could improve to minimize the risks associated with unauthorized access to its systems and data, including governance over Payment Card Industry Data Security Standard requirements, as well as security controls. Due to the confidential nature of our audit findings, we communicated the details of these findings with four recommendations in a separate, confidential report to NHT officials for their review and comment.

Key Recommendation

Implement the four recommendations included in our confidential draft report.

State Government Accountability Contact Information:
Audit Director: Nadine Morrell
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236