Objective

To determine whether CDTA’s access controls and vulnerability management over critical systems are sufficient to minimize the various risks associated with unauthorized access to systems and data. The audit covered the period from January 2024 through November 2025.

About the Program

CDTA was created by the New York State Legislature in 1970 to provide transportation services to the Capital Region and is the primary transportation provider in the area, providing multiple bus services, shuttle systems, and paratransit services (for riders with disabilities) across Albany, Montgomery, Rensselaer, Saratoga, Schenectady, and Warren counties. Additionally, CDTA subsidiaries own and operate the Rensselaer Rail and Saratoga Springs train stations and the Northway Xpress (NX) commuter service between Saratoga County and downtown Albany. CDTA also operates the regional bike-share program, CDPHP Cycle, and a car share program, DRIVE. CDTA had an approximate workforce of 806 employees in 2025.

CDTA’s mission is to provide mobility solutions that connect the region’s communities by increasing transit ridership and revenue, improving the transportation network, retaining a high-quality workforce, and identifying appropriate funding sources. CDTA is governed by a board of directors. The Chief Operating Officer (COO) oversees technical services and information systems, including activities to protect CDTA’s electronic information assets, information systems, and services. To safeguard against unauthorized access, CDTA adheres to key requirements and guidelines, including Payment Card Industry Data Security Standards (PCI-DSS), National Institute of Standards and Technology (NIST) standards, and its internal policies and standards.

Key Findings

We identified areas where CDTA could improve certain security controls to minimize the various risks associated with unauthorized access to its systems and data. Due to the confidential nature of our audit findings, we communicated the details of these findings in a separate, confidential report to CDTA officials. CDTA officials agreed with our findings and indicated actions to implement our recommendation.

Key Recommendations

Implement the recommendation included in our confidential preliminary report.