Objective
To determine whether The Egg complies with the Payment Card Industry Data Security Standard and whether its access controls and vulnerability management over critical systems are sufficient to minimize the various risks associated with unauthorized access to systems and data. The audit covered the period from January 2025 through March 2026.
About the Program
The Nelson A. Rockefeller Empire State Plaza Performing Arts Center Corporation was created by the New York State Legislature in 1979 to operate the performing arts center housed within The Egg, which is part of the Nelson A. Rockefeller Empire State Plaza complex in Albany. For the purposes of this report, the audited entity will be referred to as “The Egg.” The Egg’s mission is to “present quality performances, accessible to all citizens of New York State, highlighting the unique and extraordinary artists from New York State, across the country and around the globe.”
The Egg is governed by a board of directors composed of eight members and a chairperson, who is designated by the Executive. Currently, The Egg has approximately 10 full-time and 15 part‑time employees.
To fulfill its mission, The Egg utilizes 11 systems (one of which is no longer in use) to support its network and operations. To ensure the security of its systems, The Egg has developed an “IT Policies and Procedures 2025” document, which covers user access, vulnerability management, network security, critical systems, and incident response. Additionally, The Egg is subject to New York State Office of Information Technology Services (ITS) policies and standards under Executive Order 117. Further, to process credit cards, The Egg must follow the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of technical and operational rules created to protect credit and debit card data from breaches and fraud. It applies to all organizations that store, process, or transmit cardholder data.
Key Findings
We identified areas where The Egg could improve certain security controls to minimize the various risks associated with unauthorized access to its systems and data. Due to the confidential nature of our findings, we communicated the details of these findings, along with the recommendations, in a separate, confidential preliminary report to The Egg’s officials for their review and comment. The Egg officials agreed with our findings and indicated actions they will take to implement our recommendations.
Key Recommendations
Implement the three recommendations included in our confidential preliminary report.
Nadine Morrell
State Government Accountability Contact Information:
Audit Director: Nadine Morrell
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236