DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

NYS Comptroller finds IT security deficits in towns of Babylon and Salina

Posted on December 2, 2013 by Dissent

Every so often I post audit reports from the NYS Comptroller’s Office.   Last week, the office posted two completed audits worth noting here:

The Town of Babylon was audited for the period January 1, 2011 — July 31, 2012. In addition to significant concerns about the town’s financial health conditions and other matters, one of the audit’s findings was that:

Finally, the Board has not adopted a comprehensive computer use policy, breach notification policy, or formal disaster recovery plan. In addition, users of the financial software have access rights to sections of the software that are not necessary for their job duties. As a result, the Town’s IT system and electronic data are susceptible to an increased risk of loss, misuse, and manipulation.

The Comptroller offered four recommendations for Babylon:

  • Town officials should adopt a comprehensive computer policy addressing key security issues such as data and virus protection, password security, disposal and sanitizing of equipment, and remote access.
  • Town officials should adopt an information breach notification policy.
  • Town officials should establish a formal disaster recovery plan that provides guidance to maintain Town operations or restore data as quickly as possible in the event of a disaster.
  • Town officials should monitor users’ access to the Town’s financial software and restrict access to what the users need to perform their job responsibilities.

You can access the full audit report here (pdf).

The Comptroller also audited the Town of Salina for the period January 1, 2011 — March 31, 2013 on Information Technology. From the report:

The Board has not established policies and procedures related to PPSI and sanitizing computer equipment onsite before disposal. In addition, the Board has not instituted policies and procedures to protect data resources. Town officials do not maintain a complete and accurate computer inventory and have not developed an IT disaster recovery plan. Because of these weaknesses, IT assets are at risk for unauthorized, inappropriate or wasteful use. Additionally, in the event of an IT disaster or breach, there is no formal plan of what action Town officials should take to restore service or notify those whose personal information has been compromised.

[…]

The Board has not adopted written policies related to the retention and safeguarding of PPSI [Personal, Private and Sensitive Information] and does not have a written data classification scheme. There is no policy to address the necessary procedures for the removal of sensitive data from computers and other electronic equipment scheduled for disposal. When Town officials determine that computer and other electronic equipment are no longer needed, they usually move the equipment to a storage room in the Town municipal building. When the room fills up, a maintenance department worker takes the equipment to a third-party vendor hired to recycle the equipment (recycler) for disposal. Town officials do not sanitize the computer hard drives prior to disposal; instead, they rely on the recycler to do the sanitizing. The recycler resells disposed devices and sends unsalvageable devices to the scrap yard. The Town does not have an agreement with the recycler that defines the level of service the recycler will provide and addresses the data protection expectations of the Town. A representative of the recycler told us that Town officials must request sanitization of the computer hard drives at the time they are dropped off or they are sold “as is.”

We found an external hard drive that was awaiting disposal in the equipment storage room and determined that it included PPSI and records related to Town employees, such as social security numbers, dates of birth, license numbers, addresses and personnel matters related to suspensions and termination of employment. Town officials cannot be sure that the hard drive would have been wiped clean at the Town’s next disposal process, as the Town does not sanitize IT equipment prior to turning it over to the recycler, and the recycler does not sanitize external hard drives unless requested.

In addition, there is no reconciliation between what is removed from inventory and what is actually disposed of through the recycler. The maintenance department worker prepares a disposal list when he takes the items to the recycler; however, the Deputy Comptroller said that she just takes the disposal list and puts it in a folder after the equipment is taken to the recycler. Also, the disposal records do not contain enough information to properly identify the exact computers that are being disposed and some items were listed in the disposal records more than once. Because of these weaknesses, there is an increased risk that the equipment can be disposed of in an improper

There’s more, but it’s painful to even keep reading it, so you can access the full audit report here (pdf).

Category: Commentaries and AnalysesGovernment Sector

Post navigation

← FTC to Host Spring Seminars on Emerging Consumer Privacy Issues
Wisconsin man sentenced in Kansas for participating in Anonymous DDoS attack on Koch Industries →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.