The NYS Controller’s Office has released another audit that looks at information technology security – this time it’s the Village of Westbury on Long Island. The audit covered the period June 1, 2011 — November 30, 2012. Here are some snippets from their report:
We examined controls over the Village’s computerized financial operations and found that Village officials have not developed comprehensive policies and procedures to protect critical financial data. The Village has a Computer Network and Internet Usage policy that addresses unacceptable uses of the Village’s computer system, but it does not adequately address all major areas of IT operations. Village officials have not established sufficient internal controls over key components of the Village’s IT system, including the safeguarding of computerized financial data against unauthorized access or potential loss in the event of a disaster, the monitoring of remote access users and the security of the server room.
To ensure proper segregation of duties and internal controls, the computer system should allow users access to certain functions based on their job descriptions and responsibilities. To control electronic access, a computer system or application needs a process to identify the user and establish relationships between the user and a network, computer or application. Access controls can prevent users from being involved in multiple aspects of financial transactions and can help ensure that users are restricted from unauthorized areas where they can intentionally or unintentionally destroy or change critical financial data.
[…]
The Village has not established policies and procedures that address how remote access is granted and who should have remote-access privileges. The Village provides remote access to a software vendor upon request; however, the Village’s accountant and IT consultant, both independent contractors, have open access allowing them to access the Village’s network and financial software at any time without restriction. There are currently no controls in place such as user authorization or monitoring.
Even though remote activities are automatically logged, they are reviewed by the IT consultant, who is one of the remote-access users, rather than a Village employee or official. In addition, there are no written agreements between the Village and the remote-access users outlining policies and remote-access rules.
Read the full audit report here (pdf). The Village did not agree with all of the state’s recommendations and their responses are included in an appendix to the report.