DataBreaches.Net

Town of Saugerties: Information Technology Audit by NYS Comptroller’s Office Reveals Serious Problems

Posted on August 18, 2015 by Dissent

From the audit report, some background first:

The Town contracts for IT services with an independent contractor. The contractor’s duties include performing all significant maintenance and hardware installations, and providing technical support and expert advice on the upgrade of the entire IT environment. The Town uses computerized applications to perform essential tasks including processing financial information, Police and Town Clerk services, and Building Department transactions. The Town has approximately 77 computers, 24 laptops and two main servers.

The objective of our audit was to determine whether the Town’s IT assets were adequately safeguarded. Our audit addressed the following related question:

• Are internal controls over IT appropriately designed and operating effectively?

From the findings, some of which were too sensitive to spell out in a public report:

There are 94 user accounts on the Town’s server and 96 user accounts on the Police Department’s server. We found 51 inactive user accounts (25 on the Town’s server and 26 on the Police Department’s server); nine of these inactive users are no longer employed by the Town and should be disabled. Of the remaining 42 inactive accounts, 20 are generic user names, meaning the account is not associated with a unique individual (based on the common name defined on the account). The use of generic accounts can prevent the Town from tracing a suspicious activity to a specific individual, thus presenting difficulties in holding the responsible user accountable for any inappropriate actions. The remaining 22 accounts have not had any activity from December 2008 through February 2015 (60 days from April 1, 2015, the most recent date reviewed).

The Board does not review user access on an ongoing basis and needs to restrict administrative rights to those who need them to perform their jobs. It is anticipated that when the Town purchases a new server, a new domain will be constructed. At that time, Town officials plan to review all current users and access will be granted based on current job responsibilities.

[…]

Although the Town has established an acceptable use policy, Town officials were not able to demonstrate that users were aware of the policy. The acceptable use policy has an acknowledgment page that employees must sign to indicate they understand and will comply with the policy. We reviewed the computer activity for nine users. Town officials could not provide us with a signed acknowledgment of the acceptable use policy for any of these users. Town officials did not realize that this acknowledgment was not on file in the Town office. Without the users’ awareness of such a policy, there is no requirement in place to ensure that computers are used in an appropriate and secure manner, which could potentially expose the Town to malicious attacks or compromise systems and data.

Further, of the nine users reviewed, we found evidence of personal use on two computers, and three computers had personal websites bookmarked in their favorites. The users visited sites that had no Town business purpose, including sites for social networking, personal email, motorsports, shopping and entertainment.

[…]

The Board has not developed a written computer security plan. The lack of a formal security policy leaves the Town vulnerable to the risks associated with individual use, including viruses, spyware and other forms of malicious software that could potentially be introduced through non-work-related websites or programs. The Town’s IT assets are more susceptible to loss or misuse when users are not aware of security risks and practices necessary to reduce those risks.

And there’s more that will have you either muttering to yourself or banging your head on the nearest desk.

Access the full audit report here (pdf).
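The account finding above is, in practice, a query over a directory export: which enabled accounts have had no logon inside the review window, and of those, which belong to people who have left, which are not tied to a named individual, and which are simply stale. As an added example that is neither the audit's nor the site's own code, the script below applies those three criteria to a constructed account export. The 60-day window and the April 1, 2015 reference date come from the audit; the sample accounts and the keyword heuristic for "generic" names are my own assumptions (a real review would check each common name against the HR roster, as the auditors did).

```python
"""Dormant-account review in the audit's terms (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Hypothetical heuristic: common-name fragments that mark an account as a
# shared or role account rather than one tied to a named individual. This
# only stands in for the HR-roster lookup a real review would perform.
GENERIC_KEYWORDS = ("shared", "frontdesk", "desk", "station", "temp", "kiosk", "generic")

# Review window and reference date taken from the audit (60 days from April 1, 2015).
INACTIVITY_WINDOW_DAYS = 60
AS_OF = date(2015, 4, 1)


@dataclass
class Account:
    username: str
    common_name: str            # "" when no owner name is recorded on the account
    last_logon: Optional[date]  # None when the account has never logged on
    enabled: bool
    still_employed: bool        # from the HR roster; True for shared/service accounts


def is_generic(acct: Account) -> bool:
    """Generic = not associated with a unique individual (the audit's definition)."""
    name = acct.common_name.strip().lower().replace(" ", "")
    if not name:
        return True
    return any(keyword in name for keyword in GENERIC_KEYWORDS)


def is_inactive(acct: Account, as_of: date, window_days: int) -> bool:
    """Inactive = no logon inside the review window ending at `as_of`."""
    if acct.last_logon is None:
        return True
    return (as_of - acct.last_logon) > timedelta(days=window_days)


def review_accounts(accounts: List[Account], as_of: date,
                    window_days: int = INACTIVITY_WINDOW_DAYS) -> Dict[str, List[str]]:
    """Sort enabled, inactive accounts into the audit's three buckets.

    Already-disabled accounts are out of scope (the audit's recommendation has
    been applied to them). The three buckets partition the inactive list, so
    their sizes add up the way the report's 9 + 20 + 22 = 51 does.
    """
    result: Dict[str, List[str]] = {"inactive": [], "former_employee": [], "generic": [], "stale": []}
    for acct in accounts:
        if not acct.enabled or not is_inactive(acct, as_of, window_days):
            continue
        result["inactive"].append(acct.username)
        if not acct.still_employed:
            result["former_employee"].append(acct.username)  # action: disable
        elif is_generic(acct):
            result["generic"].append(acct.username)          # cannot be traced to one person
        else:
            result["stale"].append(acct.username)            # unused personal account
    return result


# Constructed sample export (not real Town of Saugerties accounts).
SAMPLE_ACCOUNTS = [
    Account("jsmith",    "Jane Smith", date(2015, 3, 28), True,  True),   # active
    Account("bjones",    "Bob Jones",  date(2014, 11, 2), True,  False),  # left the Town, still enabled
    Account("frontdesk", "Front Desk", date(2013, 6, 15), True,  True),   # shared account
    Account("pdoe",      "Pat Doe",    date(2008, 12, 1), True,  True),   # no logon for years
    Account("tempuser",  "",           None,              True,  True),   # no owner name, never used
    Account("amiller",   "Ann Miller", date(2015, 2, 10), True,  True),   # 50 days: inside the window
    Account("rlee",      "Ray Lee",    date(2015, 1, 20), True,  True),   # 71 days: outside the window
    Account("old_admin", "Old Admin",  date(2012, 5, 5),  False, False),  # already disabled
]


def run_sample_review() -> Dict[str, List[str]]:
    """Run the review over the constructed export with the audit's window and date."""
    return review_accounts(SAMPLE_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for bucket, names in run_sample_review().items():
        print(f"{bucket:16s} {len(names):2d}  {', '.join(names)}")
```

The weak link is `is_generic`: a keyword list catches obvious shared accounts but not a generic account that was given a plausible-looking name, which is why the auditors tied each common name back to a specific person. The other two tests are mechanical, and running them on a schedule, rather than waiting for a new domain, is what the audit's "ongoing basis" recommendation amounts to.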
