Purpose of Audit

The purpose of our audit was to examine IT controls over the Village’s electronic data and computer resources and the Water Department’s system for the period January 1 through October 31, 2014.

Background

The Village of Ilion is located in the Towns of German Flatts and Frankfort, Herkimer County, and has a population of approximately 8,000. The Village is governed by an elected five-member Board of Trustees. Budgeted appropriations for the 2014-15 fiscal year total approximately $13.6 million.

Key Findings

• The Village experienced two information technology (IT) incidents in 2014 initiated by falsified email messages with a malware attachment that, when opened by employees, converted stored Village data into an encrypted, unreadable format.
• The Village’s disaster recovery plan did not provide for sufficiently frequent backup of critical data and did not include steps to take upon occurrence of IT incidents.
• The Village did not have a breach notification policy or local law requiring notification of affected parties when there is a security breach relating to private information.
• The Village has not established a process for staying current on water system cybersecurity threats.

Key Recommendations

• Provide IT security awareness training to all Village employees, including how to recognize and respond to falsified email messages and the risks of inappropriate Internet use.
• Update and periodically test the disaster recovery plan.
• Adopt a breach notification policy or local law consistent with the requirements of State Technology Law.
• Implement processes for the Water Department to receive and assess security alerts from professional organizations.