Audit Objective
Did Village of Hudson Falls (Village) officials adequately secure and protect information technology (IT) systems against unauthorized use, access and loss?
Audit Period
June 1, 2023 – September 30, 2024
We extended our audit period through October 8, 2024 to observe physical security over IT assets at the Village.
Understanding the Program
Village officials and employees use Village-owned IT assets (e.g., computers, laptops and tablets) to perform day-to-day operations and access and store information collected by the Village. The Village relies on its IT systems (including its IT assets and network) for Internet access and email, and to maintain various records, such as financial and personnel records and evidence files for the police department, that may contain personal, private or sensitive information (PPSI).1 If an IT system is compromised, the results could range from inconvenient to catastrophic and may require extensive effort and resources to evaluate, repair and rebuild.
The Village pays two outside IT vendors to provide IT services, including IT support, antivirus monitoring, network management and other IT-related services.
Audit Summary
The Village Board (Board) and officials did not establish adequate controls to safeguard IT systems or develop adequate IT policies or procedures. In addition, the Board did not develop and adopt an IT contingency plan to help minimize the risk of data loss or suffering a serious interruption of services, periodically test backups or provide IT security awareness training. As a result, Village officials cannot be assured that Village IT systems are secured and protected against unauthorized use, access and loss, and there is an increased risk that officials could lose important data and suffer a serious interruption in operations.
For example, officials did not monitor employee Internet use. Although a June 2001 memo prohibited employees from using Village-owned computers for personal purposes, neither officials nor employees were aware of the memo, and it was not enforced. Our review of the Internet histories of seven employees found that all seven had used Village computers for personal purposes, such as shopping, social media, streaming and entertainment, personal email and finances, food, and personal health and fitness.
In addition, the Board paid two IT vendors for IT services totaling $31,333 during our audit period but did not enter into a written contract or service level agreement (SLA) with the IT vendors that described specific IT services to be provided. Officials did not monitor the services provided by one IT vendor to ensure all the services outlined in the annual invoice were provided.
While the Village’s IT assets we examined were physically secured, the server and physical backups were not properly protected from water damage that occurred due to roof construction at the Village Hall. Backups kept in the same location as the server are exposed to the same physical event as the data they are meant to restore. Weaknesses in policies, oversight and other internal controls increase the risk that hardware or software systems may be lost, damaged or compromised by unauthorized or inappropriate access and use.
Sensitive IT control weaknesses were communicated confidentially to officials.
The report includes nine recommendations that, if implemented, will improve the Village’s IT practices to protect against unauthorized use, access and loss. Village officials generally agreed with our findings and indicated they plan to initiate corrective action.
We conducted this audit pursuant to Article V, Section 1 of the State Constitution and the State Comptroller’s authority as set forth in Article 3 of the New York State General Municipal Law. Our methodology and standards are included in Appendix C.
The Board has the responsibility to initiate corrective action. A written corrective action plan (CAP) that addresses the findings and recommendations in this report should be prepared and provided to our office within 90 days, pursuant to Section 35 of the New York State General Municipal Law. For more information on preparing and filing your CAP, please refer to our brochure, Responding to an OSC Audit Report, which you received with the draft audit report. We encourage the Board to make the CAP available for public review in the Clerk’s office.
1 PPSI is any information to which unauthorized access, disclosure, modification, destruction or use – or disruption of access or use – could have or cause a severe impact on critical functions, employees, customers, third-parties or other individuals or entities.