Objective
To determine whether the Rochester-Genesee Regional Transportation Authority (RGRTA) was complying with requirements to maintain its systems at vendor-supported levels. The audit covered the period January 1, 2019 through April 3, 2019.
About the Program
RGRTA is a regional transportation authority established by New York State to provide safe, reliable, and convenient public transportation to customers in eight counties (Monroe, Genesee, Livingston, Ontario, Orleans, Seneca, Wayne, and Wyoming). RGRTA has more than 900 employees, including an information technology (IT) department that operates out of its main office. RGRTA owns IT resources including desktops/workstations, servers, and databases used to help carry out its mission.
As a public benefit corporation, RGRTA must adhere to the State Information Security Policy (Policy) established by the State Office of Information Technology Services (NYS ITS). The Policy defines the minimum information security requirements that all State entities (including all public benefit corporations) must follow to secure and protect the confidentiality, integrity, and availability of information. This includes requirements for ensuring systems are maintained at vendor-supported levels (i.e., systems continue to be updated and patched by the system’s vendor).
Key Findings
- We determined that, generally, RGRTA maintained its systems at vendor-supported levels. However, we did identify unsupported systems used by RGRTA on 14 devices.
- The unsupported systems on 6 of the 14 devices (43 percent) were the responsibility of third-party vendors. In these cases, we determined that RGRTA was not providing sufficient oversight of those vendors to ensure they were meeting their obligations to keep systems up to date. Generally, RGRTA officials agreed with our recommendations and indicated they will take actions to implement them.
Key Recommendations
- Take steps to ensure that systems are maintained at vendor-supported levels including:
- Developing policies and procedures related to software updates and vulnerability analysis.
- Monitoring vendors to ensure they are keeping the systems they are responsible for up to date.
- Implement the remaining recommendation detailed in the preliminary report.
Brian Reilly
State Government Accountability Contact Information:
Audit Director: Brian Reilly
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236