Objective
To assess the extent of implementation of the one recommendation included in our initial audit report, Security Over Critical Systems (Report 2023-S-24).
About the Program
The Hudson River–Black River Regulating District (HRBRRD) is a New York State public benefit corporation whose mission is to construct, maintain, and operate reservoirs in the upper Hudson River and Black River watershed, including the Sacandaga, Indian, Black, Moose, and Beaver Rivers, for the purpose of regulating the flow of streams or rivers when required by public welfare, including public health and safety.
HRBRRD must adhere to the Office of Information Technology Services’ (ITS) policies, including ITS’ Information Security Policy and Acceptable Use Policy, for its IT assets. Additionally, HRBRRD is responsible for adhering to provisions in the Department of Environmental Conservation or Federal Energy Regulatory Commission regulations. HRBRRD must also abide by Payment Card Industry Data Security Standards (PCI DSS) and must complete a self-assessment of its compliance with these standards because it accepts credit card payments for access permits to use the land surrounding the Great Sacandaga Lake.
The objective of our initial audit, issued January 3, 2024, was to determine whether security over HRBRRD’s critical systems was sufficient to minimize the various risks associated with unauthorized access to systems and data. Our audit covered the period from June 2023 through October 2023. Overall, we found HRBRRD demonstrated effort and timeliness in addressing security issues as they arose. Further, HRBRRD had generally taken appropriate steps to secure processes and systems used to accept credit card payments. However, we identified areas in which HRBRRD could improve to better meet PCI DSS requirements, including documenting certain policies and procedures.
Key Finding
HRBRRD officials made significant progress in addressing the problem we identified in the initial audit report, having implemented the one recommendation from the initial report.
State Government Accountability Contact Information:
Audit Director: Nadine Morrell
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236