Town of Ithaca. Information Technology. Report of Examination. Thomas P. DiNapoli. Period Covered: January 1, 2015 - December 22, 2016. 2017M-52

OFFICE OF THE NEW YORK STATE COMPTROLLER
DIVISION OF LOCAL GOVERNMENT & SCHOOL ACCOUNTABILITY

Town of Ithaca
Information Technology
Report of Examination
Period Covered: January 1, 2015 - December 22, 2016
2017M-52
Thomas P. DiNapoli

Table of Contents

AUTHORITY LETTER  Page 1
INTRODUCTION  2
  Background  2
  Objective  2
  Scope and Methodology  2
  Comments of Local Officials and Corrective Action  3
INFORMATION TECHNOLOGY  4
  IT Policy  4
  Security Awareness Training  5
  Computer Hardware Inventory  5
  Contingency Planning  6
  Recommendations  7
APPENDIX A  Response From Local Officials  8
APPENDIX B  Audit Methodology and Standards  10
APPENDIX C  How to Obtain Additional Copies of the Report  11
APPENDIX D  Local Regional Office Listing  12

State of New York
Office of the State Comptroller
Division of Local Government and School Accountability
June 2017

Dear Town Officials:

A top priority of the Office of the State Comptroller is to help local government officials manage government resources efficiently and effectively and, by so doing, provide accountability for tax dollars spent to support government operations. The Comptroller oversees the fiscal affairs of local governments statewide, as well as compliance with relevant statutes and observance of good business practices. This fiscal oversight is accomplished, in part, through our audits, which identify opportunities for improving operations and Town Board governance. Audits also can identify strategies to reduce costs and to strengthen controls intended to safeguard local government assets.

Following is a report of our audit of the Town of Ithaca, entitled Information Technology. This audit was conducted pursuant to Article V, Section 1 of the State Constitution and the State Comptroller's authority as set forth in Article 3 of the New York State General Municipal Law.

This audit's results and recommendations are resources for local government officials to use in effectively managing operations and in meeting the expectations of their constituents. If you have questions about this report, please feel free to contact the local regional office for your county, as listed at the end of this report.

Respectfully submitted,
Office of the State Comptroller
Division of Local Government and School Accountability

DIVISION OF LOCAL GOVERNMENT AND SCHOOL ACCOUNTABILITY 1

Introduction

Background

The Town of Ithaca (Town) is located in Tompkins County and has approximately 20,000 residents. The elected, seven-member Town Board (Board) is the legislative body responsible for managing Town operations. The Town Supervisor (Supervisor) is a member of the Board and serves as the Town's chief executive officer and chief fiscal officer. The Supervisor is generally responsible for the administration and supervision of the Town's day-to-day fiscal operations.

The Town uses network and Internet resources to support certain business operations, such as communicating, maintaining Town records, performing online banking transactions and maintaining financial records, including personal, private and sensitive information (PPSI). The network/record specialist (specialist) is responsible for managing network security and data. Town officials are responsible for creating and implementing information technology (IT) policies to help ensure security is maintained over the network and data.

The Town provides various services to its residents, including street maintenance and improvements, snow removal, parks and recreation and general government support. The Town's 2017 budgeted appropriations totaled approximately $25 million, funded primarily with real property taxes, water and sewer fees and sales tax.

Objective

The objective of our audit was to assess the Town's IT policies and procedures. Our audit addressed the following related question: Have Town officials taken action to identify and correct IT deficiencies?

Scope and Methodology

We examined the Board's oversight of IT assets and computerized data for the period January 1, 2015 through December 22, 2016. Our audit also examined the adequacy of certain IT controls. Because of the sensitivity of some of this information, we did not discuss the results in this report, but instead communicated them confidentially to Town officials.

We conducted our audit in accordance with generally accepted government auditing standards (GAGAS). More information on such standards and the methodology used in performing this audit are included in Appendix B of this report. Unless otherwise indicated in this report, samples for testing were selected based on professional judgment, as it was not the intent to project the results onto the entire population. Where applicable, information is presented concerning the value and/or size of the relevant population and the sample selected for examination.

2 OFFICE OF THE NEW YORK STATE COMPTROLLER

Comments of Local Officials and Corrective Action

The results of our audit and recommendations have been discussed with Town officials, and their comments, which appear in Appendix A, have been considered in preparing this report. Town officials generally agreed with our recommendations.

The Board has the responsibility to initiate corrective action. A written corrective action plan (CAP) that addresses the findings and recommendations in this report should be prepared and forwarded to our office within 90 days, pursuant to Section 35 of General Municipal Law. For more information on preparing and filing your CAP, please refer to our brochure, Responding to an OSC Audit Report, which you received with the draft audit report. We encourage the Board to make this plan available for public review in the Town Clerk's office.

Information Technology

The Town's IT system is a valuable and essential part of operations, used for accessing the Internet, communicating by email, processing and storing data and maintaining financial records and reports. IT controls are a critical mechanism for ensuring that the IT system is properly safeguarded. The Board is responsible for ensuring that the right IT controls are in place and are performing as intended. Since computing environments change over the course of time, the Board should periodically review and update IT controls.

Town officials have not identified and corrected all IT deficiencies. Town officials have sufficiently addressed some areas such as IT service contracts, anti-virus protection, patch management, online banking, wireless networks and physical controls. However, we found improvement opportunities in areas such as IT policies, security awareness training, computer hardware inventories and contingency planning. Implementing these improvements will reduce the risk that data, hardware and software systems may be lost or damaged or that Town operations will be interrupted.

IT Policy

Computer policies define appropriate user behavior and describe the tools and procedures to protect data and information systems, taking into account people, processes and technology throughout the organization. Town officials should develop policies to cover the complexities of their IT environment including breach notification; Internet, email and personal computer use; use of and access to PPSI; password security; wireless security; mobile computing and storage devices; and online banking. As social media becomes a more prominent communication resource, it is important for Town officials to develop a policy to address the use of social media on the Town's network. Additionally, the IT policy should be periodically reviewed and updated as necessary.

The Town's IT policy addresses breach notification; Internet, email and personal computer use; use of and access to PPSI; and social media use. However, it does not address password security, wireless security, mobile computing and storage devices or online banking. Although Town officials told us that the IT policy does not address password security because it is common knowledge among staff, they had no explanation for the other areas not included in the policy. While computer policies will not guarantee the safety of a computer system, a lack of appropriate policies significantly increases the risk that data, and hardware and software systems may be lost or damaged by inappropriate access and use.

Security Awareness Training

A well-informed work force is the strongest link in the chain to secure electronic data and computer systems. Entities cannot protect the confidentiality, integrity and availability of their data and systems without ensuring that users understand organizational IT security policies and their roles and responsibilities related to IT. While IT policies tell staff what to do, annual IT security awareness training provides them with the skills to do it.

Town employees, including the specialist, have not received sufficient IT security and awareness training during our audit scope. The specialist has not attended cybersecurity training since September 2014. The specialist told us employees have not received formal IT training because it has never been required. However, her job description requires she provide IT training to staff, and she has provided informal training through emails and posters. Although informal training is provided, there is no guarantee staff are reviewing emails and posters.

We reviewed the web history of three employees. We did not identify any PPSI exposed; however, we identified questionable Internet usage, such as employees visiting social networking, email and entertainment sites, potentially for non-business purposes, and performing other Internet research and browsing of a personal nature using the Town's IT assets. While their policy allows limited personal use, without training and awareness, such use opens the door to potential unauthorized access and/or misuse and abuse, such as employees accessing adult entertainment or gaming websites, which are known to have malicious content and could potentially cause service interruptions.

Without formal IT security training and awareness, the risk still exists that users will not understand their responsibilities, which puts the data and computer resources with which they have been entrusted at greater risk for unauthorized access, misuse or abuse. Protecting IT assets is especially important as the number of instances of people with malicious intent trying to harm computer networks or gain unauthorized access to information through viruses, malware and other types of attacks continues to rise.

Computer Hardware Inventory

Organizations should maintain detailed, up-to-date inventory records for all computer hardware. The information for each piece of computer equipment should include a description of the item including the make, model and serial number; the name of the employee to whom the equipment is assigned, if applicable; the physical location of the asset and relevant purchase or lease information including the acquisition date.

While the Town has a hardware inventory, it is not a detailed and up-to-date record for all computer hardware. We examined the computer hardware inventory, which included 116 items,[1] and found that 37 items, or 32 percent, were missing at least one of the following: the make, model, serial/service tag number or name of the employee they were assigned to, and the physical location was not documented for any of the 116 items. The specialist told us the hardware inventory is incomplete because she assigned this work to an intern, and it was never finalized. While the inventory was, for the most part, complete, the failure to maintain detailed and up-to-date hardware inventory records exposes valuable assets to an increased risk of loss, theft or misuse.

Contingency Planning

A contingency plan describes how to deal with potential disasters. Such disasters may include any sudden, unplanned catastrophic event (e.g., fire, computer virus or inadvertent employee action) that compromises the availability or integrity of the IT system and data. Contingency planning consists of the precautions to be taken, such as backup procedures, to avert or minimize the effects of a disaster and maintain day-to-day operations. Typically, a contingency plan involves an analysis of IT business processes and continuity needs, including a significant focus on service interruption. The plan should also address the roles of key individuals and be distributed to responsible parties, tested periodically and updated.

Town officials have established a written IT contingency plan, but it is not sufficient. Although Town officials have procedures to sufficiently back up data and an emergency preparedness plan, they have not established written data backup policies, and the emergency plan does not specifically include IT procedures to maintain day-to-day operations such as the preservation of records and data during a disaster and alternate work locations.

Based on discussions with the specialist, even the plan that is in place, while inadequate, has not been tested and has not been reviewed or revised since 2012. The specialist indicated they were not aware that the plan was not sufficient and that it had not been reviewed or revised. As a result, in the event of disaster, Town personnel have no guidelines or plan to minimize or prevent the loss of equipment and data. Therefore, the Town could lose important financial data and suffer a serious interruption in Town operations.

[1] The list contained 53 computers, 38 monitors and 25 printer/copier/scanners.
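The inventory test described above, as an added example that is not part of the audit report or the Town's records: a small Python check that applies the report's required-field list to a constructed inventory, flags items missing identifying details and, separately, any field that is blank for every item, the way the report separated the 37 incomplete items from the location gap across all 116. The asset ids, names and the rule that shared devices such as printers need no assignee are assumptions.

```python
"""Completeness check for a computer hardware inventory.

Added example, not from the audit report. It applies the report's own
test (each item should carry make, model, serial/service tag number,
assigned employee, physical location and acquisition date) to a small
constructed inventory and reports which items and fields fall short.
"""
import csv
import io
from collections import Counter

# Fields the report says every inventory record should carry.
REQUIRED_FIELDS = (
    "make", "model", "serial_or_service_tag",
    "assigned_to", "location", "acquired",
)

# Assumption: shared devices in these categories have no individual assignee.
SHARED_CATEGORIES = {"printer"}

# Constructed sample inventory (hypothetical values, not the Town's data).
SAMPLE_INVENTORY_CSV = """\
asset_id,category,make,model,serial_or_service_tag,assigned_to,location,acquired
PC-001,computer,Dell,OptiPlex 7040,ABC1234,HR manager,,2016-03-01
PC-002,computer,Dell,OptiPlex 7040,,Bookkeeper,,2016-03-01
MON-001,monitor,Dell,P2417H,CN0XYZ,HR manager,,2016-03-01
MON-002,monitor,,P2417H,CN0ABC,Bookkeeper,,2016-03-01
PRN-001,printer,Xerox,WorkCentre 7845,XRX9999,,,2015-07-15
PRN-002,printer,Xerox,WorkCentre 7845,XRX8888,,,2015-07-15
"""


def missing_fields(record):
    """Return the required fields that are blank for one inventory record."""
    missing = []
    for field in REQUIRED_FIELDS:
        if field == "assigned_to" and record.get("category") in SHARED_CATEGORIES:
            continue  # shared device: no individual assignee expected
        if not (record.get(field) or "").strip():
            missing.append(field)
    return missing


def audit_inventory(csv_text):
    """Summarise completeness the way the audit report does.

    A field blank on every record (the report found this for physical
    location) is reported once as a systemic gap; the per-item count and
    percentage cover the remaining fields, matching the report's
    "37 items, or 32 percent" style of finding.
    """
    records = list(csv.DictReader(io.StringIO(csv_text)))
    total = len(records)
    per_record = {rec["asset_id"]: missing_fields(rec) for rec in records}
    field_gaps = Counter(f for gaps in per_record.values() for f in gaps)
    systemic = sorted(f for f, n in field_gaps.items() if n == total)
    incomplete = {}
    for asset_id, gaps in per_record.items():
        item_gaps = [f for f in gaps if f not in systemic]
        if item_gaps:
            incomplete[asset_id] = item_gaps
    return {
        "total": total,
        "incomplete": incomplete,
        "incomplete_count": len(incomplete),
        "incomplete_pct": round(100 * len(incomplete) / total) if total else 0,
        "fields_missing_everywhere": systemic,
        "field_gaps": dict(field_gaps),
    }


if __name__ == "__main__":
    result = audit_inventory(SAMPLE_INVENTORY_CSV)
    print(f"{result['incomplete_count']} of {result['total']} items "
          f"({result['incomplete_pct']} percent) are missing at least one field")
    for asset_id, gaps in result["incomplete"].items():
        print(f"  {asset_id}: missing {', '.join(gaps)}")
    print("not documented for any item:", result["fields_missing_everywhere"])
```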

Recommendations

The Board, with the assistance of the specialist, should:

1. Update the IT policy to address password security, wireless security, mobile computing and storage devices and online banking. Additionally, the policy should be periodically reviewed and updated as necessary.

2. Require all staff to receive formal IT security and awareness training at least annually.

3. Ensure hardware inventory listings include the make, model and serial number, the name of the employee they are assigned to and the physical location.

4. Prepare an IT contingency plan that specifically addresses backup policies and procedures to maintain day-to-day operations such as the records and data to preserve during a disaster and alternate work locations. This plan should be tested, reviewed and updated as necessary to ensure it meets organizational needs.

APPENDIX A
RESPONSE FROM LOCAL OFFICIALS

The local officials' response to this audit can be found on the following page.


APPENDIX B
AUDIT METHODOLOGY AND STANDARDS

To achieve our audit objective and obtain valid evidence, we performed the following procedures:

• We interviewed Town officials and employees to gain an understanding of the IT environment, internal controls and IT security training provided.

• We reviewed the Town's policies, technology plan and Board minutes for existing IT policies and procedures.

• We reviewed the Town's IT service contracts to determine whether they contained the proper components and established measurable targets of performance.

• We interviewed Town officials and observed employees' computers to determine whether adequate controls were in place regarding access, online banking, wireless networks and computer resources.

• We used audit software to analyze information on the Town's server and selected a sample of three computers to determine whether Internet usage was appropriate. We selected the specialist's computer because she has administrative access and total control over all computers. We selected the human resources manager's computer because she has administrative access and maintains PPSI. We selected the bookkeeper's computer because she performs online banking and has access to the financial software.

• We reviewed the Town's hardware inventory to determine whether it was detailed and up-to-date.

• We reviewed the Town's contingency plan and back-up procedures to determine whether they were sufficient.

We conducted this performance audit in accordance with GAGAS. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

APPENDIX C
HOW TO OBTAIN ADDITIONAL COPIES OF THE REPORT

To obtain copies of this report, write or visit our web page:

Public Information Office
110 State Street, 15th Floor
Albany, New York 12236
(518) 474-4015
http://www.osc.state.ny.us/localgov/

APPENDIX D
OFFICE OF THE STATE COMPTROLLER
DIVISION OF LOCAL GOVERNMENT AND SCHOOL ACCOUNTABILITY

Andrew A. SanFilippo, Executive Deputy Comptroller
Gabriel F. Deyo, Deputy Comptroller
Tracey Hitchen Boyd, Assistant Comptroller

LOCAL REGIONAL OFFICE LISTING

BINGHAMTON REGIONAL OFFICE
H. Todd Eames, Chief Examiner
State Office Building, Suite 1702
44 Hawley Street
Binghamton, New York 13901-4417
(607) 721-8306  Fax (607) 721-8313
Email: Muni-Binghamton@osc.state.ny.us
Serving: Broome, Chenango, Cortland, Delaware, Otsego, Schoharie, Sullivan, Tioga, Tompkins Counties

BUFFALO REGIONAL OFFICE
Jeffrey D. Mazula, Chief Examiner
295 Main Street, Suite 1032
Buffalo, New York 14203-2510
(716) 847-3647  Fax (716) 847-3643
Email: Muni-Buffalo@osc.state.ny.us
Serving: Allegany, Cattaraugus, Chautauqua, Erie, Genesee, Niagara, Orleans, Wyoming Counties

NEWBURGH REGIONAL OFFICE
Tenneh Blamah, Chief Examiner
33 Airport Center Drive, Suite 103
New Windsor, New York 12553-4725
(845) 567-0858  Fax (845) 567-0080
Email: Muni-Newburgh@osc.state.ny.us
Serving: Columbia, Dutchess, Greene, Orange, Putnam, Rockland, Ulster, Westchester Counties

ROCHESTER REGIONAL OFFICE
Edward V. Grant, Jr., Chief Examiner
The Powers Building
16 West Main Street, Suite 522
Rochester, New York 14614-1608
(585) 454-2460  Fax (585) 454-3545
Email: Muni-Rochester@osc.state.ny.us
Serving: Cayuga, Chemung, Livingston, Monroe, Ontario, Schuyler, Seneca, Steuben, Wayne, Yates Counties

GLENS FALLS REGIONAL OFFICE
Jeffrey P. Leonard, Chief Examiner
One Broad Street Plaza
Glens Falls, New York 12801-4396
(518) 793-0057  Fax (518) 793-5797
Email: Muni-GlensFalls@osc.state.ny.us
Serving: Albany, Clinton, Essex, Franklin, Fulton, Hamilton, Montgomery, Rensselaer, Saratoga, Schenectady, Warren, Washington Counties

SYRACUSE REGIONAL OFFICE
Rebecca Wilcox, Chief Examiner
State Office Building, Room 409
333 E. Washington Street
Syracuse, New York 13202-1428
(315) 428-4192  Fax (315) 426-2119
Email: Muni-Syracuse@osc.state.ny.us
Serving: Herkimer, Jefferson, Lewis, Madison, Oneida, Onondaga, Oswego, St. Lawrence Counties

HAUPPAUGE REGIONAL OFFICE
Ira McCracken, Chief Examiner
NYS Office Building, Room 3A10
250 Veterans Memorial Highway
Hauppauge, New York 11788-5533
(631) 952-6534  Fax (631) 952-6530
Email: Muni-Hauppauge@osc.state.ny.us
Serving: Nassau and Suffolk Counties

STATEWIDE AUDITS
Ann C. Singer, Chief Examiner
State Office Building, Suite 1702
44 Hawley Street
Binghamton, New York 13901-4417
(607) 721-8306  Fax (607) 721-8313