Town of Haverstraw - Information Technology (2019M-125)

Issued Date
December 13, 2019

Audit Objective

Determine whether Town officials ensured the Town’s Information Technology (IT) systems were adequately secured and protected against unauthorized use, access and loss.

Key Findings

  • Employees accessed nonbusiness websites even though Town policy prohibits doing so.
  • Officials did not adopt a data classification, breach notification or online banking policy or a written disaster recovery plan.
  • Employees were not provided with IT security awareness training.

In addition to this public report, sensitive IT control weaknesses were communicated confidentially to Town officials.

Key Recommendations

  • Design, implement and enforce procedures to monitor the use of the Town’s IT resources, including personal use.
  • Adopt written IT policies and procedures to address data classification, breach notification, online banking and disaster recovery.
  • Provide IT security awareness training to personnel who use IT resources.