[read complete report - pdf]

Audit Objective

Determine whether Town of Pulteney (Town) officials adequately safeguarded Town information technology (IT) assets.

Key Findings

Town officials did not adequately safeguard Town IT assets and failed to implement the recommendations we made in 2013 to adopt comprehensive IT security policies and monitor computer use. As a result, we found officials did not:

• Adopt key IT policies or a comprehensive IT contingency plan to minimize the risk of data loss or suffering a serious interruption of services.
• Monitor the use of IT resources or provide IT security awareness training.
• Disable four unneeded local user accounts.
• Enter into a service level agreement (SLA) with the Town’s IT service providers.

In addition, sensitive IT control weaknesses were communicated confidentially to officials.

Key Recommendations

• Adopt comprehensive IT security policies and a comprehensive IT contingency plan.
• Regularly review user accounts and disable those that are unnecessary.
• Enter into an SLA with the IT service providers for all services to be provided.

Town officials agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.