[read complete report - pdf]

Audit Objective

Determine whether Village of Red Hook (Village) officials ensured information technology (IT) systems were adequately secured and protected against unauthorized use, access and loss.

Key Findings

Officials did not adequately secure and protect the Village’s IT systems against unauthorized use, access and loss.

• The Board did not adopt required or sufficient IT policies, provide users with IT security awareness training, or develop a disaster recovery plan.
• Officials were unaware that employees were accessing websites for nonbusiness purposes because they did not routinely monitor employee Internet use.
• The Village did not define the IT consultant’s responsibilities and did not have a formal contract with the consultant.

In addition, sensitive IT control weaknesses were communicated confidentially to officials.

Key Recommendations

• Develop and adopt comprehensive IT policies and provide employees with IT security awareness training.
• Develop procedures for monitoring Internet usage and negotiate a formal contract with the IT consultant.

Village officials generally agreed with our findings and recommendations and indicated they have initiated corrective action.