Town of Queensbury - Water System Cybersecurity (2018M-268)

Issued Date
March 22, 2019

[read complete report - pdf]

Audit Objective

Determine whether officials adequately safeguard electronic access to the Town’s water system.

Key Findings

  • Water officials have not implemented comprehensive procedures for managing, limiting, securing and monitoring user access.
  • Water plant personnel have not been provided with job-specific cybersecurity awareness training.
  • Water officials did not prevent or monitor public disclosure of information on the Town’s water system.

In addition, sensitive IT control weaknesses were communicated confidentially to Town officials.

Key Recommendations

  • Implement strong access controls.
  • Provide cybersecurity awareness training to Water plant employees.
  • Prohibit the public disclosure of sensitive water system information.

Local officials agreed with our recommendations and indicated they have begun corrective action.