Security Over Critical Systems

Issued Date: January 03, 2024
Agency/Authority: Hudson River–Black River Regulating District

Objective

To determine whether security over the Hudson River–Black River Regulating District’s (District) critical systems is sufficient to minimize the various risks associated with unauthorized access to systems and data. The audit covered the period from June 2023 through October 2023.

About the Program

The District’s mission is to construct, maintain, and operate reservoirs in the upper Hudson River and Black River watershed, including the Sacandaga, Indian, Black, Moose, and Beaver rivers for the purpose of regulating the flow of streams or rivers when required by public welfare, including public health and safety.

The District must adhere to the Office of Information Technology Services’ (ITS) policies, including ITS’ Information Security Policy and Acceptable Use Policy, for its IT assets. Additionally, the District is responsible for adhering to provisions in the Department of Environmental Conservation or Federal Energy Regulatory Commission regulations. The District must also abide by Payment Card Industry Data Security Standards (PCI DSS) and must complete a self-assessment of its compliance with these standards because it accepts credit card payments for access permits to use the land surrounding the Great Sacandaga Lake.

Key Findings

Overall, the District has demonstrated effort and timeliness in addressing security issues as they arise. Due to the confidential nature of some of our evaluations, we communicated certain details to District officials and do not address those details in this report. We further found the District generally took appropriate steps to secure processes and systems used to accept credit card payments. However, there were areas in which it could improve to better meet PCI DSS requirements, including documenting certain policies and procedures.

Key Recommendation

  • Develop relevant policies and procedures as required for PCI DSS.

State Government Accountability Contact Information:
Audit Director: Nadine Morrell
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236