Johnstown

Comptroller warns Johnstown of lax cyber security; State audit shows inappropriate computer use

210317Johnstown.jpg
PHOTOGRAPHER:

The New York State Comptroller’s Office has determined City of Johnstown officials have placed the local government in danger of lawsuits, disruption of operations and cyber security breaches due to inadequate Information Technology policies.

The Comptroller released findings from its Jan. 1, 2019 to Jan. 15, 2020 audit of the city’s IT practices on March 26.

The Comptroller found the city of Johnstown paid an IT company $92,309 for services during the audit period, even though the city had no formal written contract with the company and city officials seemingly had little understanding of how the money was being spent.

“City officials have relied on an IT provider for IT services, technical assistance and purchase of IT equipment, as needed, for over 10 years without a written contract or [Service-level-agreement] SLA,” reads the Comptroller’s report. “The Council did not negotiate a written contract with its IT service provider and officials did not enter into an SLA with the provider to identify the specific services to be provided or the provider’s responsibilities.”

The state Comptroller’s Office has determined the City of Johnstown paid a $1,250 monthly service fee for its IT services, but details about how that money was spent were not forthcoming from city officials.

“Except for two four-hour on-site visits each month, officials were unable to identify the services included in the monthly fee,” reads the Comptroller’s report. “As a result of our inquiry, the IT provider gave the Treasurer a written list of services included and not included in this fee.”

The list of services included in the Comptroller’s audit of Johnstown’s IT spending is as follows:

• $37,138 for equipment and supplies

• $18,829 for software renewals and warranty

• $15,000 for monthly services

• $9,717 for technical support

• $5,355 for software services

• $4,018 for hardware installation

• $2,252 for backup services.

“City officials were given an opportunity to respond to our findings and recommendations within 30 days of the exit conference, but they did not respond,” reads the Comptroller’s report.”

Members of the Common Council did not respond to phone calls seeking comment for this story Thursday. Mayor Vern Jackson indicated via text message that he was unable to conduct a telephone interview, but did respond to questions via text.

Jackson said he doesn’t know why the city never had a formal written agreement with its IT provider, a company he said is called “ATEC.” He said he was uncertain whether the company was ATEC Group, an IT firm located in Albany. He said he’s not completely sure where the company is located.

“Can’t be sure,” Jackson wrote. “Never asked. I believe [ATEC is located in] the Capital District. They show up quickly when called” In addition to having little idea of how it was spending money on IT services, the Comptroller’s report showed the city had poor systems in place to manage cyber security.

In addition to having little idea of how it was spending money on IT services, the Comptroller’s report showed the city had poor systems in place to manage cyber security.

“City officials did not adequately manage network user accounts to safeguard data from potential abuse and loss,” reads the report. “We reviewed all 92 enabled network user accounts and found 27 of these accounts were not needed and should have been disabled. In addition, 11 other accounts had unneeded permissions. The Comptroller determined the city had 10 user accounts that had unnecessarily assigned administrative permissions, including the power to create new user accounts and change passwords. Five of the accounts belonged to City officials or employees who did not need administrative permissions to perform their job duties.

The city also had 13 accounts (14 percent of the 92) which belonged to City employees or officials who left City employment between one and six years before the Comptroller’s audit.

“Nine accounts were used to access the network after the employee left City employment,” reads the report. “The Treasurer and the IT provider were unable to provide us with supporting documentation or explanations for this activity.”

The Comptroller warned that the city’s lax oversight of its computer user accounts could allow personal information of city employees to be accessed inappropriately.

“When unneeded network user accounts exist, there is a risk that these accounts could be used as entry points for attackers to access (private and sensitive information) PPSI and compromise IT resources,” reads the report.

The Comptroller also found that city employees had used all 11 of the city’s computers for personal internet use unrelated to city business.

“This included access to entertainment, leisure, personal shopping and social media websites,” reads the report. “Some access to entertainment and leisure websites included access to inappropriate content by one user that violated the City’s policy (outlined in the employee manual) for acceptable Internet use.”

According to the Comptroller’s report the city’s IT provider blocked websites the city’s policies had determined were “obscene or X-rated” but the policy was not broad enough to restrict all of the websites forbidden by the city’s employee rules.

The Comptroller’s audit concluded with 10 points it recommends the city Common Council address. Here are several highlights from the recommendations:

• Develop and update IT policies regarding passwords, private information, mobile devices and online banking, and review those policies annually.

• Enter into a written contract with an IT provider.

• Develop a comprehensive “disaster recovery” plan for instances when the city’s It systems are shut down.

• Maintain an accurate IT hardware inventory, which city has currently failed to do.

• Require all employees to sign a form acknowledging receipt of an updated employee manual, which the city currently requires but the Comptroller only found evidence two employees had complied with.

Jackson said he is uncertain whether the Common Council will address the Comptroller’s recommendations this year, the final year of his administration.

“This will [be] a topic of discussion with the council,” Jackson wrote.

Jackson has announced he will not be seeking another term of office, and 3rd Ward Councilwoman Amy Praught has filed a petition to run as the Republican Party candidate for mayor. Political newcomer Michael D. Rose has filed a petition to run as Democrat, setting up a November election contest.

Categories: Fulton Montgomery Schoharie, News

Leave a Reply