CLIFTON PARK – Town Supervisor Philip Barrett reacted strongly to a state audit report that revealed four problematic findings with regard to Clifton Park’s information technology resources during 2019.
The state pointed out in its report that town employees visited websites the auditor deemed “questionable,” while 14 former workers had access to email accounts long after they had left the town’s employ, the office of State Comptroller Thomas DiNapoli said in a statement Monday.
However, Barrett refuted each of the claims, and countered that the auditor’s scrutiny used “boilerplate language” for “headline purposes.”
DiNapoli’s office said Clifton Park officials hadn’t adequately safeguarded IT resources, and, despite paying an IT service provider more than $98,000 in 2019, officials did not define the provider’s responsibilities.
Also, DiNapoli said Clifton Park officials had not established a comprehensive IT policy, had not monitored employee internet use, and had not implemented comprehensive procedures for managing and monitoring user access to the town’s network and computers.
DiNapoli said 14 user accounts belonged to former employees of Clifton Park who had left the town from one month to 15 years before the auditor’s review.
Finally, the state comptroller’s office said Clifton Park officials did not have a written contract with the town’s IT provider that described specific services to be provided. Sensitive IT control weaknesses were communicated confidentially to officials, the audit read.
Barrett provided The Daily Gazette with a copy of his written response thanking DiNapoli’s office, yet disputing the audit’s accuracy.
The supervisor said the actual expenditure for IT consulting services to ABS Solutions during the audit period was $48,100 – not $98,000 as the auditor claimed – with the remaining funds spent on hardware, software, cloud-based backup service and installation expenses.
Barrett said the town’s consulting arrangement with ABS Solutions is comprehensive.
Throughout the town’s six-year relationship with ABS Solutions, the vendor consistently provided prompt, reliable and affordable IT services, and Clifton Park can terminate the agreement with 30 days’ notice if it is dissatisfied with their performance, solutions offered, or response times, Barrett said.
An informal survey of surrounding municipalities showed the town’s spending on IT consulting services compares favorably with its peers, in some cases significantly, he said.
The auditor’s claim that the town did not have a comprehensive internet policy also was inaccurate, according to Barrett.
Clifton Park’s internet policy is included in the employee manual, which was prepared by the town’s human resources consultants, who have “scores” of municipal clients throughout the Capital Region, Barrett said.
“The policy in our manual is standard to the vast majority of our consultant’s clients and is consistent with those entities,” Barrett said.
The town’s relationship with ABS Solutions during the 2019 audit period was defined by purchase orders for specific projects and a clearly defined hourly rate, according to the town.
Finally, Barrett said a number of the identified “former” employees remain active with the town, and many of those accounts that were deemed unnecessary were disabled.
The email accounts for those individuals were not operable and none of those individuals had remote access to the town’s system. Any usage affiliated with their account would need to be accomplished through electronic devices that had been secured by the town, the supervisor said.
In 2019, the town began to implement a system that automatically disabled an account that was not used. Barrett said the town will review accounts quarterly to ensure none are unnecessarily active.
The town also implemented “Barracuda Total Email Protection,” which provides the town with Microsoft 365 backup and monitoring. Any email sent through Barracuda has Safelink Technology that “sandboxes” all web links.
Advanced antivirus software with application control is also in place.
Barrett said the majority of the websites the audit report had found “questionable” were determined to be “useful and reasonable” for town employees to use during the course of conducting business.
Purchasing activities, financial tasks, travel and trip destination research and many other normal town functions require the usage of the related websites, he said, while acknowledging the town periodically sends reminders to employees about phishing attacks and other issues involving computer use.
“Do we closely monitor the usage of each employee on a regular basis? No. Do we monitor and survey computer usage when we believe there is a reason to do so? Yes. We record all web traffic,” Barrett said.
The town also has a product that blocks all webmail access through town computers, eliminating the opportunity to use the system for personal email, Barrett wrote.
“We understand the use of boilerplate language in the audit reports for headline purposes,” the supervisor said of the audit’s findings. “I am pleased there was nothing identified in the audit that would cause alarm, or place the Town systems in a compromised position, nor has the door been opened to abuse or unwarranted entry.”
Contact reporter Brian Lee at 518-419-9766.