State concerns over Village of Arkport Information Technology

ARKPORT - New York State Auditors found that the (village) board did not adopt information technology (IT) security policies and procedures. In addition, the board did not enter into a written agreement with the IT vendor for services provided to the village. Auditors also found that the village officials did not provide IT security awareness training to employees.
State Comptroller summary:

Audit Objective

Determine whether Village officials adequately safeguarded Village information technology (IT) assets.

Key Findings

The Board did not:

• Develop adequate IT policies and procedures.
• Enter into a written agreement with the IT vendor for services provided to the Village.
• Provide IT security awareness training to employees.

In addition, sensitive IT control weaknesses were communicated confidentially to Village officials.

Key Recommendations

The Board should:

• Adopt comprehensive IT security policies, periodically review and update all IT policies and procedures to reflect changes in technology and the Village’s computing environment, and stipulate who is responsible for monitoring all IT policies.
• Enter into a professional service contract with the IT vendor that sufficiently defines the role and responsibilities of each party, includes all services to be provided, and addresses confidentiality and protection of personal, private and sensitive information (PPSI).
• Provide periodic IT security awareness training to personnel who use IT resources, including the importance of maintaining physical security and protecting PPSI.

District officials generally agreed with our findings and indicated they plan to initiate corrective action. The complete report can be read HERE. This is the village response: