Watertown, New York criticized by comptroller for cybersecurity gaps

In an IT Report of Examination for Watertown issued this month, the New York State comptroller’s office criticized Watertown city officials for not adequately protecting sensitive employee and financial information. The report says Watertown, located in New York State, did not have an adequate information security management structure in place to protect certain system user accounts.

An audit that took place between July 1, 2015 and April 6, 2017 found that city officials and an elected council – composed of four councilors and a mayor – “did not implement effective procedures for granting, revoking, modifying and monitoring individual access rights to the network and the financial system.” The division also communicated sensitive IT control weaknesses privately to city officials.

Authorities did not have policies and procedures in place to:

  • Address disaster recovery, e.g. fire, computer virus, or inadvertent employee action
  • Dispose of electronic devices
  • Back up data and manage password security
  • Conduct information security awareness training

By the numbers: Watertown cybersecurity gaps

Watertown processes personal, private, and sensitive information, including tax assessments, births and deaths, police reports, and payroll. The division discovered that a number of former employees might still have access to the city’s financial data system. It also found that, within the city’s financial system and supporting IT equipment:

  • 31%, or 192 out of 612 user accounts with access to the city network were no longer needed
  • An IT manager was unsure whether or not 9%, or 55 accounts, were necessary
  • 70 out of 247 accounts were never used
  • 47%, or 286 of the 612 user accounts, are generic and/or shared

City officials agree with division recommendations and plan to make changes

Watertown Mayor Joseph M. Butler, Jr. said he knew the city needed to take corrective action and is working on closing cybersecurity gaps. In addition to adopting policies to protect the confidentiality, integrity, and availability of individual rights, city officials agreed with several high-level recommendations made by the division:

  • Periodically assess and update all IT policies to address the city’s IT environment and emerging cybersecurity developments
  • Instill cybersecurity awareness training for city personnel who handle personal data
  • Development and systematic review of user access policies by the council
  • City officials engage in the design of procedures to protect and monitor personal, private, and sensitive information access

The division also recommended changes for IT management, including evaluating current system accounts, purging unnecessary accounts, and creating a regular schedule to review accounts for necessity. The accounts are to be reviewed for appropriateness, e.g. determining if shared accounts are necessary.

The mayor has set a 90-day deadline to put together a plan and respond to the report.

How can organizations minimize gaps in their cybersecurity program?

To help manage cybersecurity, organizations should implement an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all the organizational and technical controls necessary to protect an organization’s information assets.

Implementing an ISMS based on ISO 27001 will involve your whole organization and help reduce gaps you may have in your current cybersecurity program.

If you want to learn more, you should read our free green paper: Implementing an ISMS – The nine-step approach.