After Damning Report, Watertown, N.Y., Moves to Correct Cybersecurity Failings

A report from the state comptroller’s office showed the city was missing critical policies around “granting, revoking, modifying and monitoring” access rights to the city’s information technology network and financial system.

by Craig Fox, Watertown Daily Times / February 5, 2018

(TNS) — WATERTOWN, N.Y. — City officials have put together a plan in response to a state Comptroller’s Office report that strongly criticized the city for not adequately safeguarding sensitive employee and financial information in its computer system.

In December, City Council members learned that the Comptroller’s Office conducted audits in 2015 and 2017 that determined the city fails to have cybersecurity policies and procedures in place for “granting, revoking, modifying and monitoring” access rights to the city’s information technology network and financial system.

In a memo earlier this week, City Manager Sharon A. Addison informed council members that the city developed a “Corrective Action Plan” to address the audits.

The city has until March 1 to submit its response, but Ms. Addison asked council members to offer “feedback no later than Feb. 9 in order to consolidate and ensure the timeliness of our response.”

According to the Comptroller’s report, the council did not adopt “adequate information technology security policies and city officials do not have formal procedures to address disaster recovery, disposal of electronic devices, data back up and password security management.”

The issues include procedures for when the system goes down, for ensuring sensitive information cannot be accessed when devices are disposed of, and for making sure employees know how to adequately protect their passwords.

Many of the policies and procedures are already in place but are not written down, city officials explained in December.

Completing the action plan won’t cost the city extra money and it won’t be time-consuming for the city’s IT department, Ms. Addison said.

“All of it would be accomplished anyway,” she said.

According to the three-page Corrective Action Plan, the city has proposed a six-point plan that includes drafting policies on password security management, periodically reviewing new technology and written policies, ensuring cybersecurity training for employees and identifying appropriate network and financial system user access required for each city employee.

The plan, to be implemented in phases, should be finished by Dec. 1. The city manager, IT manager David Wurzburg, Human Resources Manager Matthew Roy and the City Council will be involved in developing the plan.

Mr. Wurzburg declined to comment, referring all questions to the city manager.

The Comptroller’s Office also confidentially communicated sensitive IT control weaknesses to the city.

The city was selected randomly for the audit.

©2018 Watertown Daily Times (Watertown, N.Y.) Distributed by Tribune Content Agency, LLC.