WEST CARTHAGE — Municipalities rely heavily on Internet-connected computers to store and process data, and the state wants to ensure that sensitive or private information is adequately safeguarded by examining local governments’ information technology infrastructure.
In a recent report, auditors with the state Comptroller’s Office found that the town of Champion was giving its employees administrative access to town computers — potentially increasing the risk of a data breach or loss.
“An individual’s private and financial information, along with confidential business information, could be severely impacted if the town’s computer security is breached or data is improperly disclosed,” the audit report said.
If malware is installed on a town computer, for instance, it would have greater control over a system running under an account with administrator rights.
“The remediation of this serious internal control weakness should not require an exhaustive effort or additional costs since the town already has the necessary infrastructure in place to make the required changes,” the report said.
Auditors — who examined the town’s records from Jan. 1, 2012, through Dec. 31, 2013 — also told the town to develop a data backup plan and a formal disaster recovery plan “to help minimize or prevent the loss of equipment and data.”
“Good business practices require town officials to run daily backups, keep the backup data as current as possible, and store the data at an environmentally and physically secure off-site location for retrieval in case of an emergency,” they said in the report.
They said data should be backed up to a secure off-site location and procedures should be developed to periodically test and restore data.
Also, in case of a network breach, the town should periodically review an information breach notification policy, auditors said.
“State Technology Law requires the town to establish an information breach notification policy. Such a policy should detail how the Town would notify individuals whose private information was, or is reasonably believed to have been, acquired by a person without a valid authorization,” their report said.
Supervisor Terry L. Buckley said Friday that the Town Council agrees with the audit report’s conclusions and has developed an action plan to remedy the problems.
“There were some things we had to tighten up for security purposes. We agreed with all of their findings and we’re taking steps to implement everything that they required,” he said.