Fallsburg responds to comptroller's audit
Story by Dan Hust
SOUTH FALLSBURG - As far as NYS Comptroller’s Office audits go, the Town of Fallsburg emerged virtually unscathed.
“We passed with flying colors” was how Supervisor Steve Vegliante put it yesterday.
No wrongdoing or errors were found in the audit, which covered January 1, 2011 to May 15, 2012 and focused on ensuring that computerized data and assets “were properly safeguarded.”
Still, state auditors had some concerns and suggestions for the township, ones Vegliante confirmed Fallsburg will heed.
“I’m certainly going to listen to their recommendations,” he affirmed, promising to follow up with the state once the town board has agreed on an action plan.
Recommendation #1: Restrict access on a user-by-user basis to the town’s financial accounting system.
“Because employees are not restricted to only those applications necessary for them to perform their job duties,” wrote the auditors, “computerized data including personal, private and sensitive information is at risk of being compromised.”
The problem has now been fixed, said Vegliante, as various users have been given levels of access necessary for their specific jobs. In addition, every transaction has a fingerprint ID associated with it.
Recommendation #2: Move the town’s computer servers out of the Finance Office, which is publicly accessible, and into a secure area.
“If access to servers is not controlled, the risk increases that unauthorized access to the network could be obtained and the servers could be damaged,” wrote the auditors.
The state did note that most of the time the town’s comptroller is working at his desk next to the servers, but Vegliante said Fallsburg’s town board is working on cost-effective methods to increase security of the machinery which holds all the town’s critical data.
“Let it be noted that the office where the servers are located is locked every night,” Vegliante wrote in response to the audit. “The town is looking into consolidating the server. We may look to build a cage with a lock to encompass the server.”
Recommendation #3: Create a formal disaster recovery plan in case the town’s computer system and financial records are damaged or destroyed.
“The board has not developed a disaster recovery plan,” wrote the auditors. “Consequently, in the event of a disaster, town personnel have no guidelines or plan to follow to help minimize or prevent the loss of equipment and data, or guidance on how to implement data recovery and resume operations as efficiently as possible.”
Vegliante said the servers are plugged into a battery backup in case of power loss, and the data is copied onto a tape, which is secured at the end of every business day.
“The disaster recovery plan is something that the town is currently researching and will be coming up with a formalized plan in the event of a disaster,” he wrote.