LITTLE VALLEY – Cattaraugus County’s computer system is at risk because of a lack of security and disaster recovery measures, according to a report from the State Comptroller’s Office.
According to the report, county policies, where they exist, are lacking in security measures when it comes to employee use, remote access and disaster recovery. To fix part of the problem, the auditors suggested the county Information Technology Department create a policy that dictates user rights according to their duties and responsibilities.
Auditors cite the lax control over usage and remote access to be potential threats in that viruses and other harm could be done to county files. They also commented that deficiencies in disaster recovery jeopardize the financial and operational security of the county in a time of emergency.
In a rebuttal to the report, County Administrator John Searles said: “The county has invested in a five-year technology plan which includes upgrading the core systems and rebuilding the entire infrastructure from the ground up.”
Searles said, “In March of this year, Phase I of the network infrastructure rebuild was completed, which involved cleaning up, stabilizing the current network and replacing all the switches ... for better management.”
The report on deficiencies was made without taking into consideration that the plan had been put in place to replace the system, Searles said.
“Even the state IT people agreed that we are doing this the best way,” he said. As the system is being built, no policy is in writing. That will come when the system is fully in place.
As far as the disaster plan is concerned, Searles said, the same thing holds. When auditors were in the Little Valley County Center, a broken water pipe overnight sent water through the building and into the IT department, creating a disaster situation.
“(The auditor) saw firsthand the ability we have in recovering data in a disaster situation,” Searles said.
In the report, the page where the deficiency is listed is footnoted, describing the incident and that no loss of data had occurred and that the county employees were able to take care of the situation with no problems.
The footnoting in the audit report is one of the issues that Searles called to the attention of the State Comptroller’s Office in his rebuttal.
“On several instances, the report lists a deficiency,” Searles said. “It lists where the auditors thought they saw problems. If you look at the footnotes, you can see that we either provided the documentation they were looking for or some other evidence was presented to prove that we have already worked to fix the problem, or there is no problem.”
Searles said all of the recommendations have been or will be implemented. The county has six months to develop a corrective action plan and submit it to the Comptroller’s Office.