State IT audit: Guilderland needs more protections
GUILDERLAND — The state comptroller has made seven recommendations for the town of Guilderland to improve its information-technology practices “to protect against unauthorized use, access and loss.”
The report, based on an audit conducted from Jan. 1, 2024 to Jan. 10, 2025, was issued late last month.
The audit found employees used work computers for personal matters, the town hadn’t disabled accounts for workers who had left, and a contingency plan needs regular testing as well as adoption by the town board.
A second comptroller’s audit report, also issued last month, focused on the town’s allocation of sales-tax revenues, resulting in a steep tax hike for Altamont residents next year.
While Guilderland Supervisor Peter Barber had strong objections to the sales-tax audit recommendations, in a three-page Oct. 30 response to the IT audit he wrote that the report had “very helpful recommendations and suggestions to prove the Town’s practices.”
The IT report notes that Guilderland relies on its IT systems for internet access and email and to “maintain various records, such as financial and personnel records, and evidence files for the police department, that may contain personal, private, or sensitive information.”
It goes on to note, “If an IT system is compromised, the results could range from inconvenient to catastrophic and may require extensive effort and resources to evaluate, repair and rebuild.”
The Guilderland Town Board and officials did not monitor employee Internet use or establish adequate controls to safeguard IT systems, the report says. It goes on to say that the board did not adopt an IT contingency plan to minimize the risk of data loss; it did not periodically test backups; and it did not provide IT security awareness training.
The town has 228 enabled user accounts, 188 network computer accounts, 162 desktop and laptop computers, and 31 servers, the report says.
Although Guilderland has a policy prohibiting employees from using town-owned computers for personal use, the auditors sampled 14 town computers and found six users accessed websites for personal use, such as entertainment, news, personal finance, email, shopping, travel, and personal health. One employee conducted personal business on a town computer, the report said.
Five of the six employees had signed a form acknowledging the policy in the employee handbook that town computers were for employment duties only.
The auditors also reviewed the town’s 228 enabled network user accounts and found 11 were unneeded or used seasonally and should have been disabled when not in use.
“When unneeded user accounts remain enabled, the Town has an increased risk that disgruntled employees or attackers could use these accounts as entry points” to access personal, private, or sensitive information and compromise IT resources, the report says.
Further, the report notes, although the IT director had a November 2022 draft contingency plan, the Guilderland Town Board did not adopt it and the director did not sign it to indicate he approved the plan.
Also, the auditors found the draft plan did not cover specific procedures to recover from an unexpected IT disruption. While the draft plan said it should be tested at least annually, there was no documentation showing it had been tested, the report said.
Further, while the IT department gets daily alerts as to whether the daily backups were successful, had any errors, or failed, “there is no schedule in place to restore or test backups periodically,” the report said.
The auditors conclude, “Without an approved and adopted IT contingency plan, responsible parties may not be aware of the steps they should take or how to continue doing their jobs to resume business in the event of a disaster or other unexpected IT disruption. Also, by not testing backups, Town officials have limited assurance that important data will be available in the event of a loss.”
Sensitive IT control weaknesses were communicated confidentially to officials, the report says. The town has 90 days to submit a corrective action plan.
Recommendations and responses
These are the seven recommendations made by the auditors along with the responses from Barber and IT Director Jeffery Gregory. They are grouped into three areas of concern — employee use of computers, disabling unused accounts, and having a frequently tested contingency plan:
— Implement procedures to monitor employee Internet use and ensure compliance with the Town’s IT Policy.
— Ensure all IT users sign an acknowledgment form that indicates they are aware of and will comply with the Town’s IT Policy.
— Ensure IT security awareness training is periodically provided to all individuals who use Town IT resources.
“The IT Department deploys a very robust and integrated Firewall, Endpoint Protection Antivirus, and Managed Threat/Detection Response service that includes internet content filtering,” Barber wrote, adding that the report does not reference this.
He went on to say that the IT director also “receives and reviews five distinct weekly web usage and bandwidth reports, makes timely inquiries on questionable use of the internet by Town employees, and refers documented improper use of the internet to Human Resources.”
Further, Barber noted that it cannot be determined whether the websites cited in the report are used for town purposes or personal reasons. “There is no known software that would determine whether a person is accessing a particular website for a proper Town use or personal use,” he says.
Barber also notes that, following town policy, the improper use of the internet has been subject to disciplinary actions.
Barber lists three corrective actions for the first recommendation. The town board will review and adopt an updated policy “to allow for incidental personal use of computers similar to what is already allowed for town-issued phones.”
Second, the revised policy will require written verification from each employee that he or she has read and understands the updated policy.
And third, the IT director has scheduled for the spring of 2026 a Rapid Cyber Security Assessment with the state’s Division of Homeland Security and the revised policy will require employee security awareness training.
— The IT Director should immediately disable the unneeded user accounts identified in this report.
— Town officials should develop comprehensive written procedures for managing and monitoring user accounts that include periodically reviewing user access and disabling or changing accounts when access is no longer needed.
Guilderland’s “Cyber Incident Prevention Policy” requires the deactivation of retired employees’ accounts, Barber writes, and the IT Department has procedures for managing and monitoring user access.
“There is a workflow in place with Human Resources for hiring and departing Town employees,” he writes. “The IT Department also requires periodic enhanced password changes … The Report does not mention these existing compensating controls for cyber incident prevention.”
Barber goes on to list two corrective actions. The first is that, during the audit, the IT Department immediately disabled all unneeded user accounts the report identified.
Second, the IT Department will review its policy and “will again require periodic review of user access and the disabling or changing of accounts when access is no longer needed” as well as having the updated policy reviewed and adopted by the town board.
— The Board should adopt an IT contingency plan and ensure it is distributed to all responsible parties, periodically tested and updated as needed.
— The IT Director should establish procedures to ensure backups are routinely tested.
Barber writes that “it does not appear” the town board formally adopted the “Nov. 15, 2022 Information System Contingency Plan” prepared by the IT Department, “which calls for the activation, notification, recovery, and reconstitution of the information system.”
The policy was developed in accordance with federal standards, he writes, and also requires periodic testing and regular backups.
“The Report does note the existing compensating controls for protecting the Town’s information system,” Barber writes. “The IT Director has also been discussing ‘sandbox’ test full restorations and disaster recovery testing with the Town’s failover servers.”
This refers to performing a complete data or system recovery simulation in an isolated, secure test environment — a sandbox — so there is no risk to the live, operational system.
Barber notes Gregory’s credentials and writes, “IT staff also regularly attend seminars on best practices for contingency plans and incorporate them into its management of IT services.”
Barber lists two corrective actions: The IT Department will review its contingency plan for updating and distribute it “to all responsible parties” as well as having the plan reviewed and adopted by the town board.
Second, Barber said, Guilderland is working with Albany County’s IT Disaster Recovery Center on conducting disaster recovery testing.
