City of Yonkers – Information Technology (2017M-86)

Issued Date
August 11, 2017

Purpose of Audit

The purpose of our audit was to determine whether City officials established adequate internal controls over information technology (IT) assets for the period June 30, 2014 through November 30, 2016.

Background

The City of Yonkers is the fourth largest city in New York State, with a population of more than 200,000. The City is governed by an elected seven-member City Council. Budgeted appropriations for 2016-17 totaled approximately $1.1 billion.

Key Findings

  • The IT department’s acceptable computer use policy was not signed or acknowledged by all employees.
  • City officials have not classified personal, private and sensitive information (PPSI) based on its level of sensitivity and the potential impact should that data be disclosed, altered or destroyed without authorization.
  • City officials did not ensure that employees received adequate cyber security training.
  • City officials have not adopted a breach notification policy or a disaster recovery plan.

Key Recommendations

  • Update the City’s acceptable use policy and ensure that all users of the City’s IT assets have signed acknowledgement forms on file.
  • Adopt policies and procedures for breach notification and PPSI protection.
  • Ensure all network users receive IT security training.
  • Develop a formal disaster recovery plan to maintain or restore critical operations as quickly as possible in the event of a disaster. The plan should be distributed to all responsible parties, periodically updated and tested as needed.