City of Middletown - Water System Cybersecurity (2019M-22)

Issued Date
November 27, 2019

[read complete report - pdf]

Audit Objective

Determine whether City officials adequately safeguarded electronic access to the City’s water system.

Key Findings

  • Officials did not have adequate policies and procedures to document employee IT security duties, provide guidance for using portable devices or require monitoring of networked water system devices.
  • Officials did not provide employees with IT security awareness training.

In addition, sensitive information technology (IT) control weaknesses were communicated confidentially to officials.

Key Recommendations

  • Develop and implement sufficient IT policies and procedures for the water system.
  • Provide IT security awareness training to City employees at least annually.

City officials agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.