Comptroller warns Johnstown of lax cyber security; State audit shows inappropriate computer use

The New York State Comptroller’s Office has determined City of Johnstown officials have placed the local government in danger of lawsuits, disruption of operations and cyber security breaches due to inadequate Information Technology policies.

The Comptroller released findings from its Jan. 1, 2019 to Jan. 15, 2020 audit of the city’s IT practices on March 26.

The Comptroller found the city of Johnstown paid an IT company $92,309 for services during the audit period, even though the city had no formal written contract with the company and city officials seemingly had little understanding of how the money was being spent.

“City officials have relied on an IT provider for IT services, technical assistance and purchase of IT equipment, as needed, for over 10 years without a written contract or [Service-level-agreement] SLA,” reads the Comptroller’s report. “The Council did not negotiate a written contract with its IT service provider and officials did not enter into an SLA with the provider to identify the specific services to be provided or the provider’s responsibilities.”

The state Comptroller’s Office has determined the City of Johnstown paid a $1,250 monthly service fee for its IT services, but details about how that money was spent were not forthcoming from city officials.

“Except for two four-hour on-site visits each month, officials were unable to identify the services included in the monthly fee,” reads the Comptroller’s report. “As a result of our inquiry, the IT provider gave the Treasurer a written list of services included and not included in this fee.”

The list of services included in the Comptroller’s audit of Johnstown’s IT spending is as follows:

• $37,138 for equipment and supplies

• $18,829 for software renewals and warranty

• $15,000 for monthly services

• $9,717 for technical support

• $5,355 for software services

• $4,018 for hardware installation

• $2,252 for backup services.

“City officials were given an opportunity to respond to our findings and recommendations within 30 days of the exit conference, but they did not respond,” reads the Comptroller’s report.”

Members of the Common Council did not…