No alarming revelations in report on file access
There were no bombshell revelations in a report released earlier this month of an investigation into allegations that Ulster County Comptroller Elliott Auerbach and former County Executive Michael Hein gained unauthorized access to each other’s computer servers last year.
The report did find that employees in the Comptroller’s Office and Information Services Department accessed the files on each other’s computer drives, and it found there was little in the way of county policy to prevent that access.
“The county’s current policy is vague and is lacking many necessary key internal controls, such as the details related to authorization of access,” Eisner-Amper LLP wrote in its report to the Legislature’s Ways and Means Committee
The Ways and Means Committee hired New
York City-based Eisner-Amper to look into allegations regarding the Hein administration and Auerbach. Committee members discussed the report during a meeting on Feb. 13.
The report — which covered activity between May 7 and Oct. 19, 2018 — was given to lawmakers in October, but the committee declined to make the document public at the time, saying it still was in draft form.
The report found that, between 2016 and 2018, three computers assigned to two users accessed county Finance Department files numerous times. That occurred
after the Information Services Department, responding to a support ticket because it could not access the comptroller’s network share, gave the Comptroller’s Office unfettered access to Finance Department files that had not previously been open to that office.
The report did not provide any information that would have shown the Comptroller’s Office had been given authorization by the Hein administration to go into those files, only that the access had been given by the Information Services Department.
In a reviewing computer usage reports, known as Varionis Reports, provided by the Information Services Department, Eisner-Amper
said it found that on a single date in May, a user from the Comptroller’s Office opened eight files that were outside the shared comptroller-Finance Department folder. It found that on July 9, someone from the Comptroller’s Office attempted to open two files, also outside that shared folder, but was unable to gain access.
It also found that between March 30 and July 28, a user from the Information Services Department accessed 48 files on the comptroller’s server and that between June 28 and July 25, an Information Services employee accessed the comptroller’s files 168 times.
According to a July 25, 2018, memo written by Jose DeLeon, the county’s Information Services director
and security officer, his office began investigating the alleged unauthorized access of Finance Department files in May 2018 after one of his employees discovered the comptroller’s staff was allegedly going into files that it wasn’t supposed to access.
A report from DeLeon found that between March and May of 2018, three employees in the Comptroller’s Office accessed dozens of Finance Department files hundreds of times.
Not surprisingly, both the Comptroller’s Office and the county’s executive’s administration viewed the report as vindication of their claims, and not all legislators were satisfied with the results of the investigation.
Following the Ways and Means Committee meeting,
Auerbach said the report showed what he has contended all along: that his employees were accessing files to which they had been given access.
Deputy County Executive Mark Rider said the report showed the Comptroller’s Office had been “routinely exploiting unauthorized access to the electronic files of another department.” He also said “access does not equate to authorization.”
Legislator Richard Gerentine, who led the Ways and Means Committee when the report was commissioned, said he found the final report to be lacking.
“I wanted different questions answered,” said Gerentine, R-Marlborough. “Unfortunately they weren’t.”
Gerentine said he specifically wanted to know whether there was fault involved and, if so, who was at fault.
Legislator Kathy Nolan, D-Shandaken, also was critical of the report, saying it didn’t take into consideration any of the findings of the Information Services Department investigation. Without that information, the Eisner-Amper report tells “less than half the story,” she said.
Ways and Means Committee Chairwoman Lynn Archer, D-Accord, said the Legislature will use the report to formulate policies that will better protect the county’s computer systems and prevent similar situations from occurring in the future.