Audit Objective
Determine whether information technology (IT) assets are properly safeguarded, secured and accessed for appropriate School purposes.
Key Findings
- The Board has not adopted adequate IT security policies and School officials do not have formal procedures to address breach notification, disaster recovery, data backup, password security management, IT asset inventory and user access rights.
- We identified inappropriate or questionable computer use on six computers.
In addition, sensitive IT control weaknesses were communicated confidentially to School officials.
Key Recommendations
- Adopt written IT policies and procedures to address breach notification, disaster recovery, backups, password security management, IT asset inventory and to address individual user access rights.
- Provide IT cybersecurity awareness training to personnel who use the School’s IT resources.
In addition, we confidentially communicated key IT recommendations to School officials.
School officials agreed with our recommendations and indicated they planned to initiate corrective action.