Audit Objective
Determine whether OnTECH Charter High School (School) officials ensured information technology (IT) systems were adequately secured and protected against unauthorized use, access and loss.
Key Findings
School officials did not ensure IT systems were adequately secured and protected against unauthorized use, access and loss. In addition to sensitive IT control weaknesses that were communicated confidentially to officials, the Board of Trustees (Board) and officials did not:
- Adequately manage user accounts and permissions. As a result, the six computers tested had unneeded user accounts and unnecessary administrative permissions.
- Monitor Internet usage for compliance with the School’s Acceptable Use Policy (AUP). As a result, there is an increased risk of School computers being exposed to malicious software.
- Develop and adopt an IT contingency plan and provide staff with IT security awareness training. As a result, the School has an increased risk that its IT systems, including their hardware, software and data containing personal, private and sensitive information (PPSI), may be exposed, damaged or lost.
Key Recommendations
- Develop and enforce written procedures for managing user accounts.
- Provide security awareness training and ensure staff comply with the AUP.
- Develop, adopt, distribute, and periodically update and test a comprehensive IT contingency plan.
School officials agreed with our recommendations and indicated they have initiated or plan to initiate corrective action.