Audit Objective
Determine whether City of Lackawanna (City) officials properly implemented information technology (IT) security controls to safeguard the network against unauthorized access or disruption.
Key Findings
City officials did not establish adequate controls to safeguard the network against unauthorized access or disruption.
- City officials did not regularly review, identify and disable unnecessary network user accounts. As a result, 14 unnecessary generic network user accounts and 26 usernames associated with inactive or former employee accounts were not disabled.
- City officials have not developed written IT policies and did not provide users with IT security awareness training.
- City officials have not developed a written IT contingency plan.
Sensitive IT control weaknesses were communicated confidentially to officials.
Key Recommendations
- Develop written policies and procedures for managing network access and disable unnecessary network user accounts.
- Provide periodic IT security awareness training to all personnel who use IT resources.
- Develop a comprehensive written IT contingency plan.
City officials agreed with our recommendations and indicated they planned to initiate corrective action.