Audit Objective
Determine whether Cayuga County (County) officials ensured electronic data containing personal, private, and sensitive information (PPSI) on County-owned Public Health Department (Department) devices was adequately protected from unauthorized access and use.
Key Findings
County officials did not adequately protect the Department’s electronic data containing PPSI. In addition to sensitive information technology (IT) control weaknesses communicated confidentially to officials, we found:
- Electronic data containing PPSI on 32 of the 61 County-owned Department IT devices we examined, in violation of County policies.
- County officials have not established a County-wide data classification schematic and have not inventoried PPSI in their possession.
- County officials and IT staff did not establish formal written procedures to help adequately secure PPSI.
Key Recommendations
- Ensure IT policies and procedures are consistently and appropriately followed.
- Establish a data classification inventory that assigns the appropriate security level to each type of data.
- Develop formal written procedures to help ensure PPSI is adequately secured.
County officials agreed with our recommendations and indicated they planned to initiate corrective action.