Audit Objective
Determine whether District officials ensured that the personal, private and sensitive information (PPSI) maintained on the District’s financial server was adequately protected from unauthorized access, use and loss.
Key Findings
District officials did not:
- Provide cybersecurity awareness training to all employees.
- Disable or remove unnecessary user accounts in a timely manner.
Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.
Key Recommendations
- Provide employees with periodic cybersecurity awareness training.
- Ensure user accounts are disabled or deleted as soon as they are no longer needed.
- Address the IT recommendations communicated confidentially.
District officials generally agreed with our recommendations and have initiated, or indicated they planned to initiate, corrective action.