Audit Objective
Determine whether information technology (IT) assets are properly safeguarded, secured and accessed for appropriate District purposes.
Key Findings
- District officials did not provide IT cybersecurity awareness training for individuals who used District IT assets.
- Personal Internet use was found on computers assigned to four employees who routinely accessed personal, private and sensitive information (PPSI).
In addition, sensitive IT control weaknesses were communicated confidentially to District officials.
Key Recommendations
- Provide periodic IT cybersecurity awareness training.
- Provide adequate oversight of employee Internet use to ensure it complies with Board policies and regulations.
District officials generally agreed with our recommendations and indicated they planned to initiate corrective action. Appendix B includes our comment on the District’s response.