Audit Objective
Determine whether the Board and District officials effectively managed the District’s information technology (IT) assets.
Key Findings
- The Board and District officials have not adopted adequate security policies and procedures to safeguard IT assets.
- Employees stored personal data, such as photos, videos and music, on District computers.
- District officials did not provide IT security awareness training for employees.
In addition, sensitive IT control weaknesses were communicated confidentially to District officials.
Key Recommendations
- Adopt comprehensive IT security policies, procedures and plans to safeguard IT assets and data.
- Ensure staff comply with the District’s policies related to personal use of IT assets.
- Provide periodic IT security awareness training to personnel who use IT resources.
District officials disagreed with certain aspects of our findings and recommendations, but indicated they have initiated corrective action. Appendix B includes our comments on issues raised in the District’s response letter.