Issued Date
September 27, 2019
Audit Objective
Determine whether the Board and District officials ensured District information technology (IT) assets and computerized data were safeguarded.
Key Findings
- The Board and District officials did not monitor computer use policies or adopt adequate IT security policies.
- District officials did not develop procedures for managing, limiting and monitoring user accounts and permissions and securing personal, private and sensitive information (PPSI).
- District officials did not provide IT security awareness training for District employees.
In addition, sensitive IT control weaknesses were communicated confidentially to District officials.
Key Recommendations
- Adopt and monitor comprehensive IT security policies.
- Develop comprehensive procedures for managing, limiting and monitoring user accounts and permissions and securing PPSI.
- Provide periodic IT security awareness training to personnel who use IT resources.
District officials generally agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.