Audit Objective
Determine whether District officials ensured employees’ personal, private, and sensitive information (PPSI) was adequately protected from unauthorized access, use and loss.
Key Findings
- District officials did not provide IT security awareness training to all employees.
- District officials did not develop procedures for managing, limiting and monitoring user accounts and permissions and securing personal, private and sensitive information.
- The District did not have a disaster recovery plan.
Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.
Key Recommendations
- Provide periodic IT security awareness training to all employees who use IT resources.
- Develop written procedures for managing access to the network and financial application.
- Develop and adopt a disaster recovery plan.
District officials agreed with our recommendations and indicated they had already taken or planned to take corrective action.