Issued Date
February 21, 2020
Audit Objective
Determine whether personal, private and sensitive information (PPSI) on, or accessed through, the District’s information technology (IT) system was properly safeguarded.
Key Findings
- District officials did not provide formalized IT security awareness training for individuals who used the District’s IT assets.
- Personal Internet use was found on computers assigned to employees who routinely accessed PPSI.
- Network and application user accounts were not properly managed.
In addition, sensitive information technology control weaknesses were communicated confidentially to District officials.
Key Recommendations
- Provide periodic IT security awareness training.
- Develop and implement written administrative regulations to further define the District’s acceptable use policy guidelines.
- Develop comprehensive written procedures for managing network and application user accounts.
District officials agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.