Audit Objective
Determine whether Union Springs Central School District (District) officials established adequate controls to safeguard personal, private and sensitive information (PPSI) on mobile computing devices (MCDs).
Key Findings
District officials did not adequately safeguard MCDs to help prevent unauthorized access to PPSI. In addition to sensitive information technology (IT) control weaknesses that were communicated confidentially to officials, we found:
- District officials did not establish sufficient procedures, such as establishing a District-wide data classification matrix and inventorying PPSI in their possession, to help ensure the proper safeguarding of PPSI on MCDs.
- Fourteen of the 20 District-owned MCDs we examined contained PPSI that was not adequately safeguarded.
Key Recommendations
District officials and IT staff should:
- Develop comprehensive written procedures to help ensure PPSI on MCDs is adequately protected, which outline proper access, transmission, storage and use of PPSI.
- Establish a data classification matrix that assigns the appropriate security level to each type of data, then conduct an inventory of PPSI stored on electronic devices, and ensure this list is updated on an ongoing basis.
District officials generally agreed with our recommendations and indicated they plan to initiate corrective action.