Audit Objective
Determine whether Town officials ensured the Town’s Information Technology (IT) systems were adequately secured and protected against unauthorized use, access and loss.
Key Findings
- Employees accessed nonbusiness websites although such access is prohibited by policy.
- Officials did not adopt a breach notification, security management or written disaster recovery plan.
- Employees were not provided with security awareness training.
In addition, sensitive IT control weaknesses were communicated confidentially to Town officials.
Key Recommendations
- Design, implement and enforce procedures to monitor the use of IT resources, including personal use.
- Adopt written IT policies and procedures to address breach notification, disaster recovery and security management.
- Provide IT security awareness training to personnel who use IT resources.
Town officials agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.