Audit Objective
Determine whether the Board established policies and procedures to adequately safeguard information technology (IT) assets.
Key Findings
The Board did not:
- Adopt IT policies and procedures to adequately address acceptable computer use, user access rights, disaster recovery, password security management, data breach notification and backups.
- Provide users with security awareness training to help ensure their understanding of security measures to protect the network.
Town officials did not:
- Ensure user accounts for former personnel were disabled or removed in a timely manner.
Sensitive IT control weaknesses were communicated confidentially to officials.
Key Recommendations
- Adopt policies and procedures to adequately address acceptable computer use, user access rights, disaster recovery, password security management, data breach notification and backups.
- Ensure the access rights for users no longer employed are revoked.
- Provide security awareness training to personnel who use IT resources.
- Address the IT recommendations communicated confidentially.