Issued Date
August 09, 2019
Audit Objective
Determine whether the Town Board ensured the Town’s IT systems were adequately secured and protected against unauthorized use, access and loss.
Key Findings
- Personal Internet use was found on computers assigned to 10 employees who routinely accessed personal, private and sensitive information.
- Town officials did not provide IT security awareness training for individuals who used Town IT assets.
- Town Board and officials did not develop comprehensive IT policies or procedures.
Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.
Key Recommendations
- Provide adequate oversight of employee Internet use to ensure it complies with Board policies.
- Provide employees with annual IT security awareness training.
- Adopt comprehensive IT policies that address acceptable use, IT security awareness training, breach notification and disaster recovery planning and communicate all IT policies to officials, employees and the IT consultant.
District officials generally agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.