Audit Objective
Determine whether Town officials ensured the Town’s Information Technology (IT) systems were adequately secured and protected against unauthorized use, access and loss.
Key Findings
- Employees accessed nonbusiness websites even though Town policy prohibits doing so.
- Officials did not adopt a data classification, breach notification or online banking policy or a written disaster recovery plan.
- Employees were not provided with IT security awareness training.
In addition to this public report, sensitive IT control weaknesses were communicated confidentially to Town officials.
Key Recommendations
- Design, implement and enforce procedures to monitor the use of the Town’s IT resources, including personal use.
- Adopt written IT policies and procedures to address data classification, breach notification, online banking and disaster recovery.
- Provide IT security awareness training to personnel who use IT resources.