Audit Objective
Determine whether Town officials ensured that the personal, private and sensitive information (PPSI) on Town servers was adequately protected from unauthorized access, use and loss.
Key Findings
- Town employees did not comply with the computer use policy, and officials did not monitor compliance with it.
- Twenty of 66 user accounts were not necessary for Town operations.
- Town officials did not develop a breach notification policy, disaster recovery plan or a policy addressing PPSI.
Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.
Key Recommendations
- Monitor web and computer usage for compliance with policy.
- Develop written procedures for managing system access that include periodically reviewing user access and disabling or deleting user accounts when access is no longer needed.
- Develop and adopt comprehensive IT policies that address breach notification, disaster recovery and PPSI, and communicate all adopted IT policies to Town officials, employees and the IT consultant.
Town officials generally agreed with our findings and indicated they plan to initiate corrective action.