Audit Objective
Determine whether officials ensured the Town’s information technology (IT) systems were adequately secured and protected against unauthorized use, access and loss.
Key Findings
- Personal Internet use was found on computers assigned to 10 employees, including four who routinely accessed personal, private and sensitive information (PPSI).
- Town officials did not adequately manage user accounts.
- The Board did not develop a disaster recovery plan.
Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.
Key Recommendations
- Provide adequate oversight of employee Internet use to ensure it complies with Board policies.
- Regularly review enabled user accounts and immediately disable user accounts when access is no longer needed.
- Develop and adopt a comprehensive disaster recovery plan, including backup procedures and offsite storage, and communicate the plan to officials and employees.
District officials generally agreed with our recommendations and indicated they had already initiated or planned to initiate corrective action.