Determine whether Board and School officials effectively managed information technology (IT) assets.
- The Board did not develop adequate IT policies and procedures.
- School officials did not provide IT security awareness training to employees.
- The Board did not develop a disaster recovery plan.
Sensitive IT control weaknesses were communicated confidentially to officials.

- Adopt written IT policies and procedures.
- Provide periodic IT security awareness training to personnel who use IT resources, including the importance of physical security and protection of personal, private and sensitive information (PPSI).
- Develop a disaster recovery plan.
- Address the IT recommendations communicated confidentially.
School officials disagreed with certain aspects of our findings and recommendations, but indicated they planned to initiate corrective action. Appendix B includes our comments on issues raised in the School’s response letter.