[read complete report - pdf]

Audit Objective

Determine if personal, private and sensitive information (PPSI) on, or accessed by, the School’s information technology (IT) assets is properly safeguarded, secured and accessed for appropriate School purposes.

Key Findings

• Personal computer and Internet use was found on seven computers.
• Virus scanning was either not activated or not up-todate on three computers.
• PPSI was not classified and monitored to ensure protection from unauthorized access.

In addition, sensitive IT control weaknesses were communicated confidentially to School officials.

Key Recommendations

• Provide IT cybersecurity awareness training to employees who use IT assets and periodically monitor their use in accordance with the acceptable use policy.
• Ensure that virus protection is installed, activated and up-to-date on all computers.
• Classify PPSI to ensure its appropriate safeguarding.

School officials agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.