[read complete report - pdf]

Audit Objective

Determine whether City of Johnstown (City) officials safeguarded information technology (IT) resources to ensure personal, private and sensitive information (PPSI) was protected.

Key Findings

City officials did not adequately safeguard IT resources to ensure PPSI was protected. The failure to protect PPSI can have significant consequences on the City, such as reputation damage, lawsuits, a disruption in operations or a security breach. City officials did not:

• Develop adequate IT policies and procedures or provide IT security awareness training.
• Have a complete and accurate IT asset inventory.
• Properly manage user accounts or ensure unneeded administrative and user accounts were disabled.
• Have a written contract or service level agreement (SLA) with the IT service provider to define responsibilities.
• Develop or adopt a disaster recovery plan to minimize the risk of data loss or suffering a serious interruption of services.

Sensitive IT control weaknesses were communicated confidentially to officials.

Key Recommendations

• Develop adequate IT policies and procedures.
• Enter into a written contract with the IT provider.
• Develop and adopt a comprehensive written disaster recovery plan.

City officials were given an opportunity to respond to our findings and recommendations within 30 days of the exit conference, but they did not respond.