Determine whether officials ensured information technology (IT) systems were adequately secured and protected against unauthorized use, access and/or loss.
- County Legislators did not monitor compliance with the County’s acceptable use policy, and did not adopt IT policies, including:
- Breach notification policy
- Disaster recovery plan
- Personal, private and sensitive information (PPSI) policy.
- County officials did not provide cyber security training to IT personnel and County employees.
Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.
- Adopt comprehensive IT policies, communicate them to all employees, and review and update routinely or when significant changes in the environment occur.
- Provide adequate cyber security training to IT personnel and County employees.
County officials agreed with our findings and indicated they plan to initiate corrective action.