Determine whether District officials ensured that the personal, private and sensitive information (PPSI) on District servers and in the financial system was adequately protected from unauthorized access, use and loss.
District officials did not:
- Provide cybersecurity awareness training to employees.
- Disable and/or remove unnecessary user accounts on the network.
- Properly manage PPSI data.
Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.
- Provide employees with periodic cybersecurity awareness training.
- Adopt policies and procedures for adding, deleting and modifying user access rights.
- Inventory, classify and develop controls over PPSI maintained and collected by the District.
District officials agreed with our recommendations and indicated they would initiate corrective action.