Issued Date
December 20, 2019
Audit Objective
Determine whether the Board and District officials adequately safeguarded data from potential abuse or loss.
Key Findings
- District officials did not adequately manage user accounts and their user permissions. For example, former employees and an unknown person had active accounts, and administrative permissions were granted to individuals who did not need these rights. In two instances, officials did not know why the users had excessive permissions.
- Officials did not provide IT security awareness training to employees, and the Board did not establish a disaster recovery plan.
In addition, sensitive information technology (IT) control weaknesses were communicated confidentially to District officials.
Key Recommendations
- Periodically review enabled user accounts to ensure they are still needed and limit administrative permissions to those users who need them to perform their job functions.
- Provide employees with formal IT security awareness training and adopt a disaster recovery plan.
District officials agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.