[read complete report - pdf]

Audit Objective

Determine whether Town officials ensured the Town’s information technology (IT) systems were adequately secured and protected against unauthorized use, access and loss.

Key Findings

• The Board did not adopt adequate IT policies or a disaster recovery plan.
• Town officials did not have a service level agreement (SLA) with the IT consultant.
• Town officials did not provide IT security awareness training to staff.

Sensitive IT control weaknesses were communicated confidentially to officials.

Key Recommendations

• Adopt comprehensive IT policies and a disaster recovery plan.
• Enter into an SLA with the IT consultant for all services to be provided that sufficiently defines the roles and responsibilities of each party and addresses confidentiality and protection of personal, private and sensitive information (PPSI).
• Provide periodic IT security awareness training to all employees who use IT resources.

Town officials agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.