Town of Urbana – Access Controls (2022M-4)

Issued Date
May 13, 2022

[read complete report - pdf]

Audit Objective

Determine whether Town of Urbana (Town) officials properly configured network and computer user access controls to safeguard the Town’s IT systems.

Key Findings

Town officials (officials) did not adequately configure network and computer user access controls. In addition to sensitive IT control weaknesses that were communicated confidentially to officials, officials did not:

  • Adopt comprehensive written information technology (IT) policies and procedures addressing areas key to securing user access controls to minimize the risk of data loss.
  • Provide IT security awareness training.
  • Adequately manage network and local user accounts and permissions.
  • Enter into an adequate service level agreement (SLA) with the Town’s IT vendor or monitor compliance with this agreement.

Key Recommendations

  • Adopt comprehensive written IT security policies and procedures and ensure computer users receive comprehensive IT security awareness training.
  • Regularly review and update user accounts and permissions and disable those that are unnecessary.
  • Establish a detailed, clear and comprehensive SLA with the IT vendor to address the Town’s specific needs and expectations and the roles and responsibilities of all parties.

Town officials generally agreed with our findings and recommendations and indicated they planned to take corrective action.