[read complete final report - pdf]

Audit Objective

Determine whether Town of Minetto (Town) officials ensured information technology (IT) systems were adequately secured and protected against unauthorized use, access and loss.

Key Findings

Town officials did not ensure IT systems were adequately secured and protected against unauthorized use, access and loss. In addition to sensitive IT control weaknesses that were communicated confidentially to officials, the Town Board (Board) and officials did not:

• Provide IT security awareness training to all computer users.
• Adequately manage local user accounts and permissions. As a result, four of 10 computers had unneeded and unused local user accounts.
• Adopt written procedures for user accounts or a comprehensive written IT contingency plan to minimize the risk of data loss or suffering a serious interruption of service.

Key Recommendations

• Provide periodic IT security awareness training to all personnel who use Town IT resources.
• Ensure user accounts and permissions are regularly reviewed and unnecessary accounts are disabled in a timely manner.
• Adopt written procedures for user accounts and permissions and a comprehensive written IT contingency plan.

Town officials generally agreed with our findings and recommendations and indicated they planned to take corrective action.