Determine whether Village officials adequately safeguarded Village information technology (IT) assets.
The Board did not:
- Develop adequate IT policies and procedures.
- Enter into a written agreement with the IT vendor for services provided to the Village.
- Provide IT security awareness training to employees.
In addition, sensitive IT control weaknesses were communicated confidentially to Village officials.
The Board should:
- Adopt comprehensive IT security policies, periodically review and update all IT policies and procedures to reflect changes in technology and the Village’s computing environment, and stipulate who is responsible for monitoring all IT policies.
- Enter into a professional service contract with the IT vendor that sufficiently defines the role and responsibilities of each party, includes all services to be provided, and addresses confidentiality and protection of personal, private and sensitive information (PPSI).
- Provide periodic IT security awareness training to personnel who use IT resources, including the importance of maintaining physical security and protecting PPSI.
District officials generally agreed with our findings and indicated they plan to initiate corrective action.