[read complete report - pdf]

Audit Objective

Determine whether Village of Islandia (Village) officials ensured information technology (IT) assets were adequately protected from unauthorized access, use and loss.

Key Findings

Village officials did not ensure IT assets were adequately protected from unauthorized access, use and loss. Officials did not:

• Adopt breach notification, password and mobile and removable device IT policies or implement a comprehensive IT contingency plan.
• Monitor and enforce compliance with its acceptable computer use policy (AUP). As a result, we found five of the nine users we audited visited websites for nonbusiness purposes.
• Complete any IT security-related training or provide the opportunity for employees to receive this type of training.

Sensitive IT control weaknesses were communicated confidentially to officials.

Key Recommendations

• Adopt comprehensive IT policies and a comprehensive IT contingency plan.
• Design and implement procedures to monitor the use of IT resources and provide periodic IT security awareness training to all employees who use IT resources.

Village officials disagreed with certain aspects of our findings and recommendations but indicated they have initiated corrective action. Appendix B includes our comments on issues raised in the Village’s response letter.