Town of Woodstock - Information Technology (2018M-211)

Issued Date
February 22, 2019

Audit Objective

Determine whether Town officials ensured the Town’s Information Technology (IT) systems were adequately secured and protected against unauthorized use, access and loss.

Key Findings

  • Employees accessed nonbusiness websites although it is prohibited by policy.
  • Officials did not adopt a breach notification, security management or written disaster recovery plan.
  • Employees were not provided with security awareness training.

In addition, sensitive IT control weaknesses were communicated confidentially to Town officials.

Key Recommendations

  • Design, implement and enforce procedures to monitor the use of IT resources, including personal use.
  • Adopt written IT policies and procedures to address breach notification, disaster recovery and security management.
  • Provide IT security awareness training to personnel who use IT resources.

Town officials agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.