Purpose

To determine the extent of implementation of the two recommendations included in our initial audit report, Security Over Critical Information Systems (Report 2016-S-69).

Background

Our initial audit report, which was issued on July 19, 2017, determined whether the security controls over critical State Education Department (Department) information systems were sufficient to minimize the various risks associated with unauthorized access to these systems and their associated data. The audit covered the period September 29, 2016 through March 30, 2017.  We determined that, although the Department had taken a number of steps to secure its critical information systems and associated data, there was still a risk that unauthorized persons could access these systems.  We found the Department had not taken fundamental steps to secure its critical systems, such as completing a full data classification process, adopting adequate information security policies and procedures, and improving certain technical controls over its critical systems.

Key Finding

• Department officials have not made significant progress in correcting the problems we identified in the initial report.  Of the two recommendations, one has been partially implemented and one has not been implemented.

Key Recommendation

• Officials are given 30 days after the issuance of the follow-up review to provide information on any actions that are planned to address the unresolved issues discussed in this review.

Other Related Audit/Report of Interest

State Education Department:  Security Over Critical Information Systems (2016-S-69)