[read complete report - pdf]

Audit Objective

Determine whether District officials established adequate controls to help prevent and properly respond to a malicious attack of the District’s Information Technology (IT) system.

Key Findings

• The Board did not appoint a Chief Information Officer responsible for all IT matters.
• The Board did not adopt a disaster recovery plan.
• The District’s IT Department did not provide employees and officials with IT security awareness training.

Key Recommendations

• Consider appointing a Chief Information Officer to be responsible for ensuring computerized data is secure, identifying and recommending technology solutions to the Board, ensuring IT users are appropriately trained and supervising IT Department staff.
• Adopt a disaster recovery plan.
• Ensure that computer users receive IT security awareness training and follow up training when District IT policies are updated.

District officials disagreed with certain findings in our report. Our comments on issues raised in the District’s response are included in Appendix B.