![3 Year Summary of Security Controls in Selected State and Local Entities (2020-2022) [December 2022]](https://is1-ssl.mzstatic.com/image/thumb/Podcasts211/v4/2f/2f/0d/2f2f0de1-9ed8-1b08-1733-31230f2e8339/mza_11348873077500675685.jpg/400x400bb.jpg "3 Year Summary of Security Controls in Selected State and Local Entities (2020-2022) [December 2022]")
3 Year Summary of Security Controls in Selected State and Local Entities (2020-2022) [December 2022]
Description
We completed 21 audits on 16 agencies and 4 school districts between CY 2020 and 2022 (1 entity was audited twice during this time period). This summary report shows 10 of the 21 entities did not substantially comply with applicable IT security standards and best practices. Entities struggled with properly scanning and patching their computers. Entities also had compliance problems because they did not create, maintain, or test incident response plans or continuity of operations plans. Other significant issues included poor security awareness training or failed social engineering tests. Almost half the entities had significant management, contract, or policy-related weaknesses. Additional security weaknesses included inadequate account security controls, poor encryption, back up, or destruction processes of sensitive data. We also noted several entities had inadequate network boundary protection or had poor access or environmental controls for their data centers. Lastly, we identified significant security issues within agencies’ specific IT systems. The findings in this report are similar to those in previous summary IT reports. The main reasons for compliance problems across the 20 entities included insufficient top management attention and inadequate resources.
United States
