Information Systems: Reviewing Specific IT Security Controls Across State Agencies and School Districts [July 2023]
Description
This audit determined whether selected state agencies and school districts adequately complied with certain IT security standards and best practices. State agencies must follow state IT security standards to protect sensitive information against data loss and theft. Local entities are not required to follow the state's policies.
9 of 15 entities we audited did not substantively comply with IT standards and best practices in at least 2 of 3 subject areas we evaluated. Specifically, 8 of 15 entities did not substantively comply with selected security awareness training controls. 10 of 15 entities did not substantively comply with selected account security controls. Lastly, 8 of 15 entities did not substantively comply with selected incident response controls. The findings demonstrate a poor "tone at the top" at many entities, meaning a lack of top management oversight and supervision.