Determine whether Town of Hempstead (Town) officials established adequate access controls to help safeguard Town information technology (IT) systems against unauthorized access.
Town officials did not establish adequate access controls to help safeguard IT systems against unauthorized access.
The Board and Town officials did not:
- Develop and adopt comprehensive IT policies and procedures addressing key IT security issues, such as breach notification, and those related to acceptable computer use, protection of PPSI, application and network controls, password security, and user access controls.
- Provide IT security awareness training to all IT users, so they understand IT security measures and their roles in safeguarding data and IT assets.
In addition, sensitive IT control weaknesses were communicated confidentially to officials.
The Board should:
- Adopt comprehensive IT security policies and procedures, and periodically review them.
- Provide periodic IT security awareness training.
District officials agreed with our recommendations and indicated that they were in the process of implementing corrective action.