A Performance Audit
An Audit Report on Cybersecurity at the School for the Deaf
February 2019
Summary Analysis
The School for the Deaf (School) should strengthen its information security program to meet statutory requirements and the Department of Information Resources’ (DIR) information security standards. The School did not adequately establish and document its information security policies, standards, and procedures, and it did not perform the required risk assessment of its information systems.
As a result, the School did not implement certain information security controls in accordance with statute and DIR’s minimum standards. Specifically, the School did not implement controls to ensure that external service providers meet its information security requirements. Auditors also identified significant weaknesses in the School’s controls over access to its information systems. The identified weaknesses place the School’s data at risk of unauthorized or inappropriate access, use, and modification.
In addition, auditors identified areas for improvement related to the School’s controls over its system configurations; system development and change management; and incident detection, response, and recovery planning.
The School should develop appropriate information security policies, standards, and procedures as required by DIR’s minimum standards. To facilitate the development of those policies, standards, and procedures, the School should implement certain information security processes, including classifying its data, performing a risk assessment, and establishing a training program to increase the School’s understanding of information security risks and DIR’s requirements.
The School relies on external service providers for its IT needs, including cloud-based services and products. However, it has not developed related policies and procedures to ensure that those providers meet the School’s information security requirements. Those policies and procedures should include (1) an evaluation of information security during the planning process to acquire and implement services and products and (2) monitoring of providers’ compliance with security requirements.
The School did not adequately establish and document its system configurations, and it did not develop and implement processes, policies, or procedures to manage development of and changes to its information systems as required by DIR’s minimum security standards.
Auditors identified significant weaknesses in the School’s controls over access to its information systems. To minimize security risks, auditors communicated details about the identified weaknesses related to access separately to the School in writing.
Auditors assessed controls over the School’s network and physical security and its incident detection, response, and recovery planning. While the School had some security controls in place, it should strengthen certain controls in those areas. To minimize security risks, auditors communicated details about the identified weaknesses separately to the School in writing.