The purpose of this audit was to determine whether the Department of Information Technology (DIT) has established and implemented key objectives of information technology (IT) governance and security management in accordance with state policies and best practices. The audit found that DIT’s risk assessment process did not consider risks other than security and availability to ensure that risks posed to the State’s IT operations and assets, and risks from third-party service providers, were identified, evaluated, mitigated, and monitored. Additionally, DIT did not monitor contracts with third parties hosting data outside of the State’s data center to ensure vendors’ performance was sufficient and in compliance with contract requirements. Details about each item are provided in the “Findings and Recommendations” and “Response from Department of Information Technology” sections of the report. DIT management agreed with our findings and recommendations.
