Data Governance Audit - Orange County Public Schools


Data Governance Audit
Internal Audit Report
June 24, 2020
Linda J. Lindsey, CPA, CGAP, Senior Director
Luis E. Aponte Santiago, CISA, IT Auditor

Table of Contents (Page Number)
EXECUTIVE SUMMARY ........ 1
DEFINITIONS ........ 2
BACKGROUND ........ 2
OBJECTIVE, SCOPE, AND METHODOLOGY
RESULTS AND RECOMMENDATIONS

Data Governance Internal Audit Report

EXECUTIVE SUMMARY

Why We Did This Audit
Our objective was to evaluate the District's Data Governance Management as compared to industry's best practices. Effective data governance is designed to ensure that an organization has the right data available at the right time and that the data is accurate and in the correct format required to satisfy specific business needs. This audit was included in the 2019-2020 Annual Audit Plan.

Observations and Conclusion
We evaluated Data Governance maturity level based on the IBM Maturity Model. The model identifies 11 domains of the data governance function, with scoring from 1 to 5 on each domain. The overall score was 2.36, with the domain that scored highest being Information Security and Privacy with a 4. The domains that scored lower were Data Risk Management and Compliance, Value Creation, and Audit Information, Logging and Reporting, with scores of 1. A graphic with more details is in the report.

We evaluated data governance in four areas as listed below:
1) Data Governance Policies
2) Data Governance Strategy
3) Unknown applications, devices, and networks
4) Data Governance Feedback

Audit Results at a Glance

Risk / Impact Rating | IA - Internal Audit or M - Management | D - Deficiency or O - Opportunity
Significant          | –                                     | –
Moderate             | IA – 1                                | D – 1
Minor                |                                       |

Results and Recommendations
Based on the results of our audit, we made the following recommendation:
Complete development of the Business Impact Analysis (BIA) and Risk Assessment (RA) to include an inventory of all mission critical systems and assets of the District, as well as other significant information, and add wording to the School Board Policy EHB Data and Records Retention to reflect how the District manages non-student electronic files and records.

This report has been discussed with management and they have prepared their response which follows.
Page 1 of 6

DEFINITIONS:

Risk / Impact Ratings
Minor: Low risk with a financial impact of less than one percent and/or an isolated occurrence limited to local processes (low impact and low likelihood)
Moderate: Slight to moderate risk with a financial impact between one and five percent and/or a noticeable issue that may extend beyond local processes (low impact and high likelihood, or high impact and low likelihood)
Significant: High risk with a financial impact greater than five percent and/or a significant issue that occurs in multiple processes (high impact and high likelihood)

Observations Categories
Deficiency: A shortcoming in controls or processes that reduces the likelihood of achieving goals related to operations, reporting and compliance
Opportunity: A process that falls short of best practices or does not result in optimal productivity or use of resources

Criteria for Observations Sourced to Management
- Internal audit was informed of the issue prior to starting detailed testing
- Management identified, evaluated, and communicated the issue to appropriate levels of the district
- Management has begun corrective action with clear, actionable plans and targeted completion dates

None of the observations resulting from this audit were sourced to management.

BACKGROUND:

Data governance is a wide set of management and technical disciplines designed to ensure that an organization has the right data available at the right time and that the data is accurate and in the correct format required to satisfy specific business needs.

OBJECTIVES, SCOPE AND METHODOLOGY:

Objective
Evaluate the District's Data Governance Management as compared to best practices to determine the maturity level on the subject.

Scope
Assess the District's current Data Governance stance.

Methodology
Our audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing of the Institute of Internal Auditors and included such procedures as deemed necessary to provide reasonable assurance regarding the audit objective. Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. We are required to note any material deficiencies in accordance with Florida Statutes, School Board Policy and sound business practices. We also offer suggestions to improve controls or operational efficiency and effectiveness.

Due to the COVID-19 pandemic and the changing work environment during this period, the ITS department's priority was to take care of staff and students. Because of this, our audit approach used four questionnaires covering the risks addressed by this audit, as listed below.

1) Data Governance Policies
2) Data Governance Strategy
3) Unknown applications, devices and networks
4) Data Governance Feedback

We also interviewed personnel from the ITS Department and the District's Records Office.

AUDIT RESULTS & RECOMMENDATIONS:

Data maturity models help organizations understand their data capabilities, identify vulnerabilities, and know in which particular areas employees need to be trained for improvement. They also help organizations compare their progress among their peers. As part of this audit, we assessed the district's maturity across 11 domains (functions) of data governance using a five level scale. Our evaluation was based on an IBM Data Governance Maturity Model.

Definitions of Domains:
- Policy: a description of the desired organizational behavior(s)
- Data risk management and compliance: the methodology by which risks are identified, qualified, and quantified, avoided, accepted, mitigated or transferred
- Organizational structure and awareness: description of the level of mutual responsibility between the organization and IT, and the recognition of the fiduciary responsibility to govern data at different levels of management
- Stewardship (Management): a quality control discipline designed to ensure custodial care of data for asset enhancement, risk management, and organizational control

- Data quality management: methods to measure, improve and certify the quality and integrity of production, test, and archival data
- Information security and privacy: the policies, practices and controls used by the organization to mitigate risk and protect data assets
- Data architecture: the architectural design of structured and unstructured data systems and applications that enables data availability and distribution to appropriate users
- Classification and metadata: the methods and tools used to create common definitions for business and IT terms, data models, data types, and repositories (metadata that bridges human and computer understanding)
- Information lifecycle management: a systematic policy-based approach to information collection, use, retention, and deletion
- Value creation: the process by which data assets are qualified and quantified to enable the business to maximize the value created by data assets
- Audit information, logging, and reporting: the organizational processes for monitoring and measuring the data value, risks, and efficacy of governance

Definitions of Levels of Maturity [1]
- Level 1: Initial: there is little to no awareness of the importance of data and there are no set standards for managing data
- Level 2: Managed: the importance of data in the organization is realized
- Level 3: Defined: data regulation and management guidelines are defined better and are integrated with the organization's processes
- Level 4: Quantitatively Managed: measurable quality goals are set for each project, data process, and maintenance
- Level 5: Optimizing: data governance becomes an enterprise-wide effort that improves productivity and efficacy

The scores for each domain are as follows:

Domain                                   | Score
Policy                                   | 3
Data Risk Management & Compliance        | 1
Organizational Structure & Awareness     | 3
Stewardship (Management)                 | 2
Data Quality Management                  | 3
Information Security & Privacy           | 4
Data Architecture                        | 3
Classification & Metadata                | 2
Information Lifecycle Management         | 3
Value Creation                           | 1
Audit Information, Logging & Reporting   | 1

Our evaluation of each domain's maturity level was based on this 1 to 5 scale, according to the ITS Department's responses to our audit inquiries.

1) The Business Impact Analysis (BIA) and Risk Assessment (RA) are not yet complete, and School Board Policy EHB (Data and Records Retention) does not reflect how the District manages non-student electronic files and records. Moderate risk

Best Practice:
Having an up-to-date BIA helps organizations arrange their information and data sets according to criticality and business needs. Also, an organization's data and records retention policy should address how electronic files and electronic records are being managed, handled, and disposed.

Audit Result:
According to the ITS Senior Director of Information Security, they have classified data according to National Institute of Standards and Technology (NIST) and the Federal Information Processing Standards (FIPS), but that data is not addressed in a BIA because it hasn't yet been developed. It is important for the ITS department to have a BIA to provide a much clearer and prioritized view of what information is critical to the District. As a result, they haven't produced a report after the inventory is completed. Instead, they plan to conduct a RA and the BIA by the end of 2020 to reflect not only an inventory count of mission critical systems and assets, but the data each of these hosts manages, stores, or transmits.

In addition, School Board Policy EHB should include a statement [2] that says which Florida statute or law the District uses to manage, handle and dispose of non-student electronic files and records.

Recommendation:
Complete development of a BIA to include all data that is critical, and add a statement on the School Board Policy EHB indicating which Florida statute or law the District follows to manage, handle and dispose of non-student electronic files and records.

[2] Mention the statute for reference only (a link to the statute can be added too).

AUDIT RESPONSE MATRIX
FISCAL PERIOD OR AUDIT DATE: JUNE, 2020

Department / School Name: Information Technology Services
Administrator / Department Head: Russell Holmes
Cabinet Official / Area Superintendent: Robert Curran

Audit Result / Recommendation:
Complete development of the Business Impact Analysis (BIA) and Risk Assessment (RA) to include an inventory of all mission critical systems and assets of the District, as well as other significant information, and add wording to the School Board Policy EHB Data and Records Retention to reflect how the District manages non-student electronic files and records.

Management Response (Acknowledgement/Agreement of Condition):
ITS agrees that a Risk Assessment and Business Impact Analysis should be completed and findings reported and documented.

Responsible Person (Name & Title) and Target Completion Date (MM/YYYY):
Russell Holmes, Sr. Director of Information Security (08/2021)

Management's Action Plan:
A Risk Assessment was planned for in 2019 and kicked off/initiated in July of 2020. Once the Risk Assessment is completed, the Business Impact Analysis will be conducted on the results, as well as recommended procedures/security controls to reduce the District's risk profile.
