HomeMy WebLinkAbout2021 May 20 - Follow-Up Report: County of Hawaii Information Technology Asset Management
Follow-up Audit Report
County of Hawaii seal
County of Hawaii Office of the County Auditor
County of Hawaii Information Technology Asset Management
May 20, 2021
Maxinne Pacheco
Acting County Auditor
County of Hawaii seal
OFFICE OF THE COUNTY AUDITOR
25 Aupuni Street Hilo, Hawaii 96720 telephone number (808) 961-8386 Fax (808) 961-8905
website: http://hawaiicounty.gov e-mail: countyauditor@hawaiicounty.gov
Business Address
120 Pauahi Street Suite 309
Hilo, Hawai`i 96720
May 20, 2021
Honorable Maile Mederios David, Council Chair
and Members of the Hawaii County Council
Hawaii County Council
25 Aupuni Street
Hilo, Hawaii 96720
Dear Chair David and Council Members,
In accordance with generally accepted government auditing standards and the Hawaii
County Charter Section 3-18(d)(3), the Office of the County Auditor has a responsibility
to monitor and follow-up on audit recommendations to ensure that audit findings are
being addressed through appropriate corrective action and to aid us in planning future
audits.
We have completed our follow-up audit of the County of Hawaii Information Technology
Asset Management (Report No. 2015-01) dated November 12, 2015. The audit
objective was to determine if the Department of Information Technology implemented
the 2015 IT Asset Management recommendations. We tested eleven recommendations
and found that management took corrective action as follows:
Status of Recommendations:
4 Implemented Department has fully implemented the audit recommendation
6 In Process Department started or has partially implemented the audit recommendation
1 Not Implemented Department ahs not begun implementation of the recommendation
Currently, the Department of Information Technology (DIT) does not own or manage all
the County's IT assets. To fully meet best practices, IT asset management should be
centralized, DIT should own all IT assets, and use an IT asset management role.
Hawai`i County is an Equal Opportunity Provider and Employer
These are key elements to successful management of IT assets and without these
elements, the County is at an increased risk of security concerns, system instability,
helpdesk, and County employee inefficiencies, as well as increased hardware and
software costs.
Management has generally agreed with the comments and the status of recommendations
in this report.
We would like to express our sincere appreciation and commend the Department of
Information Technology's leadership and staff for their continued efforts to improve
information technology asset management and for their assistance, cooperation, and
prompt feedback during the follow-up audit process.
If you have any questions or concerns about the status of recommendations discussed,
please feel free to contact me at 961-8386.
Respectfully,
Maxinne Pacheco
Acting County Auditor
CC Mitchell D. Roth, Mayor
Lee Lord, Managing Director
Jon Henricks, County Clerk
Scott Uehara, Director, Department of Information Technology
Deanna Sako, Finance Director
Report Highlights May 20, 2021
County of Hawaii Information Technology
Asset Management Follow-Up
Original Audit
What we found
Two key elements of IT asset management are the centralization of the IT function and the use of an IT asset management role. Without these two elements, the County is at an increased risk of security concerns, system instability, and helpdesk inefficiencies.
What we recommended
We identified the following recommendations for management to meet best practices:
1. DIT should own all IT assets. Furthermore, an IT asset management role should be established to manage the County's IT assets including:
Developing a financial forecast of hardware and software upgrades and replacements;
Maintaining an approved software list for standardization;
Identifying re-deployable IT assets;
Continuing to evaluate leasing as an option;
Maintaining a listing of IT assets and the assigned users in a centralized database;
Centrally receiving and accepting all IT assets;
Reconciling IT assets in the IT asset management inventory; and
Ensuring the disposal of IT assets occurs in a secured manner.
2. The County should address gaps in formal written policies and procedures over IT practices.
Follow-up Audit
In November of 2015, the Office of the County Auditor issued the audit of the County of Hawai‘i Information Technology Asset Management and made eleven recommendations.
Management generally agreed with the comments and status of recommendations.
Objective
To determine if the Department of Information Technology implemented the 2015 IT asset management recommendations.
Status of Recommendations
We tested eleven recommendations and found that management took corrective action as follows:
Implemented: 4
In Process: 6
Not Implemented: 1
Hardware and software Lifecycle management
Upgrades & Replacements: (1) In Process
Purchase Request & Approval:
(1) In Process and (1) Implemented
Redeployment of Assets: (1) In Process
Leasing: (1) Implemented
Hardware and software inventory management
Centralized Management System:
(1) Implemented and (1) In Process
Receiving & Accepting: (1) In Process
Annual Physical Inventory: (1) Not Implemented
Hardware and Software security
Secured Disposal: (1) In Process and (1) Implemented
This audit was conducted in accordance with generally accepted government auditing standards.
Table of Contents
Status of Recommendations ....................................................................................... 1
Hardware and Software Lifecycle Management
1. Upgrades and Replacements .................................................................... 1
2. Purchase Request and Approval ............................................................... 3
3. Redeployment of Assets............................................................................ 4
4. Leasing ...................................................................................................... 5
Hardware and Software Inventory Management
5. Centralized Management System.............................................................. 6
6. Receiving and Accepting ........................................................................... 8
7. Annual Physical Inventory.......................................................................... 9
Hardware and Software Security
8. Secured Disposal..................................................................................... 10
AuditObjective ........................................................................................................... 11
Audit Scope and Methodology .................................................................................. 11
Conclusion .................................................................................................................. 13
Department Response ............................................................................................... 14
Status of Recommendations
Hardware and Software Lifecycle Management
Recommendation #1. Upgrades and Replacements - Status: In Process
We recommend that DIT establish an IT asset manager position to manage the County's IT assets and implement a plan to develop a one through five-year financial forecast of hardware and software upgrades and replacements for each of the departments by analyzing the historical information on the County's IT environment, current trends, and future needs.
While the County has implemented several procedures to better manage IT assets, to fully meet industry best practices and improve the process of upgrading and replacing computers and laptops, the IT asset manager should implement a plan to take ownership of all IT assets.
Auditee Action:
In September 2019, DIT developed a plan to deploy 310 computers and/or laptops. Due to the COVID-19 pandemic, deployment is ongoing.
In November 2020, we discussed the status of recommendations with the current and incoming DIT Director. We worked with the incoming administration to provide a written response to be included in this report.
We reviewed the supplemental budget requests and found the IT asset manager position was not established. In January 2021, the new DIT Director stated in his new role he has discretion to realign duties to close gaps in certain processes by dividing up work between DIT sections. He further affirmed he has a goal of developing a five-year hardware and software upgrade and replacement schedule to address this audit recommendation.
Additionally, in July 2020, we reviewed a contract authorizing the development of an IT Strategic Plan and Roadmap with the State of Hawaiʻi, Office of Enterprise Technology and the United States Department of Defense, Office of Homeland Security.
IT Asset Management Follow-up Audit Status of Recommendations page 1
Auditee Action: DIT attended a series of workshops to
learn:
• IT Strategy
Assess the current state of IT and compare it to the desired future state;
Create a roadmap of IT initiatives that will bring IT to the level neededto achieve its goals and fulfill its role to support business objectives;
and
Establish a strategic roadmap for the next 2-3 years.
• Information Security
• Disaster Recovery Planning
To fully meet best practices, management
should prioritize establishing an IT asset
manager or equivalent to manage all
County-owned IT assets and develop a
one through five-year financial forecast of
upgrades and replacements for each of
the departments by analyzing the historical
information on the County's IT
environment, current trends, and future
needs as part of their IT Strategic Plan and
Roadmap.
IT Asset Management Follow-up Audit Status of Recommendations page 2
Recommendation #2. Purchase Request and Approval Status: In Process
We recommend DIT implement a policy to maintain an approved software listing and communicate the risks to the departments. The policy should include an annual review of the listing to ensure that software listed is still relevant and does not pose a security concern to the County. A review process should be implemented to respond to requests for software titles that are not currently in the supported software listing.
Auditee Action: We reviewed 137 approved and disapproved software listings and found DIT has a process of maintaining an approved software listing and communicates the risk in their Hawai‘i County Security Handbook that provides guidance on, “What you need to know to stay safe while computing, and help protect the County’s IT assets.”
To fully meet best practices, DIT should address current software approval processes including an annual review in DIT Employee Policies.
We also recommend DIT update the County-Issued Technology Device policy to include prohibiting users from installing non-supported software and adding un-approved devices to the County network.
Status: Implemented
Auditee Action:
We reviewed DIT Employee Policies’ Electronic Resources Policy (March 2020) prohibiting:
“Engaging in disruptive or malicious activities such as unauthorized software, hardware, or data modification.”
“Installing or downloading software not approved and/or licensed to the County.”
IT Asset Management Follow-up Audit Status of Recommendations page 3
Recommendation #3. Redeployment of Assets Status: In Process
We recommend that once the IT asset manager position has been established, DIT should implement a process to identify redeployable assets and to establish County-wide formal written redeployment procedures to retrieve computers and software licenses that were installed on computers that were replaced or idle for an extended period of time. The redeployment of computers and software licenses is often cost-effective, minimizes unnecessary purchases, reduces over purchasing of assets and reduces data security risks.
Auditee Action:
We reviewed 426 equipment transfer records and found DIT partially meets best practices because they:
Identify and tag usable hardware and software through department transfers and helpdesk ticket requests.
Redeploy local or cloud-based software licenses (Microsoft/Adobe) when computers become inoperable, or user separates from the County.
Identify computers and laptops that could be redeployed because of County-wide computer upgrade and replacement initiatives.
Track equipment on loan with an In/Out log.
To fully meet best practices, DIT should address current redeployment processes including establishing a County-wide formal written redeployment procedures to retrieve computers and software licenses that were installed on computers that were replaced or idle for an extended period of time in DIT Employee Policies.
In January 2021, the new DIT Director stated they will redeploy usable IT assets within the three to five-year warranty period.
Figure 1 Items tagged for redeployment
Photo courtesy Office of the County Auditor
IT Asset Management Follow-up Audit Status of Recommendations page 4
Recommendation # 4. Leasing Status: Implemented
We recommend DIT continue to evaluate leasing as an option to procure computers and software licenses for the County.
We also reviewed yearly subscriptions for software licenses for:
Adobe VIP (Value Incentive Program)
Adobe Sign
Microsoft
ESRI (software mapping)
IT Asset Management Follow-up Audit Status of Recommendations page 5
Hardware and Software Inventory Management
Recommendation # 5. Centralized Management System Status: Implemented
We recommend DIT track users in a centralized database. Not tracking users in a centralized database may increase the County's security exposure since DIT may not be able to determine if computers are in use or locate assets. In addition, DIT may have difficulty holding employees accountable for the protection of assets and inappropriate activities. Unused computers are candidates for redeployment and may unnecessarily consume software licenses. From a software compliance perspective, software end-user licensing agreements can be tied to users instead of computers, and DIT may not be able to determine the appropriate license counts without knowing the assigned users.
The fixed assets inventory system is not accessible to DIT and the automated network and software inventory system is not used to track the user.
Auditee Action: We observed Lansweeper, an automated software program used to monitor asset data information, network security, software updates, and patches for:
1,408 users
1,449 devices
Flagging computers/devices not seen in the network in the last 30/60/90 days
Flagging users’ access upon separation from the County every two weeks
Flagging and redeploying local or cloud-based software licenses (Microsoft/Adobe) when computers become inoperable, or user separates from the County
Blocking at-risk devices from the network
Pushing out security updates and patches
Restricting most user’s administrative rights.
Reporting discrepancies to department IT liaisons
IT Asset Management Follow-up Audit Status of Recommendations page 6
Therefore, we recommend that once the IT asset manager position is established, DIT should implement a plan to identify a centralized database that has the ability to track users whether it is the fixed assets inventory system, the automated network and software inventory system, or another IT asset management inventory system. After a product has been identified, the IT asset manager should implement County-wide written procedures to centrally track users for all IT assets.
Status: In Porcess
Auditee action:
We observed DIT staff using Lansweeper to track asset data information for over 1400 users and devices connecting to the network to ensure the network is safe.
To fully meet best practices, the IT asset manager should implement County-wide written procedures to centrally track users for all IT assets in applicable DIT Employee Policies and/or IT Strategic Plan and Roadmap.
IT Asset Management Follow-up Audit Status of Recommendations page 7
Recommendation #6. Receiving and Accepting Status: In Process
We recommend DIT implement a plan to centrally receive and accept all IT assets to ensure DIT is aware of new computers or software before they are introduced into the County environment.
DIT is aware of new computers and
software because they:
• Coordinate County-wide computer
update and replacement
initiatives/Refresh.
• Restrict most user's administrative
rights.
• Require users to submit a helpdesk
ticket for hardware/software
installation and/or configuration to
the network.
• Require users to submit a Custom
Technology Request Form for all
other non-price term agreement
equipment and software requests.
To fully meet best practices, DIT should
implement a plan to centrally receive and
accept all IT assets and/or address
current receiving and accepting
processes to ensure DIT is aware of new
computers or software before they are
introduced into the County environment
in DIT Employee Policies.
IT Asset Management Follow-up Audit Status of Recommendations page 8
Recommendation # 7. Annual Physical Inventory Status Not Implemented
We recommend DIT periodically reconcile IT assets listed on the Fixed Asset Detail Report with the automated network and software inventory system to ensure all IT assets are properly recorded and included in the annual physical inventory. Any discrepancies should be investigated and resolved immediately.
Auditee Action: We corroborated with DIT staff and reviewed the County’s inventory records and found DIT performs physical inventory of only their departments IT assets.
To fully meet best practices, DIT should conduct periodic County-wide physical inventory to ensure all IT assets are properly recorded and included in the annual physical inventory.
IT Asset Management Follow-up Audit Status of Recommendations page 9
Hardware and Software Security
8. Secured Disposal Status In Process
We understand that the Director of IT plans to issue a memo with the “Electronic Records Destruction Policy for Computer and Electronic Media" to the Department heads and managers requiring the transfer of all obsolete hard drives to DIT for destruction. We recommend the County review this policy at least annually and update accordingly.
Auditee Action: We reviewed the DIT Employee Policies Electronic Data Storage Destruction Policy (March 2020) and found the policy was periodically reviewed but not updated accordingly.
To fully meet best practices, DIT should address the transfer of all obsolete hard drives to DIT for destruction including annual review process in DIT Employee Policies.
We also understand that the current computer deployment location is temporary. However, if DIT continues to use the facility, we recommend that additional physical security controls be implemented to safeguard IT assets and media from loss or theft.
Status: Implemented
Auditee Action
We verified additional physical security controls to safeguard IT assets and media from loss or theft, specifically we:
Observed security camera system and safeguarding practices in place at Schultz Siding office and baseyard.
Reviewed 82 disposal records and three police reports to confirm there were no redeployed items in DIT’s custody that were stolen.
Compared Equipment Disposal Forms to Certificates of Disposal and found no exceptions.
Observed manual hard drive crusher used to destroy obsolete hard drives and media tapes at secured location.
Figure 2 Manual Hard Driver Crusher
Photo courtesy
Office of the County Auditor
IT Asset Management Follow-up Audit Status of Recommendations page 10
Audit Objective
The objective of this follow-up audit was to determine if the Department of Information
Technology implemented the 2015 IT asset management recommendations.
Audit Scope and Methodology
To verify the Department of Information Technology implemented the IT asset
management recommendations, we:
• Corroborated information with appropriate staff to follow-up on the responses to
audit recommendations
• Performed tests of controls
• Reviewed applicable source documents:
Inventory Procedures Manual dated 1-1-83
DIT Employee Policies dated 12-31-16, revised 7-1-17, and 3-23-2020
Electronic Resources Policy
Password Policy
E-Mail Retention Policy
Electronic Data Storage Destruction Policy
Mobile Device Policy
Social Media Policy
Memorandum of Understanding for the County of Hawaii Department of
Information Technology's Strategic Plan and Roadmap 6-18-2020
Statement of Work: IT Strategy, Information Security, and Disaster
Recovery Planning Workshops for County of Hawaii
Windows Upgrade and Deployment Strategies dated 9-11-19
Project Data Criteria dated 10-2-19
Information Technology Information Security Handbook
Standard Operating Procedures for County Devices
Approved/disapproved software listings
Loaner equipment In/Out logs
Inventory records including department transfers and disposals
2015 - 2019 Price Term Agreements for Computer Equipment
Supplemental Budget Requests
Council Resolutions and Communications
Other as needed information from December 2015 to January 2021
• Conducted site visits to verify monitoring, redeployment, and safeguarding
practices at Waiakea Office Plaza and Schultz Siding Office.
IT Asset Management Follow-up Audit Audit Objective, Scope and Methodology page 11
The scope of the audit was limited to departments that the Department of Information
Technology supports. The audit excluded the Department of Water Supply, Police
Department, Office of Housing and Community Development, Office of the Prosecuting
Attorney, and the Office of Aging.
We conducted this performance audit in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform the audit to
obtain sufficient, appropriate evidence to provide reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence obtained
provides a reasonable basis for our findings and conclusions based on our audit
objectives.
IT Asset Management Follow-up Audit Audit Objective, Scope and Methodology 112
Conclusion
We sincerely thank the Department of Information Technology's leadership and staff for
their cooperation during our follow-up work and for their efforts in working toward
implementing and partially implementing most IT asset management recommendations,
such as:
➢ Lifecycle management for hardware and software upgrades and replacements
➢ Purchase request and approval
maintaining approved software listing and communicating the risks to
departments
updating County-Issued Technology Devise policy prohibiting users from
installing non-supported software and adding un-approved devices to the
County network
➢ Redeployment of assets
➢ Evaluating leasing as an option to procure computers and software licenses
➢ Tracking users in a centralized database
➢ Centrally receiving and accepting all IT assets to ensure DIT is aware of new
computers or software before they are introduced into the County environment
➢ Secure disposal
Annual review of secured disposal policy
Additional physical security controls to safeguard IT assets from loss or
theft.
Opportunities exist to fully meet best practices, such as DIT should:
➢ Centralize the IT asset management function
➢ Own all IT assets and establish an IT asset management role
Develop a one through five-year financial forecast of upgrades and
replacements for each of the departments by analyzing the historical
information on the County's IT environment, current trends, and future
needs.
➢ Conduct periodic physical inventory to ensure all County IT assets are properly
recorded and included in the annual physical inventory.
➢ Address gaps in Employee Policies to address:
Current software approval processes including annual review
Current redeployment processes including the retrieval of computers and
software licenses that were installed on computers that were replaced or idle
for an extended period of time.
Implement County-wide written procedures to centrally track users for all
IT assets
Centrally receive and accept all IT assets and/or current receiving and
accepting processes, and
Transfer of all obsolete hard drives to DIT for destruction including an annual
review process.
IT Asset Management Follow-up Audit Conclusion page 13
Department Response
Mitchell D. Roth Mayor
Lee Lord Managing Director
Scott Uehara Director
County of Hawaii
Department of Information Technology
1990 Kinoole Street, Suite 105 Hilo, Hawaii 96720
Telephone (808) 932-2960 Fax (808) 961-8089
May 18, 2021
Acting County Auditor
Maxinne Pacheco
25 Aupuni Street
Hilo, Hawaii 96720
To Maxinne Pacheco:
You will find the Department of Information and Technology's response letter to the Hawaii
County Audit for 2021.
Should there be any questions or concerns, please feel free to contact me.
Sincerely,
Scott Uehara
Department of Information Technology, Director
1990 Kinoole Street, Suite 4105
Hilo, HI 96720
4808-932-2975
Scott.Uehara@hawaiicounty.gov
County of Hawai'i is an Equal Opportunity Provider and Employer.
IT Asset Management Follow-up Audit Department Response page 14
Hardware and Software Lifecycle Management
1. Upgrades and Replacements (Status: In Process)
Recommendation: Recommended that DIT establish an IT asset manager position to manage the
County's IT assets and implement a plan to develop a one through five year financial forecast of
hardware and software upgrades and replacements for each of the departments by analyzing the
historical information on the County's IT environment, current trends and future needs.
While the County has implemented several procedures to better manage IT assets, to fully meet
industry best practices and improve the process of upgrading and replacing computers and
laptops, the IT asset manager should implement a plan to take ownership of all IT assets.
Response: An IT asset management position was recommended in the November 12, 2015 audit
and is being recommended again in the November 30, 2020 audit. In the November 12, 2015
audit report, management of hardware and software lifecycle, inventory, financial and security
procedures were compared against the Best Practices Library published by the International
Association of Information Technology Asset Managers.
Managing Information Technology assets across the County is an important issue that must be
addressed. In order to manage the overall life cycle of these assets, the finances, inventory, and
contractual/risk management responsibilities are required. The IT Asset Manager (ITAM)will
have many different roles to play. They will be not only short term, but long-term goals. The
position will also introduce best practices that provide value to the County as a whole. The
simplest way to summarize the importance of this role is with the saying, "If you are not
managing your technology, you are not managing your business." By Dr. Barbara Rembiesa.
While DIT moves towards investigating the ITAM position, questions still need to be answered,
such as:
• Will the ITAM be financially responsible for missing assets, when this position does not
have total physical accountability for assets?
• As technology moves forward with mobile technology, how will asset control account for
equipment which are routinely moving?
• Will inventory auditing be conducted in tandem or asynchronous from yearly and
administrative audits?
2. Purchase Request and Approval (Status: In Process)
Recommendation: Recommended that DIT implement a policy to maintain an approved software
listing and communicate the risks to the departments. The policy should include an annual
review of the listing to ensure that software listed is still relevant and does not pose a security
concern to the County. A review process should be implemented to respond to requests for
software titles that are not currently in the supported software listing.
Response: DIT does manage a list of approved and unapproved software listing. It is agreed that
a policy should be created to address baseline standards for the review process of software.
County of Hawai'i is an Equal Opportunity Provider and Employer.
IT Asset Management Follow-up Audit Department Response page 15
3. Redeployment of Assets (Status: In Process)
Recommendation: Was recommended that once the IT asset manager position has been
established, DIT should implement a process to identify redeployable assets and to establish
County-wide formal written redeployment procedures to retrieve computers and software
licenses that were installed on computers that were replaced or idle for an extended period of
time. The redeployment of computers and software licenses is often cost effective, minimizes
unnecessary purchases, reduces over purchasing of assets and reduces data security risks.
Response: DIT continues efforts to utilize assets capable of supporting user requirements and
aligning with established security requirements. The Coronavirus pandemic required DIT to
quickly adjust to work reassignments and this caused some assets to fall out of compliance for
redeployment.
4. Leasing
Recommendation: Recommended that DIT continue to evaluate leasing as an option to procure
computers and software licenses for the County.
Response: Agree with recommendation and implementation of leasing.
5. Centralized Management System (Status: In Process)
Recommendation: Recommended that DIT track users in a centralized database. Not tracking
users in a centralized database may increase the County's security exposure since DIT may not
be able to determine if computers are in use or locate assets. In addition, DIT may have difficulty
holding employees accountable for the protection of assets and inappropriate activities. Unused
computers are candidates for redeployment and may unnecessarily consume software licenses.
From a software compliance perspective, software end-user licensing agreements can be tied to
users instead of computers, and DIT may not be able to determine the appropriate license counts
without knowing the assigned users. The fixed assets inventory system is not accessible to DIT
and the automated network and software inventory system is not used to track the user.
Therefore, we recommend that once the IT asset manager position is established, DIT should
implement a plan to identify a centralized database that has the ability to track users whether it is
the fixed assets inventory system, the automated network and software inventory system, or
another IT asset management inventory system. After a product has been identified, the IT asset
manager should implement County-wide written procedures to centrally track users for all IT
assets.
Response: The majority of software licenses have been migrated from device assignments to
being assigned to users. User tracking will need to account for all device and license types as
some employees have stationary assets in their office environment, and also have mobile assets
which will require additional tracking of the asset and software associated.
To aide DIT in tracking users, we need assistance from all County departments to timely notify
DIT of employee changes.
County of Hawai'i is an Equal Opportunity Provider and Employer.
IT Asset Management Follow-up Audit Department Response page 16
6. Receiving and Accepting (Status: In Process)
Recommendation: Recommended that DIT implement a plan to centrally receive and accept all
IT assets to ensure DIT is aware of new computers or software before they are introduced into
the County environment.
Response: DIT will work on a policy and process with the Finance department to accurately
account for all computer purchases to ensure that all assets will be centrally received. To move
forward with this recommendation, DIT will need a warehouse or location to physically store
assets while waiting for configuration and deployment.
7. Annual Physical Inventory (Status: Not Implemented)
Recommendation: Recommended that DIT periodically reconcile IT assets listed on the Fixed
Asset Detail Report with the automated network and software inventory system to ensure all IT
assets are properly recorded and included in the annual physical inventory. Any discrepancies
should be investigated and resolved immediately.
Response: The Coronavirus pandemic has introduced new challenges to inventory assets as many
devices have remained off, and thusly automated network scans have not been fully successful
with ascertaining if assets are still in place. Without additional staff, dedicated to asset
management, this will remain on ongoing issue.
8. Secured Disposal (Status: In Process)
Recommendation: We understand that the Director of IT plans to issue a memo with the
"Electronic Records Destruction Policy for Computer and Electronic Media" to the Department
heads and managers requiring the transfer of all obsolete hard drives to DIT for destruction.
Recommend the County review this policy at least annually and update accordingly. We also
understand that the current computer deployment location is temporary. However, if DIT
continues to use the facility, we recommend that additional physical security controls be
implemented to safeguard IT assets and media from loss or theft.
Response: We will request a secured facility and container to ensure assets and media are
safeguarded from theft and/or loss. As a County, a review and agreement must be congruent on
a record retention policy to include electronic documents and media.
County of Hawai'i is an Equal Opportunity Provider and Employer.
IT Asset Management Follow-up Audit Department Response page 17