During its audit of the town of Wilton and Board of Education\u2019s internal controls, consulting firm Blum Shapiro performed an information technology (IT) general controls review, which focused on IT organization, policies and procedures, security, and system backup.In a post-audit management letter, Blum Shapiro noted several recommendations for the education board to consider when determining the appropriate level of technology controls. The board reviewed and discussed these recommendations during its Feb. 5 meeting. Passwords The firm\u2019s first recommendation was to strengthen the district\u2019s network password security. \u201cIt would force everybody to reset their passwords and their complexity on June 20,\u201d Technology Director Mathew Hepfer told the board, \u201cand every 90 days, they will be forced to create a new password.\u201d Although this is \u201ca move that may be very, very unpopular,\u201d said Mr. Hepfer, \u201cthe good news is that organizations have done this for years and people get used to it.\u201d Access lockoutsMr. Hepfer said the district began formalizing and strengthening its procedures to ensure access lockouts for terminated and retired employees at the end of last year. \u201cOur human resources department and data system analyst [James Mizera] created a protocol of what to do when someone leaves and how long we keep different accounts active,\u201d said Mr. Hepfer. \u201cMost things are shut off immediately, but we\u2019ve formalized the procedure a bit more since Blum Shapiro gave their recommendation.\u201d Employee maintenance Blum Shapiro recommended that the board review employee maintenance access to \u201censure proper segregation of duties between all systems.\u201d Mr. Hepfer said he, Financial Director Ken Post and Human Resource Director Susan Paley met with \u201ckey staff members\u201d to discuss formalizing employee controls. Disaster recovery Blum Shapiro also recommended that the board formalize and test a disaster recovery plan, for which the board has already developed a plan template. In response to Blum Shapiro\u2019s recommendation, the board said its disaster recovery plan need to be updated \u201cto reflect recent changes to infrastructure and also to develop a formal testing schedule,\u201d which the schools expect to complete this school year. \u201cThis is something we were working on, but we had actually held off on updating our formal disaster recovery plan because we were in the process of virtualizing our servers,\u201d said Mr. Hepfer. \u201cWe\u2019re also in the process of changing some of our data systems for HR [human resources], so we\u2019re kind of in a little bit of a holding pattern right now, but we have begun the process of formalizing the plan.\u201d E-discovery Blum Shapiro\u2019s last technology recommendation was for the board to work with legal counsel to confirm the appropriate, necessary steps and actions to prepare a compliant e-discovery plan. The education board said it developed a formal plan for responding to Freedom of Information Act requests with its legal counsel. \u201cThe plan includes a workflow and a formal notification procedure,\u201d according to the board, which also noted that the schools\u2019 email archiving server was upgraded in the fall to \u201cmore efficiently respond to requests for e-discovery."