Citizen Portal
Sign In

Maricopa County says data-classification policy approved; auditors flagged access-control weaknesses

3759667 ยท June 11, 2025

Loading...

AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video. so we can fix them.

Summary

Auditors flagged incomplete IT policies and inconsistent enforcement; county IT officials described deployment of Varonis software, appointed data stewards and ongoing identity-and-access management work to address the finding.

Maricopa County officials told the Board of Supervisors on June 9, 2025, that a previously reported information-technology control weakness is being addressed after the Arizona Auditor General reported delays in approving and implementing IT policies.

The audit finding matters because auditors identified a weakness in policies and procedures to restrict logical and physical access to county systems and data; the auditors said those policies were developed but not approved or implemented during the audit period, delaying remediation of the control deficiency.

Melanie Chesney, deputy auditor general, described the office's responsibility to report internal-control deficiencies. Michelle Walters, audit manager, told the board the county provided draft policies to department directors in June 2024 and planned board-level approval in fiscal year 2025. Board members asked for clarification about timing and approval.

County Manager Jen Pokorski and Shay McGrew, chief technology officer for Enterprise Technology and Innovation, said the county approved a countywide data-classification policy in December 2024 and has procured and deployed Varonis software to locate and classify data. McGrew said departments have appointed data stewards who will validate Varonis classifications; those stewards will receive training this year and end users will be able to tag documents on creation. He described three classification levels in current use: public, restricted and classified.

McGrew said the county has been working on data classification for about four years and is pairing that work with an identity-and-access-management program underway for three years to better manage entitlements and limit inappropriate access. He said the county conducts annual security-awareness training and phishing campaigns through Workday Learn, and employees can report suspicious emails via an Outlook "report phish" button; the county also targets additional training at users who repeatedly misidentify phishing attempts.

The Auditor General and county staff said the work is ongoing; the auditors noted the FY2024 report could not consider policies finalized after the audit period but acknowledged progress documented to the board.