The Johnson County Auditor’s Office presented a performance audit on Oct. 9 that found the county has made measurable progress identifying data custodians and classifying data, but that more work is needed to complete classification, maintain documentation and ensure vendor information‑security reviews cover all applicable third parties.

Doug Jones, county auditor, told commissioners the audit — conducted in accordance with government auditing standards — examined the county’s efforts to identify data custodians, classify data sensitivity and assess vendor security controls. The county’s IT governance council has proposed a five‑level classification scheme (public, internal, exempt, protected and restricted). The audit recommended drafting clear training for data custodians, allocating resources to sustain governance work and documenting the operational procedures used to assess vendor security risks.

"We determined the county has made progress addressing all three areas, but more work remains," Jones said, and noted that some vendors or software subscriptions in active use have not been assessed under the county’s vendor security review process.

Bill Nixon, director of Technology/Chief Information Officer, said the department supports the recommendations and will include data stewardship training in the 2026 workplan and document vendor review procedures. He noted the county already applies a risk‑based review that requires stronger controls for vendors handling restricted or protected data and that contract language and insurance requirements are being updated as contracts are renewed.

The audit report includes five recommendations: (1) finalize and adopt the revised data classifications and provide custodian training; (2) ensure county employees are aware of vendor security‑review requirements; (3) update the contract administration plan to incorporate security review prompts; (4) document day‑to‑day vendor assessment procedures; and (5) continue resource planning so departments can meet custodian responsibilities. Audit staff reported roughly 500 audit hours for the review.

Commissioners and staff treated the report as informational; the director of Technology and the county manager agreed to include the audit recommendations in the 2026 implementation schedule.