Our evaluation focused on how these components had implemented technical, management, and operational computer security controls at the airport and nearby locations. We performed onsite inspections of the areas where these assets were located, interviewed departmental staff, and conducted technical tests of internal controls. We also reviewed applicable policies, procedures, and other relevant documentation. The information technology security controls implemented at these sites have deficiencies that, if exploited, could result in the loss of confidentiality, integrity, and availability of the components’ respective information technology systems. For example, regularly scanning servers for vulnerabilities is a technical control. However, not all departmental servers were being scanned for vulnerabilities.