I’ve occasionally posted school district audits conducted by the New York State Comptroller’s Office to highlight the state of infosecurity – or lack thereof – in the k-12 sector. Here’s a summary of, and link to, a newly released audit (emphasis added by me):
Alfred-Almond Central School District
Although a previous Office of the State Comptroller audit recommended that the District adopt policies and procedures that restrict users’ financial software application permissions to only those functions that are necessary for their job duties, the District did not act on this recommendation. The District also has not adopted a formalized process for monitoring user activity for appropriateness. As a result, we identified 24 user accounts, or 69 percent of the established accounts, that had inappropriate or unnecessary access rights or permissions. Auditors also confirmed that the former district treasurer attempted to manipulate her paid leave accruals by adding 60 unauthorized sick days valued at approximately $10,000. District officials notified auditors that they discovered through an informal review of leave records that the former treasurer attempted to manipulate her paid leave records. District officials corrected the leave records, and the former treasurer did not receive any undue benefit.